Crims target telcos' Linux and Solaris boxes, which don't get enough infosec love

CrowdStrike says 'LightBasin' gang avoids Windows, and knows that telco networks run on badly-secured *nix


A mysterious criminal gang is targeting telcos' Linux and Solaris boxes, because it perceives they aren't being watched by infosec teams that have focussed their efforts on securing Windows.

Security vendor CrowdStrike claims it's spotted the group and that it "has been consistently targeting the telecommunications sector at a global scale since at least 2016 … to retrieve highly specific information from mobile communication infrastructure, such as subscriber information and call metadata." The gang appears to understand telco operations well enough to surf the carrier-to-carrier links that enable mobile roaming, across borders and between carriers, to spread its payloads.

CrowdStrike principal consultant Jamie Harries and senior security researcher Dan Mayer named the group "LightBasin", but it also goes by the handle "UNC1945".

Whatever the group is called, the pair write that it "employs significant operational security (OPSEC) measures, primarily establishing implants across Linux and Solaris servers, with a particular focus on specific telecommunications systems, and only interacting with Windows systems as needed.

"LightBasin's focus on Linux and Solaris systems is likely due to the combination of critical telecommunications infrastructure running on those operating systems, in addition to the comparatively lax security measures and monitoring solutions on Linux/Solaris systems [compared to measures] that are typically in place on Windows operating systems within an organization," the pair wrote.

That assessment suggests telecoms companies' security posture is worse for their operational tech than for their other systems. Which is rather scary.

Whatever OS LightBasin attacks, its efforts are cunning and draw on deep expertise.

Harries and Mayer write that they've seen the group attack "by leveraging external DNS (eDNS) servers – which are part of the General Packet Radio Service (GPRS) network and play a role in roaming between different mobile operators – to connect directly to and from other compromised telecommunication companies' GPRS networks via SSH and through previously established implants."

CrowdStrike claims to have found 13 telecoms companies the gang has cracked.

The company's post suggests LightBasin uses some banal tactics like using default passwords, but that the group also knows telco kit well enough to implant the TinyShell backdoor in Serving GPRS Support Node emulator sgsnemu and use it to hop across mobile networks in search of servers to compromise.

Some LightBasin code includes strings that use Pinyin – the standard for transliterating Chinese into Roman text. However, CrowdStrike doesn't think that means the gang is linked to China, and indeed offered no hypotheses about a link to any nation-state.

CrowdStrike's researchers suggest carriers can keep LightBasin in the dark by ensuring that "firewalls responsible for the GPRS network have rules in place to restrict network traffic to only those protocols that are expected, such as DNS or GTP". The firm also recommends that *nix implementations in telco-land need "basic security controls and logging in place (e.g., SSH logging forwarded to a SIEM, endpoint detection and response (EDR) for process execution, file integrity monitoring (FIM) for recording file changes of key configuration files)".

That your carrier may not already have those in place for Linux and Solaris running core network services may be the scariest thing of all about CrowdStrike's findings. ®

Similar topics


Other stories you might like

  • India reveals home-grown server that won't worry the leading edge

    And a National Blockchain Strategy that calls for gov to host BaaS

    India's government has revealed a home-grown server design that is unlikely to threaten the pacesetters of high tech, but (it hopes) will attract domestic buyers and manufacturers and help to kickstart the nation's hardware industry.

    The "Rudra" design is a two-socket server that can run Intel's Cascade Lake Xeons. The machines are offered in 1U or 2U form factors, each at half-width. A pair of GPUs can be equipped, as can DDR4 RAM.

    Cascade Lake emerged in 2019 and has since been superseded by the Ice Lake architecture launched in April 2021. Indian authorities know Rudra is off the pace, and said a new design capable of supporting four GPUs is already in the works with a reveal planned for June 2022.

    Continue reading
  • Prisons transcribe private phone calls with inmates using speech-to-text AI

    Plus: A drug designed by machine learning algorithms to treat liver disease reaches human clinical trials and more

    In brief Prisons around the US are installing AI speech-to-text models to automatically transcribe conversations with inmates during their phone calls.

    A series of contracts and emails from eight different states revealed how Verus, an AI application developed by LEO Technologies and based on a speech-to-text system offered by Amazon, was used to eavesdrop on prisoners’ phone calls.

    In a sales pitch, LEO’s CEO James Sexton told officials working for a jail in Cook County, Illinois, that one of its customers in Calhoun County, Alabama, uses the software to protect prisons from getting sued, according to an investigation by the Thomson Reuters Foundation.

    Continue reading
  • Battlefield 2042: Please don't be the death knell of the franchise, please don't be the death knell of the franchise

    Another terrible launch, but DICE is already working on improvements

    The RPG Greetings, traveller, and welcome back to The Register Plays Games, our monthly gaming column. Since the last edition on New World, we hit level cap and the "endgame". Around this time, item duping exploits became rife and every attempt Amazon Games made to fix it just broke something else. The post-level 60 "watermark" system for gear drops is also infuriating and tedious, but not something we were able to address in the column. So bear these things in mind if you were ever tempted. On that note, it's time to look at another newly released shit show – Battlefield 2042.

    I wanted to love Battlefield 2042, I really did. After the bum note of the first-person shooter (FPS) franchise's return to Second World War theatres with Battlefield V (2018), I stupidly assumed the next entry from EA-owned Swedish developer DICE would be a return to form. I was wrong.

    The multiplayer military FPS market is dominated by two forces: Activision's Call of Duty (COD) series and EA's Battlefield. Fans of each franchise are loyal to the point of zealotry with little crossover between player bases. Here's where I stand: COD jumped the shark with Modern Warfare 2 in 2009. It's flip-flopped from WW2 to present-day combat and back again, tried sci-fi, and even the Battle Royale trend with the free-to-play Call of Duty: Warzone (2020), which has been thoroughly ruined by hackers and developer inaction.

    Continue reading

Biting the hand that feeds IT © 1998–2021