InfiltrateCon 2016 - Why Nation-State Hack Telco Networks
![Page 1: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/1.jpg)
Author: Ömer Coşkun
Why Nation-State Malwares Target Telco Networks: Dissecting Technical Capabilities of Regin and Its Counterparts – v2
The supreme art of war is to subdue the enemy without fighting. Sun Tzu
![Page 2: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/2.jpg)
1 Apple versus FBI
![Page 3: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/3.jpg)
2 Did you ever ask ‘Why’?
![Page 4: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/4.jpg)
![Page 5: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/5.jpg)
$ whoami
Ömer Coşkun (@0xM3R)
- BEng. Computer Science; Research Assistant in Quantum Cryptography & Advanced Topics in AI
- Industry Experience: KPN – CISO, Ethical Hacking; Verizon – Threat & Vulnerability Management; IBM ISS – Threat Intelligence
- Interests: Algorithm Design, Programming, Reverse Engineering, Malware Analysis, OS Internals, Rootkits
![Page 6: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/6.jpg)
Outline
- Overview
- Telecom Network Architecture
- Practical Attack Surfaces
- GRX/IPX Attack Vectors
- SS7 Attack Vectors
- Practical Attack Scenarios
  - Unblocking Stolen Phones (*new)
  - User Location Tracking in the LTE Network (*new)
- Rootkit Attacks: Regin and its counterparts
  - Regin Instrumentation and Analysis
  - Demo: Dynamic Regin Instrumentation (PoC || GTFO)
  - Regin Evolution over Time: Regin vs. Its Counterparts
  - Demo: Regin Simulator Rootkit (PoC || GTFO)
- Questions?
![Page 7: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/7.jpg)
$ REDteam
![Page 8: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/8.jpg)
Motivations
- Analyze existing vulnerabilities and the attack surface of GSM networks
- Governments hack their own citizens
- Surveillance implants have shifted focus to telecom networks and network devices
- European telco companies are really paranoid after the Regin attack
- Rootkits are fun: a lot to learn & a challenge
- Reproduce the attack scenario and implement it!
![Page 9: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/9.jpg)
GSM Network Architecture 6
![Page 10: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/10.jpg)
GSM Network Architecture 7
![Page 11: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/11.jpg)
GSM Network Architecture 8
![Page 12: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/12.jpg)
GSM Network Architecture 9
![Page 13: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/13.jpg)
GSM Network Architecture 10
![Page 14: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/14.jpg)
GSM Network Architecture 11
![Page 15: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/15.jpg)
GSM Network Architecture 12
![Page 16: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/16.jpg)
GSM Network Architecture 13
![Page 17: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/17.jpg)
GSM Network Architecture 14
![Page 18: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/18.jpg)
GSM Network Architecture 15
![Page 19: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/19.jpg)
GSM Network Architecture 16
![Page 20: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/20.jpg)
GSM Network Architecture 17
![Page 21: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/21.jpg)
GSM Network Architecture 18
![Page 22: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/22.jpg)
Regin targets GSM Networks 19
![Page 23: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/23.jpg)
Regin targets GSM Networks 20
![Page 24: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/24.jpg)
Determining Attack Surface 21
![Page 25: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/25.jpg)
Determining Attack Surface 22
![Page 26: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/26.jpg)
Determining Attack Surface 23
![Page 27: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/27.jpg)
Determining Attack Surface 24
![Page 28: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/28.jpg)
Potential Attack Surfaces 25
![Page 29: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/29.jpg)
Potential Attack Surfaces
- Absence of physical intrusion detection devices
- Vulnerable services running and accessible from the BTS
- Absence of cable/device tamper resistance and unauthorized access protection
- Improper network segmentation; inner non-routable segments of the telco could be accessible
- Core GPRS Network and Network Subsystem (NSS) running exploitable services!
![Page 30: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/30.jpg)
Potential Attack Surfaces 27
![Page 31: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/31.jpg)
GRX Networks 28
![Page 32: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/32.jpg)
GRX versus IPX Networks 29
IPX is similar to GRX, but everything runs over IP and operators can also connect ISPs, ASPs, etc.
![Page 33: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/33.jpg)
GRX vs. IPX Networks
- GRX was designed for GPRS roaming and only mobile operators can interconnect; IPX was designed for IP interconnect.
- GRX transport is best-effort traffic; IPX is managed.
- GRX has no end-to-end service model for security; IPX has an end-to-end model for security and QoS.
- Both are trust-based, highly interconnected networks, made for internet sharing.
- In both, a failure or malicious activity would affect multiple connected machines.
![Page 34: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/34.jpg)
Regin targets GRX Networks 31
![Page 35: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/35.jpg)
GRX Networks – Attack Vectors 32
![Page 36: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/36.jpg)
GRX Networks – Network Flow 33
![Page 37: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/37.jpg)
GRX Networks – Attack Vectors 34
Cellular communication when roaming
Cellular data communication when roaming
![Page 38: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/38.jpg)
GRX/IPX Networks – Network Flow 35
PDP Structure -> IMSI, Subscriber Network, Tunnel Endpoint
![Page 39: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/39.jpg)
Deadly Attacks – GTP Flooding 36
Source: McAfee’s 7 Deadly threats to 4G: 4G LTE Security Roadmap and Reference Design
![Page 40: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/40.jpg)
Potential Attack Surfaces 37
![Page 41: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/41.jpg)
Fighting Against Nation-State? 38
Meanwhile in the wild
![Page 42: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/42.jpg)
Fighting Against Nation-State? 39
![Page 43: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/43.jpg)
Potential Attack Surfaces 40
![Page 44: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/44.jpg)
SS7 & SIGTRAN 41
![Page 45: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/45.jpg)
SS7 & SIGTRAN 42
![Page 46: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/46.jpg)
SS7 & SIGTRAN 43
SS7 introduces procedures for:
- User identification
- Routing
- Billing
- Call management
![Page 47: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/47.jpg)
MTP + SCCP = Network Service Part 44
![Page 48: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/48.jpg)
SS7 Protocol Analysis 45
![Page 49: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/49.jpg)
SS7 Protocol Analysis 46
All the juicy info is here:
- Calling no.
- Called no.
- Call duration
- Call status
![Page 50: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/50.jpg)
47 SS7 Practical Attack Scenarios
1 • Intercepting subscribers calls
![Page 51: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/51.jpg)
48 SS7 Practical Attack Scenarios
2 • Subscriber service change attacks
![Page 52: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/52.jpg)
49 SS7 Practical Attack Scenarios
3 • Interception of SMS messages
4 • Interception of outgoing calls
5 • Redirection of incoming or outgoing calls
6 • Making changes in user bills or balance
![Page 53: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/53.jpg)
50 SS7 Practical Attack Scenarios
![Page 54: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/54.jpg)
51 SS7 Practical Attack Scenarios
![Page 55: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/55.jpg)
52 SS7 Practical Attack Scenarios
![Page 56: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/56.jpg)
53 SS7 Practical Attack Scenarios
![Page 57: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/57.jpg)
54 SS7 Practical Attack Scenarios
![Page 58: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/58.jpg)
55 SS7 Practical Attack Scenarios
![Page 59: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/59.jpg)
56 SS7 Practical Attack Scenarios
8 • Unblocking stolen mobile devices
IEEE August 2015, Nokia Researchers Espoo, Finland.
Details: http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=7345408
![Page 60: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/60.jpg)
57 SS7 Practical Attack Scenarios
8 • Unblocking stolen mobile devices
![Page 61: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/61.jpg)
58 Unblocking a stolen phone
![Page 62: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/62.jpg)
59 SS7 Practical Attack Scenarios
8 • Unblocking stolen mobile devices
![Page 63: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/63.jpg)
60 SS7 Practical Attack Scenarios
What GSM providers do NOT do:
1 • Access control for switching IMEI validation
2 • Logging of the activation of the validation feature
3 • Filtering on MAP level the CHECK_IMEI request coming from (HLR, MSC)
4 • Layer cross checks – SCCP and MAP layers are consistent
5 • If SS7 runs over IP (SIGTRAN), then use IPSec!
![Page 64: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/64.jpg)
61 Hacking Team after SS7 Hacks
Source: https://wikileaks.org/hackingteam/emails/emailid/343623
![Page 65: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/65.jpg)
62 SS7 Practical Attack Scenarios
9 • User location tracking in LTE Roaming
Author(s): Silke Holtmanns, Nokia R&D & Omer Coskun, KPN REDteam
![Page 66: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/66.jpg)
63 SS7 Practical Attack Scenarios
9 • User location tracking in LTE Roaming
![Page 67: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/67.jpg)
64 SS7 Practical Attack Scenarios
9 • User location tracking in LTE Roaming
![Page 68: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/68.jpg)
65 SS7 Practical Attack Scenarios
9 • User location tracking in LTE Roaming
First location tracking attack – Engel , CCC 2008
![Page 69: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/69.jpg)
66 SS7 Practical Attack Scenarios
9 • User location tracking in LTE Roaming
First location tracking attack – Engel , CCC 2008
![Page 70: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/70.jpg)
67 SS7 Practical Attack Scenarios
9 • User location tracking in LTE Roaming
First location tracking attack – Engel , CCC 2008
![Page 71: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/71.jpg)
68 SS7 Practical Attack Scenarios
9 • User location tracking in LTE Roaming
Cell-ID location tracking attack – Positive Technologies , 2014
![Page 72: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/72.jpg)
69 SS7 Practical Attack Scenarios
9 • User location tracking in LTE Roaming
Cell-ID location tracking attack – Positive Technologies , 2014
![Page 73: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/73.jpg)
70 SS7 Practical Attack Scenarios
9 • User location tracking in LTE Roaming
Cell-ID location tracking attack – Positive Technologies , 2014
![Page 74: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/74.jpg)
71 Location tracking in LTE Roaming
9 • What's the issue in LTE Roaming?
![Page 75: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/75.jpg)
72 Location tracking in LTE Roaming
9 • What's the issue in LTE Roaming?
![Page 76: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/76.jpg)
73 SS7 Practical Attack Scenarios
9 • User location tracking in LTE Roaming (new)
![Page 77: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/77.jpg)
74 SS7 Practical Attack Scenarios
9 • User location tracking in LTE Roaming (new)
![Page 78: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/78.jpg)
75 SS7 Practical Attack Scenarios
9 • User location tracking in LTE Roaming (new)
![Page 79: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/79.jpg)
76 SS7 Practical Attack Scenarios
9 • User location tracking in LTE Roaming(new)
![Page 80: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/80.jpg)
77 SS7 Practical Attack Scenarios
9 • User location tracking in LTE Roaming(new)
![Page 81: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/81.jpg)
78 SS7 Practical Attack Scenarios
9 • What's CELL-ID Location?
![Page 82: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/82.jpg)
79 SS7 Practical Attack Scenarios
What GSM providers do NOT do:
1 • IPSec following 3GPP TS 33.201, to ensure the ends of the tunnels know each other's identities
2 • Proper SMS inbound and outbound routing to prevent operator network sniffing
3 • Advanced ACL – whitelist/blacklist partner nodes, anti-spoofing, origin-realm
4 • Cross-layer checking for messages routed over SS7 and Diameter
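The two "what GSM providers do NOT do" lists above (the IMEI-validation slide and this one) describe the same family of interconnect controls: a partner ACL, a MAP-level filter for CHECK_IMEI, a consistency check between the SCCP and MAP layers, and Origin-Realm anti-spoofing on Diameter. The following is an added example, not code from the talk or from KPN, of what such a signalling-firewall rule set looks like in miniature. Every prefix, realm, host name and message below is constructed; the MAP operation codes are the 3GPP TS 29.002 values.

```python
"""Constructed example of signalling-firewall checks for SS7/MAP and Diameter
roaming traffic: partner ACLs, a MAP-level checkIMEI filter, SCCP/MAP
cross-layer consistency and Diameter Origin-Realm anti-spoofing.
All addresses, realms and prefixes below are made up."""
import logging
from dataclasses import dataclass
from typing import Dict, Optional, Set

log = logging.getLogger("sigfw")
logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")

# MAP operation codes from 3GPP TS 29.002
MAP_UPDATE_LOCATION = 2
MAP_CHECK_IMEI = 43

# Hypothetical operator configuration (constructed values)
HOME_PREFIX = "31650"                              # our own Global Title range
PARTNER_WHITELIST: Set[str] = {"49170", "4477"}    # roaming partners' GT ranges
PARTNER_BLACKLIST: Set[str] = {"1555"}
KNOWN_DIAMETER_PEERS: Dict[str, str] = {           # transport peer host -> realm it may claim
    "dra1.partner-a.example": "partner-a.example",
}


@dataclass
class Ss7Message:
    sccp_calling_gt: str        # SCCP calling-party Global Title (E.164 digits)
    map_opcode: int
    map_origin_addr: str = ""   # node address carried inside the MAP payload (e.g. vlrNumber)


@dataclass
class DiameterMessage:
    peer_host: str      # host the message physically arrived from
    origin_host: str    # Origin-Host AVP
    origin_realm: str   # Origin-Realm AVP
    command: str        # e.g. "ULR"


@dataclass
class Verdict:
    allowed: bool
    reason: str


def network_of(addr: str) -> Optional[str]:
    """Map an E.164 address to the configured network prefix it belongs to."""
    digits = addr.lstrip("+")
    prefixes = sorted({HOME_PREFIX, *PARTNER_WHITELIST, *PARTNER_BLACKLIST},
                      key=len, reverse=True)
    for prefix in prefixes:
        if digits.startswith(prefix):
            return prefix
    return None


def _decide(allowed: bool, reason: str, msg) -> Verdict:
    # Every decision is logged; the slides list missing logging as one of the gaps
    log.info("%s %s %r", "ALLOW" if allowed else "DROP", reason, msg)
    return Verdict(allowed, reason)


def check_ss7(msg: Ss7Message) -> Verdict:
    src = network_of(msg.sccp_calling_gt)
    if src is None:
        return _decide(False, "calling GT not in partner ACL", msg)
    if src in PARTNER_BLACKLIST:
        return _decide(False, "calling GT blacklisted", msg)
    # checkIMEI is an intra-network MSC/SGSN -> EIR operation; it should never
    # arrive over the interconnect, whatever node type the sender claims to be
    if msg.map_opcode == MAP_CHECK_IMEI and src != HOME_PREFIX:
        return _decide(False, "checkIMEI from interconnect", msg)
    # Cross-layer check: the address inside the MAP payload must belong to the
    # same network as the SCCP sender, otherwise one of the two layers is spoofed
    if msg.map_origin_addr and network_of(msg.map_origin_addr) != src:
        return _decide(False, "SCCP/MAP origin mismatch", msg)
    return _decide(True, "ok", msg)


def check_diameter(msg: DiameterMessage) -> Verdict:
    expected_realm = KNOWN_DIAMETER_PEERS.get(msg.peer_host)
    if expected_realm is None:
        return _decide(False, "unknown Diameter peer", msg)
    # Anti-spoofing: the realm a peer claims must be the realm it was onboarded with
    if msg.origin_realm != expected_realm:
        return _decide(False, "Origin-Realm does not match peer", msg)
    if not msg.origin_host.endswith("." + msg.origin_realm):
        return _decide(False, "Origin-Host outside Origin-Realm", msg)
    return _decide(True, "ok", msg)


if __name__ == "__main__":
    check_ss7(Ss7Message("491701234567", MAP_UPDATE_LOCATION, "491701234567"))
    check_ss7(Ss7Message("491709999999", MAP_CHECK_IMEI))
    check_ss7(Ss7Message("491701234567", MAP_UPDATE_LOCATION, "447712345678"))
    check_diameter(DiameterMessage("dra1.partner-a.example", "mme1.home.example",
                                   "home.example", "ULR"))
```

The cross-layer rule is the one that catches the attack shape the slides describe: a message whose SCCP calling party looks like a trusted partner while the MAP payload names a node in a different network. A real deployment would key the ACL on full Global Title ranges and SCCP subsystem numbers rather than on bare prefixes, but the decision structure is the same.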
![Page 83: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/83.jpg)
80 How hard could it be?
vs.
![Page 84: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/84.jpg)
81 Rootkit Techniques
![Page 85: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/85.jpg)
82 Regin Platform Structure
![Page 86: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/86.jpg)
83 Regin Platform Analysis
Challenges, Hurdles & Difficulties:
- No one had the dropper when the analysis started
- Multi-stage and encrypted framework structure
- Modules are invoked via an SOA structure by the framework
- Malware data is stored inside the VFS
- The GSM networks researched had no indication of compromise :)
![Page 87: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/87.jpg)
84 Regin Platform Analysis
What is the solution?
Regin instrumentation by Matthieu Kaczmarek: http://artemonsecurity.com/regin_analysis.pdf
Workflow: RE Orchestrator → Memory dumps → Static Analysis → Instrumentation of Calls → Dynamic Analysis
![Page 88: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/88.jpg)
85 Regin Platform Analysis
- IDA couldn't resolve the imports
![Page 89: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/89.jpg)
86 Regin Platform Analysis
- It seems this is not a valid file header
![Page 90: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/90.jpg)
87 Regin Platform Analysis
- It seems this is not a valid file header
![Page 91: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/91.jpg)
88 Regin Platform Analysis
What is the solution?
Fix file header → Determine sections → Align sections → Repair entry point → Runnable DLL
![Page 92: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/92.jpg)
89 Regin Platform Analysis
- IDA and the debugger are happy this time :)
![Page 93: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/93.jpg)
90 Demo
![Page 94: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/94.jpg)
91 Regin Platform Stages
![Page 95: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/95.jpg)
92 Regin Platform – Stage 1
![Page 96: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/96.jpg)
93 Regin Platform – Stage 2
![Page 97: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/97.jpg)
94 Regin Platform – Stage 2
![Page 98: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/98.jpg)
95 Regin Platform – Stage 3 & 4
![Page 99: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/99.jpg)
96 Regin Platform – Stage 3 & 4
![Page 100: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/100.jpg)
97 Regin Platform – Stage 3 & 4 – How to Weaponize it?
1 • Register a call-back function to a process
2 • Log the PID of the target process
3 • Obtain the PEB via ZwQueryInformation() for the base addresses of the modules
4 • Obtain the EP via PsLookupProcesByProcess()
5 • Enter the process context via KeStackAttachProcess() referenced by the EP
6 • Read the PEB and other data in the process context
![Page 101: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/101.jpg)
98 Regin Platform – Stage 3 & 4 – How to Weaponize it?
![Page 102: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/102.jpg)
99 Uroburos < Regin < Duqu2

| Uroburos | Regin | Duqu2 |
|---|---|---|
| Encrypted VFS | Encrypted VFS | Encrypted VFS #2 |
| PatchGuard bypass | Fake certificate | Stolen certificate |
| Multiple hooks | Orchestrator SOA | Orchestrator SOA |
| AES | RC5 | Camellia 256, AES, XXTEA |
| Backdoor/Keylogger mod | Advanced Network/File mods | More advanced Network/File/USB mods |
![Page 103: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/103.jpg)
99 Regin Attack Simulation
Mini Regin Attack Simulator:
- Covert channel data exfiltration
- Runs as a thread in a legitimate app's address space
- Orchestrator simulator and partial SOA
- File system, registry and network call hooking
- Backdoor/Keylogger mod
![Page 104: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/104.jpg)
99 Demo
![Page 105: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/105.jpg)
99 Questions?
![Page 106: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/106.jpg)
![Page 107: InfiltrateCon 2016 - Why Nation-State Hack Telco Networks](https://reader031.fdocuments.net/reader031/viewer/2022030305/587230111a28ab3b7a8b76b5/html5/thumbnails/107.jpg)
99 References
- http://denmasbroto.com/article-5-gprs-network-architecture.html
- http://docstore.mik.ua/univercd/cc/td/doc/product/wireless/moblwrls/cmx/mmg_sg/cmxgsm.htm
- http://4g-lte-world.blogspot.nl/2013/03/gprs-tunneling-protocol-gtp-in-lte.html
- http://labs.p1sec.com/2013/04/04/ss7-traffic-analysis-with-wireshark/
- http://www.gl.com/ss7_network.html
- http://www.slideshare.net/mhaviv/ss7-introduction-li-in
- http://www.gl.com/ss7.html