DEF CON 23: Why Nation-State Malwares Target Telco Networks - Ömer Coşkun
TRANSCRIPT
Author: Ömer Coşkun
Why Nation-State Malwares Target Telco Networks: Dissecting Technical Capabilities of Regin and Its Counterparts
"The supreme art of war is to subdue the enemy without fighting." - Sun Tzu
Outline
• Overview
• Telecom Network Architecture
• Practical Attack Surfaces
• GRX Attack Vectors
• SS7 Attack Vectors
• Practical Attack Scenarios
• Rootkit Attacks: Regin and its counterparts
• Common Rootkit Techniques and Regin
• Regin vs. Uroburos and Duqu
• Demo: PoC || GTFO
• Questions ?
$ whoami
Ömer Coşkun (@0xM3R)
• BEng. Computer Science
  Research Assistant in Quantum Cryptography & Advanced Topics in AI
• Industry Experience
  KPN – CISO, Ethical Hacking
  Verizon – Threat & Vulnerability Management
  IBM ISS – Threat Intelligence
• Interests
  Algorithm Design, Programming, Cryptography, Reverse Engineering, Malware Analysis, OS Internals, Rootkits
$ REDteam
Motivations
• Analyze existing vulnerabilities and the attack surface of GSM networks
• Governments hack their own citizens
• Surveillance implants shifted focus to telecom networks and network devices
• European telco companies are really paranoid after the Regin attack
• Rootkits are fun: a lot to learn & a challenge
• Reproduce the attack scenario and implement it!
GSM Network Architecture
Regin targets GSM Networks
Determining Attack Surface
Potential Attack Surfaces
• Absence of physical intrusion detection devices
• Vulnerable services running and accessible from the BTS
• Absence of tamper resistance and unauthorized access protection
• Improper network segmentation; inner non-routable segments of the telco company could be accessible
• Core GPRS network and Network Subsystem (NSS) could be exploitable!
GRX Networks
• GPRS Roaming Exchange, interconnecting operator networks
• Your local GSM provider abroad
• Trust-based, highly interconnected network, made for internet sharing
• A failure or malicious activity would affect multiple connected machines
• Multiple attack vectors, not limited to the particular segment you are originating from
GRX Networks – Attack Vectors
![Page 18: DEFCON 23 Why Nation-State Malwares Target Telco Networks - OMER COSKUN](https://reader034.vdocuments.mx/reader034/viewer/2022042615/55d39fdcbb61eb026b8b4663/html5/thumbnails/18.jpg)
GRX Networks – Network Flow 17
![Page 19: DEFCON 23 Why Nation-State Malwares Target Telco Networks - OMER COSKUN](https://reader034.vdocuments.mx/reader034/viewer/2022042615/55d39fdcbb61eb026b8b4663/html5/thumbnails/19.jpg)
GRX Networks – Network Flow 18
Juicy information is here.
![Page 20: DEFCON 23 Why Nation-State Malwares Target Telco Networks - OMER COSKUN](https://reader034.vdocuments.mx/reader034/viewer/2022042615/55d39fdcbb61eb026b8b4663/html5/thumbnails/20.jpg)
GRX Networks – Network Flow 19 And more juicy information is here.
![Page 21: DEFCON 23 Why Nation-State Malwares Target Telco Networks - OMER COSKUN](https://reader034.vdocuments.mx/reader034/viewer/2022042615/55d39fdcbb61eb026b8b4663/html5/thumbnails/21.jpg)
GRX Networks – Attacks & Flaws 20 Are you telling me all your communication intercepted and logged including your physical location?.
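The juicy information on the GRX hop is the GTP-C signalling between the visited SGSN and the home GGSN: the Create PDP Context Request that sets up a roamer's data session carries IMSI, MSISDN, APN, IMEISV and the SGSN address in the clear. As an added example (not code from the talk), the script below builds such a GTPv1-C request from constructed, made-up identifiers and then decodes it the way anyone with a tap on the GRX path could. IE type numbers and the header layout follow 3GPP TS 29.060; only the IEs used here are implemented, the sample includes a single GSN Address IE and omits mandatory IEs such as QoS Profile, so it is a teaching message rather than a standards-complete one.

```python
"""Decode what crosses a GRX: a GTPv1-C Create PDP Context Request (3GPP TS 29.060 subset).

Added example, not code from the talk. The packet built below is constructed and
every subscriber identifier in it is made up (test-network MCC 001 / MNC 01).
"""

GTP_V1_FLAGS = 0x32          # version 1, PT=1 (GTP, not GTP'), S=1 (sequence number present)
CREATE_PDP_CONTEXT_REQ = 16
IE_IMSI, IE_SELECTION_MODE, IE_TEID_DATA, IE_NSAPI = 2, 15, 16, 20
IE_END_USER_ADDR, IE_APN, IE_GSN_ADDR, IE_MSISDN, IE_RAT_TYPE, IE_IMEISV = 128, 131, 133, 134, 151, 154
# Fixed-length (TV) IEs have type < 128; their length is implied by the type.
TV_LENGTHS = {1: 1, 2: 8, 3: 6, 4: 4, 5: 4, 8: 1, 14: 1, 15: 1, 16: 4, 17: 4, 19: 1, 20: 1}


def tbcd_encode(digits: str) -> bytes:
    """TBCD: first digit in the low nibble, odd-length strings padded with 0xF."""
    if len(digits) % 2:
        digits += "F"
    return bytes(int(digits[i + 1], 16) << 4 | int(digits[i], 16) for i in range(0, len(digits), 2))


def tbcd_decode(data: bytes) -> str:
    return "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in data).rstrip("F")


def apn_encode(apn: str) -> bytes:
    """The APN network identifier is DNS-style: each label is prefixed by its length."""
    return b"".join(bytes([len(label)]) + label.encode() for label in apn.split("."))


def apn_decode(data: bytes) -> str:
    labels, i = [], 0
    while i < len(data):
        n = data[i]
        labels.append(data[i + 1:i + 1 + n].decode())
        i += 1 + n
    return ".".join(labels)


def build_create_pdp_request(imsi: str, msisdn: str, apn: str, imeisv: str, sgsn_ip: str, seq: int = 1) -> bytes:
    """What a visited SGSN sends across the GRX to the home GGSN when a roamer attaches."""
    def tv(t, v):  return bytes([t]) + v
    def tlv(t, v): return bytes([t]) + len(v).to_bytes(2, "big") + v
    ies = (tv(IE_IMSI, tbcd_encode(imsi))
           + tv(IE_SELECTION_MODE, b"\xfc")                 # MS or network provided APN, subscription verified
           + tv(IE_TEID_DATA, b"\x00\x00\x12\x34")
           + tv(IE_NSAPI, b"\x05")
           + tlv(IE_END_USER_ADDR, b"\xf1\x21")             # PDP type organisation IETF, PDP type IPv4
           + tlv(IE_APN, apn_encode(apn))
           + tlv(IE_GSN_ADDR, bytes(int(o) for o in sgsn_ip.split(".")))
           + tlv(IE_MSISDN, b"\x91" + tbcd_encode(msisdn))  # 0x91 = international number, E.164 plan
           + tlv(IE_RAT_TYPE, b"\x01")                      # UTRAN
           + tlv(IE_IMEISV, tbcd_encode(imeisv)))
    body = seq.to_bytes(2, "big") + b"\x00\x00" + ies      # sequence number, N-PDU number, next ext header (none)
    header = bytes([GTP_V1_FLAGS, CREATE_PDP_CONTEXT_REQ]) + len(body).to_bytes(2, "big") + bytes(4)  # TEID 0: new context
    return header + body


def parse_gtp(packet: bytes) -> dict:
    flags = packet[0]
    if flags >> 5 != 1 or not flags & 0x10:
        raise ValueError("not a GTPv1 packet")
    length = int.from_bytes(packet[2:4], "big")
    msg = {"type": packet[1], "teid": int.from_bytes(packet[4:8], "big"), "seq": None, "ies": []}
    i = 8
    if flags & 0x07:                      # E, S or PN set: the four optional header octets are present
        msg["seq"] = int.from_bytes(packet[8:10], "big")
        if packet[11] != 0:
            raise ValueError("extension headers not supported in this example")
        i = 12
    end = 8 + length
    while i < end:
        t = packet[i]
        if t < 128:                       # TV: length implied by the type
            n, off = TV_LENGTHS[t], 1
        else:                             # TLV: two-octet length follows the type
            n, off = int.from_bytes(packet[i + 1:i + 3], "big"), 3
        msg["ies"].append((t, bytes(packet[i + off:i + off + n])))
        i += off + n
    return msg


def subscriber_profile(packet: bytes) -> dict:
    """Pull out the identifiers an observer on the GRX path learns from one request."""
    msg = parse_gtp(packet)
    if msg["type"] != CREATE_PDP_CONTEXT_REQ:
        raise ValueError(f"unexpected GTP message type {msg['type']}")
    profile = {"seq": msg["seq"]}
    for t, v in msg["ies"]:
        if t == IE_IMSI:
            profile["imsi"] = tbcd_decode(v)
        elif t == IE_MSISDN:
            profile["msisdn"] = tbcd_decode(v[1:])   # skip the number type / numbering plan octet
        elif t == IE_APN:
            profile["apn"] = apn_decode(v)
        elif t == IE_IMEISV:
            profile["imeisv"] = tbcd_decode(v)
        elif t == IE_GSN_ADDR and len(v) == 4:
            profile["sgsn"] = ".".join(str(b) for b in v)
    return profile


# Constructed sample: a roamer on test-network IMSI 001 01 ... attaching through a visited SGSN.
SAMPLE = build_create_pdp_request("001010123456789", "31612345678", "internet",
                                  "3520990012345678", "10.20.30.40", seq=7)

if __name__ == "__main__":
    for k, v in subscriber_profile(SAMPLE).items():
        print(f"{k:8} {v}")
```

Running the script prints the IMSI, MSISDN, APN, IMEISV and SGSN address recovered from the constructed packet. Nothing in the protocol stops a peer anywhere on the GRX from sending or reading such a request; the only controls are the GRX carrier's filtering and the operator's own border GTP firewall, which is why the slides call this segment trust-based.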
SS7 & SIGTRAN
SS7 introduces procedures for:
• User identification
• Routing
• Billing
• Call management
• SS7 features:
  • Flow control of transmitted information
  • Traffic congestion controls
  • Peer entity status detection (GT + PC or SPC)
  • Traffic monitoring and measurement
SS7 Protocol Analysis
All the juicy info here:
✓ Calling no.
✓ Called no.
✓ Call duration
✓ Call status
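Calling and called numbers travel in the ISUP Initial Address Message that opens every call, and on a SIGTRAN link that is plain M3UA over SCTP with no encryption of its own. As an added example (not code from the talk), the script below builds a constructed IAM per ITU-T Q.763 and decodes the Called Party Number and Calling Party Number parameters back out of it, the way a passive observer on the signalling link would. The numbers are made up, the message starts at the CIC (routing labels already stripped), and only those two parameters are implemented; call duration and status come from the ACM, ANM and REL messages that follow on the same CIC, which are not decoded here.

```python
"""Decode what crosses an SS7/SIGTRAN link: an ISUP Initial Address Message (ITU-T Q.763 subset).

Added example, not code from the talk. The message built below is constructed from
made-up numbers; only the IAM layout and the two number parameters are implemented.
"""

ISUP_IAM = 0x01
PARAM_CALLED_PARTY_NUMBER = 0x04      # mandatory variable-length parameter of the IAM
PARAM_CALLING_PARTY_NUMBER = 0x0A     # optional parameter of the IAM
END_OF_OPTIONAL_PARAMETERS = 0x00
NATURE_OF_ADDRESS = {1: "subscriber", 3: "national", 4: "international"}


def bcd_encode(digits: str) -> bytes:
    """Q.763 address signals: first digit in the low nibble, 0 filler if the digit count is odd."""
    if len(digits) % 2:
        digits += "0"
    return bytes(int(digits[i + 1], 16) << 4 | int(digits[i], 16) for i in range(0, len(digits), 2))


def bcd_decode(data: bytes, odd: bool) -> str:
    digits = "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in data)
    return digits[:-1] if odd else digits


def encode_number(digits: str, nature: int, second_octet: int) -> bytes:
    """Octet 1: odd/even indicator + nature of address; octet 2: numbering plan and indicators."""
    odd_flag = 0x80 if len(digits) % 2 else 0x00
    return bytes([odd_flag | (nature & 0x7F), second_octet]) + bcd_encode(digits)


def decode_number(content: bytes) -> dict:
    odd = bool(content[0] & 0x80)
    return {
        "digits": bcd_decode(content[2:], odd),
        "nature": NATURE_OF_ADDRESS.get(content[0] & 0x7F, "unknown"),
        "numbering_plan": (content[1] >> 4) & 0x07,
        # Bits 4-3 of octet 2 carry the presentation indicator only in the Calling Party Number.
        "presentation_restricted": ((content[1] >> 2) & 0x03) == 1,
    }


def build_iam(cic: int, called: str, calling: str) -> bytes:
    """IAM as carried after the MTP3/M3UA routing label: CIC, message type, parameters."""
    called_param = encode_number(called, nature=4, second_octet=0x10)    # INN=0, numbering plan ISDN/E.164
    calling_param = encode_number(calling, nature=3, second_octet=0x13)  # E.164, presentation allowed, network provided
    fixed = bytes([0x00, 0x60, 0x01, 0x0A, 0x00])   # nature of connection, forward call ind. (2), calling category, TMR
    # Pointers count from the pointer octet itself to the parameter's length octet.
    variable = bytes([2, 2 + len(called_param)]) + bytes([len(called_param)]) + called_param
    optional = bytes([PARAM_CALLING_PARTY_NUMBER, len(calling_param)]) + calling_param + bytes([END_OF_OPTIONAL_PARAMETERS])
    return (cic & 0x0FFF).to_bytes(2, "little") + bytes([ISUP_IAM]) + fixed + variable + optional


def parse_iam(msg: bytes) -> dict:
    """Return the call details an observer on the signalling link sees in the clear."""
    if msg[2] != ISUP_IAM:
        raise ValueError(f"not an IAM: message type 0x{msg[2]:02x}")
    p = 3 + 5                                         # skip CIC, message type and the mandatory fixed part
    called_off = p + msg[p]
    called_len = msg[called_off]
    called = decode_number(msg[called_off + 1:called_off + 1 + called_len])
    call = {"cic": int.from_bytes(msg[0:2], "little") & 0x0FFF,
            "called": called["digits"], "called_nature": called["nature"], "calling": None}
    i = p + 1 + msg[p + 1]                            # start of the optional part
    while i < len(msg) and msg[i] != END_OF_OPTIONAL_PARAMETERS:
        tag, length = msg[i], msg[i + 1]
        if tag == PARAM_CALLING_PARTY_NUMBER:
            calling = decode_number(msg[i + 2:i + 2 + length])
            call["calling"] = calling["digits"]
            call["calling_presentation_restricted"] = calling["presentation_restricted"]
        i += 2 + length
    return call


# Constructed sample: a national caller dialling an international number on circuit 0x123.
SAMPLE_IAM = build_iam(0x123, called="442079460123", calling="31612345678")

if __name__ == "__main__":
    print(parse_iam(SAMPLE_IAM))
```

The decoder deliberately ignores every parameter it does not understand and walks the optional part by tag and length, which is also how a monitoring probe (or an implant on a signalling transfer point) would harvest numbers from live traffic without needing a full ISUP stack.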
SS7 Protocol Attacks & Flaws
Feel confident that the NSA is not interested in 'good' people?
SS7 Practical Attack Scenarios
1. Intercepting subscribers' calls
2. Subscriber service change attacks
3. Interception of SMS messages
4. Interception of outgoing calls
5. Redirection of incoming or outgoing calls
6. Making changes in user bills or balance
7. Unblocking stolen mobile devices
Source: IEEE, August 2015, Nokia researchers, Espoo, Finland.
Hacking Team after SS7 Hacks
Source: https://wikileaks.org/hackingteam/emails/emailid/343623
Rootkit Techniques
Hardware/Software Interception: Captain Hook Style Hacking
Captain Hook style hacking: intercept every function, keep a copy of the content for yourself, and then let the function continue as it was supposed to...
Regin Platform Structure
Regin Platform Analysis
• Challenges, hurdles & difficulties:
  • No one had the dropper when the analysis started
  • Multi-stage and encrypted framework structure
  • Modules are invoked via an SOA structure by the framework
  • Malware data are stored inside the VFS
  • Researched GSM networks had no indication of compromise :)
Regin Platform Analysis
• What is the solution?
  RE the orchestrator, memory dumps, static analysis, instrumentation of calls, dynamic analysis
  Check similar work & the write-up: http://artemonsecurity.com/regin_analysis.pdf
Regin Platform Stages
Regin Platform – Stage 1
Regin Platform – Stage 2
Regin Platform – Stage 3 & 4
Regin Platform – Stage 3 & 4 – How to Weaponize It?
1. Register a callback function to a process
2. Log the PID of the target process
3. Obtain the PEB via ZwQueryInformationProcess() for the base addresses of the modules
4. Obtain the EPROCESS via PsLookupProcessByProcessId()
5. Get inside the process context via KeStackAttachProcess() on that EPROCESS
6. Read the PEB and other data in the process context
Uroburos < Regin < Duqu2
Uroburos               | Regin                      | Duqu2
Encrypted VFS          | Encrypted VFS              | Encrypted VFS #2
PatchGuard bypass      | Fake certificate           | Stolen certificate
Multiple hooks         | Orchestrator SOA           | Orchestrator SOA
AES                    | RC5                        | Camellia 256, AES, XXTEA
Backdoor/keylogger mod | Advanced network/file mods | More advanced network/file/USB mods
Regin Attack Simulation
Mini Regin Attack Simulator:
• Covert channel data exfiltration
• Runs as a thread inside a legitimate app's address space
• Orchestrator simulator and partial SOA
• File system, registry and network call hooking
• Backdoor/keylogger mod
Demo
Questions ?
References
• http://denmasbroto.com/article-5-gprs-network-architecture.html
• http://docstore.mik.ua/univercd/cc/td/doc/product/wireless/moblwrls/cmx/mmg_sg/cmxgsm.htm
• http://4g-lte-world.blogspot.nl/2013/03/gprs-tunneling-protocol-gtp-in-lte.html
• http://labs.p1sec.com/2013/04/04/ss7-traffic-analysis-with-wireshark/
• http://www.gl.com/ss7_network.html
• http://www.slideshare.net/mhaviv/ss7-introduction-li-in
• http://www.gl.com/ss7.html