A highly sophisticated adversary named LightBasin active since 2016, has been identified as behind a string of attacks targeting the telecom sector with the goal of collecting “highly specific information” from mobile communication infrastructure, such as subscriber information and call metadata.
A recent incident investigation found the targeted intrusion actor taking advantage of external DNS servers to connect directly to and from other compromised telecom companies’ GPRS networks via SSH and through previously established backdoors such as Ping-Pong. The initial compromise is facilitated with the help of password spraying attacks, consequently leading to the installation of SLAPSTICK malware to steal passwords and pivot to other systems in the network.
Other indications based on telemetry data show the targeted intrusion actor’s ability to emulate GPRS network access points so as to perform C2 communications in conjunction with a Unix-based backdoor called TinyShell, thereby enabling the attacker to tunnel traffic through the telecommunications network.
Also Read : Harvest attack Telcos
Multiple tools in LightBasin’s malware arsenal is a network scanning and packet capture utility called “CordScan” that allows the operators to fingerprint mobile devices, as well as “SIGTRANslator,” an ELF binary that can transmit and receive data via the SIGTRAN protocol suite, which is used to carry public switched telephone network signaling over IP networks.
LightBasin’s ability to pivot between multiple telecommunications companies stems from permitting all traffic between these organizations without identifying the protocols that are actually required. The key recommendation here is for any telecommunications company to ensure that firewalls responsible for the GPRS network have rules in place to restrict network traffic to only those protocols that are expected, such as DNS or GTP.