Hacker group LightBasin hacked 13 telecoms in the last two years

CrowdStrike specialists have prepared a report on the LightBasin hacker group (also known as UNC1945 according to Mandiant), which was hacked into the systems of mobile operators around the world for several years. Since 2019, the group has compromised 13 unnamed telecommunications companies and maintained a presence on their systems to steal subscriber information and call metadata.

Experts write that LightBasin has been active since at least 2016 and mainly attacks Linux and Solaris servers, although hackers can interact with Windows machines if necessary. Experts began to study the activities of the group after one incident, which they investigated in an unnamed telecommunications company. There, experts discovered that attackers jump from one compromised network to another via SSH and “previously installed implants” (malware). So, it turned out that hackers got access to the victim’s eDNS server via an SSH connection from the network of another compromised company.

The telecommunications systems targeted by LightBasin include External DNS servers (eDNS), Service Delivery Platform (SDP) systems, and SIM / IMEI. They are all part of the General Packet Radio Service (GPRS) network, which enables roaming between mobile operators.

The report states that it is common for the LightBasin grouping to brute force the target system to try to use the default credentials. After a successful hack, the attackers install and run a special malware on the target’s machine called SLAPSTICK, a backdoor for the Solaris Pluggable Authentication Module (PAM), which provides access to the system based on a hard-coded password.

With backdoor access to the target Solaris system, hackers are able to steal passwords to move to other machines, as well as securely gain a foothold in the system. Thus, in the course of the mentioned incident, hackers eventually gained access to several eDNS servers of the hacked company through a malware called PingPong by CrowdStrike analysts. It receives commands via ICMP requests to set the TCP reverse shell to the IP address and port specified in the packet.

PingPong’s generated reverse shells communicated over TCP port 53 (the default for DNS) with servers from other telecommunications companies in other parts of the world. As was said, to go unnoticed, LightBasin added iptables rules to the eDNS server that allowed SSH connections to five other compromised companies. In addition, the attackers used a trojanized version of iptables, which removed the output of the first two octets from IP addresses belonging to other compromised companies, making it even more difficult to find the changed rules.

CrowdStrikes analysts also point out that LightBasin uses a new technique for tunnelling traffic on telecommunications networks, which includes a special emulator and TinyShell (a common open source Unix backdoor).

In general, CrowdStrike lists the following set of utilities and malware that LightBasin uses in its operations:

1. CordScan: a network scanner and packet sniffer that is capable of scanning and extracting information specific to telecommunication protocols;
2. SIGTRANslator: ELF binary that can send and receive data via telecom-specific protocols (SIGTRAN);
3. Fast Reverse Proxy: open source reverse proxy;
4. Microsocks Proxy: lightweight open source SOCKS5 proxy;
5. ProxyChains: Another open source tool that aggregates proxies and routes network traffic through the resulting chain.

Let me remind you that we also wrote that Three Chinese APT Groups Attack Major Telecommunications Companies.