LightBasin hackers breach at least 13 telecom service providers since 2019

A highly sophisticated adversary named LightBasin has been identified as behind a series of attacks targeting the telecommunications industry in an attempt to collect “very specific information” from the mobile communications infrastructure, such as subscriber information and call metadata.

“The nature of the data targeted by the actor corresponds to information that may be of significant interest to signals intelligence organizations,” researchers from cybersecurity firm CrowdStrike said in an analysis released Tuesday.

Known to be active since 2016, LightBasin (aka UNC1945) has reportedly compromised 13 telecom companies around the world since 2019 by leveraging custom tools and in-depth knowledge of telecom protocols to subvert organizations’ defenses. The identity of the targeted entities was not disclosed, nor did the findings establish a link between the cluster’s activity and a specific country.


Indeed, a recent incident investigated by CrowdStrike revealed that the adversary was using external DNS (eDNS) servers to connect directly to the GPRS networks of other compromised telecommunications companies over SSH and through previously established backdoors such as PingPong. Initial compromise is achieved through password-spraying attacks, which lead to the installation of the SLAPSTICK malware to steal passwords and pivot to other systems on the network.

Telemetry data further shows that the adversary is able to emulate GPRS network access points in order to carry out command-and-control communications in conjunction with a Unix-based backdoor called TinyShell, allowing the attacker to tunnel traffic through the telecommunications network.

Among the multiple tools in LightBasin’s malware arsenal is a network scanning and packet capture utility called “CordScan,” which lets operators fingerprint mobile devices, as well as “SIGTRANslator,” an ELF binary that can transmit and receive data over the SIGTRAN protocol suite, which is used to carry public switched telephone network (PSTN) signaling over IP networks.


“It’s no surprise that servers need to communicate with each other as part of roaming agreements between carriers; however, LightBasin’s ability to pivot between multiple telecommunications companies stems from allowing all traffic between those organizations without identifying the protocols that are actually required,” CrowdStrike noted.

“As such, the main recommendation here is that any carrier should ensure that the firewalls responsible for the GPRS network have rules in place to restrict network traffic to only the expected protocols, such as DNS or GTP,” the company added.
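The allow-list approach CrowdStrike recommends can also be applied retroactively to existing firewall logs. The following is an added example, not code from the CrowdStrike report: it audits constructed flow records from a GPRS roaming interface against an assumed allow-list of DNS and GTP ports and flags anything else, such as a partner eDNS host opening SSH towards an internal node.

```python
# Added example (not from the CrowdStrike report): audit firewall flow records
# from a GPRS roaming (GRX) interface and flag partner traffic that is not a
# protocol the roaming agreement needs. Ports and sample records are assumed.
# Assumed allow-list: DNS plus GTP control/user plane.
ALLOWED = {
    ("udp", 53): "DNS", ("tcp", 53): "DNS",
    ("udp", 2123): "GTP-C",  # GTP control plane
    ("udp", 2152): "GTP-U",  # GTP user plane
}

def parse_flow(line):
    """Parse a constructed 'src dst proto dport' firewall record."""
    src, dst, proto, dport = line.split()
    return src, dst, proto.lower(), int(dport)

def classify(proto, dport):
    """Name the allowed protocol, or 'DENY:<proto>/<port>' if not expected."""
    name = ALLOWED.get((proto, dport))
    return name if name else f"DENY:{proto}/{dport}"

def audit(lines):
    """Return (src, dst, verdict) for each flow the allow-list rejects."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        src, dst, proto, dport = parse_flow(line)
        verdict = classify(proto, dport)
        if verdict.startswith("DENY"):
            findings.append((src, dst, verdict))
    return findings

# Constructed sample: a partner eDNS host doing DNS and GTP (expected), then the
# same host opening SSH towards an internal node, the pivot the report describes.
SAMPLE_LOG = """\
198.51.100.10 192.0.2.5 udp 53
198.51.100.10 192.0.2.20 udp 2123
198.51.100.10 192.0.2.20 udp 2152
198.51.100.10 192.0.2.30 tcp 22
198.51.100.11 192.0.2.30 tcp 8080
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG.splitlines()):
        print("unexpected partner traffic:", *finding)
```

The same allow-list is what the GPRS firewall rules themselves should encode; the audit only shows which existing flows such rules would have blocked.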

The findings also come as cybersecurity firm Symantec disclosed details of a never-before-seen advanced persistent threat (APT) group dubbed “Harvester,” which has been linked to an information-theft campaign targeting the telecommunications, government and information technology sectors in South Asia since June 2021 using a custom implant called “Graphon.”
