Cybereason exposes Chinese threat actors that compromise telecommunication providers

guest · Aug 3, 2021

Cybereason exposes Chinese threat actors that compromise telecommunication providers
The findings were outlined in a report that highlighted attack trends to leverage third-party service providers
August 3, 2021
https://www.calcalistech.com/ctech/articles/0,7340,L-3914061,00.html

Israeli cybersecurity company Cybereason has announced the discovery of several previously unidentified cyberattack campaigns that have infiltrated telecommunications providers across Southeast Asia. The campaigns are similar to recent SolarWinds and Kayesya attacks seen around the world and were the motivation for a report, DeadRinger: Exposing Chinese Threat Actors Targeting Major Telcos, following the Biden Administration's rebuke of China’s Ministry of State Security.

“The attacks are very concerning because they undermine the security of critical infrastructure providers and expose the confidential and proprietary information of both public and private organizations that depend on secure communications for conducting business,” said Cybereason CEO and co-founder Lior Div.
According to Cybereason, there was a significant overlap in tactics, techniques, and procedures (TTPs) across the three operations that strongly aligned with Chinese state interests.
Click to expand...

The report outlined how adaptive attackers would work to obscure their activity and maintain persistence on infected systems.

“The attacks were discovered in 2021, however, forensic evidence shows that the attackers compromised the networks since 2017 - and remained undetected for at least three years. The different APT groups involved in the attacks used various advanced techniques to evade detection and remain under the radar.”
Click to expand...

Cybereason: DeadRinger: Exposing Chinese Threat Actors Targeting Major Telcos

KEY FINDINGS

Adaptive, Persistent and Evasive: The highly adaptive attackers worked diligently to obscure their activity and maintain persistence on the infected systems, dynamically responding to mitigation attempts after having evaded security efforts since at least 2017, an indication that the targets are of great value to the attackers.

Microsoft Exchange Vulnerabilities Exploited: Similar to the HAFNIUM attacks, the threat actors exploited recently disclosed vulnerabilities in Microsoft Exchange Servers to gain access to the targeted networks. They then proceeded to compromise critical network assets such as Domain Controllers (DC) and billing systems which contain highly sensitive information like Call Detail Record (CDR) data, allowing them access to the sensitive communications of anyone using the affected telecoms’ services.

High Value Espionage Targets: Based on previous findings from the Operation Soft Cell Report Cybereason published in 2019, as well as other published analysis of operations conducted by these threat actors, it is assessed that the telecoms were compromised in order to facilitate espionage against select targets. These targets are likely to include corporations, political figures, government officials, law enforcement agencies, political activists and dissident factions of interest to the Chinese government.

Operating in the Interest of China: Three distinct clusters of attacks have varying degrees of connection to APT groups Soft Cell, Naikon and Group-3390 -- all known to operate in the interest of the Chinese government. Overlaps in attacker TTPs across the clusters are evidence of a likely connection between the threat actors, supporting the assessment that each group was tasked with parallel objectives in monitoring the communications of specific high value targets under the direction of a centralized coordinating body aligned with Chinese state interests.

Click to expand...

According to our analysis, Cluster A was executed by the Soft Cell activity group, a group that is known to have attacked Telcos in the past in multiple regions and believed to be operating on behalf of Chinese state interests.

Cluster B was discovered in late 2020 and exhibited a different set of tools and techniques, including the rare Nebulae backdoor and the previously undocumented EnrollLogger keylogger. We suspect that the activity in this cluster was carried out by the Naikon APT group, a very active cyber espionage group previously attributed to the Chinese People’s Liberation Army’s (PLA).

Cluster C is the oldest among the clusters, with first signs of intrusions going back to 2017. This cluster exhibited a rare OWA backdoor that shows considerable code and functionality similarities to previously documented backdoors that were used by the Group-3390 (APT27), an infamous cyber espionage APT group operating on behalf of Chinese state interests.
Click to expand...

guest · Oct 20, 2021

China-linked LightBasin group accessed calling records from telcos worldwide
October 20, 2021
https://securityaffairs.co/wordpress/123588/apt/lightbasin-cyberspies.html

A China-linked hacking group, tracked as LightBasin (aka UNC1945), hacked mobile telephone networks around the globe and used specialized tools to access calling records and text messages from telecommunications companies.

The cyberespionage group has been active since at least 2016, according to the CrowdStrike researchers it is using a very sophisticated toolset. CrowdStrike researchers reported that at least 13 telecommunication companies were compromised by since 2019.
Click to expand...

The campaign was uncovered by CrowdStrike by investigating a series of security incidents in multiple countries, the security firm added that the threat actors show an in-depth knowledge of telecommunications network architectures.

“LightBasin (aka UNC1945) is an activity cluster that has been consistently targeting the telecommunications sector at a global scale since at least 2016, leveraging custom tools and an in-depth knowledge of telecommunications network architectures.” reads the report published by Crowdstrike.
Click to expand...

Once compromised the eDNS servers, the attackers deployed a custom backdoor, tracked as SLAPSTICK, that allowed them to access the Solaris Pluggable Authentication Module (PAM). The implant was used by LightBasin to steal passwords to access other systems and deploy additional implants.
Later, the hacking group accessed multiple eDNS servers from compromised telecommunications companies and used another implant tracked as PingPong.

Additionally, the actor used a trojanized version of the iptables utility that removed output containing the first two octets from IP addresses belonging to other hacked companies, making it more difficult for admins to find the modified rules.
Researchers noticed that LightBasin uses a novel technique involving the use of SGSN emulation software for C2 connections involving also the TinyShell open-source backdoor.

“TinyShell is an open-source Unix backdoor used by multiple adversaries; however, LightBasin uniquely combined this implant with the publicly available SGSN emulator sgsnemu
Click to expand...

The report also includes info about additional malware and utilities used by the group along with a set of recommendations and Indicators of Compromise (IoCc).
Click to expand...

Crowdstrike: LightBasin: A Roaming Threat to Telecommunications Companies

LightBasin (aka UNC1945) is an activity cluster that has been consistently targeting the telecommunications sector at a global scale since at least 2016, leveraging custom tools and an in-depth knowledge of telecommunications network architectures.

Recent findings highlight this cluster’s extensive knowledge of telecommunications protocols, including the emulation of these protocols to facilitate command and control (C2) and utilizing scanning/packet-capture tools to retrieve highly specific information from mobile communication infrastructure, such as subscriber information and call metadata.

The nature of the data targeted by the actor aligns with information likely to be of significant interest to signals intelligence organizations.

CrowdStrike Intelligence assesses that LightBasin is a targeted intrusion actor that will continue to target the telecommunications sector. This assessment is made with high confidence and is based on tactics, techniques and procedures (TTPs), target scope, and objectives exhibited by this activity cluster. There is currently not enough available evidence to link the cluster’s activity to a specific country-nexus.

Click to expand...

Rasheed187 · Oct 23, 2021

mood said: ↑

China-linked LightBasin group accessed calling records from telcos worldwide
October 20, 2021
https://securityaffairs.co/wordpress/123588/apt/lightbasin-cyberspies.html

Crowdstrike: LightBasin: A Roaming Threat to Telecommunications Companies
Click to expand...

More proof that Unix based systems aren't as secure as thought. From what I understood, hackers were able to hack them from remote and succesfully managed to get malware up and running for a long period of time.

Log in or Sign up

Cybereason exposes Chinese threat actors that compromise telecommunication providers

guest Guest

guest Guest

Rasheed187 Registered Member

Log in or Sign up

Cybereason exposes Chinese threat actors that compromise telecommunication providers

guest Guest

guest Guest

Rasheed187 Registered Member

Useful Searches