# LightBasin: A Roaming Threat to Telecommunications Companies

October 19, 2021

[Jamie Harries and Dan Mayer](https://www.crowdstrike.com/blog/author/jamie-harries-and-dan-mayer/) [From The Front Lines](https://www.crowdstrike.com/blog/category/from-the-front-lines/)

LightBasin (aka UNC1945) is an activity cluster that has been consistently targeting the telecommunications sector at a global scale since at least 2016, leveraging custom tools and an in-depth knowledge of telecommunications network architectures. Recent findings highlight this cluster’s extensive knowledge of telecommunications protocols, including the emulation of these protocols to facilitate command and control (C2), and its use of scanning and packet-capture tools to retrieve highly specific information from mobile communication infrastructure, such as subscriber information and call metadata. The nature of the data targeted by the actor aligns with information likely to be of significant interest to signals intelligence organizations.

[…] intrusion actor that will continue to target the telecommunications sector. This assessment is made with high confidence and is based on the tactics, techniques and procedures (TTPs), target scope and objectives exhibited by this activity cluster. There is currently not enough available evidence to link the cluster’s activity to a specific country nexus.

### Background

CrowdStrike Services, CrowdStrike Intelligence and Falcon OverWatch™ have investigated multiple intrusions within the telecommunications sector from a sophisticated actor tracked as the LightBasin activity cluster, also publicly known as UNC1945. Active since at least 2016, LightBasin employs significant operational security (OPSEC) measures, primarily establishing implants across Linux and Solaris servers, with a particular focus on specific telecommunications systems, and only interacting with Windows systems as needed.[1]
LightBasin’s focus on Linux and Solaris systems is likely due to the combination of critical telecommunications infrastructure running on those operating systems and the comparatively lax security measures and monitoring solutions on Linux/Solaris systems, compared to those typically in place on Windows systems within an organization.

LightBasin managed to initially compromise one of the telecommunication companies in a recent CrowdStrike Services investigation by leveraging external DNS (eDNS) servers — which are part of the General Packet Radio Service (GPRS) network and play a role in roaming between different mobile operators — to connect directly to and from other compromised telecommunication companies’ GPRS networks via SSH and through previously established implants. CrowdStrike identified evidence of at least 13 telecommunication companies across the world compromised by LightBasin dating back to at least 2019.

### GPRS eDNS Servers

LightBasin initially accessed the first eDNS server via SSH from one of the other compromised telecommunications companies, with evidence uncovered indicative of password-spraying attempts using both extremely weak and third-party-focused passwords (e.g., `huawei`), potentially helping to facilitate the initial compromise. Subsequently, LightBasin deployed their SLAPSTICK PAM backdoor on the system to siphon credentials to an obfuscated text file. As part of early lateral movement operations to further their access across the network, LightBasin then pivoted to additional systems to set up more SLAPSTICK backdoors.
Later, LightBasin returned to access several eDNS servers from one of the compromised telecommunications companies while deploying an ICMP traffic-signalling implant tracked by CrowdStrike as PingPong under the filename `/usr/bin/pingg`, with persistence established through an additional line added to the modified SysVinit script `/etc/rc.d/init.d/sshd`.

This implant waits for a magic ICMP echo request which, when sent to the system, establishes a TCP reverse shell to an IP address and port specified within the magic packet. The `/bin/bash` process spawned by PingPong masquerades under the process name `httpd`. eDNS servers are usually protected from general external internet access by firewalls; the magic packet that PingPong listens for would most likely have to be sent from other compromised GPRS network infrastructure. CrowdStrike Services observed reverse shells that had been spawned from this implant, which communicated with a server owned by a different compromised telecommunications company in another part of the world — typically connecting to the remote system on TCP port 53, which is the port primarily used for DNS. These efforts further indicate the actor’s continued attempts to disguise their activity as legitimate traffic.

Alongside the deployment of the PingPong implant, LightBasin added `iptables` rules to the eDNS server that ensured SSH access to the server from five of the compromised telecommunications companies. The actor also replaced the legitimate `iptables` binary with a trojanized version (SHA256: `97d4c9b5750d614face73d11ba8532e53594332af53f4c07c1543195225b76eb`) that would filter out any `iptables` output that included the first two octets of the IP addresses belonging to the compromised telecommunications companies. These actions make it more difficult for administrators and analysts to identify the firewall rules through review of `iptables` output alone.
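Two of the observations above translate directly into host checks: a process whose displayed name (`/proc/<pid>/comm`) is not derived from the binary behind it, as with the `/bin/bash` child that PingPong renames to `httpd`, and an outbound TCP session to port 53 owned by anything other than a DNS daemon. The following Python is an added example, not code from the original post or from CrowdStrike; the process and socket records are constructed inline to stand in for what `/proc` and `ss -tnp` return on a live host, and the set of DNS daemon names is an assumption to be tuned per system.

```python
"""Flag shell processes hiding behind a different name and TCP/53 sessions that
do not belong to a DNS daemon.

Added example, not CrowdStrike's code. Records are constructed to mirror what
/proc/<pid>/comm, readlink /proc/<pid>/exe and `ss -tnp` return on a live host.
"""
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    comm: str      # /proc/<pid>/comm: the name ps/top display (max 15 chars)
    exe: str       # readlink /proc/<pid>/exe: the binary actually executing
    cmdline: str


@dataclass(frozen=True)
class Conn:
    pid: int
    laddr: str     # local ip:port
    raddr: str     # remote ip
    rport: int
    proto: str     # "tcp" or "udp"


# Interpreters that only change their displayed name when something renames them.
SHELLS = {"bash", "sh", "dash", "ksh", "zsh"}
# Daemons expected to hold port-53 sockets on an eDNS host (assumption; tune per host).
DNS_DAEMONS = {"named", "unbound", "dnsmasq", "pdns_server"}


def comm_mismatch(p: Proc) -> bool:
    """True when a shell binary runs under a name not derived from its path,
    e.g. comm 'httpd' with exe /bin/bash (the PingPong behaviour above)."""
    base = os.path.basename(p.exe)
    if p.comm == base or base.startswith(p.comm):   # comm is the exe name, possibly truncated
        return False
    return base in SHELLS


def tcp53_from_non_dns(c: Conn, procs: dict) -> bool:
    """Outbound TCP to port 53 from a non-DNS process: a resolver uses UDP,
    and a reverse shell to a peer telco on 53/tcp is what the post describes."""
    p = procs.get(c.pid)
    if c.proto != "tcp" or c.rport != 53 or p is None:
        return False
    return os.path.basename(p.exe) not in DNS_DAEMONS


def find_anomalies(procs, conns):
    """Return (check, pid, detail) tuples for every record that trips a check."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        if comm_mismatch(p):
            findings.append(("comm_mismatch", p.pid, f"{p.comm} -> {p.exe}"))
    for c in conns:
        if tcp53_from_non_dns(c, by_pid):
            findings.append(("tcp53_non_dns", c.pid, f"{c.laddr} -> {c.raddr}:{c.rport}"))
    return findings


# Constructed sample: a real resolver, a real web server, and a bash child
# renamed 'httpd' holding a TCP session to port 53 on a peer network.
SAMPLE_PROCS = [
    Proc(1203, "named", "/usr/sbin/named", "/usr/sbin/named -u named"),
    Proc(2210, "httpd", "/usr/sbin/httpd", "/usr/sbin/httpd -DFOREGROUND"),
    Proc(4470, "pingg", "/usr/bin/pingg", "/usr/bin/pingg"),
    Proc(4471, "httpd", "/bin/bash", "httpd"),
]
SAMPLE_CONNS = [
    Conn(1203, "10.20.1.5:38812", "203.0.113.10", 53, "udp"),   # normal DNS query
    Conn(2210, "10.20.1.5:80", "198.51.100.7", 51544, "tcp"),   # client hitting the web server
    Conn(4471, "10.20.1.5:41022", "198.51.100.23", 53, "tcp"),  # reverse shell disguised as DNS
]

if __name__ == "__main__":
    for check, pid, detail in find_anomalies(SAMPLE_PROCS, SAMPLE_CONNS):
        print(f"[{check}] pid={pid} {detail}")
```

The `comm` check is limited to shells on purpose: interpreters such as Python legitimately run scripts under other names, while a shell whose `comm` differs from its binary has been renamed by something. On the sample the renamed shell trips both checks, while the resolver's UDP/53 query and the web server's session pass.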
Indicators relating to this utility are highlighted in Table 1.

| File Path | Description |
| --- | --- |
| `/usr/local/sbin/iptables` | Trojanized `iptables` binary that rep… |
| `/usr/sbin/iptablesDir/iptables`, `/usr/sbin/iptablesDir/iptables-apply`, `/usr/sbin/iptablesDir/iptables-batch`, `/usr/sbin/iptablesDir/iptables-multi`, `/usr/sbin/iptablesDir/iptables-restore`, `/usr/sbin/iptablesDir/iptables-save` | Legitimate `iptables` binaries in a n… |

Table 1. Trojanized and legitimate iptables file details

### Serving GPRS Support Node (SGSN) Emulation

LightBasin uses a novel technique involving the use of SGSN emulation software to support C2 activities in concert with TinyShell. SGSNs are essentially GPRS network access points, and the emulation software allows the adversary to tunnel traffic via this telecommunications network.

[…] emulator `sgsnemu`[2] through a bash script. This script constantly ran on the system, but only executed certain steps between 2:15 and 2:45 UTC each day. This window was specified via command-line arguments. During this window, the script performed the following steps in a loop:

1. Execute TinyShell to communicate with an actor-controlled C2 IP address hosted by the virtual private server (VPS) provider Vultr.
2. Add a route to the TinyShell C2 on the interface `tun0`.
3. Check for connectivity to the TinyShell C2 via `ping`.
4. If connectivity to the IP address fails, the script executes the SGSN emulator in a loop, attempting to connect to a set of nine pairs of International Mobile Subscriber Identity (IMSI) and Mobile Subscriber Integrated Services Digital Network (MSISDN) numbers that are used as arguments to the SGSN emulator. These numbers are required to generate Packet Data Protocol (PDP) context requests for connection to a Gateway GPRS Support Node (GGSN), which will then forward traffic to the C2 IP address.
   Once a connection is established, the SGSN emulator creates a connection to the GGSN via the GPRS Tunnelling Protocol (GTP) and utilizes the interface `tun0` for the connection. The TinyShell implant then uses `tun0`, as mentioned above.[3]
5. If a successful connection has not been made by the end of the 30-minute window, the script kills both the SGSN emulator and the TinyShell implant.

In short, the SGSN emulator is used to tunnel TinyShell C2 traffic between the C2 server and the infected host via GTP through a GGSN. The script is used as a persistence mechanism;[4] it runs continually, but attempts to establish a tunnel to each of the specified mobile stations, which, in turn, act as tunnels to the TinyShell C2 server. The script runs for only 30 minutes each day, culminating in a similar effect to a scheduled job.

CrowdStrike Intelligence assesses that this sophisticated form of C2 is likely an OPSEC measure. This assessment carries moderate confidence, as GTP-encapsulated TinyShell C2 traffic is less anomalous within the environment of a global mobile communications network due to its use of a protocol native to the telecommunications infrastructure that is compromised. Additionally, GTP-encapsulated traffic is potentially subject to less inspection and fewer restrictions by network security solutions.

### Additional Malware and Utilities

**CordScan:** This executable is a network scanning and packet capture utility that […] responsible for packet data delivery to and from mobile stations and also hold location information for registered GPRS users. CrowdStrike identified multiple versions of this utility, including a cross-compiled version for systems running on ARM architecture, such as Huawei’s commercial CentOS-based operating system EulerOS.
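Returning to the SGSN emulator script in the previous section: a binary that is only ever started inside the same 30-minute window each day, by a shell loop rather than by cron, is a pattern process-execution telemetry can surface. The Python below is an added example, not code from the original post or from CrowdStrike. It aggregates constructed EDR/auditd-style process-start events per executable and reports those seen on several days whose every start falls inside one narrow window without a scheduler as parent; the `sgsnemu` path used in the sample is a placeholder.

```python
"""Hunt for binaries that execute only inside a narrow daily window without
being launched by a scheduler: the pattern the SGSN-emulator script above
produces (30 minutes a day, driven by a loop rather than cron).

Added example, not CrowdStrike's code. Events are constructed in the shape of
EDR/auditd process-start records; the sgsnemu path is a placeholder.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class ExecEvent:
    ts: str        # ISO-8601 UTC start time
    exe: str       # path of the executed binary
    parent: str    # parent process name


# Parents that make a recurring window unremarkable.
SCHEDULERS = {"cron", "crond", "anacron", "atd", "systemd"}


def minute_of_day(ts: str) -> int:
    t = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)
    return t.hour * 60 + t.minute


def summarize(events):
    """Per executable: distinct days seen, minutes-of-day, and parent names."""
    acc = defaultdict(lambda: {"days": set(), "mins": [], "parents": set()})
    for e in events:
        s = acc[e.exe]
        s["days"].add(e.ts[:10])
        s["mins"].append(minute_of_day(e.ts))
        s["parents"].add(e.parent)
    return acc


def find_windowed_executions(events, min_days=3, max_span_minutes=45):
    """Return (exe, days, 'HH:MM-HH:MM') for binaries seen on at least min_days
    days whose every start falls inside one window of max_span_minutes and
    whose parent is never a scheduler. Windows that straddle midnight are not
    handled by this simple min/max span (deliberate simplification)."""
    hits = []
    for exe, s in summarize(events).items():
        if len(s["days"]) < min_days or s["parents"] & SCHEDULERS:
            continue
        lo, hi = min(s["mins"]), max(s["mins"])
        if hi - lo <= max_span_minutes:
            window = f"{lo // 60:02d}:{lo % 60:02d}-{hi // 60:02d}:{hi % 60:02d}"
            hits.append((exe, sorted(s["days"]), window))
    return hits


# Constructed telemetry: a cron-driven logrotate (benign recurring window), an
# operator-run rsync at irregular times (benign wide span), and an emulator
# launched by a bash loop only between 02:15 and 02:45 UTC on three days.
SAMPLE_EVENTS = [
    ExecEvent("2021-09-01T03:00:02Z", "/usr/sbin/logrotate", "crond"),
    ExecEvent("2021-09-02T03:00:01Z", "/usr/sbin/logrotate", "crond"),
    ExecEvent("2021-09-03T03:00:03Z", "/usr/sbin/logrotate", "crond"),
    ExecEvent("2021-09-01T09:12:40Z", "/usr/bin/rsync", "bash"),
    ExecEvent("2021-09-02T14:48:10Z", "/usr/bin/rsync", "bash"),
    ExecEvent("2021-09-03T17:05:55Z", "/usr/bin/rsync", "bash"),
    ExecEvent("2021-09-01T02:17:09Z", "/usr/local/bin/sgsnemu", "bash"),  # placeholder path
    ExecEvent("2021-09-01T02:31:44Z", "/usr/local/bin/sgsnemu", "bash"),
    ExecEvent("2021-09-02T02:16:02Z", "/usr/local/bin/sgsnemu", "bash"),
    ExecEvent("2021-09-03T02:40:27Z", "/usr/local/bin/sgsnemu", "bash"),
]

if __name__ == "__main__":
    for exe, days, window in find_windowed_executions(SAMPLE_EVENTS):
        print(f"{exe}: {len(days)} days, always within {window} UTC")
```

The heuristic is deliberately coarse: its value is in producing a short list of "scheduled-job-shaped" binaries that no scheduler actually launches, which an analyst then correlates with route changes on `tun0` or GTP sessions at the same time of day.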
LightBasin’s ability to fingerprint various brands of telecommunications products and compile tools for various architectures likely indicates robust research and development capabilities to target vendor-specific infrastructure commonly seen in telecommunications environments. This range of capability would also be consistent with a signals intelligence organization with a need to respond to collection requirements against a diverse set of target environments.

**SIGTRANslator:** This executable provides LightBasin with the ability to transmit data via telecommunication-specific protocols while monitoring the data being transmitted. SIGTRANslator is a Linux ELF binary capable of sending and receiving data via various SIGTRAN protocols, which are used to carry public switched telephone network (PSTN) signaling over IP networks. This signaling data includes valuable metadata such as the telephone numbers called by a specific mobile station. Data transmitted to and from SIGTRANslator via these protocols is also sent to a remote C2 host that connects to a port opened by the binary. This allows the remote C2 server to siphon data flowing through the binary and to send data to SIGTRANslator from the C2 to be re-sent via a SIGTRAN protocol.

Notably, data sent to and from the remote C2 is encrypted with the hardcoded XOR key `wuxianpinggu507`. This Pinyin translates to “unlimited evaluation 507” or “wireless evaluation 507.” “Wireless evaluation” is likely the correct translation, as the malware is targeting telecommunications systems. The identification of a Pinyin artifact indicates the developer of this tool has some knowledge of the Chinese language; however, CrowdStrike Intelligence does not assert a nexus between LightBasin and China.

**Fast Reverse Proxy:** This open-source utility is a reverse proxy used by LightBasin to permit general access to the eDNS server via an actor-controlled C2 IP address hosted by the VPS provider Vultr.
**Microsocks Proxy:** This open-source utility is a lightweight SOCKS5 proxy server, typically used by LightBasin to pivot to systems internally.

**ProxyChains:** This open-source utility is capable of chaining proxies together and forcing network traffic through that chain of proxies, even if the program generating the traffic does not have proxy support. It utilizes a configuration file to specify the proxies in use. The recovered configuration file contained a mixture of local IP addresses, IP addresses belonging to Vultr, and IP addresses belonging to eight different telecommunication organizations from around the world.

Some of the tools and TTPs observed by CrowdStrike Services during investigations deviate from the more sophisticated, OPSEC-aware behavior of LightBasin observed in the past, such as not encrypting binaries using LightBasin’s binary packer publicly known as STEELCORGI. The tools and TTPs cataloged in this blog post were observed in congruence with the usage of SLAPSTICK on select eDNS servers at the start of the intrusion, as well as during periods of strong time correlation, when SSH access from multiple compromised telecommunications companies and artifacts indicative of LightBasin tool usage overlapped.

### Recommendations

[…] LightBasin’s ability to pivot between multiple telecommunications companies stems from permitting all traffic between these organizations without identifying the protocols that are actually required. As such, the key recommendation here is for any telecommunications company to ensure that firewalls responsible for the GPRS network have rules in place to restrict network traffic to only those protocols that are expected, such as DNS or GTP. If already the victim of a LightBasin intrusion, simply restricting network traffic will not solve the problem, as LightBasin has displayed the ability to utilize common telecommunications protocols such as GTP for command and control.
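The recommendation above, and the rules hidden by the trojanized `iptables` described in the eDNS section, both come down to the same question: which ACCEPT rules on the GPRS-facing firewall admit more than the DNS and GTP traffic a roaming partner needs? The following Python audit of an `iptables-save` dump is an added example, not code from the original post or from CrowdStrike. The dump is constructed, the peer networks are RFC 5737 documentation ranges, and the allowlist assumes DNS on port 53 and GTP-C/GTP-U on UDP 2123/2152. Because the trojanized binary drops output lines that mention peer networks, the real dump has to come from an `iptables-save` whose hash has been verified, or from a rule source the suspect binary does not mediate.

```python
"""Audit an iptables-save dump of a GPRS/GRX-facing firewall against an
allowlist of the protocols roaming partners actually need (DNS and GTP), and
flag any ACCEPT that is broader than that.

Added example, not CrowdStrike's code. The dump is constructed; the
well-known ports assumed are DNS 53 and GTP-C/GTP-U 2123/2152 (udp).
"""
import shlex

# (protocol, destination port) pairs a roaming interconnect legitimately needs.
ALLOWED = {("udp", "53"), ("tcp", "53"), ("udp", "2123"), ("udp", "2152")}
# Chains that see partner traffic arriving on the GRX-facing interface.
GRX_CHAINS = {"INPUT", "FORWARD"}


def parse_rule(line: str) -> dict:
    """Pull the fields this audit cares about out of one '-A ...' line."""
    toks = shlex.split(line)
    rule = {"chain": None, "src": None, "proto": None, "dport": None,
            "target": None, "iface": None, "ctstate": None}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "-A":
            rule["chain"] = toks[i + 1]; i += 2
        elif t in ("-s", "--source"):
            rule["src"] = toks[i + 1]; i += 2
        elif t in ("-p", "--protocol"):
            rule["proto"] = toks[i + 1].lower(); i += 2
        elif t in ("-i", "--in-interface"):
            rule["iface"] = toks[i + 1]; i += 2
        elif t == "--dport":
            rule["dport"] = toks[i + 1]; i += 2      # text, so a range like 1024:65535 stays visible
        elif t == "--ctstate":
            rule["ctstate"] = toks[i + 1]; i += 2
        elif t in ("-j", "--jump"):
            rule["target"] = toks[i + 1]; i += 2
        elif t in ("-m", "--match", "-d", "-o", "--sport"):
            i += 2                                    # options this audit does not evaluate
        else:
            i += 1                                    # '!' and other flags without an argument
    return rule


def audit(dump: str):
    """Return (line, reason) for each over-permissive default policy or ACCEPT rule."""
    findings = []
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith(":"):                      # chain declaration with default policy
            chain, policy = line[1:].split()[:2]
            if chain in GRX_CHAINS and policy == "ACCEPT":
                findings.append((line, "default policy ACCEPT; expected DROP"))
        elif line.startswith("-A"):
            r = parse_rule(line)
            if r["chain"] not in GRX_CHAINS or r["target"] != "ACCEPT":
                continue
            if r["iface"] == "lo":
                continue                              # loopback
            if r["ctstate"] and "ESTABLISHED" in r["ctstate"]:
                continue                              # return traffic for flows already allowed
            if r["proto"] is None:
                findings.append((line, f"accepts every protocol from {r['src'] or 'anywhere'}"))
            elif (r["proto"], r["dport"]) not in ALLOWED:
                findings.append((line, f"{r['proto']}/{r['dport'] or '*'} is not an expected roaming protocol"))
    return findings


# Constructed dump: three correct DNS/GTP rules, one blanket allow for a peer
# network, and an SSH allow from another peer (the kind of rule the post says
# was added to an eDNS server).
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 203.0.113.0/24 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 203.0.113.0/24 -p udp -m udp --dport 2123 -j ACCEPT
-A INPUT -s 203.0.113.0/24 -p udp -m udp --dport 2152 -j ACCEPT
-A INPUT -s 198.51.100.0/24 -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    for line, reason in audit(SAMPLE_DUMP):
        print(f"{reason}\n    {line}")
```

The audit is allowlist-driven: anything not in `ALLOWED` is reported, so adding a legitimately required protocol is a one-line change and an unexpected SSH or any-protocol allow from a partner range cannot slip through as "probably fine".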
In this event, CrowdStrike recommends an [incident response investigation](https://www.crowdstrike.com/services/am-i-breached/incident-response/) that includes the review of all partner systems alongside all systems managed by the organization itself. Similarly, if an organization wishes to determine whether it has fallen victim to LightBasin, any compromise assessment must also include a review of all of the aforementioned systems. Further, as parts of the network are commonly managed by a third-party managed service provider rather than by the telecommunications company itself, an evaluation of the security controls in place with the partner should be undertaken to ensure that the systems are sufficiently protected.

CrowdStrike Services investigations commonly reveal a lack of any monitoring or security tooling on telecommunications core network systems. While the deployment of security tooling to real-time operating systems is generally limited, the other Unix-based operating systems that support the core telecommunications network services are typically targeted by LightBasin and should have some basic security controls and logging in place (e.g., SSH logging forwarded to a SIEM, [endpoint detection and response (EDR)](https://www.crowdstrike.com/cybersecurity-101/endpoint-security/endpoint-detection-and-response-edr/) for process execution, and file integrity monitoring (FIM) to record changes to key configuration files). It is also important to ensure that appropriate incident response plans are in place that account for partner-managed systems within the network in the event that such an incident is identified.
This [incident response plan](https://www.crowdstrike.com/cybersecurity-101/incident-response) should define the roles and responsibilities of third-party managed service providers to ensure acquisition of forensic artifacts from third-party equipment not directly under the management of the telecommunications operator.

Finally, given that companies within the telecommunications vertical are extensively targeted by highly advanced state-sponsored adversaries on a constant basis, these organizations need access to up-to-date and comprehensive threat intelligence resources so they can understand the threats facing the industry. This intelligence should also provide insights into the TTPs of adversaries that telecommunications companies are likely to encounter, across both the corporate network and critical telecommunications infrastructure, so that these insights can be used to further augment detection mechanisms and inform decisions regarding existing security controls.

### Conclusion

Securing a telecommunications organization is by no means a simple task, especially with the partner-heavy nature of such networks and the focus on high-availability systems; however, with clear evidence of a highly sophisticated adversary abusing these systems and the trust between different organizations, focusing on improving the security of these networks is of the utmost importance. Given the significant intelligence value to any state-sponsored adversary that’s […] infrastructure beyond simply focusing on the corporate network alone.
### Indicators of Compromise

**File paths**

- `/usr/lib/frpc.ini`
- `/home/ REDACTED /cordscan_raw_arm`
- `/usr/lib/javacee`
- `/usr/lib/tshd`
- `/var/tmp/.font-unix`

**SHA256 hashes (partial, as recovered)**

- `e9c0f00c34dcd28fc3cc53c9496bf4668561d60daeb7a4a50a9c3e210a`
- `3a259ad7e5c19a782f7736b5ac50a65143ccb5a955a22d6004033d073e`
- `05537c1c4e29db76a24320fb7cb8016294086be1cc853f75e864a405f3`
- `6d3759b3621f3e4791ebcd28e6ea6c5ddd616e127df91418aeaa595ac7`
- `9973edfef797db84cd17300b53a7a4480b58979cc913c27673b2f68133`
- `ad9fef1b86b57a504cfa1cfbda2e2`
- `cdf230a7e05c725a98ce95ad8f3e2`
- `917495c2fd919d4d4baa2f8a3791b`
- `bf5806cebc5d1a042f87abadf686f78c579319734a81c0e6d08f1b9ac5`
- `b06f52e2179ec9334f8a3fe915d26`
- `a388e2ac588be6ab73d7e7bbb61d8`

**Network indicators**

- `45.76.215.0/24`
- `167.179.91.0/24`
- `45.32.116.0/24`
- `207.148.24.0/24`
- `172.104.79.0/24`
- `45.33.77.0/24`
- `139.162.156.0/24`
- `172.104.236.0/24`
- `172.104.129.0/24`

Table 2. LightBasin indicators of compromise

### Endnotes

1. Key examples of telecommunications-specific systems targeted include systems involved in the GPRS network such as External DNS (eDNS) servers, Service Delivery Platform (SDP) systems, and SIM/IMEI provisioning, as well as Operations Support Systems (OSS) and Operation and Maintenance Units (OMU).
2. https[:]//osmocom[.]org/projects/openggsn/wiki/Sgsnemu
3. Correction at 3 p.m. EST 10/20/2021: Clarified the methodology through which an SGSN emulator creates a GTP-encapsulated connection to an IP address.
4. Ibid.

### Additional Resources

- […] Kaseya Attack in the CrowdStrike blog.
- Download the [CrowdStrike 2021 Global Threat Report](https://www.crowdstrike.com/resources/reports/global-threat-report/) for more information about adversaries tracked by CrowdStrike Intelligence in 2020.
- See how the powerful, cloud-native [CrowdStrike Falcon® platform](https://www.crowdstrike.com/endpoint-security-products/) protects customers from DarkSide ransomware in this blog: DarkSide Goes Dark: How CrowdStrike Falcon Customers Were Protected.
- [Get a full-featured free trial of CrowdStrike Falcon Prevent™](https://go.crowdstrike.com/try-falcon-prevent.html) and learn how true next-gen AV performs against today’s most sophisticated threats.