• Full‑session encryption critical for modern TACACS+ security.
• Attackers use stolen credentials and protocol weaknesses to breach infrastructure.
• Cisco Talos reports highlight need for end‑to‑end encryption.
• Encryption protects against credential theft and traffic analysis.
• Modernizing TACACS+ reduces risk of lateral movement attacks.

Article Summaries:

  • Salt Typhoon, a state‑backed threat group, demonstrated that modern attackers can breach critical infrastructure without exploits, by taking advantage of the legacy TACACS+ protocol instead. The campaign targeted high‑privilege network operators, captured TACACS+ traffic, and extracted passwords and device configurations from the protocol’s plaintext fields. With stolen credentials, the attackers impersonated legitimate administrators, issued commands, and cleared logs to evade detection. Over months, they expanded lateral movement and maintained persistent access. The incident highlights TACACS+’s shortcomings: only the password is encrypted, there is no session‑binding or replay protection, and accounting data remains in cleartext. These gaps underscore the need for full‑session encryption in today’s threat landscape.

Sources: