By NHI Mgmt Group Editorial Team
Published 2025-08-05
Domain: Breaches & Incidents
Source: Beyond Identity

TL;DR: Salt Typhoon’s JumbledPath campaign shows how stolen credentials, legacy remote access protocols, and edge devices can still be combined to reach telecom infrastructure, according to Beyond Identity. The lesson is that identity controls, device access, and protocol hardening must be treated as one NHI governance problem, not separate hygiene tasks.


At a glance

What this is: Beyond Identity’s analysis of Salt Typhoon’s JumbledPath malware shows how stolen credentials and legacy protocols can be chained to compromise telecom edge devices and persist inside networks.

Why it matters: For IAM and NHI practitioners, it reinforces that service access paths, device authentication, and protocol exposure can create an identity attack surface even when human login controls look sound.

👉 Read Beyond Identity’s analysis of Salt Typhoon’s JumbledPath campaign


Context

Salt Typhoon’s JumbledPath campaign is a reminder that NHI risk does not stop at cloud workloads and API keys. Legacy network devices, privileged service paths, and old authentication protocols such as SNMP, TACACS, and RADIUS can still become a workable identity layer for attackers when credentials are stolen or reused.

For telecom operators and their enterprise counterparts, the governance problem is broader than malware removal. If a remote access path still accepts weak or long-lived credentials, the attacker does not need to defeat the perimeter in the traditional sense. That makes the issue a combined IAM, NHI, and device-access control problem, not just a network defense problem.


Key questions

Q: How should security teams handle legacy network devices in NHI governance?

A: Security teams should treat legacy network devices as identity-bearing assets with ownership, rotation, and offboarding requirements. If a device still relies on static credentials or shared admin access, it belongs in the same control plane as other NHIs. That means inventorying it, limiting its reach, and retiring it where possible.

Q: Why do legacy protocols increase NHI risk?

A: Legacy protocols increase NHI risk because they often assume trust once a credential is accepted, with little device binding or continuous verification. That makes stolen passwords, keys, or tokens reusable across administrative paths. When the protocol layer is weak, identity controls degrade into simple access checks.

Q: What is the difference between password rotation and phishing-resistant access for NHIs?

A: Password rotation changes a secret on a schedule, while phishing-resistant access changes the authentication model itself by tying access to a device-bound cryptographic factor. Rotation helps reduce exposure time, but it does not remove the possibility of credential replay. Device-bound access is stronger when the goal is to stop stolen secrets from being reused.

Q: When do jump-hosts help, and when do they add risk?

A: Jump-hosts help when they limit direct exposure and centralise logging for sensitive administration. They add risk when they become a trusted relay that attackers can abuse to mask origin or inherit internal trust. The control is only effective when paired with strong authentication, monitoring, and least-privilege session access.


Technical breakdown

How stolen credentials turn legacy protocols into an access path

JumbledPath matters because it uses the trust model already present in many network environments. When a device, jump-host, or management plane accepts access based on a username and password, the attacker can authenticate as if they were legitimate and then blend into normal administrative traffic. Legacy protocols such as SNMP, TACACS, and RADIUS were built for operational reliability, not modern identity assurance. If those channels are not strongly protected, an attacker can harvest more credentials, observe authentication exchanges, and extend access from one device to the next.

Practical implication: Treat legacy protocol exposure as an identity control failure, not just a network hardening issue.

Why edge devices create NHI governance blind spots

Edge networking devices often sit outside the same identity lifecycle controls applied to cloud workloads and application secrets. They may use static credentials, inconsistent logging, and limited federation options, which makes offboarding and rotation harder to enforce. In practice, that means the device becomes both the resource and the authenticator, with little separation between administrative privilege and network reach. Once an attacker controls an edge device, they inherit a stable foothold that can outlast one password reset if adjacent credentials and trust paths remain intact.

Practical implication: Inventory edge devices as NHIs and bring them into rotation, review, and offboarding workflows.

Why jump-host chaining increases trust assumptions

A jump-host can reduce direct exposure, but it also creates a trusted intermediary that attackers can abuse if they gain access upstream. In this case, routing through a jump-host made malicious requests appear to come from an internal source, which weakens perimeter-based detection and complicates attribution. The architectural issue is not the jump-host itself, but the absence of strong device-bound identity and continuous verification across the path. The more trust is inherited from one hop to the next, the easier it becomes to hide in legitimate administration flows.

Practical implication: Require step-up controls and session visibility wherever a management path can confer broad device access.


Threat narrative

Attacker objective: The objective is durable access to telecom infrastructure and the ability to move through trusted device paths without triggering obvious alarms.

  1. Entry: The attacker gains access with stolen credentials and uses them against legacy remote access and management paths.
  2. Escalation: Once inside, the attacker extracts additional credentials from device configurations and intercepted authentication traffic.
  3. Impact: The attacker maintains persistent access across compromised edge devices while hiding origin through intermediary routing.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Legacy protocol exposure is now an NHI governance issue, not a network side issue. The article shows that stolen credentials remain effective when older device protocols still carry administrative trust. That means organisations cannot separate IAM policy from network operations when the same credential can unlock both access and visibility. Practitioners should fold edge devices, management planes, and protocol authentication into the NHI program.

JumbledPath exposes an identity blast radius problem. Once an attacker reaches a trusted device, the ability to pivot through that device and reuse its trust context expands the blast radius far beyond the initial login. This is the named concept practitioners should track: the identity blast radius is the amount of infrastructure exposed after a single credential or management hop is compromised. Teams need to reduce how much trust any one device can inherit.

Phishing-resistant MFA helps, but it does not close the whole path. The article correctly emphasises stronger authentication at entry, yet device administration often still depends on legacy patterns deeper in the stack. If authentication traffic, configuration data, and management channels remain exposed, a stronger front door only slows the attacker. Practitioners should view MFA as a necessary baseline control, not the end state.

Telemetry and federation are the difference between detection and blind trust. The malware succeeds partly because administrative actions can look like normal internal traffic. Better federation, device logs, and authentication traceability make it harder for an attacker to blend into trusted workflows. Security teams should prioritise auditability wherever operational devices still sit on the identity-critical path.

Telecom is a warning sector for every organisation that runs legacy infrastructure. The provider detail matters, but the pattern is broader: any enterprise with unmanaged edge devices, static credentials, or weak protocol boundaries can inherit the same risk. The practitioner conclusion is simple: if your management plane still trusts passwords and old protocols, your NHI governance is incomplete.

From our research:

  • 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which leaves most environments unable to verify where privileged machine access actually exists.
  • For a broader control view, 52 NHI Breaches Analysis shows how repeatable credential misuse becomes a durable intrusion pattern.

What this signals

Identity blast radius will become a useful planning concept for telecom, critical infrastructure, and any enterprise that still depends on management planes with inherited trust. If one compromised credential can expose multiple devices and protocols, the response model has to shift from account cleanup to blast-radius reduction through segmentation, device binding, and access tiering.

The programme-level signal is that administrative paths need the same scrutiny as application auth paths. Teams should expect more pressure to prove who or what accessed a device, through which intermediary, and with what credential type. That makes logging, federation, and lifecycle enforcement operational requirements, not optional hardening.

With NHIs outnumbering human identities by 25x to 50x in modern enterprises, the governance problem will only widen if edge devices remain outside standard identity review cycles. Practitioners should prepare for unified policies that cover service accounts, network appliances, and autonomous tooling together.


For practitioners

  • Inventory edge devices as NHIs: Classify routers, switches, firewalls, and other management-plane assets as non-human identities so they enter the same lifecycle review, ownership, and offboarding process as service accounts.
  • Replace password-only admin paths: Move administrative access to device-bound, phishing-resistant authentication where supported, and eliminate shared passwords for privileged device access.
  • Restrict and log management traffic: Limit access to known administrative sources, capture detailed device logs, and correlate jump-host activity with authentication events to detect origin masking.
  • Rotate and retire legacy secrets: Set aggressive rotation schedules for device credentials, SNMP strings, TACACS keys, and any static secrets that still protect edge infrastructure.
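An added example, not code from the page, Beyond Identity, or NHI Mgmt Group, of the correlation described in the jump-host chaining section above and in the "Restrict and log management traffic" item: it joins constructed jump-host session records with device authentication events and flags device admin logins that bypass the jump-host, arrive from the jump-host with no matching upstream session (the origin-masking pattern), inherit trust from a password-only upstream session, or use a clear-text transport. The jump-host address, log field names, method labels, and the 30-minute window are assumptions.

```python
from datetime import datetime, timedelta

JUMP_HOST = "10.0.0.5"                     # assumption: address of the management jump-host
ALLOWED_ADMIN_SOURCES = {JUMP_HOST}        # devices should accept admin sessions only from the jump-host
STRONG_METHODS = {"fido2", "certificate"}  # assumed labels for device-bound, phishing-resistant factors
LEGACY_TRANSPORTS = {"telnet"}             # clear-text management transport
WINDOW = timedelta(minutes=30)             # a device login must follow a jump-host session within this window

# Constructed sample logs (illustrative field names, not from the page).
# Jump-host sessions: who logged in, from where, with which authentication method.
JUMP_SESSIONS = [
    "2025-08-05T10:00:05Z user=alice src=192.0.2.10 method=fido2 session=s1",
    "2025-08-05T10:20:00Z user=svc-netops src=198.51.100.7 method=password session=s2",
]
# Device authentication events (TACACS accounting / syslog style): who reached which device, from where.
DEVICE_AUTHS = [
    "2025-08-05T10:00:40Z device=edge-rtr-01 user=alice src=10.0.0.5 proto=ssh",
    "2025-08-05T10:21:10Z device=edge-rtr-02 user=svc-netops src=10.0.0.5 proto=ssh",
    "2025-08-05T11:05:00Z device=edge-rtr-03 user=admin src=10.0.0.5 proto=telnet",
    "2025-08-05T11:30:00Z device=edge-rtr-04 user=admin src=203.0.113.9 proto=ssh",
]

def parse(line):
    """Turn 'timestamp key=value ...' into a dict; the timestamp becomes a datetime under 'ts'."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def correlate(jump_lines, device_lines, window=WINDOW):
    """Return one finding per suspicious device login, listing every reason it was flagged."""
    sessions = [parse(l) for l in jump_lines]
    findings = []
    for ev in (parse(l) for l in device_lines):
        reasons = []
        if ev["src"] not in ALLOWED_ADMIN_SOURCES:
            reasons.append("direct-admin-access")  # the jump-host was bypassed entirely
        else:
            # Jump-host sessions for the same user that began shortly before this device login.
            upstream = [s for s in sessions
                        if s["user"] == ev["user"] and timedelta(0) <= ev["ts"] - s["ts"] <= window]
            if not upstream:
                reasons.append("unattributed-jump-host-login")  # relay traffic with no known operator behind it
            elif not any(s["method"] in STRONG_METHODS for s in upstream):
                reasons.append("password-only-upstream")  # inherited trust rests on a replayable secret
        if ev["proto"] in LEGACY_TRANSPORTS:
            reasons.append("legacy-transport")
        if reasons:
            findings.append({"device": ev["device"], "user": ev["user"], "reasons": reasons})
    return findings
```

Calling `correlate(JUMP_SESSIONS, DEVICE_AUTHS)` returns three findings; edge-rtr-01 is not flagged because alice's device login follows a FIDO2 jump-host session inside the window.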

Key takeaways

  • Stolen credentials remain highly effective when legacy protocols and trusted device paths still exist in the environment.
  • Telecom-targeting malware such as JumbledPath shows that one compromised admin path can expand into a broad identity blast radius.
  • Security teams should bring edge devices, management planes, and static secrets into the same lifecycle and access controls used for NHIs.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | Legacy credentials and rotation gaps are central to the attack path described here.
NIST CSF 2.0 | PR.AC-4 | The article hinges on device access, authorization, and trust around privileged pathways.
NIST Zero Trust (SP 800-207) | | Jump-host chaining and inherited trust challenge continuous verification assumptions.

Review device and service credential rotation against NHI-03 and remove static secrets where possible.


Key terms

  • Identity Blast Radius: The amount of infrastructure, data, or administrative trust exposed after one identity or credential is compromised. In NHI environments, the blast radius often grows when devices, protocols, and shared secrets are allowed to inherit trust across multiple systems.
  • Legacy Protocol Exposure: The risk created when older administrative protocols still accept credentials or trust decisions without modern assurance controls. These protocols can be operationally useful, but they often lack device binding, strong auditability, or continuous verification.
  • Jump-Host Chaining: A method of routing administrative requests through one or more intermediary systems so the traffic appears to originate from a trusted internal source. This can improve control and logging, but it becomes a concealment layer when attackers compromise the relay path.
  • Phishing-Resistant Authentication: An authentication method that relies on cryptographic proof bound to a device or key rather than reusable secrets that can be phished or replayed. For NHIs and privileged access, it reduces credential theft risk but does not replace lifecycle governance.

Deepen your knowledge

Legacy device access, credential rotation, and phishing-resistant authentication are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your environment still depends on network devices or shared administrative trust, the course can help frame the governance gap.

This post draws on content published by Beyond Identity: Salt Typhoon: JumbledPath Malware Targeting US Telecom Providers. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-08-05.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org