Mastering 4G/5G Telecom Threat Intelligence
Igor Pigalitsyn - Telecom Security Researcher
Sergey Puzankov - Product Delivery Manager
Kirill Puzankov - Product Manager
Presenters

Igor Pigalitsyn (igor.pigalitsyn@security-gen.com)
• 5 years in telecom security
• Author of the 5G SA Core Security Research white paper
• Telecom Security Researcher at SecurityGen
• Responsible for 5G network security research
• Conducting telecom security assessments for MNOs for many years

Kirill Puzankov (kirill.puzankov@security-gen.com)
• 10 years in telecom security
• Product Manager at SecurityGen
• Exploring telco threats and vulnerabilities from SS7 up to 5G
• Growing solutions for protection of mobile core networks and for visibility of the network security posture

Sergey Puzankov (sergey.puzankov@security-gen.com)
• Engaged in telecom security since 2013
• Research into SS7 security vulnerabilities
• Discovery of techniques to bypass SS7 firewalls
• Contributed to non-commercial security organizations including GSMA and ITU-T
• Presented as a speaker at numerous security conferences
MITRE ATT&CK framework
What is MITRE ATT&CK?
A knowledge base of adversary behavior
▪ Based on real-world observations
▪ Free, open, and globally accessible
▪ A common language
▪ Community-driven
MITRE ATT&CK overview
01 Matrix
02 Platform
03 Tactics, Techniques, Procedures (TTP)
04 Groups
05 Software
06 Mitigations
What is MITRE FiGHT (5G Hierarchy of Threats)?
Items designated with an & are ATT&CK Techniques or Sub-techniques that have 5G relevance.
MITRE FiGHT use cases
• Unified language for security and network professionals
• Security posture assessment
• Prioritizing controls
• Threat detection and monitoring, incident response
• Red and blue team exercises
• Vendor, partner, contractor evaluation
MITRE FiGHT matrix (slide image; technique and sub-technique cells are listed below in reading order, with repeated cells removed)

Tactics and technique counts, in the column order shown on the slide:
Reconnaissance (1), Resource Development (2), Initial Access (7), Execution (3), Persistence (4), Privilege Escalation (2), Defense Evasion (9), Credential Access (5), Discovery (14), Lateral Movement (4), Collection (16), Command and Control (1), Exfiltration (2), Impact (11), Fraud (5)

Technique cells (an & marks an ATT&CK technique or sub-technique with 5G relevance):
• Gather Victim Host Information &
• Internal resource search
• Fake Cellular Base Station or Access Point
• DNS Manipulation
• Layer 2 Redirection of Encrypted DNS
• Registration of malicious network functions
• Implant Internal Image &
• Escape to Host &
• Malicious privileged container
• VNF
• Shared Resource
• Bypass home routing
• Supply Chain Compromise &
• SIM Credential Theft
• Network Function Service Discovery
• Controller
• Standard Application Layer Protocol &
• Exfiltration Over Alternative Protocol &
• Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol &
• Jamming or Denial of Service &
• Abuse of Inter-operator Interfaces
• Programmable UE devices
• Unauthorized access to Network Exposure Function (NEF) via token
• Software Deployment Tools &
• Valid Accounts &
• Cloud Accounts &
• Rootkit &
• Network Sniffing &
• vSwitch
• Automated Exfiltration &
• Traffic Duplication &
• Redirection of traffic via user plane network function
• Alter Subscriber Profile
• Stage Capabilities &
• Configurability of Fake Base Station or Access Point
• Compromise Service Supply Chain
• Radio Intelligent Controller (RIC)
• Local Accounts &
• Manipulate Virtual Network Function (VNF) Configuration
• Container Administration Command &
• Accessing Terminated VNF
• Remote Services &
• Memory Scraping
• Tunnel Endpoint ID (TEID) uniqueness failure
• Falsify interconnect invoice
• Exploit Public-Facing Application &
• X-App
• Malicious co-tenancy exploit of NFVI (Network Slice)
• Credentials from Password Stores &
• Hardware Security Module Key Signing
• Device Database Manipulation
• SIM cloning
• Exploit Semi-public Facing Application
• rApps
• Pre-OS Boot &
• Unauthorized software in NFVI
• Network Slice infrastructure resource hijacking
• Roaming and Interconnection
• Malicious VNF Instantiation
• Fraudulent AMF registration for UE in UDM
• Charging fraud via NF control
• Trusted Relationship &
• MNO Roaming Partners
• Spoof network slice identifier
• Radio interface
• Shared resource discovery
• Network Slice application resource hijacking
• Non-SBI
• Cabling and junction boxes
• Network Interfaces
• Service Based Interface
• Remote System Discovery &
• Radio Access Hardware
• Impair Defenses &
• Bid down UE
• Network Service Scanning &
• Subscriber Profile Identifier Discovery
• Obtain subscriber identifier via NF
• Edge servers
• Intercept Home Network via SUCI
• Theft of Assets
• Intercept bid-down SUPI
• 5G-GUTI reuse
• Intercept unencrypted SUPI
• Core Network Function Signaling
• Service Exhaustion Flood &
• Discover network slice identifier
• Passive radio signals observation
• Consume data allocation to deny or degrade service
• Self Location Measurement
• Trigger fraud alert to deny service
• Shared Network Function in slice
• DOS a UE via gNB or NF signaling
• NAS Exploit
• Retrieve UE subscription data
• Flooding of core network components
• Network-side SMS collection
• Shared slice common control network function resource
• Charging Data Record (CDR) collection
• Data Manipulation &
• Transmitted Data Manipulation &
• Adversary-in-the-Middle &
• Network Boundary Bridging &
• Weaken Integrity
• Vandalism of Network Infrastructure
• Locate UE
• Weaken Encryption &
• Endpoint Denial of Service &
• Network Denial of Service &
• Acquire Infrastructure &
• Network Flow Manipulation
• gNodeB Component Manipulation
144 "how's", the methods attackers use to achieve their tactical goals: 83 covered, 16 require verification, 45 not covered.
MITRE FiGHT updates

5G attack Threat Intelligence
Gather Victim Host Information: Internal resource search
Post-conditions:
• Discovered IP addresses: IP addresses of core network functions are known.
Kill chain on the slide: Reconnaissance > Resource Development > Initial Access > Discovery > Collection > Impact
Obtain Capabilities: Tool
Implementation example:
• Use of open-source software and testing tools: many tools have been developed to test 5G systems; the same tools can be used for adversarial objectives against a system.
Trusted Relationship: MNO Roaming Partners
Pre-conditions:
• Compromised partner: an adversary must already have compromised a trusted PLMN or one of its service providers, e.g. IPX, VAS, etc.
Diagram: 5G core functions (NSSF, UDM, PCF, NRF, AUSF, AMF, SMF, UPF) exposing APIs (HTTP/JSON), the SEPP facing the interconnection network, gNB and UE.
Network Function Service Discovery
Pre-conditions:
• Access to NRF: the NRF is by design open to connections from other network functions. Control of another NF in the operator domain may be required.
• Access to SCP: the SCP is compromised to hijack tokens.
Retrieve UE subscription data
Implementation example:
• AMF retrieves subscription data from UDM: an AMF can extract subscription data (including NSSAIs) for any given UE SUPI by asking the UDM (using the Nudm_SDM_Get service; SDM = Subscriber Data Management). The UDM does not check that the AMF is the one serving the UE, i.e. the AMF does not need to register itself first as serving the UE via the Nudm_UECM_Registration request. Table 5.2.3.1-1 of [1].
Retrieve UE subscription data
Sequence on the slide: an attacker acting as an NF sends to the UDM
  GET /nudm-uecm/v1/{ueId}/registrations/amf-3gpp-access
and receives 200 OK.
Endpoint Denial of Service: DOS a UE via gNB or NF signaling
Sequence on the slide: an attacker acting as an NF sends to the AMF
  POST Callback amf-3gpp-access
and receives 204 No Content.
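The three 5G slides above (Network Function Service Discovery, Retrieve UE subscription data, DOS a UE via NF signaling) share one root cause: a producer NF answers any consumer that can reach it over the SBI, and the UDM in particular does not check that the requesting AMF is the one serving the UE. The Python below is an added example, not code from this deck, from SecurityGen, or from any 3GPP or vendor implementation. It models one producer-side mitigation: the UDM refuses Nudm_SDM_Get unless the consumer's NRF-issued token names an AMF with the right audience and scope, and that AMF holds the Nudm_UECM registration for the SUPI. The token layout, NF instance IDs, SUPI and in-memory tables are constructed assumptions; the "weak" handler reproduces the behaviour the slide describes and the hardened one is the suggested check.

```python
"""UDM-side authorization for Nudm_SDM_Get (added example, not deck/vendor code).

Models the slide's weakness: the UDM returns subscription data for any SUPI
to any NF that can reach it. The hardened handler checks the consumer's
NRF-issued access token and the Nudm_UECM registration for that SUPI.
Token layout, NF instance IDs and SUPIs are constructed for this example.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AccessToken:
    """Simplified claims of an NRF-issued OAuth2 token (constructed layout)."""
    consumer_nf_id: str    # 'sub': nfInstanceId of the consumer NF
    consumer_nf_type: str  # e.g. 'AMF', 'SMF'
    audience: str          # 'aud': producer NF type the token is valid for
    scope: str             # e.g. 'nudm-sdm'


def authorize_sbi_request(token, expected_aud, expected_scope, allowed_nf_types):
    """Generic producer-side token check; returns None if OK, else a deny reason."""
    if token is None:
        return "missing_token"
    if token.audience != expected_aud or token.scope != expected_scope:
        return "bad_token"
    if token.consumer_nf_type not in allowed_nf_types:
        return "nf_type"
    return None


@dataclass
class Udm:
    subscriptions: dict = field(default_factory=dict)  # supi -> subscription data
    serving_amf: dict = field(default_factory=dict)    # supi -> nfInstanceId from Nudm_UECM_Registration
    audit: list = field(default_factory=list)          # (decision, reason, supi, consumer) tuples

    def uecm_register(self, supi, amf_id):
        """Nudm_UECM_Registration: record which AMF serves this SUPI."""
        self.serving_amf[supi] = amf_id

    def sdm_get_weak(self, supi, token):
        """Behaviour described on the slide: no check that the caller serves the UE."""
        return self.subscriptions.get(supi)

    def sdm_get_hardened(self, supi, token):
        """Answer Nudm_SDM_Get only for the AMF registered as serving this SUPI."""
        reason = authorize_sbi_request(token, "UDM", "nudm-sdm", {"AMF"})
        if reason is None and self.serving_amf.get(supi) != token.consumer_nf_id:
            # Token is valid but this AMF never registered for the UE: this is
            # the 'Retrieve UE subscription data' pattern, so log and refuse.
            reason = "not_serving_amf"
        consumer = token.consumer_nf_id if token else None
        if reason:
            self.audit.append(("deny", reason, supi, consumer))
            return None
        self.audit.append(("allow", "ok", supi, consumer))
        return self.subscriptions.get(supi)


# Constructed demo data.
SUPI = "imsi-001010000000001"
LEGIT_AMF = AccessToken("amf-legit-0001", "AMF", "UDM", "nudm-sdm")
ROGUE_NF = AccessToken("nf-rogue-9999", "AMF", "UDM", "nudm-sdm")  # NRF-registered, not serving the UE
WRONG_SCOPE = AccessToken("amf-legit-0001", "AMF", "UDM", "nudm-uecm")


def build_demo_udm():
    udm = Udm()
    udm.subscriptions[SUPI] = {"nssai": [{"sst": 1}], "dnn": ["internet"]}
    udm.uecm_register(SUPI, "amf-legit-0001")
    return udm


if __name__ == "__main__":
    udm = build_demo_udm()
    print("weak, rogue NF:    ", udm.sdm_get_weak(SUPI, ROGUE_NF))
    print("hardened, rogue NF:", udm.sdm_get_hardened(SUPI, ROGUE_NF))
    print("hardened, serving: ", udm.sdm_get_hardened(SUPI, LEGIT_AMF))
    for entry in udm.audit:
        print(entry)
```

The audit tuples are what a SIEM would ingest: a valid token that is denied with not_serving_amf is exactly the signal for the technique on the slide, whereas a plain token-validation failure is noise from misconfiguration. The same check with the roles reversed covers the callback on the DoS slide: the AMF should accept a POST to its amf-3gpp-access callback only from the producer with which it registered that callback.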
Experience. Incident investigation cases
Problem
A mobile operator came to us with a request for an incident investigation. Its subscribers complained that money had been withdrawn from their bank accounts. The banks claimed the user credentials had been entered correctly, including the one-time passwords sent by SMS.
The operator asked us to:
- Find out how the intruders were able to intercept SMS
- Identify how many subscribers were affected
- Estimate the approximate amount of fraud
Investigation
- Access to the internal signaling monitoring system
- Reproduction of the attack from an external signaling connection
Gather Victim Host Information
Kill chain on the slide: Reconnaissance > Resource Development > Initial Access > Defense Evasion > Collection > Impact
Linking of the phone number with the bank account
Acquire Infrastructure
Diagram: fixed telephony operator, mobile operator, SS7 interconnection
Access SS7 via a fixed operator

Trusted Relationship
Diagram: fixed telephony operator, mobile operator, SS7 interconnection
Bypass home routing
Diagram: attacker, SMS-C, bank, HLR, SMS home routing, mobile operator
  SendRoutingInfoForSM Req (MSISDN) from the attacker
  SendRoutingInfoForSM Resp (IMSI) returned to the attacker

Subscriber Profile Identifier Discovery
Same exchange as above (SendRoutingInfoForSM Req with MSISDN, Resp with IMSI)
Collecting subscriber IMSIs
Device Database Manipulation
Diagram: attacker, SMS-C, bank, HLR, mobile operator
  UpdateLocation: registration in a bogus network
  Acknowledge
Subscriber registration on the fake network
Redirection of traffic via user plane network function
Diagram: attacker, SMS-C, bank, HLR, mobile operator, Internet (built up step by step over seven slides)
1. Money transfer request via banking app (web or mobile): money transfer request
2. OTP initiate: OTP initiation
3. SRI4SM(MSISDN): subscriber location request
4. SRI4SM(Fake Loc): fake location providing
5. OTP SMS: OTP SMS redirection
6. OTP: money transfer confirmation via OTP
7. Money transferred ($$$)
Investigation. Findings
1. The intruders used a bypass technique to retrieve the IMSI
2. The network was protected, but it was still possible to intercept OTP SMS
3. The intruders used a GT belonging to a fixed telephone network range
4. Information was shared among customers
5. The recommendation was to improve security policies and processes to get better visibility and network protection
Catch an intruder before the Impact happens
Information from:
• Offensive testing
• Security monitoring
• Incident investigation
• Lab research
• Industry collaboration
Processing, analysis, integration
TSG knowledge base
5G DoS case
An attacker acting as an NF sends GET /nudm-uecm/v1/{ueId}/registrations/amf-3gpp-access to the UDM and receives 200 OK.
Kill chain on the slide: Reconnaissance > Resource Development > Initial Access > Discovery > Collection > Impact
SIEM/SOAR: alarms, bad guy identified, isolate, block
Incident investigation case
Attacker sends SendRoutingInfoForSM Req (MSISDN) and receives SendRoutingInfoForSM Resp (IMSI); diagram as before: SMS-C, bank, HLR, SMS home routing, mobile operator
SIEM/SOAR: alarms, bad guy identified, isolate, block
Incident investigation case
UpdateLocation: registration in a bogus network; diagram as before: attacker, SMS-C, bank, HLR, mobile operator
Subscriber registration on the fake network
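The incident chain on the preceding slides (IMSI retrieved through a home-routing bypass, requests from a GT in a fixed-line range, UpdateLocation into a bogus network) and the SIEM/SOAR "alarm, isolate, block" loop on the last three slides can be expressed as monitoring logic. The Python below is an added example, not SecurityGen's TSG detection logic nor any operator's production rules. It runs three rules over constructed MAP log lines and emits alerts carrying a suggested SOAR action. The GT ranges, IMSI and MSISDN values, the convention that home routing returns a correlation-ID IMSI, and the log format are all constructed assumptions.

```python
"""Detection rules for the SS7 OTP-interception chain (added example).

Not SecurityGen's TSG rules or any operator's production logic. Runs over
constructed MAP signaling log lines and emits alerts with a suggested SOAR
action, matching the findings of the case: IMSI retrieved through a
home-routing bypass, requests from a GT in a fixed-line range, and the
subscriber registered in a bogus network. GT prefixes, IMSI/MSISDN values
and the log format are all constructed.
"""

# Constructed environment knowledge an SS7 monitoring system would hold.
PARTNER_GT_PREFIXES = ("49170", "33600")   # roaming/interconnect partner GT ranges
FIXED_LINE_GT_PREFIXES = ("44113",)        # GT range allocated to a fixed telephony operator
HOME_ROUTING_IMSI_PREFIX = "23415999"      # correlation IDs returned in place of the real IMSI
CORRELATION_WINDOW_S = 300                 # IMSI lookup followed by UpdateLocation within 5 minutes

# Constructed log, one MAP message per line:
# seconds|opcode|direction|external peer GT|MSISDN|IMSI
SAMPLE_LOG = """\
36000|SRI4SM|req|4917012300001|447700900555|
36001|SRI4SM|resp|4917012300001|447700900555|234159990000777
36010|SRI4SM|req|4411300000001|447700900123|
36011|SRI4SM|resp|4411300000001|447700900123|234150000000001
36040|UpdateLocation|req|4411300000001||234150000000001
36100|UpdateLocation|req|3360012300002||234150000000002
"""


def parse(log):
    rows = []
    for line in log.strip().splitlines():
        t, op, direction, peer, msisdn, imsi = line.split("|")
        rows.append({"t": int(t), "op": op, "dir": direction,
                     "peer": peer, "msisdn": msisdn, "imsi": imsi})
    return rows


def origin_class(gt):
    """Classify an external GT against the operator's known ranges."""
    if gt.startswith(PARTNER_GT_PREFIXES):
        return "partner"
    if gt.startswith(FIXED_LINE_GT_PREFIXES):
        return "fixed-line"
    return "unknown"


def analyze(rows):
    alerts = []
    last_lookup = {}  # imsi -> (time, peer GT) of the last SRI4SM response that disclosed it
    for r in rows:
        cls = origin_class(r["peer"])
        if r["dir"] == "req" and cls != "partner":
            # Finding 3: MAP requests from a GT that is not a known partner.
            alerts.append({"t": r["t"], "rule": "unexpected-origin-gt", "gt": r["peer"],
                           "detail": f"{r['op']} from {cls} GT", "action": "block-gt"})
        if r["op"] == "SRI4SM" and r["dir"] == "resp":
            if not r["imsi"].startswith(HOME_ROUTING_IMSI_PREFIX):
                # Finding 1: home routing should have replaced the IMSI with a
                # correlation ID; a real IMSI leaving the network means bypass.
                alerts.append({"t": r["t"], "rule": "home-routing-bypass", "gt": r["peer"],
                               "detail": f"real IMSI disclosed for {r['msisdn']}", "action": "block-gt"})
            last_lookup[r["imsi"]] = (r["t"], r["peer"])
        if r["op"] == "UpdateLocation" and r["dir"] == "req":
            prev = last_lookup.get(r["imsi"])
            if prev and prev[1] == r["peer"] and r["t"] - prev[0] <= CORRELATION_WINDOW_S:
                # Device Database Manipulation: the same external GT that just
                # learned the IMSI now registers the subscriber in its 'network'.
                alerts.append({"t": r["t"], "rule": "bogus-network-registration", "gt": r["peer"],
                               "detail": f"IMSI {r['imsi']} registered from {r['peer']} "
                                         f"{r['t'] - prev[0]}s after it was disclosed to that GT",
                               "action": "isolate-subscriber"})
    return alerts


def summarize(alerts):
    """Count alerts per rule, the view a SIEM dashboard would show."""
    counts = {}
    for a in alerts:
        counts[a["rule"]] = counts.get(a["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for a in analyze(parse(SAMPLE_LOG)):
        print(f"{a['t']} {a['rule']:28} gt={a['gt']} action={a['action']}  {a['detail']}")
    print(summarize(analyze(parse(SAMPLE_LOG))))
```

The partner-GT traffic in the sample produces no alerts, while the fixed-line GT triggers all three rules in sequence; the correlation rule is the one that separates a single suspicious lookup from the complete chain on the slides, which is why its action escalates from blocking the GT to isolating the affected subscriber's location record.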
Infra, Ecosystem, Clients
SIEM/SOAR: training alarms, training blockage, training isolation
TSG threat detection for 4G/5G and legacy networks
• Threat Detection: detects dangerous signaling activity, such as unusual traffic patterns or attempts to exploit control plane vulnerabilities.
• Fast Response: provides a fast response through integration with enforcement systems, helping to cut the kill chain before any negative impact occurs.
• Continuous Readiness: continuously ensures access to the latest Threat Intelligence and verifies threats for prioritization of security activities.
Threat Intelligence sharing for FW, SIEM, SOAR; threat verification and prioritization of response.
Conclusion
Questions
contact@secgen.com
www.secgen.com

Webinar Mastering 4G_5G Telecom Threat Intelligence.pdf

  • 1. Mastering 4G/5G Telecom Threat Intelligence Igor Pigalitsyn - Telecom Security Researcher Sergey Puzankov - Product Delivery Manager Kirill Puzankov – Product Manager
  • 2. Presenters 1 Igor Pigalitsyn igor.pigalitsyn@security-gen.com • 5 years in telecom security • Author of the 5G SA Core Security Research white paper • Telecom Security Researcher in SecurityGen • Responsible for 5G network security research • Conducting telecom security assessments for MNO for many years Kirill Puzankov kirill.puzankov@security-gen.com • 10 years in telecom security • Product manager in SecurityGen • Exploring telco threats and vulnerabilities starting from SS7 up to 5G • Growing solutions for protection of mobile core networks as well as for providing visibility of the network security posture Sergey Puzankov sergey.puzankov@security-gen.com • Engaged in telecom security since 2013 • Research into SS7 security vulnerabilities • Discovery of techniques to bypass SS7 firewalls • Contributed to non-commercial security organizations including GSMA and ITU-T • Presented as a speaker at numerous security conferences.
  • 3. MITRE ATT&CK framework 3 What is MITRE ATT&CK? A knowledge base of adversary behavior ▪ Based on real-world observations ▪ Free, open, and globally accessible ▪ A common language ▪ Community-driven
  • 4. MITRE ATT&CK overview: 01 Matrix; 02 Platform; 03 Tactics, Techniques, Procedures (TTP); 04 Groups; 05 Software; 06 Mitigations
  • 5. What is MITRE FiGHT (5G Hierarchy of Threats)? 5 Items designated with an & are ATT&CK Techniques or Sub-techniques that have 5G relevance.
  • 6. MITRE FiGHT use cases Unified language for security and network professionals Security Posture Assessment Prioritizing Controls 6
  • 7. MITRE FiGHT use cases Threat Detection and Monitoring, Incident Response Red and Blue Team Exercises Vendor, Partner, Contractor Evaluation 7
  • 8. MITRE FiGHT updates. [The slide is the FiGHT matrix as an image: one column per tactic (Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact, Fraud), each listing its techniques and technique count; the per-column contents cannot be recovered from the extraction. Techniques marked & are ATT&CK techniques or sub-techniques with 5G relevance.] 144 techniques, the "how's", i.e. the methods attackers use to achieve their tactical goals: 83 covered, 16 require verification, 45 not covered.
  • 10. Gather Victim Host Information: Internal resource search. Post-conditions: Discovered IP addresses (IP addresses of core network functions are known). Tactic: Reconnaissance.
  • 11. Obtain Capabilities: Tool. Implementation example: Use of open-source software and testing tools (many tools have been developed to test 5G systems; the same tools can be used for adversarial objectives on a system). Tactic: Resource Development.
  • 12. Trusted Relationship: MNO Roaming Partners. Pre-conditions: Compromised partner (an adversary must already have compromised a trusted PLMN or one of its service providers, e.g. IPX, VAS, etc.). Tactic: Initial Access. Diagram: UE, gNB, the 5G core NFs (AMF, SMF, UPF, AUSF, UDM, PCF, NSSF, NRF, SEPP; APIs over HTTP/JSON) and the interconnection network.
  • 13. Network Function Service Discovery. Pre-conditions: Access to NRF (the NRF is by design open to connections from other network functions; control of another NF in the operator domain may be required); Access to SCP (the SCP is compromised to hijack tokens). Tactic: Discovery.
  • 14. Retrieve UE subscription data. Implementation example: AMF retrieves subscription data from UDM. An AMF can extract subscription data (including NSSAIs) for any given UE SUPI by asking the UDM (using the Nudm_SDM_Get service; SDM = Subscriber Data Management). The UDM does not check that the AMF is the one serving the UE, i.e. the AMF does not need to register itself first as serving the UE via the Nudm_UECM_Registration request. Table 5.2.3.1-1 of [1]. Tactic: Collection.
  • 15. Retrieve UE subscription data, message flow: Attacker as NF -> UDM: GET /nudm-uecm/v1/{ueId}/registrations/amf-3gpp-access; UDM -> Attacker: 200 OK.
  • 16. Endpoint Denial of Service: DoS a UE via gNB or NF signaling, message flow: Attacker as NF -> AMF: POST to the amf-3gpp-access callback; AMF -> Attacker: 204 No Content. Tactic: Impact.
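Both SBI weaknesses on slides 14 to 16 (a UDM that answers Nudm_SDM_Get for any NF holding a valid token, and an AMF that accepts the amf-3gpp-access deregistration callback from any caller) come down to the same missing binding between the requester's identity and the UE's registration state. The Python model below is an added example written for this page; it is not code from the SecurityGen deck or from any 5G core product. It places the unchecked handler beside a hardened one for each NF. The NF instance IDs, the flattened token claim layout and the exact condition the hardened callback check enforces are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Token:
    """Constructed stand-in for the claims of an NRF-issued OAuth2 access token
    (3GPP TS 29.510 uses sub = consumer NF instance ID, aud = producer NF type,
    scope = granted services). Signature checking is assumed to happen elsewhere."""
    sub: str
    aud: str
    scope: str


def has_scope(token: Token, service: str) -> bool:
    return service in token.scope.split()


class Udm:
    """Toy UDM: subscription data plus the AMF registered as serving each SUPI."""

    def __init__(self, instance_id: str, subscriptions: Dict[str, dict]) -> None:
        self.instance_id = instance_id
        self.subscriptions = subscriptions
        self.serving_amf: Dict[str, str] = {}  # SUPI -> amfInstanceId (Nudm_UECM_Registration)

    def uecm_registration(self, token: Token, supi: str, amf_instance_id: str) -> int:
        if token.aud != "UDM" or not has_scope(token, "nudm-uecm") or token.sub != amf_instance_id:
            return 403
        self.serving_amf[supi] = amf_instance_id
        return 201

    def sdm_get_unchecked(self, token: Token, supi: str) -> Tuple[int, Optional[dict]]:
        # Behaviour the deck describes: a valid nudm-sdm token is all that is verified,
        # so any NF inside the SBA can read any subscriber's data.
        if token.aud != "UDM" or not has_scope(token, "nudm-sdm"):
            return 403, None
        if supi not in self.subscriptions:
            return 404, None
        return 200, self.subscriptions[supi]

    def sdm_get_checked(self, token: Token, supi: str) -> Tuple[int, Optional[dict]]:
        # Hardened: the token subject must be the AMF currently registered for this SUPI.
        if self.serving_amf.get(supi) != token.sub:
            return 403, None
        return self.sdm_get_unchecked(token, supi)


class Amf:
    """Toy AMF: UE contexts plus the UDM each registration was made with."""

    def __init__(self, instance_id: str) -> None:
        self.instance_id = instance_id
        self.ue_contexts: Set[str] = set()
        self.registered_udm: Dict[str, str] = {}  # SUPI -> UDM instance ID

    def attach(self, udm: Udm, supi: str) -> int:
        token = Token(sub=self.instance_id, aud="UDM", scope="nudm-uecm nudm-sdm")
        status = udm.uecm_registration(token, supi, self.instance_id)
        if status == 201:
            self.ue_contexts.add(supi)
            self.registered_udm[supi] = udm.instance_id
        return status

    def dereg_notify_unchecked(self, token: Token, supi: str) -> int:
        # Behaviour the deck shows: a POST to the amf-3gpp-access callback from any
        # caller is answered 204 and the UE context is torn down.
        self.ue_contexts.discard(supi)
        return 204

    def dereg_notify_checked(self, token: Token, supi: str) -> int:
        # Hardened (assumption of this example): the callback is authorised like any
        # other SBI request and its subject must be the UDM this UE was registered with.
        if (token.aud != "AMF" or not has_scope(token, "nudm-uecm")
                or self.registered_udm.get(supi) != token.sub):
            return 403
        self.ue_contexts.discard(supi)
        return 204


def run_scenario() -> Dict[str, object]:
    """A legitimate AMF registers a UE; a rogue NF then tries both attacks on each handler."""
    supi = "imsi-234100000000001"  # constructed SUPI
    udm = Udm("udm-1", {supi: {"nssai": ["01-ABCDEF"], "dnn": ["internet"]}})
    amf = Amf("amf-1")
    if amf.attach(udm, supi) != 201:
        raise RuntimeError("registration failed")
    rogue = Token(sub="nf-rogue", aud="UDM", scope="nudm-sdm nudm-uecm")  # valid token, wrong NF
    legit = Token(sub="amf-1", aud="UDM", scope="nudm-sdm nudm-uecm")
    r: Dict[str, object] = {
        "unchecked_rogue_sdm": udm.sdm_get_unchecked(rogue, supi)[0],  # 200: data leaks
        "checked_rogue_sdm": udm.sdm_get_checked(rogue, supi)[0],      # 403
        "checked_legit_sdm": udm.sdm_get_checked(legit, supi)[0],      # 200
    }
    rogue_cb = Token(sub="nf-rogue", aud="AMF", scope="nudm-uecm")
    udm_cb = Token(sub="udm-1", aud="AMF", scope="nudm-uecm")
    r["unchecked_rogue_dereg"] = amf.dereg_notify_unchecked(rogue_cb, supi)  # 204: UE dropped
    r["ue_lost"] = supi not in amf.ue_contexts
    amf.ue_contexts.add(supi)  # restore the context for the hardened run
    r["checked_rogue_dereg"] = amf.dereg_notify_checked(rogue_cb, supi)  # 403: UE kept
    r["ue_kept"] = supi in amf.ue_contexts
    r["checked_udm_dereg"] = amf.dereg_notify_checked(udm_cb, supi)  # 204: legitimate UDM
    return r


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The point of the model is that a scope check alone is not authorization: the NRF token proves the caller is some NF allowed to use the service, while the UE registration table is what says which NF may act on this SUPI. The same binding is what a SEPP or SCP-side policy would need to reconstruct, which is why the slides place the fix at the producer rather than at the token issuer.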
  • 18. Problem. A mobile operator came to us with a request for an incident investigation. Customers complained that money had been withdrawn from their bank accounts. The banks claimed the user credentials had been entered correctly, including the one-time passwords sent by SMS. The operator asked us to: find out how the intruders were able to intercept SMS; identify how many subscribers were affected; estimate the approximate amount of fraud.
  • 19. Investigation Access to the internal signaling monitoring system Reproduction of the attack from an external signaling connection 19
  • 20. Gather Victim Host Information: linking of the phone number with the bank account. Kill chain shown on the slide strip for this case: Reconnaissance, Resource Development, Initial Access, Defense Evasion, Collection, Impact.
  • 21. Acquire Infrastructure: access SS7 via a fixed operator (diagram: Fixed Telephony - SS7 - Mobile Operator).
  • 22. Trusted Relationship (same diagram: Fixed Telephony - SS7 - Mobile Operator).
  • 23. Bypass home routing. Attacker -> HLR: SendRoutingInfoForSM Req (MSISDN); HLR -> Attacker: SendRoutingInfoForSM Resp (IMSI). Diagram: Attacker, SMS home routing, HLR, SMS-C, Bank, Mobile Operator.
  • 24. Subscriber Profile Identifier Discovery: collecting subscriber IMSIs (same SendRoutingInfoForSM exchange as on slide 23).
  • 25. Device Database Manipulation: subscriber registration on the fake network. Attacker -> HLR: UpdateLocation (registration in a bogus network); HLR -> Attacker: Acknowledge.
  • 26-32. Redirection of traffic via user plane network function (built up over seven slides; actors: Attacker, SMS-C, Bank, HLR, Mobile Operator, Internet):
    1. Money transfer request via banking app (web or mobile)
    2. OTP initiation
    3. SRI4SM(MSISDN): subscriber location request
    4. SRI4SM(Fake Loc): fake location provided
    5. OTP SMS redirection
    6. OTP: money transfer confirmation via OTP
    7. Money transferred ($$$)
  • 33. Investigation. Findings: 1. The intruders used a bypass technique to retrieve the IMSI. 2. The network was protected, but it was still possible to intercept OTP SMS. 3. The intruders used a GT belonging to a fixed telephone network range. 4. Information was shared among customers. 5. The recommendation was to improve security policies and processes to get better visibility and network protection.
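Finding 2 says the network was protected yet OTP SMS were still intercepted, and finding 3 that the intruders' GT came from a fixed telephony range. The detector below is an added example written for this page, not SecurityGen's TSG logic or any operator's rule set: it replays the slide 23 to 32 chain over a constructed MAP event log and raises one alert per FiGHT technique in the chain (home routing bypass, IMSI disclosure followed by an UpdateLocation from the same GT, and an MT SMS delivered to that GT). The GT prefixes, the IMSI range, the log format and the 10-minute correlation window are assumptions of the example.

```python
import csv
from dataclasses import dataclass
from datetime import datetime, timedelta
from io import StringIO
from typing import Dict, List, Set, Tuple

# Constructed policy values (not a real operator's numbering plan).
HOME_CORE_GT_PREFIX = "4477001"           # the operator's own HLR / SMS-C / SMS router GTs
HOME_IMSI_PREFIX = "23410"                # home PLMN IMSI range
FIXED_LINE_GT_PREFIXES = ("4477009",)     # GT ranges assigned to fixed telephony operators
SRI_TO_UL_WINDOW = timedelta(minutes=10)  # how long an IMSI disclosure stays correlatable

# Constructed MAP event log, one row per request/response pair as a signaling monitor
# might export it; `imsi` is the IMSI returned (SRI-SM) or carried (UL, MT-SM).
SAMPLE_LOG = """\
ts,opcode,calling_gt,called_gt,msisdn,imsi,result
2024-03-01T10:00:01,sendRoutingInfoForSM,447700900111,447700100001,447700123456,234100000000001,ok
2024-03-01T10:00:02,updateLocation,447700900111,447700100001,,234100000000001,ok
2024-03-01T10:00:40,mt-forwardSM,447700100002,447700900111,447700123456,234100000000001,ok
2024-03-01T10:05:00,sendRoutingInfoForSM,33100000001,447700100001,447700123457,234100000000002,ok
2024-03-01T10:06:00,sendRoutingInfoForSM,447700100002,447700100001,447700123458,234100000000003,ok
2024-03-01T10:07:00,updateLocation,493000000001,447700100001,,234100000000003,ok
"""


@dataclass(frozen=True)
class Alert:
    ts: str
    rule: str
    technique: str   # FiGHT technique name as used on the slides
    gt: str          # the global title the alert is about
    subscriber: str  # MSISDN or IMSI


def is_home_core(gt: str) -> bool:
    return gt.startswith(HOME_CORE_GT_PREFIX)


def is_fixed_line(gt: str) -> bool:
    return gt.startswith(FIXED_LINE_GT_PREFIXES)


def detect(log_text: str) -> List[Alert]:
    alerts: List[Alert] = []
    disclosed: Dict[Tuple[str, str], datetime] = {}  # (calling GT, IMSI) -> when the HLR gave it out
    hostile_vlrs: Set[str] = set()                   # GTs that registered a UE after such a disclosure

    for row in csv.DictReader(StringIO(log_text)):
        ts = datetime.fromisoformat(row["ts"])
        op, calling, imsi = row["opcode"], row["calling_gt"], row["imsi"]

        if op == "sendRoutingInfoForSM":
            # With SMS home routing an SRI-SM from outside the home core must be answered
            # with the SMS router's correlation ID, never the real IMSI (slides 23 and 24).
            if imsi.startswith(HOME_IMSI_PREFIX) and not is_home_core(calling):
                alerts.append(Alert(row["ts"], "R1-home-routing-bypass",
                                    "Bypass home routing / Subscriber Profile Identifier Discovery",
                                    calling, row["msisdn"]))
                disclosed[(calling, imsi)] = ts

        elif op == "updateLocation":
            # A fixed-line operator has no VLR, so a UL from its GT range is a bogus
            # network (slide 25, finding 3).
            if is_fixed_line(calling):
                alerts.append(Alert(row["ts"], "R2-ul-from-fixed-line-gt",
                                    "Device Database Manipulation", calling, imsi))
                hostile_vlrs.add(calling)
            # The GT that was just handed the IMSI now registers it: the slide 24 -> 25 chain.
            first_seen = disclosed.get((calling, imsi))
            if first_seen is not None and ts - first_seen <= SRI_TO_UL_WINDOW:
                alerts.append(Alert(row["ts"], "R3-sri-then-ul-chain",
                                    "Device Database Manipulation", calling, imsi))
                hostile_vlrs.add(calling)

        elif op == "mt-forwardSM" and row["called_gt"] in hostile_vlrs:
            # The SMS-C delivered an SMS (the OTP of slides 28 to 30) to the attacker's VLR.
            alerts.append(Alert(row["ts"], "R4-sms-delivered-to-hostile-vlr",
                                "Redirection of traffic via user plane network function",
                                row["called_gt"], row["msisdn"]))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.ts} {a.rule:32} gt={a.gt} subscriber={a.subscriber}")
```

R1 on its own corresponds to finding 1; R3 is what turns two individually plausible messages into the incident the operator described, and R4 is the point at which a SOAR action (blocking the GT, as on slides 36 and 37) still prevents the Impact step. A production version would key the disclosure table on the SCCP calling GT after IPX normalisation and age entries out; the example keeps everything in memory for the duration of the log.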
  • 34. Catch an intruder before the Impact happens. Information from offensive testing, security monitoring, incident investigation, lab research and industry collaboration goes through processing, analysis and integration into the TSG Knowledgebase.
  • 35. 5G DoS case: the slide 15 exchange (Attacker as NF -> UDM: GET /nudm-uecm/v1/{ueId}/registrations/amf-3gpp-access; UDM -> Attacker: 200 OK) with detection added: SIEM/SOAR alarms, then isolate and block the bad guy.
  • 36. Incident investigation case: the slide 23 exchange (Attacker -> HLR: SendRoutingInfoForSM Req (MSISDN); HLR -> Attacker: SendRoutingInfoForSM Resp (IMSI), bypassing SMS home routing) with detection added: SIEM/SOAR alarms, then isolate and block the bad guy.
  • 37. Incident investigation case: subscriber registration on the fake network (Attacker -> HLR: UpdateLocation, registration in a bogus network).
  • 38. Diagram: Infra, Ecosystem and Clients feed SIEM/SOAR; training alarms, training blockage and training isolation are exercised across them.
  • 39. Conclusion. TSG threat detection for 4G/5G and legacy networks:
    Threat Detection: detects dangerous signaling activity, such as unusual traffic patterns or attempts to exploit control plane vulnerabilities; Threat Intelligence sharing for FW, SIEM, SOAR; threat verification and prioritization of response.
    Fast Response: provides a fast response through integration with enforcement systems, helping to cut the kill chain before any negative impact occurs.
    Continuous Readiness: continuously ensures access to the latest Threat Intelligence and verifies threats for prioritization of security activities.