Criminals attack poorly secured Unix servers at telecommunications companies • The Register
A mysterious gang of criminals is targeting the Linux and Solaris boxes of telecommunication companies realizing that they are not being watched by infosec teams that have focused their efforts on securing Windows.
Security vendor CrowdStrike claims to have discovered the group and “has been targeting the telecommunications sector on a global scale since at least 2016 … to retrieve highly specific information from the mobile communications infrastructure, such as subscriber information and call metadata”. The gang seem to understand telecommunications operations well enough to search the carrier-to-carrier links that enable mobile roaming across borders and between carriers to distribute its payloads.
CrowdStrike’s chief advisor, Jamie Harries, and senior security researcher Dan Mayer called the group “LightBasin”, but it is also called “UNC1945”.
Whatever the name of the group, the couple writes that they employ âsignificant operational security measures (OPSEC), mostly installing implants on Linux and Solaris servers, with a particular focus on specific telecommunication systems and only interacting with Windows systems when needed .
“LightBasin’s focus on Linux and Solaris systems is probably due to the combination of the critical telecommunications infrastructure that runs on these operating systems, in addition to the comparatively lax security measures and monitoring solutions on Linux / Solaris systems.” [compared to measures] which are normally present on Windows operating systems within an organization, “the two wrote.
This assessment suggests that the security situation of telecommunications companies is worse for their operating technology than for their other systems. Which is rather scary.
Whatever OS LightBasin attacks, its efforts are crafty and based on in-depth expertise.
Harries and Mayer write that they saw the group attack “using external DNS servers (eDNS) – which are part of the General Packet Radio Service (GPRS) network and play a role in roaming between different cellular providers – to get one to connect directly to and from the GPRS networks of other compromised telecommunications companies via SSH and through previously established implants. “
CrowdStrike claims to have found 13 telecommunications companies that the gang broke.
The company’s post suggests that LightBasin use some mundane tactics like using default passwords, but that the group also knows the Telco kit well enough to implant the TinyShell backdoor in the Serving GPRS Support Node emulator
sgsnemu and use it to hop over mobile networks in search of servers that could compromise.
Some LightBasin codes contain strings that use pinyin – the standard for transliterating Chinese to Roman text. However, CrowdStrike does not believe the gang is connected to China, and in fact has not hypothesized any connection to any nation-state.
CrowdStrike researchers suggest that carriers can keep LightBasin in the dark by ensuring that “the firewalls in charge of the GPRS network have rules to restrict network traffic to only the expected protocols like DNS or GTP”. The company also recommends that * nix implementations in telecommunications land “require basic security controls and logging (e.g. file changes to key configuration files)”.
That your carrier may not yet have Linux and Solaris running core network services is perhaps the most frightening thing about the CrowdStrike results. Â®