Lightbasin Group Hacked 13 Telecom Companies In 2 Years

Posted by Megiddo (staff member)
The goal of the hackers was to collect subscriber information and metadata for intelligence services.

The cybercriminal group that security researchers have dubbed LightBasin has been breaking into mobile communications systems around the world for five years. Since 2019 the group has attacked more than a dozen telecommunications companies and maintained persistence on their networks using custom malware. The hackers' goal was to collect subscriber information and metadata for intelligence services.

LightBasin has been active since at least 2016 and mainly targets Linux and Solaris servers, although the hackers can also break into Windows systems when needed. In a new report, cybersecurity firm CrowdStrike characterizes LightBasin as a highly skilled team with a very robust operational security (OPSEC) strategy.

Researchers pieced together information about LightBasin's activity starting from an incident they investigated at one telecommunications company. It turned out that the attackers move from one compromised network to another over SSH, using implants planted in advance.

The list of attacked telecommunications systems includes external DNS (eDNS) servers, Service Delivery Platform (SDP) systems and SIM/IMEI registration systems. All of these are part of the General Packet Radio Service (GPRS) network, which provides inter-carrier roaming.

The researchers found that the attackers first gain access to an eDNS server over an SSH connection from the network of another compromised company. The experts also found signs that the hackers use brute-force attacks to gain access to systems, trying to log in with default credentials.

After a successful compromise, the group installs and runs custom malware, currently identified as SLAPSTICK, an Oracle Solaris PAM backdoor that gives the attackers password-based access to the system. Through this backdoor into Solaris, the attackers can steal passwords for logging into other systems and maintain persistence.

From the compromised telecommunications company's network, the group gained access to many eDNS servers through an implant that CrowdStrike specialists named PingPong.

PingPong receives commands via ICMP requests and sets up a reverse TCP shell to the IP address and port specified in the packet.

"eDNS servers are usually protected from outside access over the Internet by firewalls; the magic packet that PingPong listens for would therefore most likely be sent from the infrastructure of another compromised GPRS network," the researchers explained.

The experts discovered a reverse shell spawned by the PingPong implant that communicates over TCP port 53 (the default DNS port) with servers of other telecommunications companies in other parts of the world.
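A reverse shell on TCP/53 blends in with DNS only at the port level: a DNS-over-TCP message carries a 2-byte length prefix and a 12-byte header (RFC 1035, section 4.2.2), and DNS transactions are short. The following is an added example of a detection check built on that observation; it is not CrowdStrike's detection logic and the flow records, TEST-NET addresses and payloads are constructed for illustration.

```python
import struct
from dataclasses import dataclass


@dataclass
class Flow:
    """One connection summary (constructed; fields modelled on a Zeek conn.log)."""
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int
    duration_s: float
    first_bytes: bytes  # first client->server payload bytes captured


def build_dns_tcp_query(name: str, qtype: int = 1) -> bytes:
    """Encode a minimal DNS query for `name` with the 2-byte TCP length prefix."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # id, RD set, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode() for p in labels) + b"\x00"
    msg = header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS IN
    return struct.pack("!H", len(msg)) + msg


def looks_like_dns_over_tcp(payload: bytes) -> bool:
    """Sanity-check a DNS-over-TCP message: length prefix matches, header is plausible."""
    if len(payload) < 14:  # 2-byte prefix + 12-byte header minimum
        return False
    (msg_len,) = struct.unpack("!H", payload[:2])
    if msg_len != len(payload) - 2:
        return False
    _id, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[2:14])
    opcode = (flags >> 11) & 0xF
    z_bits = (flags >> 4) & 0x7
    # Legitimate messages use opcode 0..5, keep the reserved Z bits zero,
    # and carry at least one question.
    return opcode <= 5 and z_bits == 0 and 1 <= qdcount <= 16


def suspicious_tcp53(flows, max_dns_duration_s=30.0):
    """Return (flow, reasons) for TCP/53 flows that do not behave like DNS."""
    findings = []
    for f in flows:
        if f.proto != "tcp" or f.dport != 53:
            continue
        reasons = []
        if not looks_like_dns_over_tcp(f.first_bytes):
            reasons.append("payload-not-dns")
        if f.duration_s > max_dns_duration_s:
            reasons.append(f"long-lived({f.duration_s:.0f}s)")
        if reasons:
            findings.append((f, reasons))
    return findings


# Constructed sample flows from an eDNS host; addresses are documentation ranges.
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "198.51.100.5", "tcp", 53, 0.2, build_dns_tcp_query("example.com")),
    Flow("192.0.2.10", "203.0.113.7", "tcp", 53, 5400.0, b"sh-4.4$ uname -a\n"),
    Flow("192.0.2.10", "198.51.100.5", "udp", 53, 0.01, b"\x12\x34\x01\x00\x00\x01"),
]

if __name__ == "__main__":
    for flow, reasons in suspicious_tcp53(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}/tcp  {', '.join(reasons)}")
```

The payload check only needs the first message of a connection, so it works on the truncated payload excerpts most flow collectors keep; the duration threshold is a tuning knob, since zone transfers and DNS-over-TCP fallbacks are legitimately longer than a single lookup but still far shorter than an interactive shell session.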

To remain stealthy, the group adds iptables rules on the eDNS server that allow SSH connections to the five compromised companies.

On top of that, the hackers use a trojanized version of the iptables utility that strips from its output any lines containing the first two octets of the IP addresses belonging to the other compromised companies. This makes it difficult for administrators to spot the modified rules.
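A rule listing produced by a binary the attacker controls cannot be trusted on its own, so the practical check is to compare it against a listing obtained independently (for example from a known-good iptables binary run from rescue media, or from the kernel via a separate tool) and report anything the host's utility fails to show. The example below is added here and is not from the CrowdStrike report; both listings are constructed in `iptables -S` format using documentation address ranges.

```python
def parse_rules(listing: str) -> set:
    """Normalize `iptables -S` output lines into a set of canonical rule strings."""
    rules = set()
    for line in listing.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        rules.add(" ".join(line.split()))  # collapse whitespace differences
    return rules


def hidden_rules(utility_listing: str, reference_listing: str) -> list:
    """Rules present in the independent reference but absent from the host utility's output."""
    return sorted(parse_rules(reference_listing) - parse_rules(utility_listing))


def addresses_in(rules) -> list:
    """Collect -s/-d arguments so the analyst sees which peers were being hidden."""
    found = set()
    for rule in rules:
        tokens = rule.split()
        for flag in ("-s", "-d"):
            if flag in tokens:
                found.add(tokens[tokens.index(flag) + 1])
    return sorted(found)


# Constructed listing as printed by the iptables binary installed on the host.
FROM_HOST_BINARY = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
"""

# Constructed listing of the same ruleset taken from an independent source.
FROM_REFERENCE = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 198.51.100.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 203.0.113.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
"""

if __name__ == "__main__":
    missing = hidden_rules(FROM_HOST_BINARY, FROM_REFERENCE)
    for rule in missing:
        print("hidden from host iptables output:", rule)
    print("peers hidden:", addresses_in(missing))
```

Any non-empty difference is itself the finding: a correctly functioning utility lists every rule the kernel holds, so rules that appear only in the reference point at either a tampered binary or tampering between the two snapshots. Verifying the installed binary against the package manager's recorded checksums is the natural follow-up.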

In their report, CrowdStrike experts presented a list of the utilities and malware used by LightBasin:

CordScan - a network scanning and packet capture utility capable of fingerprinting and extracting information related to telecommunications protocols;

SIGTRANslator - an ELF binary capable of sending and receiving data via telecommunications (SIGTRAN) protocols;

Fast Reverse Proxy - an open-source reverse proxy tool;

Microsocks Proxy - a lightweight open-source SOCKS5 proxy server;

ProxyChains - an open-source tool that chains proxies together and routes network traffic through the chain.

CrowdStrike experts do not attribute the group to any country. However, Mandiant experts have found evidence that the SIGTRANslator developer knows Chinese.

PAM (Pluggable Authentication Modules) is a set of shared libraries that lets various low-level authentication methods be integrated behind a single high-level API. It gives administrators a unified mechanism for managing how applications take part in the authentication process and is part of the standard UNIX security mechanism.
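Because PAM loads whatever module its configuration names, a PAM backdoor such as the SLAPSTICK one described above ultimately shows up either as an unexpected module reference or as a replaced module file. The following added example (not from the CrowdStrike report) audits PAM configuration against a known-good baseline, handling both the Linux /etc/pam.d/<service> layout and the Solaris /etc/pam.conf layout, whose lines carry an extra leading service column. The baselines, module directories and sample configurations are constructed; a real baseline must be taken from a trusted host of the same OS release, and the module `pam_hyp_extra.so.1` and `pam_hyp_helper.so` are hypothetical names used only to trigger findings.

```python
from dataclasses import dataclass, field

PAM_TYPES = {"auth", "account", "password", "session"}


@dataclass
class PamEntry:
    service: str
    mtype: str
    control: str
    module: str
    args: list = field(default_factory=list)


def parse_pam(text: str, service=None) -> list:
    """Parse PAM config lines.

    With `service` given, lines are in pam.d form (type control module args).
    With `service` None, lines are in Solaris pam.conf form with the service
    name as the first column.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        svc = service
        if svc is None:
            svc, tokens = tokens[0], tokens[1:]
        if len(tokens) < 3:
            continue
        mtype = tokens[0].lstrip("-")  # leading '-' = do not log if module is missing
        if mtype not in PAM_TYPES:     # also skips Debian-style "@include" lines
            continue
        if tokens[1].startswith("["):  # bracketed control, e.g. [success=1 default=ignore]
            end = next(i for i, t in enumerate(tokens) if t.endswith("]"))
            control, rest = " ".join(tokens[1:end + 1]), tokens[end + 1:]
        else:
            control, rest = tokens[1], tokens[2:]
        if not rest:
            continue
        entries.append(PamEntry(svc, mtype, control, rest[0], rest[1:]))
    return entries


def audit(entries, allowed_modules, module_dirs) -> list:
    """Flag modules outside the baseline or loaded by path from outside the PAM module dirs."""
    findings = []
    for e in entries:
        if e.control in ("include", "substack"):  # references another config, not a module
            continue
        name = e.module.rsplit("/", 1)[-1]
        if "/" in e.module and not any(e.module.startswith(d + "/") for d in module_dirs):
            findings.append((e, "module loaded from outside PAM module directory"))
        elif name not in allowed_modules:
            findings.append((e, "module not in baseline"))
    return findings


# Constructed Solaris /etc/pam.conf excerpt with one injected entry.
SOLARIS_PAM_CONF = """\
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_cred.so.1
login   auth required           pam_unix_auth.so.1
other   auth sufficient         /var/tmp/pam_hyp_extra.so.1
sshd    account required        pam_unix_account.so.1
"""
SOLARIS_BASELINE = {"pam_authtok_get.so.1", "pam_dhkeys.so.1", "pam_unix_cred.so.1",
                    "pam_unix_auth.so.1", "pam_unix_account.so.1", "pam_unix_session.so.1"}

# Constructed Linux /etc/pam.d/sshd excerpt with one injected entry.
LINUX_SSHD_PAMD = """\
auth    required    pam_env.so
auth    [success=1 default=ignore]  pam_unix.so nullok
auth    requisite   pam_deny.so
auth    sufficient  pam_hyp_helper.so
account required    pam_unix.so
session optional    pam_keyinit.so force revoke
@include common-session
"""
LINUX_BASELINE = {"pam_env.so", "pam_unix.so", "pam_deny.so", "pam_permit.so", "pam_keyinit.so"}
LINUX_MODULE_DIRS = ["/lib/security", "/lib64/security", "/usr/lib64/security",
                     "/lib/x86_64-linux-gnu/security"]

if __name__ == "__main__":
    for entry, why in audit(parse_pam(SOLARIS_PAM_CONF), SOLARIS_BASELINE, ["/usr/lib/security"]):
        print(f"[pam.conf] {entry.service} {entry.mtype}: {entry.module}: {why}")
    for entry, why in audit(parse_pam(LINUX_SSHD_PAMD, "sshd"), LINUX_BASELINE, LINUX_MODULE_DIRS):
        print(f"[pam.d/sshd] {entry.mtype}: {entry.module}: {why}")
```

A configuration audit catches added or relocated modules; a replaced module file with an expected name and location does not change the configuration at all, so this check belongs alongside file-integrity verification of the module directories (package checksums or a hash baseline).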

iptables is a command-line utility that serves as the standard interface for managing the netfilter firewall in Linux kernels 2.4, 2.6, 3.x and 4.x. Superuser privileges are required to use it.