Lock your windows or expect defenestration, telcos told
State-sponsored Chinese attackers are amassing “a broad network of compromised infrastructure” from which they can attack mobile network operators (MNOs), according to the FBI, the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA). The three US security agencies have urged telcos to patch systems promptly, make multi-factor authentication mandatory, segment networks to restrict lateral movement, disable unused ports, protocols and services, and take device administration off the production network: disable external management capabilities on every device and administer it instead through a dedicated out-of-band management network. In a joint advisory they have warned allied governments, critical infrastructure operators and private industry to close the open apertures on their networks.
Close those windows
The security agencies have warned telcos that their network devices will be targeted, and the advisory lists the 16 vulnerabilities (CVEs) in network devices that the attackers exploit most frequently, many of which have been left unpatched for a long time: the oldest dates from 2017 and none is more recent than April 2021. The advisory says the attackers use open-source tools such as RouterSploit and RouterScan to find potentially vulnerable devices, which, The Register reports, are abundant in the homes and small businesses connected by mobile operators. These devices are not easy to patch and their users are rarely told that the firmware needs updating.
Update firmware
Mobile network operators in Europe, the Middle East and Africa have been warned that these compromised devices will be the doorway into their organisation, after which the attackers will hunt for users with valuable privileges and for the infrastructure that manages authentication, authorization and accounting. In a typical attack described in the advisory, a China-sponsored actor identified a critical Remote Authentication Dial-In User Service (RADIUS) server, obtained the credentials for its underlying SQL database, and used SQL queries to dump the user and administrative accounts, which contained both cleartext and hashed passwords. The attackers then fed the stolen credentials into automated scripts that authenticated to a router via Secure Shell (SSH), executed router commands and saved the output. Among the haul was the full configuration of each router attached to the telco’s network.
Stolen authentication
“The cyber actors likely used additional scripting to further automate the exploitation of medium to large victim networks, where routers and switches are numerous, to gather massive numbers of router configurations that would be necessary to successfully manipulate traffic within the network,” the joint agency security advice said. That manipulation included capture and exfiltration of traffic out of the network to actor-controlled infrastructure.
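The pattern the two paragraphs above describe, one stolen account driven by a script through many routers and switches in a short time to harvest configurations, is detectable from the devices' own login records if they are forwarded to a central collector. The following is an added example, not code from the advisory, the agencies or the article: it parses a handful of constructed syslog-style SSH acceptance lines (the line format is hypothetical) and flags any account that authenticates to an unusually large number of distinct devices inside a short window, reporting the source addresses involved so they can be blocked.

```python
"""Flag one account fanning out over many network devices in a short window.

Added illustration; the log format below is a hypothetical syslog-style
layout, and the sample lines are constructed, not captured from a network.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical format: "<ts> <device> sshd: Accepted <method> for <user> from <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) sshd: Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)$"
)

# Constructed sample: a service account hits six devices in nine seconds
# (the scripted harvesting pattern); an engineer touches three devices over
# a morning (normal work); one failed login is noise and is ignored.
SAMPLE_LOG = """\
2022-06-07T02:00:01Z rtr-core-01 sshd: Accepted password for netops-svc from 10.9.8.7
2022-06-07T02:00:03Z rtr-core-02 sshd: Accepted password for netops-svc from 10.9.8.7
2022-06-07T02:00:04Z rtr-edge-11 sshd: Accepted password for netops-svc from 10.9.8.7
2022-06-07T02:00:06Z rtr-edge-12 sshd: Accepted password for netops-svc from 10.9.8.7
2022-06-07T02:00:08Z sw-agg-03 sshd: Accepted password for netops-svc from 10.9.8.7
2022-06-07T02:00:09Z sw-agg-04 sshd: Accepted password for netops-svc from 10.9.8.7
2022-06-07T02:00:10Z rtr-core-01 sshd: Failed password for root from 10.9.8.7
2022-06-07T08:15:00Z rtr-core-01 sshd: Accepted publickey for alice from 10.1.1.5
2022-06-07T09:40:00Z rtr-edge-11 sshd: Accepted publickey for alice from 10.1.1.5
2022-06-07T11:02:00Z sw-agg-03 sshd: Accepted publickey for alice from 10.1.1.5
"""


def parse_events(lines):
    """Return (timestamp, user, device, source_ip) for each successful login, sorted by time."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # failed logins and unrelated lines are not counted
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["device"], m["ip"]))
    events.sort()
    return events


def find_fanout(lines, window=timedelta(minutes=10), min_devices=5):
    """Map each suspicious user to the densest window of distinct-device logins.

    A user is reported when, within any `window`, they successfully log in to
    at least `min_devices` distinct devices. Tune both to the size of the
    estate and the normal pace of change work.
    """
    by_user = defaultdict(list)
    for ts, user, device, ip in parse_events(lines):
        by_user[user].append((ts, device, ip))

    alerts = {}
    for user, evs in by_user.items():  # evs is already time-ordered
        best = None
        for i, (start, _, _) in enumerate(evs):
            devices, ips = set(), set()
            for ts, device, ip in evs[i:]:
                if ts - start > window:
                    break
                devices.add(device)
                ips.add(ip)
            if best is None or len(devices) > best["device_count"]:
                best = {
                    "window_start": start,
                    "device_count": len(devices),
                    "devices": sorted(devices),
                    "source_ips": sorted(ips),
                }
        if best and best["device_count"] >= min_devices:
            alerts[user] = best
    return alerts


if __name__ == "__main__":
    for user, hit in find_fanout(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {user}: {hit['device_count']} devices from {hit['source_ips']} "
              f"starting {hit['window_start'].isoformat()}: {hit['devices']}")
```

Run against the sample, the script reports only `netops-svc` (six devices from one address in under ten seconds); `alice` stays below the threshold because her three logins are spread over hours. In production the same logic belongs in the SIEM, keyed on the AAA server's own accounting records rather than each device's sshd log, since a compromised RADIUS server is exactly where the advisory says the credentials came from.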
Hard to spot
The attacks will be hard for telco security teams to spot, the advisory said, because the China-sponsored actors mix their custom tools with publicly available ones, often choosing tools that are native to the network environment. This blends their activity into the normal look and feel of the network and obscures their intent. The actors also change their tactics in response to published advisories, the agencies added.