Crims target telcos' Linux and Solaris boxes, which don't get enough infosec love

CrowdStrike says 'LightBasin' gang avoids Windows, and knows that telco networks run on badly-secured *nix


A mysterious criminal gang is targeting telcos' Linux and Solaris boxes, because it perceives they aren't being watched by infosec teams that have focussed their efforts on securing Windows.

Security vendor CrowdStrike claims it's spotted the group and that it "has been consistently targeting the telecommunications sector at a global scale since at least 2016 … to retrieve highly specific information from mobile communication infrastructure, such as subscriber information and call metadata." The gang appears to understand telco operations well enough to surf the carrier-to-carrier links that enable mobile roaming, across borders and between carriers, to spread its payloads.

CrowdStrike principal consultant Jamie Harries and senior security researcher Dan Mayer named the group "LightBasin", but it also goes by the handle "UNC1945".

Whatever the group is called, the pair write that it "employs significant operational security (OPSEC) measures, primarily establishing implants across Linux and Solaris servers, with a particular focus on specific telecommunications systems, and only interacting with Windows systems as needed.

"LightBasin's focus on Linux and Solaris systems is likely due to the combination of critical telecommunications infrastructure running on those operating systems, in addition to the comparatively lax security measures and monitoring solutions on Linux/Solaris systems [compared to measures] that are typically in place on Windows operating systems within an organization," the pair wrote.

That assessment suggests telecoms companies' security posture is worse for their operational tech than for their other systems. Which is rather scary.

Whatever OS LightBasin attacks, its efforts are cunning and draw on deep expertise.

Harries and Mayer write that they've seen the group attack "by leveraging external DNS (eDNS) servers – which are part of the General Packet Radio Service (GPRS) network and play a role in roaming between different mobile operators – to connect directly to and from other compromised telecommunication companies' GPRS networks via SSH and through previously established implants."

CrowdStrike claims to have found 13 telecoms companies the gang has cracked.

The company's post suggests LightBasin uses some banal tactics like using default passwords, but that the group also knows telco kit well enough to implant the TinyShell backdoor in Serving GPRS Support Node emulator sgsnemu and use it to hop across mobile networks in search of servers to compromise.

Some LightBasin code includes strings that use Pinyin – the standard for transliterating Chinese into Roman text. However, CrowdStrike doesn't think that means the gang is linked to China, and indeed offered no hypotheses about a link to any nation-state.

CrowdStrike's researchers suggest carriers can keep LightBasin in the dark by ensuring that "firewalls responsible for the GPRS network have rules in place to restrict network traffic to only those protocols that are expected, such as DNS or GTP". The firm also recommends that *nix implementations in telco-land need "basic security controls and logging in place (e.g., SSH logging forwarded to a SIEM, endpoint detection and response (EDR) for process execution, file integrity monitoring (FIM) for recording file changes of key configuration files)".
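As an added illustration of the two controls CrowdStrike recommends (not code from CrowdStrike or the article), the following script checks a list of roaming-interconnect flows against a DNS/GTP-only allowlist and scans sshd log lines from a GPRS-side host for accepted logins originating outside a management range. The flows, log lines and the 10.200.0.0/16 management network are constructed for this example; the GTP ports (UDP 2123 for GTP-C, UDP 2152 for GTP-U) are the standard assignments.

```python
import ipaddress
import re

# Protocols expected to cross the roaming interconnect into the GPRS network:
# DNS plus GTP control (UDP 2123) and user-plane (UDP 2152) traffic.
EXPECTED_ROAMING_PORTS = {("udp", 53), ("tcp", 53), ("udp", 2123), ("udp", 2152)}

# Hypothetical internal management network from which SSH to eDNS hosts is legitimate.
MGMT_NETS = [ipaddress.ip_network("10.200.0.0/16")]

# Matches the sshd "Accepted" record: auth method, user name and source address.
SSHD_ACCEPT = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")


def unexpected_roaming_flows(flows):
    """Return interconnect flows the GPRS firewall should not be permitting."""
    return [f for f in flows if (f["proto"], f["dport"]) not in EXPECTED_ROAMING_PORTS]


def suspicious_ssh_logins(log_lines):
    """Flag accepted SSH sessions whose source lies outside the management ranges,
    e.g. a peer carrier's GPRS address reaching an eDNS host over the interconnect."""
    hits = []
    for line in log_lines:
        m = SSHD_ACCEPT.search(line)
        if not m:
            continue
        method, user, src = m.groups()
        if not any(ipaddress.ip_address(src) in net for net in MGMT_NETS):
            hits.append({"user": user, "src": src, "method": method})
    return hits


# Constructed sample data: one SSH flow on the interconnect and one SSH login from a non-management address.
SAMPLE_FLOWS = [
    {"proto": "udp", "dport": 53, "src": "192.0.2.10"},
    {"proto": "udp", "dport": 2123, "src": "192.0.2.10"},
    {"proto": "tcp", "dport": 22, "src": "192.0.2.10"},
]
SAMPLE_LOG = [
    "Oct 19 03:14:07 edns01 sshd[2211]: Accepted publickey for netops from 10.200.4.8 port 51234 ssh2",
    "Oct 19 03:22:41 edns01 sshd[2307]: Accepted password for root from 192.0.2.10 port 40022 ssh2",
    "Oct 19 03:22:42 edns01 sshd[2307]: pam_unix(sshd:session): session opened for user root",
]

if __name__ == "__main__":
    for f in unexpected_roaming_flows(SAMPLE_FLOWS):
        print("firewall: unexpected roaming flow", f)
    for h in suspicious_ssh_logins(SAMPLE_LOG):
        print("siem: SSH login from outside management range", h)
```

In practice the log scan would run on the SIEM that receives the forwarded SSH logs, with the management ranges taken from the carrier's own address plan.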

That your carrier may not already have those in place for Linux and Solaris running core network services may be the scariest thing of all about CrowdStrike's findings. ®

Biting the hand that feeds IT © 1998–2022