Chinese Hackers Caught Deep Within Telecom Backbone Infrastructure

A China-linked state-sponsored actor has implanted kernel-level BPFdoor backdoors and passive implants deep within global telecommunications backbone infrastructure to maintain long-term, stealthy access for high-level espionage. Rapid7 found these sleeper tools working alongside CrossC2, TinyShell, credential harvesters, and brute-forcing utilities, with initial access gained by abusing public-facing apps and vendor appliances such as Ivanti, Cisco, Fortinet, VMware, and Palo Alto Networks. #BPFdoor #SaltTyphoon

Key points

  • Operators deployed kernel implants (BPFdoor) and passive backdoors inside telecom backbone systems for extended persistence.
  • BPFdoor inspects packets in the Linux kernel and triggers shells when a specific magic byte sequence is detected, often hiding as legitimate infrastructure.
  • Initial access methods included abusing public-facing applications, valid accounts, and vulnerabilities in appliances from Ivanti, Cisco, Fortinet, VMware, and Palo Alto Networks.
  • Attackers used CrossC2 beacons, TinyShell passive backdoors, credential harvesters, SSH brute-forcers, and custom keyloggers for staging and lateral movement.
  • Rapid7 warns that the campaign targets the underlying telecom platforms (bare-metal systems, cloud-native Kubernetes CNFs, and signaling protocols) and has released a scanner to detect infections.
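As an added defender-side example (not code from the article or Rapid7's scanner), the script below lists which processes own AF_PACKET raw sockets that receive every frame on every interface, the socket shape a BPFdoor-style kernel packet filter needs before it can watch traffic for its magic bytes; the /proc/net/packet and fd-link samples are constructed.

```python
"""Processes holding AF_PACKET raw sockets that see every frame on every interface,
the socket profile a BPFdoor-style kernel filter needs. Added example; samples constructed."""
import os
import re

ETH_P_ALL, SOCK_RAW, ANY_IFACE = 0x0003, 3, 0  # Proto "all", raw socket, any iface

def sniffer_inodes(packet_text):
    """Inodes from /proc/net/packet text that are raw, all-protocol, all-interface."""
    found = set()
    for line in packet_text.splitlines()[1:]:  # first line is the header row
        f = line.split()  # sk RefCnt Type Proto Iface R Rmem User Inode
        if (len(f) >= 9 and int(f[2]) == SOCK_RAW
                and int(f[3], 16) == ETH_P_ALL and int(f[4]) == ANY_IFACE):
            found.add(int(f[8]))
    return found

def owners_of(inodes, fd_links):
    """fd_links: {pid: [readlink targets of /proc/<pid>/fd/*]} -> {pid: [inode]}."""
    hits = {}
    for pid, targets in fd_links.items():
        for m in (re.fullmatch(r"socket:\[(\d+)\]", t) for t in targets):
            if m and int(m.group(1)) in inodes:
                hits.setdefault(pid, []).append(int(m.group(1)))
    return hits

def live_fd_links():
    """Read fd links from the real /proc (root needed to see every process)."""
    out = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            out[int(pid)] = [os.readlink(f"/proc/{pid}/fd/{fd}")
                             for fd in os.listdir(f"/proc/{pid}/fd")]
        except OSError:  # process exited or permission denied
            pass
    return out

def scan(packet_text, fd_links):
    return owners_of(sniffer_inodes(packet_text), fd_links)  # {pid: [inode, ...]}
# Constructed sample: 45321 is a raw ETH_P_ALL socket on every interface (sniffer
# profile); 45400 is an ordinary SOCK_DGRAM IPv4 packet socket bound to ifindex 2.
SAMPLE_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a1c 3      3    0003   0     1 0      0      45321
ffff9a2d 3      2    0800   2     1 0      0      45400
"""
SAMPLE_FDS = {4242: ["/dev/null", "socket:[45321]"], 7: ["socket:[45400]"]}
if __name__ == "__main__":  # live run; scan(SAMPLE_PACKET, SAMPLE_FDS) for the sample
    with open("/proc/net/packet") as fh:
        print(scan(fh.read(), live_fd_links()))
```

Legitimate sniffers (tcpdump, some DHCP or LLDP daemons) match the same socket profile, so treat hits as a triage list and inspect each pid's /proc/<pid>/exe and cmdline, since the implant is reported to masquerade as legitimate infrastructure.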

Read More: https://www.securityweek.com/chinese-hackers-caught-deep-within-telecom-backbone-infrastructure/