LightBasin attackers were observed using a novel technique to move stolen data between networks: SGSN emulation software used to support command-and-control (C2) activity. An SGSN (Serving GPRS Support Node) serves as the network access point for GPRS networks. The attackers combined the emulator, via a bash script, with TinyShell, an open-source Unix backdoor that has been used by several adversaries. The publicly available SGSN emulation software (sgsnemu) was used to tunnel TinyShell C2 traffic between the attackers’ server and the infected host over the GPRS Tunnelling Protocol (GTP), a group of IP-based communication protocols used to carry general packet radio service traffic, the researchers said.
Attackers may have resorted to this tactic because GTP-encapsulated traffic is potentially subject to less restriction by network security solutions, the researchers said. GTP-encapsulated TinyShell C2 traffic may also look less abnormal within a global mobile communications network, since it uses a protocol native to the compromised telecommunications infrastructure, they said. The script ran for only 30 minutes per day, as a scheduled job, and if no successful connection had been made by the end of the 30-minute window, the script would kill both the SGSN emulator and the TinyShell implant.
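To see what an inspection point on the interconnect would have to do to look past the GTP layer described above, here is an added example of a minimal GTPv1-U decapsulator. It is not CrowdStrike's code and is not from the original article; the sample packet, the TEID and the addresses it carries are constructed for the example, and the inner packet is built without checksums, which is enough for parsing but not for sending.

```python
"""Minimal GTPv1-U decapsulator (added example, not from the article).

Parses the GTPv1 header (3GPP TS 29.281), then the inner IPv4 header,
and reports the transport protocol and ports carried inside the tunnel,
which is what a decapsulating inspection point needs before it can apply
any policy to tunnelled traffic. Sample packet below is constructed.
"""
import struct

GTP_MSG_GPDU = 255  # G-PDU (T-PDU): carries a subscriber IP packet


def parse_ipv4(pkt):
    """Describe an IPv4 packet: addresses, transport protocol and ports."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    ihl = (pkt[0] & 0x0F) * 4          # header length in bytes
    proto = pkt[9]
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    sport = dport = None
    if proto in (6, 17) and len(pkt) >= ihl + 4:   # TCP or UDP: ports first
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    name = {6: "tcp", 17: "udp"}.get(proto, str(proto))
    return {"src": src, "dst": dst, "proto": name, "sport": sport, "dport": dport}


def parse_gtpu(data):
    """Return the GTPv1-U header fields and the decapsulated inner packet.

    Raises ValueError on anything that is not a well-formed GTPv1 message.
    """
    if len(data) < 8:
        raise ValueError("short GTP header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", data[:8])
    if flags >> 5 != 1 or not (flags & 0x10):
        raise ValueError("not GTPv1 (version or PT bit wrong)")
    hdr_len = 8
    # Sequence number, N-PDU number and next-extension type occupy 4 extra
    # octets together whenever any of the S, PN or E flags is set.
    if flags & 0x07:
        hdr_len += 4
        next_ext = data[11]
        while next_ext != 0:                   # extension headers, len in 4-octet units
            ext_len = data[hdr_len] * 4
            next_ext = data[hdr_len + ext_len - 1]
            hdr_len += ext_len
    if msg_type != GTP_MSG_GPDU:               # echo, error indication, etc.
        return {"teid": teid, "msg_type": msg_type, "inner": None}
    inner = data[hdr_len:8 + length]
    return {"teid": teid, "msg_type": msg_type, "inner": parse_ipv4(inner)}


def build_ipv4_tcp(src, dst, sport, dport):
    """Constructed IPv4/TCP SYN with zero checksums (parsing only)."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src_b, dst_b)
    return ip + tcp


def build_gpdu(teid, inner):
    """Wrap an inner packet in a GTPv1-U G-PDU with no optional fields."""
    return struct.pack("!BBHI", 0x30, GTP_MSG_GPDU, len(inner), teid) + inner


# Constructed sample: a TCP session to port 22 riding inside a GTP-U tunnel.
SAMPLE_GPDU = build_gpdu(0x1234, build_ipv4_tcp("10.20.30.40", "192.0.2.5", 40000, 22))

if __name__ == "__main__":
    r = parse_gtpu(SAMPLE_GPDU)
    print(f"TEID {r['teid']:#x} carries {r['inner']['proto']} "
          f"{r['inner']['src']}:{r['inner']['sport']} -> {r['inner']['dst']}:{r['inner']['dport']}")
```

Fed a capture from the GRX-facing interface, the same routine lets a defender tally which inner protocols and ports actually appear inside GTP-U rather than trusting the outer UDP/2152 label.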
“The script is used as a persistence mechanism; it runs continuously, but attempts to tunnel to each of the specified mobile stations, which in turn act as tunnels to the TinyShell C2 server,” said Jamie Harries and Dan Mayer, researchers at CrowdStrike.
The researchers said that securing the telecommunications sector comes with various challenges: these organizations have a partner-heavy nature and a focus on high-availability systems, while building and operating critical infrastructure used to communicate and store large amounts of sensitive information. In March, McAfee researchers uncovered a spy campaign that used a spear-phishing website, masquerading as a Huawei career page, to infect carriers with malware. Earlier in October, researchers discovered an espionage attack targeting telecommunications companies in the Middle East, the United States, Russia and Europe with the aim of stealing sensitive data from critical assets as well as gleaning information on victim infrastructure and technology.
“With the clear evidence that a highly sophisticated adversary is abusing these systems and the trust between different organizations, it is of the utmost importance to focus on improving the security of these networks,” said Harries and Mayer. “Given the significant value of intelligence to any state-sponsored adversary likely to be contained in telecommunications companies, CrowdStrike expects these organizations to continue to be targeted by sophisticated actors, further emphasizing the importance of securing all aspects of the telecommunications infrastructure beyond just focusing on the corporate network alone.”
A key recommendation for carriers is to ensure that the firewalls responsible for the GPRS network have rules in place to restrict network traffic to only the expected protocols, such as DNS or GTP, the researchers said. This could help stifle LightBasin’s ability to pivot between multiple carriers, since the compromised organizations had allowed all traffic between one another without identifying the protocols that were actually required.
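The recommendation above amounts to an allowlist on the GPRS interconnect firewall. As an added illustration (not CrowdStrike's code and not from the original article), the following evaluates constructed interconnect flow records against such an allowlist and tallies, per roaming partner, what an "allow everything between partners" rule would have let through. The partner prefixes, flow records and field names are assumptions made for the example; the port numbers are the standard IANA assignments for GTP-C, GTP-U and DNS.

```python
"""Allowlist audit for a GPRS roaming-interconnect firewall (added example).

Not the article's or CrowdStrike's code. Models the recommendation that
the firewall in front of the GPRS core permit only the protocols the
roaming relationship actually needs (GTP and DNS) and flag everything
else. Partner prefixes and flow records below are constructed.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Standard ports for the protocols a GRX peering normally needs.
EXPECTED_SERVICES = {
    ("udp", 2123): "GTP-C",   # GTP control plane (tunnel setup)
    ("udp", 2152): "GTP-U",   # GTP user plane (encapsulated subscriber IP)
    ("udp", 53): "DNS",       # APN / GRX name resolution
    ("tcp", 53): "DNS",       # DNS over TCP for large answers
}

# Hypothetical roaming-partner prefixes (documentation ranges).
PARTNER_PREFIXES = {
    "partner-A": ipaddress.ip_network("198.51.100.0/24"),
    "partner-B": ipaddress.ip_network("203.0.113.0/24"),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def partner_for(addr):
    """Name of the roaming partner owning addr, or None if unknown."""
    ip = ipaddress.ip_address(addr)
    for name, net in PARTNER_PREFIXES.items():
        if ip in net:
            return name
    return None


def evaluate(flow):
    """Return (verdict, reason) for one inbound interconnect flow."""
    partner = partner_for(flow.src)
    if partner is None:
        return ("deny", "source not a known roaming partner")
    service = EXPECTED_SERVICES.get((flow.proto, flow.dport))
    if service is None:
        return ("deny", f"{flow.proto}/{flow.dport} not an expected interconnect protocol")
    return ("allow", f"{service} from {partner}")


def audit(flows):
    """Evaluate every flow; return the denied ones plus a per-partner tally
    of unexpected (partner, proto, port) tuples, which is what is needed to
    turn an 'allow any' interconnect policy into an explicit allowlist."""
    denied = []
    unexpected = Counter()
    for f in flows:
        verdict, reason = evaluate(f)
        if verdict == "deny":
            denied.append((f, reason))
            unexpected[(partner_for(f.src) or "unknown", f.proto, f.dport)] += 1
    return denied, unexpected


# Constructed sample flows: normal GTP/DNS plus an SSH session, a high-port
# TCP session, and GTP-U from an address outside every partner prefix.
SAMPLE_FLOWS = [
    Flow("198.51.100.10", "192.0.2.5", "udp", 2123),
    Flow("198.51.100.10", "192.0.2.5", "udp", 2152),
    Flow("203.0.113.7", "192.0.2.9", "udp", 53),
    Flow("203.0.113.7", "192.0.2.5", "tcp", 22),
    Flow("203.0.113.7", "192.0.2.5", "tcp", 8080),
    Flow("192.0.2.200", "192.0.2.5", "udp", 2152),
]

if __name__ == "__main__":
    denied, unexpected = audit(SAMPLE_FLOWS)
    for flow, reason in denied:
        print(f"DENY {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {reason}")
    for (partner, proto, port), n in unexpected.items():
        print(f"{partner}: {n} x {proto}/{port} unexpected")
```

Run over real flow logs from the interconnect, the tally is the starting point for a review with each partner of which protocols are genuinely required before the firewall is switched from permissive to allowlist mode.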
“Also, since this is a common situation where parts of the network may in fact be managed by a third-party managed service provider as opposed to the telecommunications company itself, an assessment of the security controls in place with the partner must be undertaken to ensure that the systems are sufficiently protected,” the researchers said.