{"id":15770,"date":"2019-07-12T08:10:05","date_gmt":"2019-07-12T16:10:05","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/07\/12\/news-9517\/"},"modified":"2019-07-12T08:10:05","modified_gmt":"2019-07-12T16:10:05","slug":"news-9517","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/07\/12\/news-9517\/","title":{"rendered":"Cellular networks under fire from Soft Cell attacks"},"content":{"rendered":"

Credit to Author: Christopher Boyd| Date: Fri, 12 Jul 2019 15:30:00 +0000<\/strong><\/p>\n

We place a lot of trust in our mobile experience, given they\u2019re one of the most constant companions we have. Huge reams of data, tied to a device we always carry with us, with said device frequently offering additional built-in app functionality. An astonishing wealth of information, for anyone bold enough to try and take it.<\/p>\n

Security firm Cybereason uncovered an astonishing attack dubbed \u201cOperation soft cell<\/a>\u201d haunting at least ten cellular networks based around the globe. Over the course of seven years, they went after all manner of detailed information on just 20 to 30 targets, feeding it back to base and building up an amazingly detailed picture of their daily dealings.<\/p>\n

What happened here?<\/h3>\n

The compromise, which the researchers have given a high probability of being a nation-state attack, went to elaborate lengths to nab their high value targets. Attackers first gained a foothold by targeting a web-connected server and making use of an exploit to gain access. A shell<\/a> would then be placed to enable further unauthorised activity.<\/p>\n

In this particular case, a modified version of the well-known China Chopper<\/a> was deployed to carry out specific tasks. It\u2019s quite flexible, able to run on multiple server platforms. It\u2019s also quite old, dating back several years. I guess there\u2019s no tunes quite like the classics.<\/p>\n

Thanks to China Chopper and a variety of alternative compromise tools, the attackers would make use of credentials from the first machine to dig deeper in the network. Well-worn RATs like PoisonIvy<\/a> were used to ensure continued access on compromised devices.<\/p>\n

Eventually, they\u2019d gain control of the Domain Controller<\/a> and at that point,\u00a0 <\/span>it\u2019s essentially game over for the targeted organisation.<\/p>\n

Groundhog Day<\/h3>\n

It appears the criminals reused various techniques to work their way around the various cellular networks, with little resistance. Talk about \u201cIf it ain\u2019t broke, don\u2019t fix it.\u201d So total was their ownership of certain organisations, they were able to set up VPN services<\/a> to enable quick, persistent access on hijacked networks instead of taking the much slower route and connecting their way through multiple compromised servers.<\/p>\n

If they were worried about being caught in the act, they certainly didn\u2019t show it. In fact, from reading the main report<\/a> it seems in cases where there was some pushback, they simply looped back around and tried again till they succeeded, attacking in waves staggered over a period of months.<\/p>\n

The Crown Jewels<\/h3>\n

Most of the time, attacks on web-facing servers result in an email from Have I been pwned<\/a> and you see which bits of personal information have been fired across the web this time. Not here, however\u2014it was never going to end with a username\/password dump.<\/p>\n

The attackers plundered cellular networks, gained access to pretty much everything you could think of. In cases where the target was fully compromised<\/a>, all username\/passwords were grabbed, along with billing information and various smatterings of personal data.<\/p>\n

However, the big prize here wasn\u2019t being able to hurl all of this onto a Pastebin or upload it to social media as a free-for-all; nothing so bland. It was, instead, being able to sit on both this data quietly alongside hundreds of gigabytes of call detail records. This is, as you\u2019ll see, a bad thing.<\/p>\n

Call detail records: What are they?<\/h3>\n

Good question.<\/p>\n

Call detail records are all about metadata<\/a>. They won\u2019t give you the contents of the call itself, but what they will give you is pretty much everything else. They\u2019re useful for a variety of things: billing disputes, law enforcement inquiries, tracking people down, bill generation, call volumes\/handling for businesses and much more. Not only do they avoid recordings of conversations, they also steer clear of specific location information.<\/p>\n

Nonetheless, patterns of behaviour are easy to figure out. A typical CDR could include:<\/p>\n