A hacking group that security researchers track as LightBasin has, over the past five years, compromised mobile telecommunications systems around the world.
Since 2019, the group has breached more than a dozen telecommunications companies and maintained persistence through custom malware in order to steal data of use to intelligence organizations.
LightBasin has been active since at least 2016 and usually targets Linux and Solaris servers, although it also interacts with Windows systems where necessary, in its effort to steal subscriber information.
In a report published today, cybersecurity company CrowdStrike describes the threat actor as a sophisticated group with strong operational security (OPSEC).
Investigators found evidence of LightBasin activity starting with an incident at one telecommunications company. They learned that the adversary moved from one compromised network to another over SSH connections and "installed implants".
Among the telecommunications systems targeted by LightBasin are External DNS (eDNS) servers, Service Delivery Platform (SDP) systems and SIM/IMEI provisioning systems, all of which are part of the General Packet Radio Service (GPRS) network that makes mobile roaming possible.
During its investigation, CrowdStrike found that the threat actor first gained access to an eDNS server over an SSH connection from the network of another compromised company.
Researchers also found evidence that LightBasin brute-forces access by trying the default credentials for the targeted system.
After a successful breach, the attackers installed and executed custom malware that CrowdStrike calls SLAPSTICK, a backdoor for the Solaris Pluggable Authentication Module (PAM) that grants access to the system with a hardcoded password.
With backdoor access to the targeted Solaris system, LightBasin could steal passwords to break into other systems and establish persistence there by the same method.
Later, the hackers gained access to multiple eDNS servers of a compromised telco through an implant that CrowdStrike named PingPong.
PingPong received commands via ICMP echo requests and spawned a reverse TCP shell to the IP address and port specified in the packet.
The researchers say they observed reverse shells created by the PingPong implant "chatting" over TCP port 53 (the default DNS port) with servers belonging to other telecommunications companies in other parts of the world.
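A defender-side check for the traffic pattern just described, added here as an example that is neither CrowdStrike's nor the article's code: given connection records from an eDNS server, it flags outbound TCP sessions to port 53 that either go to a host outside the server's known DNS peers or stay open far longer than a DNS exchange would. The peer list, the 60-second threshold and the flow records are constructed assumptions.

```python
"""Flag outbound TCP/53 sessions that behave like tunnelled shells rather than DNS.

Added example (not from the CrowdStrike report or the article): the flow records,
the peer list and the duration threshold are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass
class Flow:
    src: str           # local host that opened the connection
    dst: str           # remote host
    proto: str         # "tcp" or "udp"
    dport: int         # remote port
    duration_s: float  # how long the session stayed open
    bytes_out: int
    bytes_in: int


# Remote resolvers/peers this eDNS server is expected to query over TCP (assumed).
KNOWN_DNS_PEERS = {"10.20.5.10", "10.20.5.11"}

# DNS over TCP finishes in seconds; an interactive shell stays open far longer (assumed).
MAX_DNS_SESSION_S = 60.0

# Constructed connection records for one eDNS server, 10.20.1.4.
SAMPLE_FLOWS = [
    Flow("10.20.1.4", "10.20.5.10", "tcp", 53, 0.4, 120, 380),          # ordinary TCP query
    Flow("10.20.1.4", "10.20.5.11", "tcp", 53, 1.2, 900, 15000),        # zone transfer
    Flow("10.20.1.4", "203.0.113.45", "tcp", 53, 5400.0, 48000, 22000), # unknown peer, open 90 min
    Flow("10.20.1.4", "198.51.100.7", "udp", 53, 0.1, 80, 200),         # UDP DNS, out of scope here
    Flow("10.20.1.4", "10.20.5.10", "tcp", 53, 900.0, 30000, 9000),     # known peer, but open 15 min
]


def reasons(flow: Flow) -> list[str]:
    """Why a TCP/53 flow deserves a look; an empty list means it looks like DNS."""
    if flow.proto != "tcp" or flow.dport != 53:
        return []
    found = []
    if flow.dst not in KNOWN_DNS_PEERS:
        found.append("tcp/53 to a host that is not a known DNS peer")
    if flow.duration_s > MAX_DNS_SESSION_S:
        found.append(f"session open {flow.duration_s:.0f}s, far longer than a DNS exchange")
    return found


def suspicious_sessions(flows: list[Flow]) -> list[tuple[Flow, list[str]]]:
    """Return each suspicious flow paired with the reasons it was flagged."""
    return [(f, reasons(f)) for f in flows if reasons(f)]


if __name__ == "__main__":
    for flow, why in suspicious_sessions(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}")
        for r in why:
            print("   ", r)
```

Run against real data, the same two criteria can be fed from NetFlow, Zeek conn logs or firewall session tables; the point is that a reverse shell on port 53 is distinguishable from DNS by its lifetime and its peer, not by its port.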
To keep a low profile, LightBasin also added iptables rules to the eDNS server that allowed SSH connections from five compromised companies.
In addition, the hackers used a trojanized version of the iptables utility that filtered out any output line containing the first two octets of IP addresses belonging to the other hacked companies, making it harder for administrators to notice the added rules.
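Because the tampered binary lies about its own rules, a check that relies on that binary sees nothing. The following script, an added example that is neither CrowdStrike's nor the article's code, takes two listings of the same ruleset, one printed by the host's iptables and one obtained independently (an iptables-save copied from a known-good package, or the host examined from a rescue image), reports the rules the host binary omits, and separately lists any rule that accepts SSH from outside an allowlist. Both listings, the addresses and the allowlist are constructed for illustration.

```python
"""Expose iptables rules that a tampered iptables binary hides from its own output.

Added example (not from the CrowdStrike report or the article): the rule listings,
the allowlist and the addresses below are constructed for illustration.
"""
import ipaddress
import re

# Listing as printed by the host's own iptables binary (the one that may be trojanized).
# Constructed sample.
SUSPECT_LISTING = """\
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.20.0.0/16 -p tcp --dport 22 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 53 -j ACCEPT
"""

# Listing of the same ruleset obtained independently of that binary.
# Constructed sample: it contains two rules the suspect listing does not show.
REFERENCE_LISTING = """\
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.20.0.0/16 -p tcp --dport 22 -j ACCEPT
-A INPUT -s 203.0.113.0/24 -p tcp --dport 22 -j ACCEPT
-A INPUT -s 198.51.100.7/32 -p tcp --dport 22 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 53 -j ACCEPT
"""

# Networks from which SSH to this server is legitimately expected (assumed).
SSH_ALLOWLIST = [ipaddress.ip_network("10.20.0.0/16")]

SOURCE_RE = re.compile(r"-s (\S+)")
SSH_RE = re.compile(r"-p tcp .*--dport 22 .*-j ACCEPT")


def parse_rules(listing: str) -> list[str]:
    """Return the non-empty rule lines of an iptables-save style listing."""
    return [line.strip() for line in listing.splitlines() if line.strip()]


def hidden_rules(suspect: str, reference: str) -> list[str]:
    """Rules present in the independent listing but absent from the suspect one.

    A trojanized iptables that drops lines matching certain address prefixes
    produces exactly this kind of gap; a clean binary produces none.
    """
    shown = set(parse_rules(suspect))
    return [rule for rule in parse_rules(reference) if rule not in shown]


def unexpected_ssh_sources(listing: str) -> list[str]:
    """Sources allowed to reach TCP/22 that fall outside the SSH allowlist."""
    findings = []
    for rule in parse_rules(listing):
        if not SSH_RE.search(rule):
            continue
        m = SOURCE_RE.search(rule)
        # A rule without -s matches any source, which is never inside the allowlist.
        src = ipaddress.ip_network(m.group(1)) if m else ipaddress.ip_network("0.0.0.0/0")
        if not any(src.subnet_of(allowed) for allowed in SSH_ALLOWLIST):
            findings.append(str(src))
    return findings


if __name__ == "__main__":
    for rule in hidden_rules(SUSPECT_LISTING, REFERENCE_LISTING):
        print("hidden by local iptables:", rule)
    for src in unexpected_ssh_sources(REFERENCE_LISTING):
        print("SSH allowed from non-allowlisted source:", src)
```

The independent listing is what makes the comparison meaningful; verifying the iptables binary itself against the package manager's manifest (its hash, size and modification time) is the complementary step, since a binary that filters its own output will pass any check routed through it.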
Source of information: bleepingcomputer.com