
A new Censys report describes how the Chinese APT group Salt Typhoon (linked to Volt Typhoon) is actively scanning and targeting internet-exposed management systems such as iDRAC, iLO, firewalls, and VPN gateways. The attackers rely on valid credentials and living-off-the-land (LOTL) techniques to move laterally without triggering traditional security tooling.
Censys Report: https://lnkd.in/ee7wCJxR
Splunk Volt Typhoon Detection Suite: https://lnkd.in/ehBhJdYF
Detect FYI APT Playbook: https://lnkd.in/e6xZu9K7
GreyNoise on Cisco Exploits: https://lnkd.in/ejS9tpHy
Deception Playbook: https://lnkd.in/eZir2ykH
Sigma Rule Repository: https://lnkd.in/eVWCfPKt
RuleHound.io: https://rulehound.io
You Should Know: Detecting & Mitigating Salt Typhoon Attacks
1. Check for Exposed Remote Management Interfaces
Use Nmap to scan for open iDRAC, iLO, RDP, and VPN ports:
nmap -p 443,3389,17988,8443 -sV --script vuln <target_IP>
2. Hunt for Suspicious Logins
Check Windows Event Logs for RDP brute-forcing:
Get-WinEvent -LogName "Security" -FilterXPath "*[System[EventID=4625]]" | Where-Object { $_.Message -match "Logon Type:\s+10\b" } | ForEach-Object { [regex]::Match($_.Message, "Source Network Address:\s+(\S+)").Groups[1].Value } | Group-Object | Sort-Object Count -Descending
3. Block Default Credentials
Force password changes on iDRAC (racadm shown; iLO has an equivalent in its own CLI):
racadm config -g cfgUserAdmin -o cfgUserAdminPassword -i <user_id> <new_password>
4. Deploy Sigma Rules for Detection
Use Splunk/Sigma to detect LOTL techniques:
title: Suspicious RDP Session from Rare IP
description: Detects RDP logins from uncommon sources
author: Censys
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4624
    LogonType: 10
  filter_internal:
    IpAddress|startswith:
      - "192.168."
      - "10."
  condition: selection and not filter_internal
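The logic of steps 2 and 4 (failed-logon bursts per source, and successful RDP logons from outside the internal ranges) as an added, stand-alone Python example; it is not code from the Censys report or from this post, and it runs over constructed sample events rather than a live event log:

```python
import ipaddress
from collections import Counter

# Constructed sample Windows Security events (not real logs). Fields mirror
# EventID 4624 (success) / 4625 (failure); LogonType 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = [
    {"ts": 1, "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "admin"},
    {"ts": 2, "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "admin"},
    {"ts": 3, "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "admin"},
    {"ts": 4, "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "admin"},
    {"ts": 5, "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "admin"},
    {"ts": 6, "EventID": 4624, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "admin"},
    {"ts": 7, "EventID": 4624, "LogonType": 10, "IpAddress": "10.0.0.5", "TargetUserName": "helpdesk"},
    {"ts": 8, "EventID": 4624, "LogonType": 3, "IpAddress": "198.51.100.9", "TargetUserName": "svc_backup"},
    {"ts": 9, "EventID": 4624, "LogonType": 10, "IpAddress": "198.51.100.9", "TargetUserName": "svc_backup"},
]

# Same exclusion the Sigma rule expresses: RFC 1918 ranges count as known sources.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def rdp_logons_from_external(events):
    """Sigma rule logic: successful RDP logon (4624, LogonType 10) minus internal sources."""
    return [e for e in events
            if e["EventID"] == 4624 and e["LogonType"] == 10 and not is_internal(e["IpAddress"])]

def failed_logon_sources(events, threshold=5):
    """Brute-force hunt: source addresses with at least `threshold` 4625 events."""
    counts = Counter(e["IpAddress"] for e in events if e["EventID"] == 4625)
    return {ip: n for ip, n in counts.items() if n >= threshold}

def success_after_burst(events, threshold=5):
    """Sources that failed `threshold` times and then logged on successfully (ordered by ts)."""
    failures = Counter()
    hits = []
    for e in sorted(events, key=lambda e: e["ts"]):
        ip = e["IpAddress"]
        if e["EventID"] == 4625:
            failures[ip] += 1
        elif e["EventID"] == 4624 and failures[ip] >= threshold and ip not in hits:
            hits.append(ip)
    return hits

if __name__ == "__main__":
    for e in rdp_logons_from_external(SAMPLE_EVENTS):
        print(f"external RDP logon: {e['IpAddress']} -> {e['TargetUserName']}")
    print("brute-force sources:", failed_logon_sources(SAMPLE_EVENTS))
    print("success after failure burst:", success_after_burst(SAMPLE_EVENTS))
```

Feeding it real events means mapping the 4624/4625 XML fields (EventID, LogonType, IpAddress) into the same dictionaries.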
5. Monitor for Anomalous Outbound Connections
Detect C2 communications with Zeek (Bro):
zeek -C -r traffic.pcap local "notice_filters.bro"
6. Harden VPN & Firewall Configurations
Disable weak cipher suites on OpenVPN:
openvpn --config server.conf --tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
What Undercode Says
Salt Typhoon's low-and-slow intrusion tactics make it hard to detect with traditional AV. Organizations must:
- Disable default credentials on all management interfaces
- Deploy deception traps (e.g., Canary tokens)
- Enforce MFA on RDP/VPN
- Log and analyze unusual lateral movement
Expected Commands for Defense:
Check for hidden SSH tunnels (established connections included, not only listeners):
netstat -tunap | grep ssh
Detect pass-the-hash attacks (NTLM network logons handled by the MSV1_0 authentication package, on the Windows host):
Get-WinEvent -FilterHashtable @{LogName="Security"; Id=4624} | Where-Object { $_.Message -match "Logon Type:\s+3\b" -and $_.Message -match "Authentication Package:\s+NTLM" } | Select-Object TimeCreated, Message
Block Chinese APT IPs via iptables (45.xx.xx.xx is a placeholder address):
iptables -A INPUT -s 45.xx.xx.xx -j DROP
Expected Output:
Active Internet connections (servers and established)
tcp 0 0 192.168.1.10:22 45.xx.xx.xx:443 ESTABLISHED
Prediction:
Chinese APTs will increasingly target edge devices (routers, NAS, IoT) to bypass EDR. Expect AI-driven credential stuffing by 2025.
Expected Output:
A hardened network with reduced exposure, behavioral detections, and blocked malicious IPs.
References:
Reported By: Simone Kraus – Hackers Feeds


