Cisco Systems Inc.

09/02/2025 | News release | Distributed by Public on 09/02/2025 06:07

Closing the Backdoor in TACACS+: Why Full-Session Encryption Matters More Than Ever

Salt Typhoon Didn't Hack Their Way In - They Logged In

The Salt Typhoon campaign, a sophisticated operation attributed to state-sponsored actors, revealed a chilling reality: attackers don't always need exploits to breach critical infrastructure. Instead, they used stolen credentials and protocol weaknesses to blend in seamlessly.

Here's how their playbook unfolded, based on reports from Cisco Talos and other sources:

  1. Target Administrators: Attackers focused on network operators with high privileges, managing routers, switches, and firewalls.
  2. Harvest TACACS+ Traffic: Traditional TACACS+ encrypts only the password field, leaving usernames, authorization messages, accounting exchanges, and commands in plaintext, vulnerable to interception.
  3. Steal Credentials: Attackers captured TACACS+ traffic to extract passwords (crackable offline) and other sensitive data, such as device configurations, to enable unauthorized access.
  4. Exfiltrate Data: TACACS+ sessions and device configurations were quietly collected and sent offshore for analysis, masquerading as normal admin traffic.
  5. Blend in as Admins: Using stolen credentials, attackers authenticated like legitimate administrators, issuing commands and generating logs that appeared routine.
  6. Evade Detection: By analyzing plaintext accounting data, attackers understood log patterns and cleared traces (e.g., .bash_history, auth.log) to cover their tracks.
  7. Move Laterally and Persist: Over months or years, they expanded access across devices, maintaining durable footholds in critical infrastructure.

The brilliance of the campaign wasn't in breaking the system. It was in living inside the system by abusing weaknesses in an outdated protocol.

The campaign's success lay in exploiting TACACS+'s outdated security model, turning routine admin traffic into a goldmine for attackers.

The Legacy Problem: TACACS+ in a Modern Threat Environment

TACACS+ (Terminal Access Controller Access-Control System Plus) has been a cornerstone of device administration for decades, providing authentication, authorization, and accounting (AAA). However, its design reflects a pre-Zero Trust era:

  • Limited Encryption: Only the password field is encrypted; usernames, commands, authorization replies, and accounting data remain in plaintext.
  • Replay Risk: Without cryptographic session binding, captured TACACS+ traffic could theoretically be reused to authenticate or execute commands, though specific evidence of this in Salt Typhoon is limited.
  • Predictable Logs: Plaintext accounting messages allow attackers to study and anticipate log entries, aiding evasion tactics like log clearing.
  • Trusted-Network Assumption: TACACS+ was built for internal networks, not modern environments with remote access or untrusted connections.

These flaws make TACACS+ a liability in today's threat landscape, where attackers exploit intercepted traffic to impersonate admins.
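As an added example (not code from the Cisco release), the following Python check shows what a defender can read off the wire for each exposure listed above: on the legacy TCP/49 service the TACACS+ header is plaintext, so the packet type and session are visible and the body beyond the password is exposed, while a flow on the TLS port carries nothing readable. The TLS port number and both sample packets are assumptions constructed for the demo.

```python
import struct
from dataclasses import dataclass

TACACS_TLS_PORT = 300          # assumed: TCP port requested for TACACS+ over TLS 1.3 in the IETF draft
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # RFC 8907 header flag: body sent with no obfuscation at all
PACKET_TYPES = {1: "authentication", 2: "authorization", 3: "accounting"}

@dataclass
class TacacsHeader:
    major: int
    minor: int
    ptype: str
    seq_no: int
    flags: int
    session_id: int
    body_len: int

def parse_header(data: bytes) -> TacacsHeader:
    """Parse the 12-byte TACACS+ header (RFC 8907, section 4.1)."""
    if len(data) < 12:
        raise ValueError("short TACACS+ header")
    version, ptype, seq_no, flags, session_id, body_len = struct.unpack("!BBBBII", data[:12])
    return TacacsHeader(version >> 4, version & 0x0F, PACKET_TYPES.get(ptype, "unknown"),
                        seq_no, flags, session_id, body_len)

def assess_flow(dst_port: int, first_packet: bytes) -> list:
    """Return defender findings for one client->server TACACS+ flow.
    On the TLS port the header sits inside the TLS record and nothing is readable, so
    nothing is flagged. On the legacy port the header is readable and the body (usernames,
    commands, accounting records) is exposed beyond the password field; with the
    unencrypted flag the body is not obfuscated at all."""
    if dst_port == TACACS_TLS_PORT:
        return []
    hdr = parse_header(first_packet)
    findings = [f"legacy TACACS+ on tcp/{dst_port}: {hdr.ptype} exchange exposed on the wire"]
    if hdr.flags & TAC_PLUS_UNENCRYPTED_FLAG:
        findings.append("TAC_PLUS_UNENCRYPTED_FLAG set: body carried with no obfuscation")
    return findings

# Constructed samples (not real captures): an obfuscated authentication START on tcp/49,
# and an accounting REQUEST sent with the unencrypted flag set.
SAMPLE_AUTHEN = struct.pack("!BBBBII", 0xC0, 1, 1, 0x00, 0x1A2B3C4D, 32)
SAMPLE_ACCT_CLEAR = struct.pack("!BBBBII", 0xC0, 3, 1, 0x01, 0x55667788, 64)

if __name__ == "__main__":
    for port, pkt in [(49, SAMPLE_AUTHEN), (49, SAMPLE_ACCT_CLEAR), (TACACS_TLS_PORT, SAMPLE_AUTHEN)]:
        print(port, assess_flow(port, pkt))
```

Run over the first client packet of each TACACS+ flow from a capture, this gives an inventory of which devices still talk legacy TACACS+ and which ones have moved to the TLS service.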

Why Replay Attacks Are a Concern

While not explicitly confirmed in Salt Typhoon's tactics, the risk of replay attacks in traditional TACACS+ is significant due to its lack of session-specific cryptographic protections:

  • Authentication Replay: Captured authentication exchanges could potentially be reused to gain access.
  • Authorization Replay: Stolen authorization tokens might allow attackers to execute privileged commands.
  • Command Replay: Recorded command strings could be repeated to mimic legitimate admin actions.

This vulnerability stems from TACACS+'s absence of ephemeral keys or timestamps, making captured traffic appear valid. Salt Typhoon's credential theft and log manipulation highlight how such weaknesses can be exploited to blend into normal operations.

Cisco's Answer: TACACS+ Over TLS 1.3

Cisco has addressed these vulnerabilities with TACACS+ over TLS 1.3 in Cisco Identity Services Engine (ISE) 3.4 Patch 2 and later releases, delivering a robust, standards-aligned solution for securing device administration. This implementation leverages TLS 1.3 to provide:

  • Full-Session Encryption: All TACACS+ traffic (usernames, authorization replies, commands, and accounting data) is encrypted, eliminating plaintext exposure.
  • Replay Protection: Ephemeral session keys ensure each exchange is unique and non-replayable, rendering captured sessions useless.
  • Modern Cipher Suites: TLS 1.3 uses secure, up-to-date ciphers, hardened against downgrade and interception attacks.

This solution directly counters the vulnerabilities exploited by Salt Typhoon, such as plaintext data exfiltration and potential session reuse, ensuring admin traffic remains confidential and tamper-proof.

Going Beyond Encryption: Stopping Credential Abuse with MFA

Encryption secures data in transit, but stolen credentials remain a risk. Cisco's ecosystem integrates Cisco ISE with Cisco Duo multi-factor authentication (MFA) to address this:

  • Duo MFA: Requires a second factor for device admin logins, neutralizing stolen or intercepted credentials.
  • Zero Trust Alignment: Continuous verification ensures that even valid credentials cannot be used without additional authentication, thwarting impersonation attempts or credential theft.

This combination strengthens administrative access controls, aligning with Zero Trust principles of never trusting and always verifying.

Why This Matters Now

Identity-based attacks, like Salt Typhoon, are increasingly common among nation-state and criminal actors. Rather than relying on exploits, attackers target protocols and credentials to gain persistent access. For organizations using traditional TACACS+:

  • You risk exposing usernames, commands, and accounting data in plaintext.
  • You are vulnerable to credential theft and potential session replay.
  • Your logs can be studied and manipulated by attackers.
  • You may not meet modern compliance standards, such as NIST 800-53, FIPS 140-3, or PCI DSS, which require strong encryption and authentication.

Cisco's TACACS+ over TLS 1.3, combined with Duo MFA, offers a leading solution to secure device administration, supported by Cisco's extensive experience in network security.

The Takeaway

Attackers like Salt Typhoon exploit weaknesses in outdated protocols to impersonate admins and persist undetected. Traditional TACACS+ leaves critical data exposed and vulnerable.

With Cisco ISE 3.4 Patch 2 and Duo MFA, you can:

  • Encrypt all TACACS+ traffic with TLS 1.3
  • Prevent credential theft and session replay
  • Block unauthorized access with MFA
  • Protect logs from analysis and tampering
  • Meet compliance requirements (e.g., NIST, FIPS, PCI DSS)
  • Implement Zero Trust for device administration

Security threats evolve rapidly. Your AAA strategy must keep pace. Cisco's solution empowers you to secure your administrators and protect your infrastructure from sophisticated attacks.


Cisco Systems Inc. published this content on September 02, 2025, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on September 02, 2025 at 12:07 UTC.