A group of hackers known as LightBasin (UNC1945) with suspicious links to China has hacked 13 telecom firms around the world by exploiting the eDNS server via SSH and some specialized tools to get the following information from telecom operators:-
- Call logs
- Text messages
This investigation is executed by CrowdStrike Services, CrowdStrike Intelligence, and Falcon OverWatch. All these telcos around the world have always been the primary targets of hackers from countries like:-
Leaping through GPRS eDNS Servers
The hacking group, LightBasin has been active since at least 2016, but it was only recently that it was spotted using the most sophisticated tools to date. And not only that even it has been marked as one of the sophisticated groups with strong operational security (OPSEC) strategy.
While the United States also solicits access to the call logs, which show which numbers have called each other, how often, and for how long.
CrowdStrike collected the information responding to incidents in several countries, which it refused to name. However, CrowdStrike has already published the technical details to allow other companies to check similar attacks.
Here the hackers have compromised the network of these telcos through an SSH connection and “previously established implants.”
In this event, the threat actors have targeted the following systems that are part of the General Packet Radio Service (GPRS) network that enables roaming between mobile operators:-
Moreover, LightBasin has the ability to identify various brands of telecommunications products and compile tools for various architectures. This implies that it has strong R&D capabilities to clasp in the infrastructure of specific suppliers that are commonly found in the telecommunications environment.
The threat actors have used custom malware to collect credentials to an obfuscated text file, and it’s tracked as SLAPSTICK PAM. But, later, from a compromised telco the hackers have also multiple eDNS servers by exploiting an implant, known as PingPong.
LightBasin uses a novel technique
To move traffic through the telecommunications network it has been identified that LightBasin uses a novel technique to support the C2 activities in accord with TinyShell, it’s an open-source Unix backdoor and this involves the use of SGSN emulation software (sgsnemu2).
Here the emulation software drifts the traffic through the telecommunications network, and SGSNs are the essentially GPRS network access points. In short, the script is used here as a persistence mechanism, and this script is operated by the attackers for only 30 minutes on a regular basis.
Tools & Malware
CrowdStrike has listed all the sophisticated tools and malware used by the LightBasin hacking group, and here they are mentioned below:-
- CordScan: It’s a network scanning and packet capture tool.
- SIGTRANslator: It’s an ELF binary
- Fast Reverse Proxy: It’s an open-source reverse proxy tool.
- Microsocks Proxy: It’s an open-source lightweight SOCKS5 proxy server.
- ProxyChains: It’s an open-source tool, and it binds proxies and network traffic together.
In the current era, telcos are extensively targeted by state-sponsored hacking groups to gain access to their crucial data hub.
So, here to mitigate these types of situations, telcos have to adapt the latest security mechanisms, access comprehensive threat intelligence resources, and stay up-to-date to understand the evolving TTPs of the hackers.