Webinar Mastering 4G - 5G Telecom Threat Intelligence

With ever-evolving threat landscape it is crucial to act smartly and prioritize security actions. Threat-Intelligence becomes crucial. In this webinar presentation on Telecom Threat Intelligence, we have: • Explained the telecom threat landscape and MITRE FiGHT • Incident investigation - phishing, OTP SMS interception, and bank account takeover • Denial of Service via attack on 5G SA core • How to anticipate attack, monitor and promptly break the kill chain in telecom infrastructures.


Mastering 4G/5G Telecom Threat Intelligence

Igor Pigalitsyn - Telecom Security Researcher
Sergey Puzankov - Product Delivery Manager
Kirill Puzankov - Product Manager

Presenters

Igor Pigalitsyn (igor.pigalitsyn@security-gen.com)
• 5 years in telecom security
• Author of the 5G SA Core Security Research white paper
• Telecom Security Researcher in SecurityGen
• Responsible for 5G network security research
• Conducting telecom security assessments for MNOs for many years

Kirill Puzankov (kirill.puzankov@security-gen.com)
• 10 years in telecom security
• Product manager in SecurityGen
• Exploring telco threats and vulnerabilities from SS7 up to 5G
• Growing solutions for protection of mobile core networks as well as for providing visibility of the network security posture

Sergey Puzankov (sergey.puzankov@security-gen.com)
• Engaged in telecom security since 2013
• Research into SS7 security vulnerabilities
• Discovery of techniques to bypass SS7 firewalls
• Contributed to non-commercial security organizations including GSMA and ITU-T
• Presented as a speaker at numerous security conferences
MITRE ATT&CK framework

What is MITRE ATT&CK?

A knowledge base of adversary behavior
▪ Based on real-world observations
▪ Free, open, and globally accessible
▪ A common language
▪ Community-driven
MITRE ATT&CK overview

01 Matrix

02 Platform

03 Tactics, Techniques, Procedures (TTP)

04 Groups

05 Software

06 Mitigations
What is MITRE FiGHT (5G Hierarchy of Threats)?

Items designated with an & are ATT&CK Techniques or Sub-techniques that have 5G relevance.
MITRE FiGHT use cases

• Unified language for security and network professionals
• Security Posture Assessment
• Prioritizing Controls
• Threat Detection and Monitoring, Incident Response
• Red and Blue Team Exercises
• Vendor, Partner, Contractor Evaluation
MITRE FiGHT updates

[Slide: the FiGHT matrix, one column per tactic, technique cells colour-coded by the interface they apply to: Radio interface, Non-SBI, Service Based Interface. Only the column headers and the legend survive extraction.]

Techniques per tactic:
• Reconnaissance: 1 technique
• Resource Development: 2 techniques
• Initial Access: 7 techniques
• Execution: 3 techniques
• Persistence: 4 techniques
• Privilege Escalation: 2 techniques
• Defense Evasion: 9 techniques
• Credential Access: 5 techniques
• Discovery: 14 techniques
• Lateral Movement: 4 techniques
• Collection: 16 techniques
• Command and Control: 1 technique
• Exfiltration: 2 techniques
• Impact: 11 techniques
• Fraud: 5 techniques

144 "how's", the methods attackers use to achieve their tactical goals:
• 83 covered
• 16 require verification
• 45 not covered
5G attack Threat Intelligence

Kill chain: Reconnaissance · Resource Development · Initial Access · Discovery · Collection · Impact

Gather Victim Host Information: Internal resource search

Post-Conditions
• Discovered IP addresses: IP addresses of core network functions known
Obtain Capabilities: Tool

Implementation Examples
• Use of open-source software & testing tools: there are many tools developed to test 5G systems; the same tools can be used for adversarial objectives on a system
Trusted Relationship: MNO Roaming Partners

Pre-Conditions
• Compromised partner: an adversary must already have compromised a trusted PLMN or one of their service providers, e.g. IPX, VAS, etc.

[Slide diagram: the operator's 5G core (NSSF, UDM, PCF, NRF, AUSF, AMF, SMF, UPF, gNB, UE) reached from the interconnection network through the SEPP over HTTP/JSON APIs.]
Network Function Service Discovery

Pre-Conditions
• Access to NRF: NRF is by design open to connections from other network functions. Control of another NF in the operator domain may be required.
• Access to SCP: SCP is compromised to hijack tokens.
Retrieve UE subscription data

Implementation Examples
• AMF retrieves subscription data from UDM: an AMF can extract subscription data (including NSSAIs) for any given UE SUPI by asking the UDM (uses the Nudm_SDM_Get service; SDM = Subscriber Data Management). The UDM does not check that the AMF is the one serving the UE, i.e. the AMF does not need to register itself first as serving the UE via the Nudm_UECM_Registration request. Table 5.2.3.1-1 of [1]
Retrieve UE subscription data

Attacker (as NF) → UDM: GET /nudm-uecm/v1/{ueId}/registrations/amf-3gpp-access
UDM → Attacker: 200 OK

Endpoint Denial of Service: DoS a UE via gNB or NF signaling

Attacker (as NF) → AMF: POST callback (amf-3gpp-access)
AMF → Attacker: 204 No Content
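The two exchanges above both rest on the same gap the previous slide describes: the UDM answers a registration read for any NF, and the AMF honours the callback it learns from that answer. The following Python model, added here as an illustration and not code from SecurityGen or from 3GPP, shows the lenient behaviour beside a hardened one that binds both operations to the NF that actually registered as serving the UE. The NF instance IDs, SUPI and callback URI are constructed sample values; on a real SBI the caller identity would be taken from the OAuth2 access token or the mTLS peer certificate, whereas here it is passed as a plain argument.

```python
"""Serving-AMF binding on Nudm_UECM reads and on the AMF callback.

Added example, not SecurityGen's or 3GPP's code. Lenient mode reproduces
the behaviour on the slides; strict mode checks the caller against the NF
that registered. NF IDs, SUPI and callback URI are constructed values.
"""
from dataclasses import dataclass, field

UECM_PATH = "/nudm-uecm/v1/{supi}/registrations/amf-3gpp-access"


@dataclass
class Udm:
    strict: bool = True                  # False: answer any NF, as on the slide
    registrations: dict = field(default_factory=dict)   # supi -> (amf id, callback uri)
    alarms: list = field(default_factory=list)

    def register_amf(self, caller, supi, callback_uri):
        """PUT on UECM_PATH: Nudm_UECM_Registration by the serving AMF."""
        self.registrations[supi] = (caller, callback_uri)
        return 201

    def get_registration(self, caller, supi):
        """GET on UECM_PATH: only the serving AMF may read it in strict mode."""
        entry = self.registrations.get(supi)
        if entry is None:
            return 404, None
        serving_amf, callback_uri = entry
        if self.strict and caller != serving_amf:
            self.alarms.append(f"UECM read for {supi} by {caller}; serving AMF is {serving_amf}")
            return 403, None
        return 200, {"amfInstanceId": serving_amf, "deregCallbackUri": callback_uri}


@dataclass
class Amf:
    nf_id: str
    udm_id: str                          # the only NF allowed to trigger the callback
    strict: bool = True
    contexts: dict = field(default_factory=dict)        # supi -> state
    alarms: list = field(default_factory=list)

    def attach(self, udm, supi):
        """UE registers; the AMF announces itself to the UDM as serving it."""
        self.contexts[supi] = "REGISTERED"
        udm.register_amf(self.nf_id, supi, f"https://{self.nf_id}.example/dereg/{supi}")

    def deregistration_callback(self, caller, supi):
        """POST on the callback URI; 204 means the UE context was dropped."""
        if supi not in self.contexts:
            return 404
        if self.strict and caller != self.udm_id:
            self.alarms.append(f"callback for {supi} from {caller}; expected {self.udm_id}")
            return 403
        self.contexts.pop(supi)          # UE loses service: the DoS on the slide
        return 204


def run_scenario(strict):
    """A rogue NF reads the registration, then posts the callback.

    The callback is attempted whether or not the read succeeded, so that both
    checks are exercised in strict mode.
    """
    supi = "imsi-234150000000001"        # constructed sample SUPI
    udm = Udm(strict=strict)
    amf = Amf(nf_id="amf-001", udm_id="udm-001", strict=strict)
    amf.attach(udm, supi)
    rogue = "nf-rogue"
    get_status, _body = udm.get_registration(rogue, supi)
    cb_status = amf.deregistration_callback(rogue, supi)
    return {
        "get_status": get_status,
        "callback_status": cb_status,
        "ue_state": amf.contexts.get(supi, "DEREGISTERED"),
        "alarms": udm.alarms + amf.alarms,
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("strict" if mode else "lenient", run_scenario(mode))
```

In lenient mode the rogue NF gets 200 on the read and 204 on the callback and the UE context is gone; in strict mode both calls return 403, the context survives, and each refusal leaves an alarm record that a SIEM can pick up. The binding is deliberately on NF instance identity rather than on NF type, because "is an AMF" is exactly what the slide says is not enough.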
Experience. Incident investigation cases

Problem

A mobile operator came to us with a request for an incident investigation.

Customers complained that money had been withdrawn from their bank accounts. The banks claimed the user credentials were entered correctly, including the one-time passwords sent by SMS.

The operator asked us to:
- Find out how the intruders were able to intercept SMS
- Identify how many subscribers were affected
- Estimate the approximate amount of fraud
Investigation

• Access to the internal signaling monitoring system
• Reproduction of the attack from an external signaling connection
Kill chain: Reconnaissance · Resource Development · Initial Access · Defense Evasion · Collection · Impact

Gather Victim Host Information

Linking of the phone number with the bank account

Acquire Infrastructure

Access SS7 via a fixed operator

[Slide diagram: Fixed Telephony SS7 connected to the Mobile Operator.]

Trusted Relationship

[Slide diagram: the same Fixed Telephony SS7 link into the Mobile Operator, now used as the trusted entry point.]
Bypass home routing

Attacker → SMS home routing → HLR: SendRoutingInfoForSM Req (MSISDN)
HLR → Attacker: SendRoutingInfoForSM Resp (IMSI)

[Slide diagram: Attacker, then inside the Mobile Operator: SMS home routing, HLR, SMS-C; Bank on the far side.]

Subscriber Profile Identifier Discovery

Collecting subscriber IMSIs, using the same SendRoutingInfoForSM Req (MSISDN) / Resp (IMSI) exchange past the SMS home routing node.
Device Database Manipulation

Subscriber registration on the fake network

Attacker → HLR: UpdateLocation (registration in a bogus network)
HLR → Attacker: Acknowledge

[Slide diagram: Attacker, then inside the Mobile Operator: HLR, SMS-C; Bank on the far side.]
Redirection of traffic via user plane network function

[Slides 26 to 32 build up one sequence step by step: money transfer request, OTP initiation, subscriber location request, fake location providing, OTP SMS redirection, money transfer confirmation via OTP, money transferred. Actors: Attacker, Internet, Bank, and inside the Mobile Operator the HLR and SMS-C.]

1. Money transfer request via banking app (web or mobile), over the Internet to the Bank
2. OTP initiate (Bank → SMS-C)
3. SRI4SM(MSISDN) (SMS-C → HLR)
4. SRI4SM(Fake Loc) (HLR → SMS-C, returning the location the attacker registered)
5. OTP SMS (SMS-C → Attacker)
6. OTP (Attacker → Bank)
7. Money transferred ($$$)
Investigation. Findings

1. Intruders used a bypass technique to retrieve the IMSI
2. The network was protected, but it was still possible to intercept OTP SMS
3. Intruders used a GT belonging to a fixed telephone network range
4. Shared information among customers
5. The recommendation was to improve security policies and processes to get better visibility and network protection.
Catch an intruder before the Impact happens

Info from:
• Offensive testing
• Security monitoring
• Incident investigation
• Lab research
• Industry collaboration

→ Processing, Analysis, Integration → TSG Knowledgebase
5G DoS case

Attacker (as NF) → UDM: GET /nudm-uecm/v1/{ueId}/registrations/amf-3gpp-access
UDM → Attacker: 200 OK

Alarms → SIEM/SOAR → Block / Isolate the bad guy
Incident investigation case

Attacker → SMS home routing → HLR: SendRoutingInfoForSM Req (MSISDN)
HLR → Attacker: SendRoutingInfoForSM Resp (IMSI)

Alarms → SIEM/SOAR → Block / Isolate the bad guy

Incident investigation case

Subscriber registration on the fake network

Attacker → HLR: UpdateLocation (registration in a bogus network)

[Slide diagram: Attacker, then inside the Mobile Operator: HLR, SMS-C; Bank on the far side.]
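The two detection slides above flag the same two MAP operations that opened the OTP interception chain earlier: a SendRoutingInfoForSM that gets past home routing and returns an IMSI, and an UpdateLocation that parks the subscriber in a bogus network. The Python detector below is an added example, not SecurityGen's TSG code, showing how such alarms can be produced and correlated from signaling log lines. The log format, the fixed-line GT prefix, the roaming-partner GT list, the MSISDNs and IMSIs are all constructed sample values.

```python
"""Rule-based detection for the SS7 chain in the investigation slides.

Added example, not SecurityGen's code. Rules:
  1. SRI-SM from a calling GT in a fixed-telephony range (finding 3) -> alarm
  2. UpdateLocation from a GT that is not a roaming partner -> alarm
  3. UL for an IMSI that a suspicious SRI-SM from the same GT disclosed
     shortly before -> escalate to block
Log format, GT ranges, MSISDNs and IMSIs below are constructed values.
"""
import re
from dataclasses import dataclass

FIXED_LINE_GT_PREFIXES = ("4412",)                       # constructed fixed-line GT range
ROAMING_PARTNER_GTS = {"33612345678", "49170000001"}     # constructed VLR/MSC GTs allowed to send UL
CORRELATION_WINDOW_S = 600

# Constructed log line shape: "<epoch> <op> cgGT=<gt> [msisdn=<n>] [imsi=<n>]"
LINE_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<op>SRI-SM|UL)\s+cgGT=(?P<gt>\d+)"
    r"(?:\s+msisdn=(?P<msisdn>\d+))?(?:\s+imsi=(?P<imsi>\d+))?$"
)


@dataclass
class MapEvent:
    ts: int
    op: str
    calling_gt: str
    msisdn: str
    imsi: str


@dataclass
class Alarm:
    ts: int
    gt: str
    technique: str       # named as on the slides
    action: str          # "alarm" or "block"


def parse_line(line):
    """Return a MapEvent for a well-formed line, None otherwise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return MapEvent(int(m["ts"]), m["op"], m["gt"], m["msisdn"] or "", m["imsi"] or "")


def analyse(lines):
    """Run the three rules over log lines; return (alarms, GTs to block)."""
    alarms, blocked = [], set()
    disclosed = {}                       # imsi -> (gt, ts) of the suspicious SRI-SM
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.op == "SRI-SM" and ev.calling_gt.startswith(FIXED_LINE_GT_PREFIXES):
            alarms.append(Alarm(ev.ts, ev.calling_gt,
                                "Bypass home routing / Subscriber Profile Identifier Discovery",
                                "alarm"))
            if ev.imsi:                  # the response leaked a real IMSI
                disclosed[ev.imsi] = (ev.calling_gt, ev.ts)
        elif ev.op == "UL" and ev.calling_gt not in ROAMING_PARTNER_GTS:
            prior = disclosed.get(ev.imsi)
            same_actor = prior is not None and prior[0] == ev.calling_gt
            if same_actor and ev.ts - prior[1] <= CORRELATION_WINDOW_S:
                action = "block"         # IMSI harvest followed by bogus registration
                blocked.add(ev.calling_gt)
            else:
                action = "alarm"
            alarms.append(Alarm(ev.ts, ev.calling_gt,
                                "Device Database Manipulation (UpdateLocation)", action))
    return alarms, blocked


# Constructed sample log: partner SRI-SM, fixed-line SRI-SM leaking an IMSI,
# UL from the same fixed-line GT 30 s later, partner UL, UL from an unknown GT.
SAMPLE_LOG = """\
1700000000 SRI-SM cgGT=33612345678 msisdn=447700900100 imsi=234150000000100
1700000010 SRI-SM cgGT=441290000001 msisdn=447700900123 imsi=234150000000123
1700000040 UL cgGT=441290000001 imsi=234150000000123
1700000200 UL cgGT=49170000001 imsi=234150000000555
1700000300 UL cgGT=882000000009 imsi=234150000000777
"""

if __name__ == "__main__":
    found, to_block = analyse(SAMPLE_LOG.splitlines())
    for a in found:
        print(a)
    print("block:", sorted(to_block))
```

On the sample log this yields three alarms and one block decision: the fixed-line SRI-SM is alarmed on its own, the UpdateLocation that follows from the same GT for the disclosed IMSI is escalated to a block (the point at which the slides cut the chain, before the OTP SMS is rerouted), and the lone UpdateLocation from an unknown GT stays an alarm for the analyst. Allow-listing partner GTs and a fixed-line prefix is the simplest form of the policy; a production rule set would take both from the operator's roaming and interconnect agreements.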
[Slide diagram: Infra, Ecosystem and Clients feeding training alarms into SIEM/SOAR, which in turn drives training blockage and training isolation.]
Conclusion

• TSG threat detection for 4G/5G and legacy networks
• Threat Intelligence sharing for FW, SIEM, SOAR
• Threat verification & prioritization of response

Threat Detection: detects dangerous signaling activity, such as unusual traffic patterns or attempts to exploit control plane vulnerabilities.

Fast Response: provides a fast response through integration with enforcement systems, helping to cut the kill chain before any negative impact occurs.

Continuous Readiness: continuously ensures access to the latest Threat Intelligence and verifies threats for prioritization of security activities.
Questions
contact@secgen.com

www.secgen.com
