[HN Gopher] GTPDOOR - A novel backdoor tailored for covert acces...
___________________________________________________________________
GTPDOOR - A novel backdoor tailored for covert access over the
roaming exchange
Author : LinuxBender
Score : 26 points
Date : 2024-03-04 19:06 UTC (3 hours ago)
(HTM) web link (doubleagent.net)
(TXT) w3m dump (doubleagent.net)
| mike_d wrote:
| For context this is a tool deployed by a Chinese-based threat
| actor referred to as LightBasin [1]. I believe them to be an
| adjacent team to the more well known Mustang Panda [2], but
| focused specifically on access to telecom infrastructure.
|
| 1. https://malpedia.caad.fkie.fraunhofer.de/actor/lightbasin 2.
| https://malpedia.caad.fkie.fraunhofer.de/actor/mustang_panda
| haxrob wrote:
| > I believe them to be an adjacent team to the more well known
| Mustang Panda
|
| This is interesting - the attribution for this actor has
| remained elusive for quite some time due to their consistent
| operational security.
|
| Could you elaborate on how you came to this attribution? And to
| what confidence?
| kramerger wrote:
| I think it would be more interesting to keep quiet about this and
| monitor what type of information this backdoor is used to access.
|
| The counterintelligence that would give you should be far more
| valuable.
| sterlind wrote:
| Are GTP packets exchanged between peering providers? As in, would
| the C2 server have to be operated by a complicit telco in order
| to receive the packets? Or do they make it to the public Internet
| somewhere?
|
| If it's the former, then it seems very un-stealthy. Like, if the
| GTP packets are making their way back to e.g. China Unicom, it's
| going to be hard to deny they were in on the operation. Which,
| maybe they don't care, but it seems like they're risking
| blacklisting.
| haxrob wrote:
| Recommend taking a read of CrowdStrike's write up on this [1].
|
| The threat actor maintains a presence on the roaming exchange
| through compromising "at least 13 telecommunication companies".
|
| > If it's the former, then it seems very un-stealthy
|
| In this article there is one example where the outbound
| connectivity to the Internet was via a "SGSN emulator in a
| loop, attempting to connect to a set of nine pairs of
| International Mobile Subscriber Identity (IMSI) and Mobile
| Subscriber Integrated Services Digital Network (MSISDN)
| numbers."
|
| In this example, the transit traffic before egress to the
| Internet would appear to be legitimate subscriber traffic -
| user payload encapsulated in a PDP context / GTP tunnel to
| another telco's GGSN / packet gateway.
|
| > Which, maybe they don't care, but it seems like they're
| risking blacklisting.
|
| By compromising so many telcos, there are many points of
| redundancy for persistence on the roaming exchange. This threat
| actor has remained on telco networks for many years undetected
| - their techniques are apparently quite effective.
|
| [1] https://www.crowdstrike.com/blog/an-analysis-of-
| lightbasin-t...
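The comment above contrasts GTP-C signalling (echo and PDP context messages) with GTP-U tunnels that carry a subscriber's own IP packet to another telco's GGSN. The following is an added example, not code from the thread, from the doubleagent.net write-up or from the CrowdStrike report: a minimal GTPv1 header decoder that splits a datagram seen on the roaming exchange into control plane and user plane by UDP port (2123 and 2152, per 3GPP TS 29.060), pulls the inner IPv4 addresses out of a G-PDU, and flags two things a practitioner would want to see: a message type on the wrong port, and an Echo Request that carries bytes beyond its header. That last check is a general heuristic assumed here (the spec gives Echo Request only an optional Private Extension IE), not a claim about how GTPDOOR itself works. All packets are constructed inline, not captured traffic, and the helper names are this example's own.

```python
import struct
import ipaddress

GTP_C_PORT = 2123  # GTP-C: echo and PDP context signalling (3GPP TS 29.060)
GTP_U_PORT = 2152  # GTP-U: G-PDU frames carrying the subscriber's IP packet

MESSAGE_NAMES = {
    1: "Echo Request",
    2: "Echo Response",
    16: "Create PDP Context Request",
    17: "Create PDP Context Response",
    255: "G-PDU",
}


def parse_gtpv1(data: bytes) -> dict:
    """Decode the 8-byte GTPv1 header plus the optional seq/N-PDU/ext bytes.
    The length field counts everything after the first 8 bytes, including the
    optional fields, so the payload is data[offset:8 + length]."""
    if len(data) < 8:
        raise ValueError("short GTP header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", data[:8])
    if flags >> 5 != 1:
        raise ValueError(f"not GTPv1 (version {flags >> 5})")
    if not flags & 0x10:
        raise ValueError("PT=0: GTP' (charging protocol), not GTP")
    end = 8 + length
    if end > len(data):
        raise ValueError("truncated GTP message")
    offset, seq = 8, None
    if flags & 0x07:  # any of E, S, PN set: the 4 optional bytes are present
        if length < 4:
            raise ValueError("optional fields flagged but length too small")
        seq, _npdu, _next_ext = struct.unpack("!HBB", data[8:12])
        offset = 12
    return {
        "msg_type": msg_type,
        "name": MESSAGE_NAMES.get(msg_type, f"type {msg_type}"),
        "teid": teid,
        "seq": seq,
        "payload": data[offset:end],
    }


def parse_inner_ipv4(payload: bytes) -> dict:
    """Decode just enough of the tunnelled IPv4 packet to see who is talking."""
    if len(payload) < 20 or payload[0] >> 4 != 4:
        raise ValueError("G-PDU payload is not an IPv4 packet")
    return {
        "src": str(ipaddress.IPv4Address(payload[12:16])),
        "dst": str(ipaddress.IPv4Address(payload[16:20])),
        "proto": payload[9],
    }


def inspect(dst_port: int, data: bytes) -> dict:
    """Classify one GTP datagram from the roaming exchange and flag oddities."""
    hdr = parse_gtpv1(data)
    result = {
        "plane": {GTP_C_PORT: "control", GTP_U_PORT: "user"}.get(dst_port, "unknown"),
        "name": hdr["name"],
        "teid": hdr["teid"],
        "inner": None,
        "finding": None,
    }
    is_gpdu = hdr["msg_type"] == 255
    if dst_port == GTP_U_PORT and is_gpdu:
        # Ordinary subscriber traffic: user payload inside a PDP context tunnel.
        result["inner"] = parse_inner_ipv4(hdr["payload"])
    elif dst_port == GTP_C_PORT and is_gpdu:
        result["finding"] = "G-PDU on GTP-C port 2123"
    elif dst_port == GTP_U_PORT and not is_gpdu:
        result["finding"] = f"{hdr['name']} on GTP-U port 2152"
    elif hdr["msg_type"] == 1 and hdr["payload"]:
        # Heuristic assumed here, not a GTPDOOR signature: an Echo Request
        # carries nothing beyond its header except an optional Private
        # Extension IE, so trailing bytes deserve a second look.
        result["finding"] = f"Echo Request carries {len(hdr['payload'])} unexpected payload bytes"
    return result


def build_gtpv1(msg_type: int, teid: int, payload: bytes = b"", seq=None) -> bytes:
    """Build a GTPv1 datagram; used only to construct the samples below."""
    flags, opt = 0x30, b""  # version 1, PT=1
    if seq is not None:
        flags |= 0x02  # S bit: sequence number present
        opt = struct.pack("!HBB", seq, 0, 0)
    body = opt + payload
    return struct.pack("!BBHI", flags, msg_type, len(body), teid) + body


# Constructed samples, not captured traffic.
INNER_IP = bytes.fromhex("4500001400004000401100000a00000108080808")  # UDP 10.0.0.1 -> 8.8.8.8
ECHO_OK = build_gtpv1(1, 0, seq=1)
ECHO_PAYLOAD = build_gtpv1(1, 0, payload=b"\x00" * 8, seq=2)
GPDU = build_gtpv1(255, 0x12345678, payload=INNER_IP)
```

Run `inspect(GTP_U_PORT, GPDU)` to see the "legitimate subscriber traffic" shape the comment describes: a G-PDU whose inner IPv4 header names the subscriber and the Internet host, with the TEID identifying the PDP context. On a real exchange this port-only classification is deliberately simple; a production check would also key on the expected SGSN/GGSN peers and on TEIDs learned from the Create PDP Context exchange.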
| iJohnDoe wrote:
| Pretty amazing. Great write up.
|
| This is really advanced stuff and when it comes to infiltrating
| telco communications, it's usually done at the highest levels of
| state actors, to listen in or tap connections of countries and
| their president's communications.
|
| Also, the equipment is extremely expensive and getting access to
| it to craft exploits offline is costly. Exploiting it in the wild
| has its own risks.
___________________________________________________________________
(page generated 2024-03-04 23:00 UTC)