Mobile Telecom Security Landscape Blog: November 24

Welcome to our November Security Landscape blog. This month, we look at the need to spot hidden, persistent network access – is there something hiding in your network? There have been reports of attackers launching successful pre-positioning attacks. These ‘quiet’ attacks may have been missed by defence capabilities or may pre-date defence upgrades. They can persist with very low levels of activity: occasionally contacting a Command and Control (C2) server, gathering information, exfiltrating small amounts of data, or simply waiting for a better time to launch a more destructive attack. Threat hunting plays a role in uncovering these long-term attacks; other defensive strategies are also highlighted.

Reactive security defences play a huge role in delivering safe and resilient networks. Occasionally, though, these defences will have missed a successful attack that sought to pre-position a persistent ‘bridgehead’ from which to launch cyber attacks in a variety of forms. These ‘quiet’ attacks may have bypassed cybersecurity defences, may have a long-term presence that pre-dates security enhancements, or may simply have been missed in log file analysis.

Underlying activities

These persistent capabilities may undertake a variety of activities, including:

  • Maintaining persistent ‘backdoor’ access
  • Living off the Land (LOTL): abusing the native tools and processes already present on systems, so that attacker activity is hard to distinguish from legitimate administration
  • Beaconing to a C2 server
  • Deleting files
  • Side-loading malware
  • Exfiltrating data
  • Keylogging
  • Credential theft.

Examples of a threat

Two reported compromises point to this long-term approach. Syniverse filed with the Securities and Exchange Commission that “in May 2021, Syniverse became aware of unauthorised access to its operational and information technology systems by an unknown individual or organisation. Promptly upon Syniverse’s detection of the unauthorised access, Syniverse launched an internal investigation, notified law enforcement, commenced remedial actions and engaged the services of specialised legal counsel and other incident response professionals.” Syniverse said that its “investigation revealed that the unauthorised access began in May 2016” and “that the individual or organisation gained unauthorised access to databases within its network.” Five years of undetected access demonstrates the long-term approach taken by some attackers.

In the June security landscape blog, the Kyivstar attack was noted: hackers gained initial access to Kyivstar systems, then likely compromised an employee account and spent some time gaining access to further accounts. This appears to have eventually led them to accounts with administrative privileges and on into Active Directory. The attack was reported to have gone undetected for some months, and the group reportedly used a zero-day wiper malware that Kyivstar’s protection systems could not identify. The later destructive phase wiped out a range of infrastructure, causing significant service interruption. Kyivstar reportedly was able to restore services in a very short time.

The ENISA 2024 Threat Landscape Report notes, under the heading Living Off Trusted Sites (LOTS), that threat actors have extended their stealth techniques into the cloud, using trusted sites and legitimate services to avoid detection and disguising Command and Control (C2) communications as ordinary traffic or innocuous messages on platforms like Slack and Telegram.
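What makes beaconing hunt-able, whether it goes to a raw IP address or to a trusted SaaS platform as in the LOTS technique above, is the timing rather than the destination: a sleep-and-call-home loop contacts its C2 at near-constant intervals, whereas human use of the same site is bursty. The following is an added example (not code from this blog, from ENISA, or from any product) of such a hunt run over egress-proxy records. The log format, addresses, hostnames and thresholds are constructed for illustration.

```python
"""Hunt for periodic C2 'beaconing' in egress (web proxy) logs.

Added example, not code from the GSMA blog. The log format below is a
constructed, simplified "<ISO timestamp> <source IP> <destination host>";
real proxy logs carry more fields but the same grouping and timing test apply.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, median, pstdev

# Constructed sample (not real traffic), four src->dst conversations:
#   10.0.5.17 -> files.slack.com           every ~5 min, a few seconds of jitter
#   10.0.5.23 -> files.slack.com           bursty human use of the same site
#   10.0.5.17 -> login.microsoftonline.com only two contacts, too few to judge
#   10.0.7.4  -> api.telegram.org          once an hour, almost no jitter
SAMPLE_LOG = """\
2024-11-04T08:00:00 10.0.5.17 files.slack.com
2024-11-04T08:00:00 10.0.7.4 api.telegram.org
2024-11-04T08:01:10 10.0.5.23 files.slack.com
2024-11-04T08:01:45 10.0.5.23 files.slack.com
2024-11-04T08:02:00 10.0.5.17 login.microsoftonline.com
2024-11-04T08:05:02 10.0.5.17 files.slack.com
2024-11-04T08:09:58 10.0.5.17 files.slack.com
2024-11-04T08:14:03 10.0.5.23 files.slack.com
2024-11-04T08:14:09 10.0.5.23 files.slack.com
2024-11-04T08:15:01 10.0.5.17 files.slack.com
2024-11-04T08:19:59 10.0.5.17 files.slack.com
2024-11-04T08:25:00 10.0.5.17 files.slack.com
2024-11-04T08:30:03 10.0.5.17 files.slack.com
2024-11-04T08:33:00 10.0.5.17 login.microsoftonline.com
2024-11-04T08:34:57 10.0.5.17 files.slack.com
2024-11-04T08:47:30 10.0.5.23 files.slack.com
2024-11-04T09:00:00 10.0.7.4 api.telegram.org
2024-11-04T09:12:00 10.0.5.23 files.slack.com
2024-11-04T09:12:08 10.0.5.23 files.slack.com
2024-11-04T10:00:01 10.0.7.4 api.telegram.org
2024-11-04T10:59:59 10.0.7.4 api.telegram.org
2024-11-04T12:00:00 10.0.7.4 api.telegram.org
2024-11-04T13:00:00 10.0.7.4 api.telegram.org
"""


def parse_log(text):
    """Yield (timestamp, src, dst) per line; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        yield datetime.fromisoformat(parts[0]), parts[1], parts[2]


def beacon_score(timestamps):
    """Return (count, median gap in seconds, coefficient of variation of gaps).

    A sleep-and-call-home loop produces near-constant inter-arrival gaps
    (cv close to 0); human-driven traffic is bursty (cv near or above 1).
    """
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return len(ts), 0.0, float("inf")   # too few contacts to judge
    return len(ts), median(gaps), pstdev(gaps) / mean(gaps)


def find_beacons(records, min_events=6, max_cv=0.15):
    """Group records by (src, dst) and return the periodic conversations."""
    conversations = defaultdict(list)
    for ts, src, dst in records:
        conversations[(src, dst)].append(ts)
    hits = []
    for (src, dst), ts in conversations.items():
        count, period, cv = beacon_score(ts)
        if count >= min_events and cv <= max_cv:
            hits.append({"src": src, "dst": dst, "events": count,
                         "period_s": period, "cv": round(cv, 4)})
    return sorted(hits, key=lambda h: h["cv"])   # most regular first


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{hit['src']} -> {hit['dst']}: {hit['events']} contacts, "
              f"period {hit['period_s']:.0f}s, cv {hit['cv']}")
```

On the constructed sample only the two machine-driven conversations are reported, and the beacon to files.slack.com is flagged even though a second host uses the same site normally: an allow-list of trusted SaaS domains would have hidden it. In practice the hunt runs over days of proxy or DNS logs, min_events and max_cv are tuned against the estate's own scheduled service traffic, and a hit on a trusted domain is investigated rather than dismissed. Implants that add deliberate jitter or sleep for hours raise the cv and need longer windows or additional features (request size, URI pattern, bytes out) to surface.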

Proactive Defence – threat hunting

In addition to reactive security controls, proactive threat hunting across the whole of the attack surface (see the October blog post) may uncover these pre-positioning attacks. Teams that focus only on initial access points may miss an intrusion that has already progressed, or allow a stealthy actor to keep evading detection. Proactively hunting for signs of an attacker’s lateral movement through the network, unauthorised privilege escalation, abuse of access rights and other post-compromise activity can reveal risks that were not identified at the time of the initial compromise.
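Two of the hunts described above, lateral movement and privilege escalation, can be run over ordinary authentication and group-change audit events. The following is an added example (not code from this blog or from any vendor) that does so on constructed Active Directory-style events and links the two findings together, following the pattern the Kyivstar reporting describes: a compromised employee account fanning out to many hosts and then adding itself to a privileged group. The account names, hosts, groups, thresholds and the approved-admin and service-account lists are all assumptions for the example.

```python
"""Hunt for lateral movement and privilege escalation in authentication events.

Added example, not code from the GSMA blog. Events are a constructed CSV
resembling what a domain's logon and group-change auditing produces.
"""
import csv
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta
from io import StringIO

Event = namedtuple("Event", "ts kind actor src_host target member")

# Constructed sample (not real data). Columns: ts,event,actor,src_host,target,member
#   LOGON:     actor logged on to <target> from <src_host>
#   GROUP_ADD: actor, working from <src_host>, added <member> to group <target>
# j.smith is the assumed compromised employee account: after a normal morning
# it fans out across file, app, SQL and DC hosts late at night and then adds
# itself to Domain Admins.
SAMPLE_EVENTS = """\
ts,event,actor,src_host,target,member
2024-11-04T08:02:11,LOGON,alice,WS-ALICE,WS-ALICE,
2024-11-04T08:03:40,LOGON,j.smith,WS-017,WS-017,
2024-11-04T08:05:00,LOGON,svc-backup,BK01,FS01,
2024-11-04T08:06:00,LOGON,svc-backup,BK01,FS02,
2024-11-04T08:07:00,LOGON,svc-backup,BK01,FS03,
2024-11-04T08:08:00,LOGON,svc-backup,BK01,FS04,
2024-11-04T08:09:00,LOGON,svc-backup,BK01,FS05,
2024-11-04T08:15:22,LOGON,alice,WS-ALICE,FS02,
2024-11-04T09:00:00,GROUP_ADD,admin.ops,DC01,Helpdesk,t.jones
2024-11-04T10:30:00,GROUP_ADD,admin.ops,DC01,Domain Admins,n.lee
2024-11-04T23:10:05,LOGON,j.smith,WS-017,FS02,
2024-11-04T23:14:48,LOGON,j.smith,WS-017,APP03,
2024-11-04T23:21:30,LOGON,j.smith,WS-017,WS-022,
2024-11-04T23:29:12,LOGON,j.smith,WS-022,SQL01,
2024-11-04T23:41:57,LOGON,j.smith,WS-022,DC01,
2024-11-04T23:43:10,GROUP_ADD,j.smith,DC01,Domain Admins,j.smith
"""

# Assumed site-specific lists; a real hunt takes these from change control and the CMDB.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
APPROVED_ADMINS = {"admin.ops"}
SERVICE_ACCOUNTS = {"svc-backup"}   # expected to touch many hosts


def parse_events(text):
    """Parse the CSV into Event tuples sorted by time."""
    rows = csv.DictReader(StringIO(text))
    events = [Event(datetime.fromisoformat(r["ts"]), r["event"], r["actor"],
                    r["src_host"], r["target"], r["member"] or None) for r in rows]
    return sorted(events, key=lambda e: e.ts)


def lateral_fanout(events, window=timedelta(hours=1), max_hosts=4,
                   allowlist=SERVICE_ACCOUNTS):
    """Accounts that log on to more than max_hosts distinct hosts inside any window."""
    logons = defaultdict(list)
    for e in events:
        if e.kind == "LOGON":
            logons[e.actor].append(e)
    findings = {}
    for account, evs in logons.items():
        if account in allowlist:
            continue
        best_hosts, best_start = (), None
        for i, start in enumerate(evs):          # evs is time-ordered
            hosts = {e.target for e in evs[i:] if e.ts < start.ts + window}
            if len(hosts) > len(best_hosts):
                best_hosts, best_start = tuple(sorted(hosts)), start.ts
        if len(best_hosts) > max_hosts:
            findings[account] = {"hosts": best_hosts, "window_start": best_start}
    return findings


def privileged_group_changes(events, privileged=PRIVILEGED_GROUPS,
                             approved=APPROVED_ADMINS):
    """Additions to privileged groups made by actors outside the approved set."""
    return [{"ts": e.ts, "actor": e.actor, "member": e.member, "group": e.target}
            for e in events
            if e.kind == "GROUP_ADD" and e.target in privileged
            and e.actor not in approved]


def hunt(text):
    """Run both hunts and link them: an unapproved escalation by an account
    that is also moving laterally is the chain worth escalating first."""
    events = parse_events(text)
    fanout = lateral_fanout(events)
    escalations = privileged_group_changes(events)
    for finding in escalations:
        finding["actor_also_moving_laterally"] = finding["actor"] in fanout
    return {"lateral_movement": fanout, "privilege_escalation": escalations}


if __name__ == "__main__":
    report = hunt(SAMPLE_EVENTS)
    for account, f in report["lateral_movement"].items():
        print(f"lateral movement: {account} reached {len(f['hosts'])} hosts "
              f"from {f['window_start']}: {', '.join(f['hosts'])}")
    for f in report["privilege_escalation"]:
        print(f"privilege escalation: {f['actor']} added {f['member']} to "
              f"{f['group']} at {f['ts']} (also moving laterally: "
              f"{f['actor_also_moving_laterally']})")
```

The fan-out threshold is deliberately crude; a production hunt replaces the fixed max_hosts with each account's own baseline of distinct hosts per day, and the allow-list for service accounts is itself a hunting target, because a backup account that suddenly logs on to hosts it has never backed up is exactly the kind of trusted-identity abuse this blog is about.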

Some regulations push operators to adopt the principle of ‘assumed compromise’: operators should normally assume that network oversight functions are subject to high-end attacks that may not have been detected, and should implement business practices that make it harder for an attacker to maintain covert access.

Mitigation Activities
  • Threat hunting is an active defence in which analysts, guided by curiosity and intuition as much as by alerts, investigate potential threats and remediate what they find. Insight is gained by examining higher-impact areas such as privileged access actions and activity logs, supported by analysis and network forensics tools (an obvious area for Security Information and Event Management (SIEM) tools, including those that are AI-based).
  • Implement trusted boot capabilities and secure roots of trust to establish an initial known-good state, and periodically rebuild functions to an up-to-date known-good state. Rebuilding from a verified image evicts persistence an attacker has planted on the platform, provided the image and the boot chain that loads it are themselves measured or verified; a rebuild from an unverified image can simply reinstall the compromise.
  • The GSMA Telecommunication Information Sharing and Analysis Center (T-ISAC) is the central hub for threat information sharing in the telecommunication industry. Threat information sharing is essential for the protection of the mobile ecosystem and for the advancement of cybersecurity across the sector. Using T-ISAC intelligence, and reciprocating by sharing Indicators of Compromise (IoCs) and evidenced attack techniques, can yield strong insights. These insights can be used proactively to identify how an initial compromise may have occurred and how to spot (and remediate) such attacks.
  • Proactive penetration testing is an additional tool with which to identify initial attack vectors and, in turn, uncover attack platforms that are already in place. In the UK, a framework called T-BEST is sometimes used to undertake these activities in a controlled manner. T-BEST is a threat intelligence-led penetration testing scheme that simulates a well-resourced cyber attack from a nation state or a large organised crime group. It seeks to assess how well a provider can detect, contain and respond to such an attack. The overall aim is to identify and address any security vulnerability or other weakness in a provider’s functions, processes, policies, systems or networks.

There are major consequences of having an undetected compromise on a network. Establishing a principle of ‘assumed compromise’ can lead to activities that identify these low-profile attacks. Fortunately, there are a number of proactive steps that can be taken to spot these compromises, including threat hunting, trusted boot and rebuilding platforms, intelligence sharing and proactive penetration testing. Let’s crack on and find these lurking cyber dangers.

If you’d like to discuss these topics or to get more closely involved, please email [email protected].