InfiltrateCon 2016 - Why Nation-State Hack Telco Networks

Author: Ömer Coşkun

Why Nation-State Malwares Target Telco Networks: Dissecting Technical Capabilities of Regin and Its Counterparts – v2

The supreme art of war is to subdue the enemy without fighting. Sun Tzu

1 Apple versus FBI

2 Did you ever ask ‘Why’?

Author: Ömer Coşkun

Why Nation-State Malwares Target Telco Networks: Dissecting Technical Capabilities of Regin and Its Counterparts – v2

The supreme art of war is to subdue the enemy without fighting. Sun Tzu

$ whoami

Ömer Coşkun (@0xM3R) ¡  BEng. Computer Science

Research Assistant in Quantum Cryptography & Advanced Topics in AI

2

¡ Industry Experience

KPN – CISO , Ethical Hacking

Verizon – Threat & Vulnerability Management

IBM ISS – Threat Intelligence

¡  Interests

Algorithm Design, Programming, Reverse Engineering, Malware Analysis, OS Internals, Rootkits

Outline

¡  Overview

¡  Telecom Network Architecture

¡  Practical Attack Surfaces

¡  GRX/IPX Attack Vectors

¡  SS7 Attack Vectors

¡  Practical Attack Scenarios

¡  Unblocking Stolen Phones (*new)

¡  User Location Tracking in the LTE Network (*new)

¡  Rootkit Attacks: Regin and it’s counterparts

¡  Regin Instrumentation and Analysis

¡  Demo: Dynamic Regin Instrumentation (PoC || GTFO)

¡  Regin Evolution over the time Regin vs. Its Counterparts

¡  Demo: Regin Simulator Rootkit (PoC || GTFO)

¡  Questions ?

3

$ REDteam 4

Motivations 5 ¡ Analyze existing vulnerabilities and attack

surface of GSM networks

¡ Governments hack their own citizens

¡  Surveillance implants shifted focus to telecom networks and network devices

¡  European Telco companies are really paranoid after Regin attack

¡  Rootkits are fun : a lot to learn & challenge

¡  Reproduce the attack scenario and implement it!

GSM Network Architecture 6

Regin targets GSM Networks 19

Regin targets GSM Networks 20

Determining Attack Surface 21

Potential Attack Surfaces 25

Potential Attack Surfaces

¡ Absence of physical intrusion detection devices

¡ Vulnerable services running accessible from BTS

¡ Absence of cable/device tamper resistance and unauthorized access protection

¡  Improper network segmentation; inner non-routable segments of the Telco company could accessible.

¡ Core GPRS Network and Network Subsystem (NSS) running exploitable services!

26

GRX Networks 28

GRX versus IPX Networks 29

Similar to GRX but everything is on IP and operators can connect ISP, ASP etc.

GRX vs. IPX Networks 30 ¡ GRX designed for GPRS roaming and only mobile

operators can interconnect, IPX designed for IP interconnect.

¡ GRX transport is best effort traffic, IPX is managed

¡ GRX doesn’t have end-to-end service model for security, IPX has end-to-end model security and QoS.

¡  Both are trust-based, highly interconnected network, made for internet sharing

¡  In both , a failure or malicious activity would affect multiple connected machines

Regin targets GRX Networks 31

GRX Networks – Attack Vectors 32

GRX Networks – Network Flow 33

GRX Networks – Attack Vectors 34 Cellular communication when roaming

Cellular data communication when roaming

GRX/IPX Networks – Network Flow 35

PDP Structure -> IMSI, Subscriber Network, Tunnel Endpoint

Deadly Attacks – GTP Flooding 36

Source: McAfee’s 7 Deadly threats to 4G: 4G LTE Security Roadmap and Reference Design

Fighting Against Nation-State? 38

Meanwhile in the wild

Fighting Against Nation-State? 39

SS7 & SIGTRAN 41

SS7 & SIGTRAN 42

SS7 & SIGTRAN 43 SS7 Introduces procedures for

¡  User identification.

Routing

¡  Billing

¡ Call management

MTP + SCCP = Network Service Part 44

SS7 Protocol Analysis 45

SS7 Protocol Analysis 46 All the juicy info here :

ü  Calling no.

ü  Called no

ü  Call duration

ü  Call duration

ü  Call status

47 SS7 Practical Attack Scenarios

1 • Intercepting subscribers calls


2 • Subscriber service change attacks


3 • Interception of SMS messages

4 • Interception of outgoing calls

5 • Redirection of incoming or outgoing calls

6 • Making changes in user bills or balance


8 • Unblocking stolen mobile devices

IEEE August 2015, Nokia Researchers Espoo, Finland.

Details: http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=7345408

58 Unblocking a stolen phone


1 • Access control for switching IMEI validation

2 • Logging of the activation of validation feature

3 • Filtering on MAP level the CHECK_IMEI request coming from (HLR, MSC)

4 • Layer cross checks – SCCP and MAP layers are consistent

5 • If SS7 run over IP (SIGTRAN) then use IPSec!

What GSM providers do NOT do:

61

Source: https://wikileaks.org/hackingteam/emails/emailid/343623

Hacking Team after SS7 Hacks


9 • User location tracking in LTE Roaming

Author(s) : Silke Holtmans, Nokia R&D & Omer Coskun , KPN REDteam



First location tracking attack – Engel , CCC 2008



Cell-ID location tracking attack – Positive Technologies , 2014

71 Location tracking in LTE Roaming

9 • What’s the issue in LTE Roaming ??

72 Location tracking in LTE Roaming

9 • What’s the issue in LTE Roaming ??


9 • User location tracking in LTE Roaming (new)


9 • User location tracking in LTE Roaming(new)


9 • What’s CELL-ID Location ?


1 •  IPSec following 3GPP TS 33.201 to ensure end of the tunnels know

identities

2 • Proper SMS inboud and outbound routing to prevent operator network

sniffing

3 • Advanced ACL – whitelist/ blacklist partner nodes, anti-spoofing, origin-

realm

4 • Cross-layer checking for messages routed over SS7 and Diameter

What GSM providers do NOT do:

80 How hard could it be ?

v.s.

81 Rootkit Techniques

82 Regin Platform Structure

83 Regin Platform Analysis

• No one had the dropper when started analysis

• Multi stage and encrypted framework structure

• Modules are invoked via SOA structure by the framework

• Malware data are stored inside the VFS

• Researched GSM Networks had no indication of compromise J

¡ Challenges, Hurdles & Difficulties:


¡ What is the solution ?

Regin instrumentation by Mattheiu Kaczmarek: http://artemonsecurity.com/regin_analysis.pdf

RE Orchestrator Memory dumps Static Analysis Instrumentation of Calls

Dynamic Analysis


¡ IDA couldn’t resolve the imports


¡ It seems this is not a valid file header


¡ What is the solution ?

Fix file header

Determine sections

Align sections

Repair entry point

Runnable DLL


¡ IDA and Debugger are happy this time J

90

Demo

91 Regin Platform Stages

92 Regin Platform – Stage 1

95 Regin Platform – Stage 3 & 4

96 Regin Platform – Stage 3 & 4

97 Regin Platform – Stage 3 & 4 – How to Weaponize it ?

1 • Register a call-back function to a process

2 • Log the PID of the target process

3 • Obtain PEB via ZwQueryInformation() for base

adresses of the modules

4 • Obtain the EP via PsLookupProcesByProcess()

5 • Get inside to the process context via

KeStackAttachProcess() referenced by EP

6 • Read PEB and other data in process context

98 Regin Platform – Stage 3 & 4 – How to Weaponize it ?

99 Uruborus < Regin < Duqu2

Uruborus Regin Duqu2

Encrypted VFS Encrypted VFS Encrypted VFS #2

PatchGuard Bypass Fake Certificate Stolen Certificate

Multiple Hooks Orchestrator SOA Orchestrator SOA

AES RC5 Camellia 256, AES, XXTEA

Backdoor/Keylogger Mod

Advanced Network/File Mods

More Advanced Network/File/USB Mods

99 Regin Attack Simulation

Mini Regin Attack Simulator

Covert Channel Data Exfiltration

Run as a thread of legitimate app’s address space

Orchestrator simulator and partial SOA

File system, registry and network calls hooking

Backdoor/Keylogger Mod

99

Demo

99

Questions ?

99 References

¡  http://denmasbroto.com/article-5-gprs-network-architecture.html

¡  http://docstore.mik.ua/univercd/cc/td/doc/product/wireless/moblwrls/cmx/mmg_sg/cmxgsm.htm

¡  http://4g-lte-world.blogspot.nl/2013/03/gprs-tunneling-protocol-gtp-in-lte.html

¡  http://labs.p1sec.com/2013/04/04/ss7-traffic-analysis-with-wireshark/

¡  http://www.gl.com/ss7_network.html

¡  http://www.slideshare.net/mhaviv/ss7-introduction-li-in

¡  http://www.gl.com/ss7.html

InfiltrateCon 2016 - Why Nation-State Hack Telco Networks

Software

Transcript of InfiltrateCon 2016 - Why Nation-State Hack Telco Networks