
A group of hackers that security researchers call LightBasin has been compromising mobile telecommunication systems across the world for the past five years.

Since 2019, the group has hacked into more than a dozen telecommunication companies and maintained persistence through custom malware, to steal data that would serve intelligence organizations.

LightBasin has been active since at least 2016 and targets Linux and Solaris servers in particular, although it did interact with Windows systems where needed, in its mission to steal subscriber information and call metadata.

In a report today, cybersecurity company CrowdStrike says that the threat actor is a sophisticated group with a strong operational security (OPSEC) strategy.

The researchers pieced together LightBasin activity starting from an incident they investigated at one telecommunications company.

They learned that the adversary would hop from one compromised network to another via an SSH connection and “previously established implants.”

Among the telecommunications systems that LightBasin targeted are External DNS (eDNS) servers, Service Delivery Platform (SDP) systems, and SIM/IMEI provisioning, all of which are part of the General Packet Radio Service (GPRS) network that enables roaming between mobile operators.

During their investigation, CrowdStrike found that the threat actor first accessed an eDNS server through an SSH connection from the network of another compromised company.

The researchers found evidence of LightBasin brute-forcing their way onto the system by trying the default credentials for the targeted system.

Following a successful compromise, the threat actor installed and executed custom malware that is currently tracked as SLAPSTICK - a backdoor for the Solaris Pluggable Authentication Module (PAM) that gives access to the system based on a hardcoded password.

With backdoor access to the target Solaris system, LightBasin could steal passwords to pivot to other systems and establish persistence through the same method.

At a later time, the hackers accessed multiple eDNS servers from a compromised telco through an implant that CrowdStrike named PingPong.

PingPong would receive commands through an ICMP request to set up a TCP reverse shell to an IP address and port specified in the packet.

“eDNS servers are usually protected from general external internet access by firewalls; the magic packet PingPong listens for would most likely have to be sent from other compromised GPRS network infrastructure” - CrowdStrike

The researchers say that they noticed reverse shells created by the PingPong implant that talked via TCP port 53 (the default for DNS) to servers of other telecommunication companies in other parts of the world.

To maintain a low profile, LightBasin also added iptables rules to the eDNS server that allowed SSH communication from five compromised companies.

Additionally, the actor used a trojanized version of the iptables utility that removed output containing the first two octets of IP addresses belonging to other hacked companies, making it more difficult for admins to find the modified rules.

Novel technique to move data between networks

CrowdStrike notes that LightBasin relies on a novel technique to move traffic via the telecommunications network, which involves specific software emulation and the use of TinyShell, a common open-source Unix backdoor.

The actor created a bash script that combined the TinyShell backdoor and publicly available software (sgsnemu2) that emulates GPRS network access points - the so-called Serving GPRS Support Nodes (SGSNs) - to move traffic between networks via specific mobile stations.

Although the script ran on the system at all times, it only executed specific steps during a half-hour window every day, similar to a scheduled task.

The role of the SGSN emulator was to establish an alternate communication route if TinyShell failed to connect to the command and control (C2) IP address via a route added on the interface tun0.

“If connectivity to the IP address fails, the script executes the SGSN emulator in a loop, attempting to connect to a set of nine pairs of International Mobile Subscriber Identity (IMSI) and Mobile Subscriber Integrated Services Digital Network (MSISDN) numbers that are used as arguments to the SGSN emulator; these numbers identify specific mobile devices, or mobile stations, for the SGSN emulator to create tunnels to. This process generates Packet Data Protocol (PDP) context requests for mobile stations with the IMSI/MSISDN number pairs until a connection is established. If a connection is established, the SGSN emulator creates a connection to the device via the GPRS Tunnelling Protocol (GTP), and utilizes the interface tun0 for the connection.”
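The PingPong implant described above is triggered by a "magic" ICMP echo request, so one thing a defender watching an eDNS segment can do is triage every echo request whose payload is not the filler an ordinary ping client sends. The script below is an added example written for this article; it is not CrowdStrike's code and does not reproduce PingPong's format. It assumes the filler patterns of iputils ping (an 8-byte timestamp followed by bytes 0x10 upward) and Windows ping.exe (`abcdefghijklmnopqrstuvwabcdefghi`); the frames it inspects are constructed in-line with RFC 5737 documentation addresses, and the `build_echo_request` helper exists only to produce that sample input.

```python
"""Triage IPv4 ICMP echo requests for payloads that do not look like a normal ping.

Added example (not from the article or CrowdStrike). All frames are constructed
below; nothing is sent or captured from a network.
"""
import math
import re
import struct

# Filler bytes of common ping clients (assumption: iputils puts a struct timeval
# first and then bytes 0x10, 0x11, ...; Windows ping.exe sends 32 ASCII letters).
IPUTILS_FILLER = bytes(range(0x10, 0x10 + 48))
WINDOWS_FILLER = b"abcdefghijklmnopqrstuvwabcdefghi"

# Dotted quad optionally followed by :port, e.g. "203.0.113.44:53".
ADDR_PORT_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b")


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the ICMP header and payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: random data approaches 8.0, ASCII filler stays well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(data.count(b) / n * math.log2(data.count(b) / n) for b in set(data))


def parse_echo_request(frame: bytes):
    """Return (src, dst, payload) for an IPv4 ICMP echo request with a valid checksum, else None."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != 1:                     # IP protocol 1 = ICMP
        return None
    src = ".".join(map(str, frame[12:16]))
    dst = ".".join(map(str, frame[16:20]))
    icmp = frame[ihl:]
    if len(icmp) < 8 or icmp[0] != 8 or icmp[1] != 0:   # type 8 / code 0 = echo request
        return None
    if icmp_checksum(icmp) != 0:          # a correct checksum folds to zero when included
        return None
    return src, dst, icmp[8:]


def looks_like_standard_ping(payload: bytes) -> bool:
    """True when the payload is the filler of a known ping client (any -s size)."""
    if payload == WINDOWS_FILLER:
        return True
    body = payload[8:]                    # skip the iputils timestamp
    return len(body) > 0 and IPUTILS_FILLER.startswith(body)


def triage_payload(payload: bytes) -> list:
    """Return the reasons a payload deserves a look; an empty list means it looks like ping."""
    if looks_like_standard_ping(payload):
        return []
    reasons = ["payload is not a known ping filler"]
    if ADDR_PORT_RE.search(payload):
        reasons.append("payload contains an address:port string")
    ent = shannon_entropy(payload)
    if ent > 6.0:
        reasons.append("payload entropy %.1f bits/byte" % ent)
    return reasons


def build_echo_request(src: str, dst: str, payload: bytes, ident=0x1234, seq=1) -> bytes:
    """Construct a sample IPv4/ICMP echo request frame (IP header checksum left zero)."""
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = icmp_checksum(hdr + payload)
    icmp = struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip_hdr + icmp


# Constructed sample set: two ordinary pings and two that merit investigation.
SAMPLE_FRAMES = [
    ("linux-ping", build_echo_request("192.0.2.10", "198.51.100.5", b"\x00" * 8 + IPUTILS_FILLER)),
    ("windows-ping", build_echo_request("192.0.2.11", "198.51.100.5", WINDOWS_FILLER)),
    ("odd-text", build_echo_request("203.0.113.44", "198.51.100.5", b"xx 203.0.113.44:53 xx")),
    ("random-bytes", build_echo_request("203.0.113.45", "198.51.100.5", bytes(range(256)))),
]


def find_suspicious(frames):
    """Return {label: (src, reasons)} for echo requests whose payload is not ordinary ping filler."""
    hits = {}
    for label, frame in frames:
        parsed = parse_echo_request(frame)
        if parsed is None:
            continue
        src, _dst, payload = parsed
        reasons = triage_payload(payload)
        if reasons:
            hits[label] = (src, reasons)
    return hits


if __name__ == "__main__":
    for label, (src, reasons) in find_suspicious(SAMPLE_FRAMES).items():
        print(label, src, "; ".join(reasons))
```

On a real eDNS host the frames would come from a packet capture on the interface facing the GRX/IPX peers; the point of the filler check is that a listener such as PingPong is only useful to its operator if the trigger carries data a normal ping never would, so the residue after removing ordinary pings is small enough to review by hand.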

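The SGSN emulator loop quoted above, seen from the GGSN or a GTP-aware sensor, is a single peer issuing Create PDP Context Requests for several IMSI/MSISDN pairs in quick succession from an address that is not one of the operator's own SGSNs. The following is an added example, not code from the article, CrowdStrike or the sgsnemu tool: a small GTPv1-C parser that pulls the IMSI and MSISDN information elements out of such requests and flags peers that are not on an allowlist or that cycle through many subscribers. Field layouts follow 3GPP TS 29.060 as this example understands them; the allowlist, churn threshold, datagrams and addresses (RFC 5737 ranges) are all constructed, and `build_create_pdp_request` only produces the sample input.

```python
"""Parse GTPv1-C Create PDP Context Requests and flag unexpected SGSN peers.

Added example (not from the article, CrowdStrike or sgsnemu). Every datagram is
constructed in memory; nothing is sent.
"""
import struct
from collections import defaultdict

GTPC_PORT = 2123                    # UDP port for GTP-C (for the capture filter)
CREATE_PDP_CONTEXT_REQUEST = 0x10   # GTPv1-C message type, TS 29.060
IE_IMSI = 0x02                      # TV information element, fixed 8 octets, TBCD digits
IE_MSISDN = 0x85                    # TLV: 2-octet length, 1 octet number type, TBCD digits

KNOWN_SGSN_PEERS = {"192.0.2.10", "192.0.2.11"}   # constructed allowlist of the operator's SGSNs
IMSI_CHURN_THRESHOLD = 3                          # distinct IMSIs from one peer that warrant a look


def tbcd_encode(digits: str) -> bytes:
    """Telephony BCD: two digits per octet, first digit in the low nibble, 0xF pad."""
    if len(digits) % 2:
        digits += "F"
    return bytes(int(digits[i + 1], 16) << 4 | int(digits[i], 16)
                 for i in range(0, len(digits), 2))


def tbcd_decode(data: bytes) -> str:
    """Inverse of tbcd_encode; the 0xF padding nibble is dropped."""
    return "".join("%X" % nib for b in data for nib in (b & 0x0F, b >> 4) if nib != 0xF)


def build_create_pdp_request(imsi: str, msisdn: str, seq: int) -> bytes:
    """Construct a minimal Create PDP Context Request (GTPv1, PT=1, sequence flag set)."""
    body = bytes([IE_IMSI]) + tbcd_encode(imsi)
    msisdn_val = b"\x91" + tbcd_encode(msisdn)        # 0x91 = international E.164 number
    body += bytes([IE_MSISDN]) + struct.pack("!H", len(msisdn_val)) + msisdn_val
    optional = struct.pack("!HBB", seq, 0, 0)         # sequence number, N-PDU, next extension
    header = struct.pack("!BBHI", 0x32, CREATE_PDP_CONTEXT_REQUEST, len(optional) + len(body), 0)
    return header + optional + body


def parse_gtpc(datagram: bytes):
    """Return (msg_type, {"imsi": ..., "msisdn": ...}) for a GTPv1-C message, or None if malformed."""
    if len(datagram) < 8:
        return None
    flags, msg_type, length, _teid = struct.unpack("!BBHI", datagram[:8])
    if flags >> 5 != 1 or not flags & 0x10:          # version 1 and PT=1 (GTP, not GTP')
        return None
    body = datagram[8:8 + length]
    if len(body) != length:
        return None
    if flags & 0x07:                                  # E, S or PN set: 4 optional octets follow
        body = body[4:]
    ies, pos = {}, 0
    while pos < len(body):
        ie_type = body[pos]
        if ie_type == IE_IMSI:
            if pos + 9 > len(body):
                return None
            ies["imsi"] = tbcd_decode(body[pos + 1:pos + 9])
            pos += 9
        elif ie_type & 0x80:                          # TLV-encoded element
            if pos + 3 > len(body):
                return None
            ln = struct.unpack("!H", body[pos + 1:pos + 3])[0]
            val = body[pos + 3:pos + 3 + ln]
            if len(val) != ln:
                return None
            if ie_type == IE_MSISDN and ln > 1:
                ies["msisdn"] = tbcd_decode(val[1:])  # skip the number-type octet
            pos += 3 + ln
        else:
            return None                               # TV element of unknown size: give up

    return msg_type, ies


def triage_gtpc(records, known_peers=KNOWN_SGSN_PEERS, churn=IMSI_CHURN_THRESHOLD):
    """records: iterable of (src_ip, gtpc_datagram). Returns {src_ip: [reasons]}."""
    imsis, requests = defaultdict(set), defaultdict(int)
    for src, dgram in records:
        parsed = parse_gtpc(dgram)
        if parsed is None or parsed[0] != CREATE_PDP_CONTEXT_REQUEST:
            continue
        requests[src] += 1
        if "imsi" in parsed[1]:
            imsis[src].add(parsed[1]["imsi"])
    findings = {}
    for src, count in requests.items():
        reasons = []
        if src not in known_peers:
            reasons.append("Create PDP Context Request from unknown peer")
        if len(imsis[src]) >= churn:
            reasons.append("%d distinct IMSIs in %d requests" % (len(imsis[src]), count))
        if reasons:
            findings[src] = reasons
    return findings


# Constructed sample: one legitimate SGSN and one unknown host cycling through subscribers.
SAMPLE_RECORDS = [
    ("192.0.2.10", build_create_pdp_request("001010123456789", "441234567890", 1)),
    ("203.0.113.7", build_create_pdp_request("001010000000001", "441000000001", 1)),
    ("203.0.113.7", build_create_pdp_request("001010000000002", "441000000002", 2)),
    ("203.0.113.7", build_create_pdp_request("001010000000003", "441000000003", 3)),
]

if __name__ == "__main__":
    for src, reasons in triage_gtpc(SAMPLE_RECORDS).items():
        print(src, "; ".join(reasons))
```

Fed with the UDP payloads of port 2123 traffic from a capture on the Gn/Gp side, the same two checks apply unchanged; the allowlist is the operator's real SGSN inventory, and the churn threshold is tuned to how many subscribers a genuine SGSN legitimately attaches per interval, since the emulator's loop over nine IMSI/MSISDN pairs in a half-hour window is what separates it from normal signalling.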