March 4, 2024 at 02:08AM
Security researcher HaxRob discovered a new Linux backdoor named GTPDOOR, targeting mobile carrier networks with a focus on GRX components. This tool, attributed to the ‘LightBasin’ threat group, can covertly communicate over GPRS Tunnelling Protocol Control Plane, bypassing traditional security solutions. The backdoor’s capabilities and detection strategies are detailed, along with proposed defense measures against it.
Here are the key takeaways from the meeting notes:
1. Security researcher HaxRob discovered a previously unknown Linux backdoor named GTPDOOR, designed for covert operations within mobile carrier networks.
2. The threat actors behind GTPDOOR are targeting systems adjacent to the GPRS roaming eXchange (GRX), such as SGSN, GGSN, and P-GW, which can provide them direct access to a telecom’s core network.
3. GTPDOOR belongs to the ‘LightBasin’ threat group (UNC1945), known for intelligence-collection operations targeting telcos worldwide.
7. Two versions of the backdoor were found in late 2023, both passing largely undetected by antivirus engines. They targeted a very old Red Hat Linux version, indicating that the targeted systems were running outdated software.
5. GTPDOOR is a sophisticated backdoor malware tailored for telecommunications networks, leveraging the GPRS Tunnelling Protocol Control Plane (GTP-C) for covert command and control (C2) communications.
6. It listens for specific GTP-C echo request messages to wake up and execute given commands, sending the output back to its operators.
7. GTPDOOR v1 supports setting a new encryption key, writing data to a local file named ‘system.conf’, and executing shell commands.
8. GTPDOOR v2 supports the operations above plus specifying IP addresses or subnets allowed to communicate with the compromised host through an Access Control List (ACL) mechanism.
9. Detection strategies involve monitoring for unusual raw socket activities, unexpected process names, and specific malware indicators.
10. Defense measures proposed include GTP firewalls with strict rules and adherence to GSMA security guidelines to block or filter out malicious packets and connections.
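As an added illustration of the detection angle in items 6 and 9 (example code, not from the article or HaxRob's research): a GTPv1-C header parser that flags Echo Requests carrying payload beyond the header, since a legitimate echo request has nothing to carry. The sample packets are constructed, and the "any payload is suspicious" heuristic is an assumption for baselining, not a published GTPDOOR signature.

```python
import struct
from dataclasses import dataclass
from typing import Optional

MSG_ECHO_REQUEST = 1  # GTPv1-C message type for Echo Request (UDP 2123)

@dataclass
class GtpHeader:
    msg_type: int
    length: int
    teid: int
    seq: Optional[int]
    payload: bytes  # bytes after the mandatory header and optional fields

def parse_gtpv1(pkt: bytes) -> GtpHeader:
    """Parse the 8-byte GTPv1 header plus optional seq/N-PDU/ext fields."""
    if len(pkt) < 8:
        raise ValueError("short GTP header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", pkt[:8])
    if flags >> 5 != 1:
        raise ValueError("not a GTPv1 packet")
    body = pkt[8:8 + length]
    if len(body) != length:
        raise ValueError("length field exceeds packet")
    seq = None
    if flags & 0x07:  # E, S or PN set: seq(2), N-PDU(1), next ext type(1)
        if len(body) < 4:
            raise ValueError("optional header fields missing")
        seq = struct.unpack("!H", body[:2])[0]
        body = body[4:]
    return GtpHeader(msg_type, length, teid, seq, body)

def echo_request_anomalies(pkt: bytes) -> list:
    """Reasons an Echo Request looks odd; empty list means it looks normal."""
    hdr = parse_gtpv1(pkt)
    if hdr.msg_type != MSG_ECHO_REQUEST:
        return []
    reasons = []
    if hdr.teid != 0:
        reasons.append(f"echo request with non-zero TEID {hdr.teid:#x}")
    if hdr.payload:
        # Heuristic (assumption): TS 29.060 allows only an optional Private
        # Extension IE here, so baseline your peers before alerting on it.
        reasons.append(f"{len(hdr.payload)} bytes of unexpected payload")
    return reasons

# Constructed samples: flags 0x32 = version 1, PT=1, S bit set (seq present).
BENIGN_ECHO = struct.pack("!BBHI", 0x32, 1, 4, 0) + struct.pack("!HBB", 0x1234, 0, 0)
SUSPECT_ECHO = (struct.pack("!BBHI", 0x32, 1, 4 + 9, 0)
                + struct.pack("!HBB", 0x1235, 0, 0) + b"CONSTRUCT")
```

Feed it the UDP payload of captured port-2123 traffic; anything returned by `echo_request_anomalies` is worth a look alongside the raw-socket and process-name checks in item 9.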