Author: Ömer Coşkun
Why Nation-State Malwares Target Telco Networks: Dissecting Technical Capabilities of Regin and Its Counterparts – v2
"The supreme art of war is to subdue the enemy without fighting." – Sun Tzu
Apple versus FBI
Did you ever ask 'Why'?
$ whoami
• Ömer Coşkun (@0xM3R), BEng. Computer Science
• Research Assistant in Quantum Cryptography & Advanced Topics in AI
• Industry Experience
  KPN – CISO, Ethical Hacking
  Verizon – Threat & Vulnerability Management
  IBM ISS – Threat Intelligence
• Interests
  Algorithm Design, Programming, Reverse Engineering, Malware Analysis, OS Internals, Rootkits
Outline
• Overview
• Telecom Network Architecture
• Practical Attack Surfaces
• GRX/IPX Attack Vectors
• SS7 Attack Vectors
• Practical Attack Scenarios
• Unblocking Stolen Phones (*new)
• User Location Tracking in the LTE Network (*new)
• Rootkit Attacks: Regin and its counterparts
• Regin Instrumentation and Analysis
• Demo: Dynamic Regin Instrumentation (PoC || GTFO)
• Regin Evolution over Time: Regin vs. Its Counterparts
• Demo: Regin Simulator Rootkit (PoC || GTFO)
• Questions?
$ REDteam
Motivations
• Analyze existing vulnerabilities and the attack surface of GSM networks
• Governments hack their own citizens
• Surveillance implants have shifted focus to telecom networks and network devices
• European telco companies are really paranoid after the Regin attack
• Rootkits are fun: a lot to learn, and a real challenge
• Reproduce the attack scenario and implement it!
GSM Network Architecture (diagram slides)
Regin targets GSM Networks (diagram slides)
Determining Attack Surface (diagram slides)
Potential Attack Surfaces
• Absence of physical intrusion detection devices
• Vulnerable services running and accessible from the BTS
• Absence of cable/device tamper resistance and unauthorized access protection
• Improper network segmentation: inner non-routable segments of the telco company could be accessible
• Core GPRS Network and Network Subsystem (NSS) running exploitable services!
GRX Networks
GRX versus IPX Networks
IPX is similar to GRX, but everything runs over IP and operators can also connect ISPs, ASPs, etc.
• GRX was designed for GPRS roaming and only mobile operators can interconnect; IPX was designed for IP interconnect.
• GRX transport is best-effort traffic; IPX transport is managed.
• GRX has no end-to-end service model for security; IPX has an end-to-end model for security and QoS.
• Both are trust-based, highly interconnected networks, made for internet sharing.
• In both, a failure or malicious activity would affect multiple connected machines.
Regin targets GRX Networks
GRX Networks – Attack Vectors
GRX Networks – Network Flow
GRX Networks – Attack Vectors: cellular (voice and data) communication when roaming
GRX/IPX Networks – Network Flow
PDP Structure -> IMSI, Subscriber Network, Tunnel Endpoint
Deadly Attacks – GTP Flooding
Source: McAfee's 7 Deadly Threats to 4G: 4G LTE Security Roadmap and Reference Design
Potential Attack Surfaces (diagram slides)
Fighting Against Nation-State? Meanwhile in the wild...
SS7 & SIGTRAN
SS7 introduces procedures for:
• User identification
• Routing
• Billing
• Call management
MTP + SCCP = Network Service Part
SS7 Protocol Analysis
All the juicy info is here:
✓ Calling no.
✓ Called no.
✓ Call duration
✓ Call status
SS7 Practical Attack Scenarios
1 • Intercepting subscriber calls
2 • Subscriber service change attacks
3 • Interception of SMS messages
4 • Interception of outgoing calls
5 • Redirection of incoming or outgoing calls
6 • Making changes in user bills or balance
8 • Unblocking stolen mobile devices
IEEE, August 2015, Nokia researchers, Espoo, Finland.
Details: http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=7345408
Unblocking a stolen phone (diagram slides)
What GSM providers do NOT do:
1 • Access control for switching IMEI validation
2 • Logging of the activation of the validation feature
3 • Filtering at the MAP level of CHECK_IMEI requests coming from (HLR, MSC)
4 • Layer cross checks – SCCP and MAP layers are consistent
5 • If SS7 runs over IP (SIGTRAN), then use IPSec!
Hacking Team after SS7 Hacks
Source: https://wikileaks.org/hackingteam/emails/emailid/343623
SS7 Practical Attack Scenarios
9 • User location tracking in LTE Roaming
Authors: Silke Holtmanns, Nokia R&D & Omer Coskun, KPN REDteam
First location tracking attack – Engel, CCC 2008
Cell-ID location tracking attack – Positive Technologies, 2014
Location tracking in LTE Roaming: what's the issue in LTE Roaming?
User location tracking in LTE Roaming (new)
What's CELL-ID location?
What GSM providers do NOT do:
1 • IPSec following 3GPP TS 33.201, so that both ends of the tunnel know each other's identities
2 • Proper SMS inbound and outbound routing to prevent operator network sniffing
3 • Advanced ACLs – whitelist/blacklist partner nodes, anti-spoofing, origin-realm
4 • Cross-layer checking for messages routed over SS7 and Diameter
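As an added example (not from the original slides), here is a small Python model of the "layer cross check" item that appears in both mitigation lists: for an inbound updateLocation it verifies that the SCCP calling-party global title and the MAP-layer VLR number resolve to the same operator, and it accepts CHECK_IMEI only from home-network nodes. The prefix tables, the home operator and the message schema are constructed assumptions for the example.

```python
# Constructed ownership tables for this example (assumptions, not real operator data):
# E.164 global-title prefixes -> operator, and IMSI MCC+MNC -> operator.
GT_PREFIX_TO_OPERATOR = {"31612": "NL-OP-A", "4917": "DE-OP-B", "3361": "FR-OP-C"}
PLMN_TO_OPERATOR = {"20408": "NL-OP-A", "26201": "DE-OP-B", "20810": "FR-OP-C"}
HOME_OPERATOR = "NL-OP-A"  # the network whose HLR/EIR runs this check (assumption)

def operator_of_gt(gt: str):
    """Longest-prefix match of an E.164 global title against the ownership table."""
    for n in range(len(gt), 0, -1):
        if gt[:n] in GT_PREFIX_TO_OPERATOR:
            return GT_PREFIX_TO_OPERATOR[gt[:n]]
    return None

def operator_of_imsi(imsi: str):
    """MCC is 3 digits and MNC 2 or 3, so try the 3-digit MNC before the 2-digit one."""
    for n in (6, 5):
        if imsi[:n] in PLMN_TO_OPERATOR:
            return PLMN_TO_OPERATOR[imsi[:n]]
    return None

def cross_layer_check(msg: dict):
    """Return (accept, reason) for one decoded inbound MAP message.
    Constructed message schema: opcode, sccp_calling_gt, plus vlr_number and imsi
    for updateLocation. A real decoder would fill these from SCCP and TCAP/MAP."""
    sccp_op = operator_of_gt(msg["sccp_calling_gt"])
    if sccp_op is None:
        return False, "SCCP calling GT matches no known operator prefix"
    if msg["opcode"] == "updateLocation":
        # The VLR address inside MAP must belong to the same network as the SCCP sender;
        # a mismatch is the classic sign of a spoofed or relayed message.
        map_op = operator_of_gt(msg["vlr_number"])
        if map_op != sccp_op:
            return False, f"SCCP layer says {sccp_op} but MAP VLR number says {map_op}"
        # The home HLR only serves its own subscribers, so a foreign IMSI is misrouted.
        if operator_of_imsi(msg["imsi"]) != HOME_OPERATOR:
            return False, "IMSI does not belong to the home network"
        return True, "SCCP and MAP layers are consistent"
    if msg["opcode"] == "checkIMEI":
        # CHECK_IMEI is only expected from the home network's own MSC/HLR nodes.
        if sccp_op != HOME_OPERATOR:
            return False, f"checkIMEI from foreign network {sccp_op}"
        return True, "checkIMEI from a home-network node"
    return True, "no cross-layer rule for this opcode"
```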
How hard could it be? (comparison slide)
Rootkit Techniques
Regin Platform Structure
Regin Platform Analysis
• Challenges, Hurdles & Difficulties:
  • No one had the dropper when the analysis started
  • Multi-stage and encrypted framework structure
  • Modules are invoked via a SOA structure by the framework
  • Malware data is stored inside the VFS
  • Researched GSM networks had no indication of compromise :)
• What is the solution?
Regin instrumentation by Matthieu Kaczmarek: http://artemonsecurity.com/regin_analysis.pdf
(diagram: RE Orchestrator, Memory dumps, Static Analysis, Instrumentation of Calls, Dynamic Analysis)
Regin Platform Analysis
• IDA couldn't resolve the imports
• It seems this is not a valid file header
• What is the solution?
Fix file header -> Determine sections -> Align sections -> Repair entry point -> Runnable DLL
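An added example, not from the talk: a Python checker that reports the kinds of header damage the repair steps above address (missing MZ/PE signatures, sections not aligned to SectionAlignment/FileAlignment, raw data past end of file, an entry point outside every section), so you know which step a stage DLL needs before handing it to IDA. The image produced by build_sample() is constructed test data, not a Regin stage.

```python
import struct

def check_pe_header(data: bytes) -> list:
    """Return findings explaining why a PE image would be rejected; [] means the headers look sane."""
    findings = []
    if len(data) < 0x40 or data[:2] != b"MZ":
        return ["no MZ signature: DOS header missing or overwritten"]
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 0x40 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return ["no PE signature at e_lfanew=0x%x" % e_lfanew]
    coff = e_lfanew + 4                                   # 20-byte COFF file header
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                       # optional header follows COFF
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):                       # PE32 / PE32+
        findings.append("unknown optional-header magic 0x%x" % magic)
    entry = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint (RVA)
    sect_align, file_align = struct.unpack_from("<II", data, opt + 32)
    if not sect_align or not file_align or file_align & (file_align - 1):
        return findings + ["invalid SectionAlignment/FileAlignment"]
    entry_in_section = False
    for i in range(nsections):
        off = opt + opt_size + i * 40                      # 40-byte section headers
        if off + 40 > len(data):
            findings.append("section table runs past end of file")
            break
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        if va % sect_align:
            findings.append(f"section {name}: VirtualAddress not aligned to SectionAlignment")
        if rawptr % file_align:
            findings.append(f"section {name}: PointerToRawData not aligned to FileAlignment")
        if rawptr + rawsize > len(data):
            findings.append(f"section {name}: raw data extends past end of file")
        if va <= entry < va + max(vsize, rawsize):
            entry_in_section = True
    if not entry_in_section:
        findings.append("AddressOfEntryPoint 0x%x lies outside every section" % entry)
    return findings

def build_sample(entry=0x1000, va=0x1000, rawptr=0x200) -> bytes:
    """Constructed minimal PE32 with one .text section (test data for this example, not a real sample)."""
    mz = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)
    opt = struct.pack("<HBBIIIIIIIII", 0x10B, 0, 0, 0x200, 0, 0, entry,  # PE32 magic, entry RVA
                      0x1000, 0x2000, 0x400000, 0x1000, 0x200)         # SectionAlignment, FileAlignment
    opt += b"\0" * (0xE0 - len(opt))
    sect = b".text\0\0\0" + struct.pack("<IIII", 0x200, va, 0x200, rawptr) + b"\0" * 16
    return (mz + coff + opt + sect).ljust(0x400, b"\0")
```

Running check_pe_header() on a stage that IDA rejects tells you which of the slide's repair steps (header, sections, alignment, entry point) are actually needed.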
Regin Platform Analysis
• IDA and the debugger are happy this time :)
Demo
Regin Platform Stages
Regin Platform – Stage 1
Regin Platform – Stage 2
Regin Platform – Stage 3 & 4
Regin Platform – Stage 3 & 4 – How to Weaponize it?
1 • Register a call-back function to a process
2 • Log the PID of the target process
3 • Obtain the PEB via ZwQueryInformationProcess() for the base addresses of the modules
4 • Obtain the EP (EPROCESS) via PsLookupProcessByProcessId()
5 • Enter the process context via KeStackAttachProcess(), referenced by the EP
6 • Read the PEB and other data in the process context
Uroburos < Regin < Duqu2

Uroburos               | Regin                      | Duqu2
Encrypted VFS          | Encrypted VFS              | Encrypted VFS #2
PatchGuard Bypass      | Fake Certificate           | Stolen Certificate
Multiple Hooks         | Orchestrator SOA           | Orchestrator SOA
AES                    | RC5                        | Camellia 256, AES, XXTEA
Backdoor/Keylogger Mod | Advanced Network/File Mods | More Advanced Network/File/USB Mods
Regin Attack Simulation
Mini Regin Attack Simulator:
• Covert channel data exfiltration
• Runs as a thread in a legitimate app's address space
• Orchestrator simulator and partial SOA
• File system, registry and network call hooking
• Backdoor/Keylogger Mod
Demo
Questions?