Security News > 2021 > October > Crims target telcos' Linux and Solaris boxes, which don't get enough infosec love

Crims target telcos' Linux and Solaris boxes, which don't get enough infosec love
2021-10-20 05:40

Security vendor CrowdStrike claims it's spotted the group and that it "Has been consistently targeting the telecommunications sector at a global scale since at least 2016 to retrieve highly specific information from mobile communication infrastructure, such as subscriber information and call metadata." The gang appears to understand telco operations well enough to surf the carrier-to-carrier links that enable mobile roaming, across borders and between carriers, to spread its payloads.

"Whatever the group is called, the pair write that it"employs significant operational security measures, primarily establishing implants across Linux and Solaris servers, with a particular focus on specific telecommunications systems, and only interacting with Windows systems as needed.

"LightBasin's focus on Linux and Solaris systems is likely due to the combination of critical telecommunications infrastructure running on those operating systems, in addition to the comparatively lax security measures and monitoring solutions on Linux/Solaris systems that are typically in place on Windows operating systems within an organization," the pair wrote.

Harries and Mayer write that they've seen the group attack "By leveraging external DNS servers - which are part of the General Packet Radio Service network and play a role in roaming between different mobile operators - to connect directly to and from other compromised telecommunication companies' GPRS networks via SSH and through previously established implants."

The company's post suggests LightBasin uses some banal tactics like using default passwords, but that the group also knows telco kit well enough to implant the TinyShell backdoor in Serving GPRS Support Node emulator sgsnemu and use it to hop across mobile networks in search of servers to compromise.

CrowdStrike's researchers suggest carriers can keep LightBasin in the dark by ensuring that "Firewalls responsible for the GPRS network have rules in place to restrict network traffic to only those protocols that are expected, such as DNS or GTP". The firm also recommends that *nix implementations in telco-land need "Basic security controls and logging in place for process execution, file integrity monitoring for recording file changes of key configuration files)".


News URL

https://go.theregister.com/feed/www.theregister.com/2021/10/20/linux_solaris_under_attack_at_telcos/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Linux 18 397 1368 1114 696 3575