At least 86 ways (per MITRE FiGHT) in which adversaries can hack into 5G.
Moreover, the diverse attack vectors present in LTE, the vulnerabilities within legacy 2G/3G networks, and the susceptibility of the IT technologies integrated into our telecom infrastructure have led to an expanded attack surface.
With an ever-evolving threat landscape, it is crucial to act smartly and prioritize security actions. Knowledge and threat intelligence are what help in this regard.
In this webinar dedicated to Telecom Threat Intelligence, we have:
• Explained what the telecom threat landscape is and how MITRE FiGHT assists in the prioritization and planning of security activities.
• Reviewed an incident investigation combining phishing, OTP SMS interception, and bank account takeover.
• Dived deep into the initial access, execution, and impact of an attack on a 5G SA core resulting in Denial of Service.
• Shared ways to anticipate attacks, monitor for them, and promptly break the kill chain in telecom infrastructures.
2. Presenters
Igor Pigalitsyn (igor.pigalitsyn@security-gen.com)
• 5 years in telecom security
• Author of the 5G SA Core Security Research white paper
• Telecom Security Researcher at SecurityGen
• Responsible for 5G network security research
• Conducting telecom security assessments for MNOs for many years
Kirill Puzankov (kirill.puzankov@security-gen.com)
• 10 years in telecom security
• Product manager at SecurityGen
• Exploring telco threats and vulnerabilities from SS7 up to 5G
• Growing solutions for the protection of mobile core networks and for providing visibility of the network security posture
Sergey Puzankov (sergey.puzankov@security-gen.com)
• Engaged in telecom security since 2013
• Research into SS7 security vulnerabilities
• Discovery of techniques to bypass SS7 firewalls
• Contributed to non-commercial security organizations including GSMA and ITU-T
• Presented as a speaker at numerous security conferences
3. MITRE ATT&CK framework
What is MITRE ATT&CK?
A knowledge base of adversary behavior
▪ Based on real-world observations
▪ Free, open, and globally accessible
▪ A common language
▪ Community-driven
10. Gather Victim Host Information: Internal resource search
Post-Conditions
Discovered IP addresses: IP addresses of core network functions known
Tactics: Reconnaissance Resource Development Initial Access Discovery Collection Impact
11. Obtain Capabilities: Tool
Implementation Examples
Use of open-source software and testing tools: there are many tools developed to test 5G systems; the same tools can be used for adversarial objectives on a system.
12. Trusted Relationship: MNO Roaming Partners
Pre-Conditions
Compromised partner: an adversary must already have compromised a trusted PLMN or one of their service providers, e.g. IPX, VAS, etc.
[Diagram: 5G SA core network functions (NSSF, UDM, PCF, NRF, AUSF, AMF, SMF, UPF) communicating over HTTP/JSON APIs; the SEPP sits between the core and the interconnection network; gNB and UE on the access side.]
13. Network Function Service Discovery
Pre-Conditions
Access to NRF: the NRF is by design open to connections from other network functions. Control of another NF in the operator domain may be required.
Access to SCP: the SCP is compromised to hijack tokens.
14. Retrieve UE subscription data
Implementation Examples
AMF retrieves subscription data from UDM: an AMF can extract subscription data (including NSSAIs) for any given UE SUPI by asking the UDM (using the Nudm_SDM_Get service; SDM = Subscriber Data Management). The UDM does not check that the AMF is the one serving the UE, i.e. the AMF does not need to register itself first as serving the UE via the Nudm_UECM_Registration request. Table 5.2.3.1-1 of [1].
15. Retrieve UE subscription data
[Sequence: Attacker as NF → UDM: GET /nudm-uecm/v1/{ueId}/registrations/amf-3gpp-access; UDM → Attacker as NF: 200 OK]
16. Endpoint Denial of Service: DoS a UE via gNB or NF signaling
[Sequence: Attacker as NF → AMF: POST Callback amf-3gpp-access; AMF → Attacker as NF: 204 No Content]
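The two implementation examples above share one weakness from the defender's side: the UDM answers a subscription-data request from any NF presenting a valid token, and the AMF honours a callback POST without tying it to the UDM it registered with. Both can be caught outside the NFs by correlating SBI requests against the AMF registrations the UDM actually accepted. The following is an added example written for this page, not code from the webinar or from SecurityGen: it assumes a constructed JSON access-log format (consumer NF instance and type as a producer or SCP would learn them from the OAuth2 token or mTLS certificate, plus method, target NF, path and status), an assumed callback resource `/amf-callbacks/v1/{ueId}/dereg-notify`, and it generalizes the first check to any Nudm_SDM read of a SUPI's data, not only the UECM registration shown on the slide.

```python
import json
import re

# Constructed SBI access-log lines (not real traffic). The field layout is an
# assumption of this example: consumer NF instance id and type as the producer
# (or an SCP/SEPP in the path) learns them from the OAuth2 token or mTLS
# certificate, plus HTTP method, target NF type, path and status.
SAMPLE_LOG = """
{"ts":"2024-01-01T10:00:00Z","consumer_nf_id":"amf-1","consumer_nf_type":"AMF","target_nf":"UDM","method":"PUT","path":"/nudm-uecm/v1/imsi-001010123456789/registrations/amf-3gpp-access","status":201}
{"ts":"2024-01-01T10:00:01Z","consumer_nf_id":"amf-1","consumer_nf_type":"AMF","target_nf":"UDM","method":"GET","path":"/nudm-sdm/v2/imsi-001010123456789/nssai","status":200}
{"ts":"2024-01-01T10:05:00Z","consumer_nf_id":"amf-9","consumer_nf_type":"AMF","target_nf":"UDM","method":"GET","path":"/nudm-uecm/v1/imsi-001010123456789/registrations/amf-3gpp-access","status":200}
{"ts":"2024-01-01T10:05:01Z","consumer_nf_id":"amf-9","consumer_nf_type":"AMF","target_nf":"UDM","method":"GET","path":"/nudm-sdm/v2/imsi-001010123456789/am-data","status":200}
{"ts":"2024-01-01T10:06:00Z","consumer_nf_id":"udm-1","consumer_nf_type":"UDM","target_nf":"AMF","method":"POST","path":"/amf-callbacks/v1/imsi-001010123456789/dereg-notify","status":204}
{"ts":"2024-01-01T10:07:00Z","consumer_nf_id":"amf-9","consumer_nf_type":"AMF","target_nf":"AMF","method":"POST","path":"/amf-callbacks/v1/imsi-001010123456789/dereg-notify","status":204}
"""

# Nudm_UECM AMF registration resource (TS 29.503) and Nudm_SDM data resources.
UECM_AMF_REG = re.compile(r"^/nudm-uecm/v\d+/(?P<ue>[^/]+)/registrations/amf-3gpp-access$")
SDM_DATA = re.compile(r"^/nudm-sdm/v\d+/(?P<ue>[^/]+)/")
# Assumed (constructed) AMF callback resource for deregistration notifications.
AMF_DEREG_CALLBACK = re.compile(r"^/amf-callbacks/v\d+/(?P<ue>[^/]+)/dereg-notify$")


def _alert(ev, rule, supi):
    # What a SIEM/SOAR playbook acts on: isolate the NF instance and revoke its credentials.
    return {"ts": ev["ts"], "rule": rule, "supi": supi, "nf_id": ev["consumer_nf_id"],
            "action": "isolate NF instance and revoke its token/certificate"}


def analyze(log_text):
    """Correlate every request with the serving relation the UDM has accepted.

    The UDM itself does not check that the AMF asking for a SUPI's data is the
    one serving that UE, so the check is done here from the access log.
    """
    serving_amf = {}   # SUPI -> instance id of the AMF that registered for it
    alerts = []
    for raw in log_text.strip().splitlines():
        ev = json.loads(raw)
        method, path = ev["method"], ev["path"]
        reg = UECM_AMF_REG.match(path)
        if reg and method == "PUT" and ev["target_nf"] == "UDM":
            serving_amf[reg["ue"]] = ev["consumer_nf_id"]   # learn the legitimate serving AMF
            continue
        data = reg or SDM_DATA.match(path)
        if data and method == "GET" and ev["target_nf"] == "UDM":
            # An AMF reading a SUPI it never registered for (or that another AMF serves)
            if ev["consumer_nf_type"] == "AMF" and serving_amf.get(data["ue"]) != ev["consumer_nf_id"]:
                alerts.append(_alert(ev, "subscription-data-read-by-non-serving-amf", data["ue"]))
            continue
        cb = AMF_DEREG_CALLBACK.match(path)
        if cb and method == "POST" and ev["target_nf"] == "AMF" and ev["consumer_nf_type"] != "UDM":
            # Only the UDM should drive deregistration callbacks; anything else is a DoS attempt
            alerts.append(_alert(ev, "dereg-callback-from-non-udm", cb["ue"]))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(a["ts"], a["rule"], a["supi"], "from", a["nf_id"], "->", a["action"])
```

On the constructed input the legitimate AMF (amf-1) registers and reads its own UE's data without raising anything, while amf-9 triggers two non-serving reads and one callback alert, all pointing at the same NF instance, which is what the SOAR isolate/block step later in the deck would act on.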
18. Problem
A mobile operator came to us with a request for an incident investigation.
Customers complained that money had been withdrawn from their bank accounts. The banks claimed the user credentials had been entered correctly, including the one-time passwords sent by SMS.
The operator asked us to:
- Find out how the intruders were able to intercept SMS
- Identify how many subscribers were affected
- Estimate the approximate amount of fraud
19. Investigation
Access to the internal signaling monitoring system
Reproduction of the attack from an external signaling connection
20. Gather Victim Host Information
Tactics: Reconnaissance Resource Development Initial Access Defense Evasion Collection Impact
Linking of the phone number with the bank account
23. Bypass home routing
[Sequence: Attacker → HLR (Mobile Operator): SendRoutingInfoForSM Req (MSISDN); HLR → Attacker: SendRoutingInfoForSM Resp (IMSI). The operator's SMS home routing, SMS-C and the bank are shown alongside.]
24. Subscriber Profile Identifier Discovery
[Sequence: Attacker → HLR (Mobile Operator): SendRoutingInfoForSM Req (MSISDN); HLR → Attacker: SendRoutingInfoForSM Resp (IMSI), with SMS home routing, SMS-C and the bank shown alongside.]
Collecting subscriber IMSIs
25. Device Database Manipulation
[Sequence: Attacker → HLR (Mobile Operator): UpdateLocation (registration in a bogus network); HLR → Attacker: Acknowledge. SMS-C and the bank shown alongside.]
Subscriber registration on the fake network
26-32. Redirection of traffic via user plane network function
[Sequence diagram, built up one step per slide across slides 26 to 32, with Attacker, SMS-C, Bank, HLR, Mobile Operator and Internet as parties:]
1. Money transfer request via banking app (web or mobile) (slide 26: Money transfer request)
2. OTP initiate (slide 27: OTP initiation)
3. SRI4SM(MSISDN) (slide 28: Subscriber location request)
4. SRI4SM(Fake Loc) (slide 29: Fake location providing)
5. OTP SMS (slide 30: OTP SMS redirection)
6. OTP (slide 31: Money transfer confirmation via OTP)
7. Money transferred, $$$ (slide 32: Money transferred)
33. Investigation. Findings
1. Intruders used a bypass technique to retrieve the IMSI
2. The network was protected, but it was still possible to intercept OTP SMS
3. Intruders used a GT belonging to a fixed telephone network range
4. Information was shared among customers
5. The recommendation was to improve security policies and processes to get better visibility and network protection.
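The findings above (IMSI retrieval through a home-routing bypass, OTP SMS interception on an otherwise protected network, and a GT from a fixed telephone network range) map onto checks a signaling monitoring system can run over its MAP event export, and the same pass can answer the operator's second question of how many subscribers were affected. The following is an added example, not code from the webinar or from SecurityGen's products: it assumes a constructed CSV export with one row per MAP operation received over the interconnect, a constructed home PLMN IMSI prefix (00101), and constructed GT prefix tables for known roaming partners and for fixed-line number ranges; a response from a working home-routing setup is assumed to carry a virtual IMSI outside the home prefix.

```python
import csv
import io
from collections import defaultdict

# Constructed export from a signaling monitoring system (not real traffic).
# One row per MAP operation from the external interconnect; the column layout
# is an assumption of this example. For SendRoutingInfoForSM the imsi column
# holds the IMSI returned in the response.
SAMPLE_CSV = """ts,opcode,calling_gt,msisdn,imsi
2024-01-01T09:00:00Z,SendRoutingInfoForSM,441632960001,1234567001,001010123456001
2024-01-01T09:00:02Z,UpdateLocation,441632960001,,001010123456001
2024-01-01T09:01:00Z,SendRoutingInfoForSM,441632960001,1234567002,001010123456002
2024-01-01T09:01:02Z,UpdateLocation,441632960001,,001010123456002
2024-01-01T09:02:00Z,SendRoutingInfoForSM,33611223344,1234567003,999990000000003
2024-01-01T09:03:00Z,UpdateLocation,33611223344,,001010123456003
"""

HOME_IMSI_PREFIX = "00101"                 # constructed home PLMN (MCC 001, MNC 01)
ROAMING_PARTNER_GT_PREFIXES = ("3361",)    # constructed: GTs of known roaming partners
FIXED_NETWORK_GT_PREFIXES = ("441632",)    # constructed: ranges allocated to fixed-line networks


def _has_prefix(value, prefixes):
    return any(value.startswith(p) for p in prefixes)


def classify(row):
    """Return the list of detection reasons that apply to one MAP event."""
    reasons = []
    gt, op, imsi = row["calling_gt"], row["opcode"], row["imsi"]
    # Finding 3: a GT from a fixed telephone network range has no reason to send MAP
    if _has_prefix(gt, FIXED_NETWORK_GT_PREFIXES):
        reasons.append("gt-from-fixed-network-range")
    # Finding 1: an SRI-for-SM answered with the real home IMSI means home routing
    # was bypassed; a routed response should carry a virtual IMSI / correlation id
    if op == "SendRoutingInfoForSM" and imsi.startswith(HOME_IMSI_PREFIX):
        reasons.append("home-routing-bypass-imsi-disclosed")
    # Finding 2: UpdateLocation from a GT that is not a known roaming partner
    # registers the subscriber in a bogus network so OTP SMS can be redirected
    if op == "UpdateLocation" and not _has_prefix(gt, ROAMING_PARTNER_GT_PREFIXES):
        reasons.append("registration-in-unknown-network")
    return reasons


def analyze(csv_text):
    """Run classify() over the export; return alerts, affected subscribers and offending GTs."""
    alerts = []
    affected = set()            # IMSIs registered to an unknown network (operator question 2)
    offending_gts = defaultdict(int)
    for row in csv.DictReader(io.StringIO(csv_text.strip())):
        reasons = classify(row)
        if not reasons:
            continue
        alerts.append({"ts": row["ts"], "calling_gt": row["calling_gt"],
                       "opcode": row["opcode"], "reasons": reasons})
        offending_gts[row["calling_gt"]] += 1
        if "registration-in-unknown-network" in reasons:
            affected.add(row["imsi"])
    return {"alerts": alerts, "affected_subscribers": affected,
            "offending_gts": dict(offending_gts)}


if __name__ == "__main__":
    result = analyze(SAMPLE_CSV)
    for a in result["alerts"]:
        print(a["ts"], a["calling_gt"], a["opcode"], ", ".join(a["reasons"]))
    print("affected subscribers:", len(result["affected_subscribers"]))
    print("GTs to block:", result["offending_gts"])
```

The offending-GT tally is the piece worth sharing with the other operators mentioned in finding 4, and the affected-subscriber set is what the bank-side fraud estimate would be built on; the partner traffic in the last two rows passes all three checks, which is the false-positive case a production rule has to keep passing.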
34. Catch an intruder before the Impact happens
[Diagram: information from offensive testing, security monitoring, incident investigation, lab research and industry collaboration feeds processing, analysis and integration into the TSG Knowledgebase.]
35. 5G DoS case
[Sequence: Attacker as NF → UDM: GET /nudm-uecm/v1/{ueId}/registrations/amf-3gpp-access; UDM → Attacker as NF: 200 OK. The exchange raises alarms in SIEM/SOAR, and the offending NF ("bad guy") is isolated and blocked.]
36. Incident investigation case
[Sequence: Attacker → HLR (Mobile Operator): SendRoutingInfoForSM Req (MSISDN); HLR → Attacker: SendRoutingInfoForSM Resp (IMSI), with SMS home routing, SMS-C and the bank shown alongside. The exchange raises alarms in SIEM/SOAR, and the offending source ("bad guy") is isolated and blocked.]
37. Incident investigation case
[Sequence: Attacker → HLR (Mobile Operator): UpdateLocation (registration in a bogus network), with SMS-C and the bank shown alongside.]
Subscriber registration on the fake network
39. Conclusion
TSG threat detection for 4G/5G and legacy networks; Threat Intelligence sharing for FW, SIEM, SOAR; threat verification and prioritization of response.
Threat Detection: detects dangerous signaling activity, such as unusual traffic patterns or attempts to exploit control plane vulnerabilities.
Fast Response: provides a fast response through integration with enforcement systems, helping to cut the kill chain before any negative impact occurs.
Continuous Readiness: continuously ensures access to the latest Threat Intelligence and verifies threats for prioritization of security activities.