LightBasin Hackers Breach at Least 13 Telecom Service Providers Since 2019
2021-10-20 01:01

A highly sophisticated adversary tracked as LightBasin has been identified as the actor behind a string of attacks on the telecom sector, with the goal of collecting "highly specific information" from mobile communication infrastructure, such as subscriber records and call metadata.

Active since at least 2016, LightBasin is believed to have compromised 13 telecommunications companies around the world since 2019, relying on custom tooling and an extensive working knowledge of telecom protocols to move through operators' networks rather than on exploits for any one product.

In a recent incident investigated by CrowdStrike, the actor was found using external DNS (eDNS) servers, which sit inside the GPRS network and support roaming between operators, to connect directly to and from other compromised telecom companies' GPRS networks over SSH and through previously planted backdoors such as PingPong. Because eDNS hosts are reachable from roaming partners by design, one compromised operator becomes a springboard into the next.

Initial access was obtained through password-spraying attacks against externally reachable hosts, followed by installation of SLAPSTICK, a Solaris PAM (Pluggable Authentication Module) backdoor that logs the credentials of users authenticating to the host; the harvested passwords were then used to pivot to other systems in the network.
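Password spraying leaves a distinctive trace in authentication logs: one source trying many different usernames a few times each, rather than one username many times. The following detector, added here as an illustration and not part of the original article or CrowdStrike's report, runs that check over a handful of constructed sshd log lines and also reports whether a spraying source later obtained a successful login, which is the point at which a SLAPSTICK-style implant would be dropped. Hostnames, addresses, usernames and thresholds are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log lines (syslog format); not real data.
SAMPLE_AUTH_LOG = """\
Oct 19 03:00:01 sgsn01 sshd[4101]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Oct 19 03:00:03 sgsn01 sshd[4103]: Failed password for invalid user test from 198.51.100.7 port 51023 ssh2
Oct 19 03:00:05 sgsn01 sshd[4105]: Failed password for root from 198.51.100.7 port 51024 ssh2
Oct 19 03:00:07 sgsn01 sshd[4107]: Failed password for invalid user support from 198.51.100.7 port 51025 ssh2
Oct 19 03:00:09 sgsn01 sshd[4109]: Failed password for oracle from 198.51.100.7 port 51026 ssh2
Oct 19 03:00:11 sgsn01 sshd[4111]: Failed password for invalid user backup from 198.51.100.7 port 51027 ssh2
Oct 19 03:02:40 sgsn01 sshd[4140]: Accepted password for oracle from 198.51.100.7 port 51031 ssh2
Oct 19 03:05:00 sgsn01 sshd[4170]: Failed password for root from 203.0.113.9 port 40001 ssh2
Oct 19 03:05:02 sgsn01 sshd[4171]: Failed password for root from 203.0.113.9 port 40002 ssh2
Oct 19 03:05:04 sgsn01 sshd[4172]: Failed password for root from 203.0.113.9 port 40003 ssh2
Oct 19 03:10:00 sgsn01 sshd[4200]: Accepted publickey for ops from 10.20.0.5 port 50100 ssh2
"""

# Matches both failed and successful sshd password/publickey events.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_ts(ts, year=2021):
    # syslog timestamps carry no year; assume one for the example
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def detect_password_spray(log_text, min_users=5, window=timedelta(minutes=10)):
    """Return {src_ip: finding} for sources that fail authentication against at
    least `min_users` distinct usernames within `window`. A spray differs from a
    brute force in that the username, not the password, is what varies."""
    failures = defaultdict(list)   # src -> [(ts, user)]
    successes = defaultdict(list)  # src -> [(ts, user)]
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        bucket = failures if m["result"] == "Failed" else successes
        bucket[m["src"]].append((parse_ts(m["ts"]), m["user"]))

    findings = {}
    for src, events in failures.items():
        events.sort()
        # sliding window anchored at each failure; stop at the first window that
        # crosses the distinct-username threshold
        for i, (start, _) in enumerate(events):
            in_window = [(t, u) for t, u in events[i:] if t - start <= window]
            users = {u for _, u in in_window}
            if len(users) < min_users:
                continue
            later = sorted(t_u for t_u in successes.get(src, []) if t_u[0] >= start)
            findings[src] = {
                "distinct_users": len(users),
                "attempts": len(in_window),
                "first_seen": start,
                # a success after the spray is the likely initial-access moment
                "later_success": later[0] if later else None,
            }
            break
    return findings


if __name__ == "__main__":
    for src, f in detect_password_spray(SAMPLE_AUTH_LOG).items():
        print(src, f)
```

In the sample, 198.51.100.7 tries six usernames once each and then logs in as "oracle", so it is reported with the successful login attached; 203.0.113.9 hammers "root" three times, which is a brute force rather than a spray and stays below the distinct-user threshold. On a real host, feed it `journalctl -u sshd` or `/var/log/auth.log` output and lower `min_users` on hosts with few legitimate accounts.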

Among the tools in LightBasin's arsenal is a network scanning and packet capture utility called "CordScan" that carries built-in logic for fingerprinting common telecommunications protocols and pulling data from infrastructure such as the Serving GPRS Support Node (SGSN), as well as "SIGTRANslator," an ELF binary that can transmit and receive data over the SIGTRAN protocol suite, which carries SS7 signaling for the public switched telephone network over IP networks.

"The key recommendation here is for any telecommunications company to ensure that firewalls responsible for the GPRS network have rules in place to restrict network traffic to only those protocols that are expected, such as DNS or GTP," CrowdStrike added. In practice that means a default-deny policy on the roaming-facing boundary, so that an eDNS or SGSN host can neither accept nor initiate SSH sessions with a partner operator's address space.
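The recommendation is concrete enough to check mechanically. The code below, added here as an example rather than taken from the article or from CrowdStrike, defines an allowlist of the protocols expected across a GPRS roaming boundary (DNS on port 53, GTP-C on UDP 2123, GTP-U on UDP 2152 and GTP' charging on 3386), audits a set of constructed connection records against it, and emits an equivalent nftables ruleset for enforcement. The partner and local address ranges, the interface name `grx0` and the flow records are all assumptions; flows are taken to be recorded in initiator-to-responder direction, as a stateful firewall or conntrack log would record them.

```python
import ipaddress
from dataclasses import dataclass

# Protocols expected across a GPRS roaming (GRX) boundary, keyed by
# (transport, destination port). Assumed for the example; tune per network.
ALLOWED = {
    ("udp", 53), ("tcp", 53),       # DNS (eDNS lookups between operators)
    ("udp", 2123),                  # GTP-C signaling
    ("udp", 2152),                  # GTP-U user-plane tunnels
    ("udp", 3386), ("tcp", 3386),   # GTP' charging
}

# Constructed address ranges: roaming partners reach us via these networks.
PARTNER_NETS = [ipaddress.ip_network("198.51.100.0/24"),
                ipaddress.ip_network("203.0.113.0/24")]


@dataclass(frozen=True)
class Flow:
    """One connection record, initiator -> responder (as conntrack logs it)."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def is_partner(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PARTNER_NETS)


def check_flow(flow):
    """Return None if the flow is expected, otherwise a reason string.
    Only flows that cross the partner boundary are judged; internal traffic is
    out of scope for this policy."""
    src_partner, dst_partner = is_partner(flow.src), is_partner(flow.dst)
    if not (src_partner or dst_partner):
        return None
    if (flow.proto, flow.dport) in ALLOWED:
        return None
    direction = "inbound from" if src_partner else "outbound to"
    return f"unexpected {flow.proto}/{flow.dport} {direction} partner network"


def audit(flows):
    """Return [(flow, reason)] for every flow that violates the allowlist."""
    findings = []
    for flow in flows:
        reason = check_flow(flow)
        if reason:
            findings.append((flow, reason))
    return findings


def nftables_ruleset(iface="grx0"):
    """Render ALLOWED as an nftables forward chain for the roaming interface:
    replies to accepted sessions pass, listed protocols pass in both
    directions, everything else touching the interface is logged and dropped."""
    lines = [
        "table inet gprs_edge {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
        "    ct state established,related accept",
    ]
    for proto, port in sorted(ALLOWED):
        lines.append(f'    iifname "{iface}" {proto} dport {port} accept')
        lines.append(f'    oifname "{iface}" {proto} dport {port} accept')
    lines += [
        f'    iifname "{iface}" log prefix "grx-unexpected-in: " drop',
        f'    oifname "{iface}" log prefix "grx-unexpected-out: " drop',
        "  }",
        "}",
    ]
    return "\n".join(lines)


# Constructed sample: 10.40.1.10 plays the eDNS host, 10.40.2.5 the SGSN.
SAMPLE_FLOWS = [
    Flow("udp", "198.51.100.53", 40211, "10.40.1.10", 53),     # partner DNS query
    Flow("udp", "198.51.100.20", 2123, "10.40.2.5", 2123),     # GTP-C from partner
    Flow("udp", "10.40.2.5", 2152, "198.51.100.20", 2152),     # GTP-U to partner
    Flow("tcp", "198.51.100.53", 51022, "10.40.1.10", 22),     # SSH into eDNS
    Flow("tcp", "10.40.1.10", 48000, "203.0.113.77", 22),      # eDNS SSH out to another operator
    Flow("tcp", "198.51.100.53", 51100, "10.40.1.10", 8080),   # stray HTTP-alt
    Flow("tcp", "10.40.1.10", 50000, "10.40.9.9", 22),         # internal, not judged
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"{flow.src}:{flow.sport} -> {flow.dst}:{flow.dport}  {reason}")
    print(nftables_ruleset())
```

The two SSH records are the pattern described in the incident: a partner address reaching the eDNS host, and the eDNS host reaching out to a second operator. Note the policy keys on the responder port only, which is why flows must be recorded by initiator; if you feed it unidirectional packet samples, DNS replies with source port 53 and an ephemeral destination port would be flagged as noise. The generated ruleset is a starting point rather than a finished firewall: the chain still uses `policy accept` so it does not silently drop traffic on other interfaces, and the drop rules match only the roaming interface.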


News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/wgFFxk2ihOI/lightbasin-hackers-breach-at-least-13.html