Mobile Telecom Security Landscape Blog: September 24

Welcome to our September blog. This month, we will discuss enabling infrastructure (building on last month’s BGP discussion), including virtualisation, DDOS attacks and attack types, and DNS security.

Microsoft researchers uncovered a vulnerability in ESXi hypervisors being exploited by several ransomware operators to obtain full administrative permissions on domain-joined ESXi hypervisors. ESXi is a bare-metal hypervisor that is installed directly onto a physical server and provides direct access and control of underlying resources. ESXi hypervisors host virtual machines that may include critical servers in a network. The vulnerability, CVE-2024-37085, relates to a domain group whose members are granted full administrative access to the ESXi hypervisor by default without proper validation. Microsoft disclosed the findings to VMware through Coordinated Vulnerability Disclosure (CVD) and VMWare released a security update

Recently, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a warning related to threat actors exploiting the legacy Cisco Smart Install feature to access sensitive data. CISA recommended organisations disable the Smart Install feature as failing to do so could enable threat actors to gain access to impacted devices, crack passwords and reach system configuration files.

It’s interesting to read about the Networking infrastructure DDoS attacks that are on the rise in Q2 2024.  NBIP, in the Netherlands, reported the most common types of attacks were Domain Name System (DNS) Amplification, Memcached Amplification (Memcached is a high-performance, open-source, distributed memory and database caching system), Network Time Protocol (NTP) Amplification, UDP Flood and ‘ACK’ Flood.  Amplification attacks exploit an asymmetry in bandwidth cost between an attacker and the target. When the asymmetry is multiplied across many requests, the resulting volume of traffic can disrupt network infrastructure. Asymmetry is created by sending small queries that result in large responses.  The NTP security is one of those protocols that gets less coverage so it is interesting to see it on the NBIP list.  NTP allows internet-connected devices to synchronise their internal clocks.

Also worthy of interest in this space is another DNS-based attack reported as DNSBomb Pulsing DoS Attack. The attack idea is comprised of a number of steps: accumulating DNS Queries, amplifying DNS queries into responses, concentrating the DNS responses into a short pulse window and then sent to the target.  These high-intensity bursts can be difficult to defend against, and careful configuration is required to mount a practical defence. 

A recent report from Gcore gave an interesting perspective on DDoS Attack Trends for Q1–Q2 2024.  The report covers a wide set of sectors including telecoms.  In aggregate, it was reported that the number of DDOS incidents rose by 46% compared to the same period last year.  Telecoms were targeted in 10% of the identified attacks.  The report distinguishes between network-layer (L3-4) and application-layer (L7) attacks, noting that different industries are impacted in various ways.  Network-layer attacks were reported predominantly affecting the gaming, technology, and telecom industries due to their reliance on real-time data services. 

To expand a little more on DNS and why it is important.  A key requirement of running the internet has been the ability to map and route the requested service hostnames to their machine-readable IP addresses. DNS was introduced in 1987 to perform the resolution of human-readable domain names into machine-routable IP addresses. This resolution involves the client recursively questioning a distributed hierarchy of name servers, each of which is responsible for directing the client one step at a time towards the ‘authoritative’ name server for that domain name.  Some DNS solutions are not fully secure as they can make plaintext requests to a known port for all its DNS query resolution requirements and these can be read or manipulated en-route. 

There are a number of ways in which DNS security has been improved.  Data integrity and authentication capabilities were added to DNS using a digital signatures scheme DNS Security Extensions (DNSSEC).  Other capabilities include DNS over HTTPS (DoH), DNS over TLS (DoT) as well as proprietary browser and operating system implementations.  The solution space is complex due to other competing requirements such as national and regulatory requirements, the ability to block malicious domain names, filtering to combat illegal content, implementing parental controls, network security activities and performance impacts.  The balance of enhanced security controls and the need to manage the potential for unintended consequences means careful steps are taken in this space.  For GSMA members, document IG.10 DNS Encryption (available on Member Gateway) discusses many of these aspects in more detail.


If you’d like to discuss these themes or to get more closely involved, please email [email protected].