Why Nation-State Malwares Target Telco Networks: Dissection Technical Capabilities of Regin and Its Counterparts

Transcript (automatically generated)

Welcome, I am Omer. Thank you for coming to my talk today. I am going to present security research related to nation-state attacks targeting telecommunication networks.

Briefly, what we are going to cover: an introduction to the telco architectures and the network protocols that are being highly targeted, such as the GSM network architecture and the SS7 protocol. The main concern of this talk is one of the most sophisticated government implants, Regin. Before delving into its capabilities, I will briefly recap rootkit techniques, since Regin is a multi-component, long-term intelligence gathering platform. We will then walk through Regin's capabilities and analyze how they could be used in an offensive GSM attack. Recently there have been more technically complex implants discovered by researchers, so we will make a comparison. Finally, I will present a demo to show you how some of the techniques employed by the Regin implant could be implemented with a high-level programming language, such as the Windows Driver Development Kit and API programming in C/C++. Briefly about myself: my academic background is computer science. I am currently working for KPN Telecom, which is also known as Royal Dutch Telecom. I used to work for companies like Verizon and IBM. I perform security assessments in my day-to-day work, and I am very interested in malware analysis and related techniques.
I am based in Amsterdam, only six minutes from the city's most popular spot, the so-called Red Light District.

What inspired us to carry out the research was to analyze and determine the attack surface of GSM networks. Nowadays governments are not only spying on their own citizens but on each other, by hacking telecom operators with tools like Regin, and the detailed monitoring by surveillance programs has recently reached a greater level. It has been revealed that many telecom networks are the victims of these programs or directly contribute to them. Once the campaign was revealed, each and every telecommunication company got paranoid and tried to make sure that they hadn't been affected by the same attack. Rootkits are really fun; there is a lot to learn about all the internals, kernel working principles and computer architecture. Not only understanding the incident, but also being able to reproduce and simulate the attack, means a lot for the day-to-day work, which is to break systems.
The GSM architecture is very complex, so let us try to break it down into the following core elements. Global System for Mobile Communications (GSM) is a standard developed for digital mobile radio communication over wireless, and GPRS is an extension of GSM that provides mobile wireless data communication. The GSM network consists of the following key elements; from a security perspective the important ones are the mobile station, the base transceiver station and the base station controller (together the base station subsystem), the mobile switching center, the authentication center, the home location register and the visitor location register. For a researcher, the components that are highly targeted are the following. The mobile switching center (MSC) is the component for digital switching that sets up connections to other mobile switching centers and to the base station controllers; mobile switching centers are the gateway of the GSM network and connect it to the public switched telephone network. The equipment identity register (EIR) is a database that stores the International Mobile Equipment Identity (IMEI) numbers of all mobile stations within the network; the EIR provides security features such as blocking calls from handsets that have been stolen, for example. The home location register (HLR) is a central database for all users registered to the GSM network; it stores static information about subscribers, such as the International Mobile Subscriber Identity (IMSI), the subscribed services and a key for authenticating subscribers. The HLR also stores dynamic subscriber information, for instance the current location of the mobile subscriber. The authentication center (AuC), associated with the HLR, is a database that contains all credentials for authenticating

subscribers and the necessary keys for encryption, that is, the secret keys used for authentication. Lastly, the visitor location register (VLR) is the database that temporarily stores information about the mobile stations that are active in the geographic area for which that VLR is responsible. The VLR is associated with a mobile switching center in the network. When a new subscriber roams into its location area, the VLR is responsible for copying the subscriber information from the HLR to its local database. GSM uses various interfaces for communicating among network elements. Communication also uses interfaces to the management database components: VLR, HLR, AuC and EIR. For instance, communication might traverse multiple MSCs but ultimately must reach the gateway MSC. Separate interfaces exist between each pair of elements, and each interface has its own protocol. The network switching subsystem (NSS) is the heart of the GSM system: it connects the wireless network to the standard wired network. It is responsible for handing off calls from one base station system to another and for performing services such as charging, accounting and roaming. Different signaling protocols are used on the various interfaces; the NSS interfaces mostly carry control signaling protocols rather than user traffic. For example, traffic generated on the interfaces between HLR and VLR is generally signaled with the Mobile Application Part over the SS7 protocol. So how are these related to our research? Regin's developers specifically targeted GSM networks and telecom companies. Symantec says Regin has been developed to be a type of malware that can potentially be used in espionage campaigns lasting several years, since 2008. The company was only able to analyze it partially: decrypting the sample files and discovering their actions is particularly difficult
to decipher. The attacks related to these stealthy hacking campaigns were also confirmed by the recent leaks. The following picture was taken in Germany: a group of activists protesting against GCHQ and the NSA to get their data removed from their databases.

Nobody has a clear idea how to target GSM and other telco infrastructure, so we tried to determine the attack surface and the possible attack scenarios. That is not exhaustive, since our resources are not like those of high-profile organizations such as the NSA or GCHQ; our approach pretty much looks like the old-school techniques, bent to our own needs. So in order to
determine potential attack scenarios, we decided to perform a large-scale service enumeration from base stations, for the possibility of tapping GSM communication from the base stations. We utilized a passive network tapping utility in our research, as seen in the picture, and tried to collect as much information as possible from different endpoints, also for 3G and LTE communication. It also included possible management services that were reachable from the base station into the network. So what

we discovered during the research from the BTS was the absence of physical intrusion detection systems; I am basically talking about the signaling of whether wire tapping is taking place or not. We also discovered that devices can be altered to change their mode; some companies don't take into consideration somebody infiltrating a base station. We discovered that a lot was reachable from the BTS, including management interfaces, default passwords, public and private keys, and the devices themselves were not tamper-resistant; there was no active protection. That shouldn't have been possible, and there is a big segmentation issue: network segments were reachable from the BTS. Our conclusion and experiments revealed that it was possible to exploit the network systems from the core GPRS units from the BTS. Since base stations are one of the most vulnerable components, we wanted to see whether it is possible to attack other components holding juicy information, such as the authentication center, HLR and VLR. If you have performed a similar assessment you'd be surprised how many services are reachable from the radio stations, because segmentation is not correctly implemented; this is what we experienced. Let's take a look at another component that could be targeted: the GRX.
GRX is the GPRS Roaming Exchange. It acts as a hub for GPRS connections from roaming users, removing the need for dedicated links between each pair of GPRS service providers. It is a network that also connects the peering interconnects. The major GRX peering points are located in Amsterdam for Europe and in Singapore for Asia. Essentially, when you travel abroad, your data is communicated through your provider at home via these infrastructures. GSM roaming exchanges are highly interconnected networks built for internet sharing, linking your local GSM provider to the others; if there were malicious activity it would affect multiple users and multiple networks. Multiple attack vectors are available, not limited to a particular segment, very often originating from the GPRS Tunneling

Protocol. GTP is a group of IP-based communication protocols used to carry general packet radio service within GSM, UMTS and LTE networks. GTP can be decomposed into separate protocols: GTP-C, GTP-U and GTP' (GTP prime). GTP-C is used within the GPRS core network for signaling between the GPRS support nodes; GTP-U is used for carrying user data within the GPRS core network and between the radio network and the core network. GTP' uses the same message structure as GTP-C and GTP-U but has an independent function. GTP can be used over UDP or TCP; UDP is either recommended or mandatory. One of the most

important features of GTP tunnels is that DNS is used for resolving the APN for the setup of a GTP tunnel. An access point name is the name of a gateway between a GPRS, 3G or 4G mobile network and another computer network, frequently the public internet. In the following network captures you can see GTP packets with a lot of juicy information, such as the subscriber, network and terminal information, and these might also be useful to correlate a person and his or her activities with the rest of the world, if you have enough information. The TEID field in the GTP-C header is the tunnel endpoint identifier; the F-TEID is a fully qualified tunnel endpoint identifier. If you're not familiar with all these GSM network and protocol details, you can imagine it as follows: when you set up a data session from your cell phone, the network still has to determine the correct gateway to connect to, and to connect to a secure gateway you need a private network, like a VPN. According
to the former head of the National Security Agency, Michael Hayden, metadata, the information collected by the NSA about phone calls and other communications that doesn't include the actual content, can tell the government about anyone it is targeting for surveillance, making the textual content of communication unnecessary. And advances in machine learning and artificial intelligence make it possible to predict potential human behavior, if a nation state plays for a wider

goal. Now, SS7. SS7 is a common channel signaling system that transports SS7 messages over an SS7 network. It was developed in the 1970s, and its original implementation didn't introduce any security features. Then there is SIGTRAN, a set of protocol extensions to SS7 defined to transport SS7 messages over IP networks. SS7 introduces procedures for identification, roaming, billing and call management. SS7 consists of the following parts: the Message Transfer Part (MTP1, MTP2 and MTP3) for signaling, the Signalling Connection Control Part, the Transaction Capabilities Application Part, the Telephone User Part and the ISDN User Part. Some SS7 features include flow control over the transmitted information, traffic congestion control, peer identities, statistics collection, traffic monitoring, and measurement analysis. SS7 is a global telecommunication protocol standard that defines the procedures by which network elements within the public switched telephone network exchange control information over digital links for setting up, managing and tearing down wireline and wireless calls. SIGTRAN is not application specific and works over IP; it enables multiple network elements to work together. There are ready-to-use tools available for experimentation; one of them is an SS7 analysis tool that I used during my research as part of the Regin malware attack surface analysis, to perform traffic analysis and an assessment of the protocol. The experimentation revealed that it was possible to extract a lot of juicy information, such as call numbers, information related to the data call, the call duration, call start and end times, and the call status,

and please remember that these are all so-called metadata, for which people are being killed.
Let's go through some of the attack scenarios over the SS7 protocol. Whenever a subscriber roams, the subscriber profile is copied from the HLR to the VLR database. Assuming an attacker managed to make changes in the VLR, he can change parameters and fake subscriber info so that the victim's calls are redirected to a conference call each time a call is made, so the attacker could constantly record and listen to the call, while the caller assumes that he is communicating directly. By introducing a fake VLR unit into the SS7 network, an attacker can intercept SMS messages and send confirmation to the sender that the message was received by the recipient. If the victim uses mobile banking or another set of services that use one-time SMS passwords, then the attacker can recover those passwords to make money transfers or take over internet accounts. Furthermore, the following attack scenarios are also possible by manipulating the VLR and HLR units within the SS7 network: interception of SMS messages, interception of outgoing calls, redirecting incoming calls, and making changes in user profiles and balances. Recently, researchers discovered that it is possible to unblock stolen phones by exploiting the trust relationship between the MSC and the Equipment Identity Register: the EIR simply checks the IMEI that the MSC returns against its structures, and therefore it ends up white-listed. That is more of a generic scenario, and the research is public and available on the internet. An interesting leak revealed that Hacking Team, which is known for selling surveillance tools to oppressive governments, was also interested in exploiting SS7 for user location tracking. It is technically true that

the location of a mobile phone could be obtained during the time of a call. Rootkits can be categorized as kernel-level and user-level rootkits. User-level rootkits are executables that run with limited system privileges; however, kernel rootkits run as highly privileged code within the operating system, also known as drivers, which gives them

the ability to hook a function or a system call and change the execution flow, so that you can modify what is obtained or what is being sent. You can think of it as a pirate hijacking a ship, stealing the treasure and letting it continue; that is the intuitive explanation. Hooking techniques are

used by malicious applications to monitor user actions, but there are also legitimate applications of hooking for the same purpose. For instance, antivirus applications use hooking techniques to detect malicious behavior in the system, such as key-logging, and the same applies to malware analysis sandboxes. Rootkits also use these techniques, for malicious purposes, to hide their activities within the infected system. The most commonly known techniques for userland applications are Import Address Table hooking, DLL injection and inline hooking. For kernel mode there are System Service Descriptor Table hooking, I/O Request Packet hooking, Interrupt Descriptor Table and Global Descriptor Table hooking, and lastly sysenter hooking. These techniques are widely documented and available on the internet, so we will not delve into them; I advise you to take a look at them on the internet.
Regin is a very complex multi-platform, multi-stage rootkit that consists of a dropper module and multi-stage kernel low-level components. Each stage is responsible for decrypting and loading the next modules into memory and executing them. The most interesting feature of the Regin platform was that it used an orchestrator, which was very new to the researchers at the date of its discovery: it makes RPC calls to specific kernel drivers to enable and activate them. The stage-4 payloads are what actually perform the malicious actions in the system. One of the most interesting malicious modules employed by Regin was the one that made it possible to monitor GSM base station controller commands. So what

were the challenges and the hard parts of the given research? Nobody had the dropper module to start the analysis from; it is a multi-stage, encrypted, very complex modular framework. The modules are invoked by RPC calls by this framework. The modules' data is stored in a virtual file system, and the encryption used was RC5, not commonly seen in malware implementations up to that time. In the GSM literature there were no indicators of compromise, so we had to decide how to solve these problems. The best way to start was reverse engineering the encryption and the brain of the framework, the orchestrator, combining that with memory dumps of infected systems, in collaboration with different researchers, and then doing dynamic analysis. Similar research was done by a Russian researcher, and it has a more detailed explanation at the given link. So, the Regin framework stages: stages 1, 2 and 3 are mostly responsible for the decryption of the following stages.
Stage 1 attempts to prepare the execution of stage 2, which is developed as a kernel module. In this stage, stage 1 simply uses kernel memory calls to allocate a memory pool for stage 2; consequently, it makes sense, since the following module is a kernel driver. Stage

2: the configuration block contains the name of a file system directory that holds the encrypted stage 3 in the extended attributes. Stage 2 is in charge of signaling stage 3 to generate the latest stage, and so on; the stages of Regin make their own detection much harder. The

second stage also creates a marker file that can be used to identify an infected machine. It can simply remove the previous stages, and it creates an encrypted file, which is the virtual file system used for persistence. Also, the actual kernel payloads are stored in a file container, the virtual file system container. So stage

3 is the kernel driver manager, and stage 4 is the brain of the Regin framework: the orchestrator, responsible for loading the internal modules. Stage

4 also presents an interesting API call: a routine that attaches to the address space of a target process, which we observed when analyzing the platform. Now, since our
goal was to reproduce and simulate Regin's functionality in an instrumented environment, I created a simple routine that attaches to an application and intercepts system calls and changes them in any way you choose. This is a very

simple piece of code in brief, showing a lookup of the process environment block for a process, then obtaining the base addresses of all its modules and attaching to it. This may not

be a very concrete comparison among Uroburos, Regin and Duqu 2, but these are the most complex implants discovered until now, and their modules and their approach to how they operate malicious actions on the target have changed over time; for instance, Duqu 2 was built differently, and Uroburos and Duqu 2 were using stolen legitimate certificates. In order to simulate the Regin behavior, I created a small framework that consists of two modules, a kernel-level and a user-level module, and simulates the orchestrator behavior in a similar way to how it is implemented in the Regin framework. The features of the simulator include covert data exfiltration, running as a thread in a legitimate application's address space and making it totally invisible to the users. The orchestrator is simulated and has partial RPC calls, the same as in the Regin framework; it monitors all file system requests through the kernel hooks and loadable modules, pretty much the same as what you can see from some very critical current implants. Now it is time for the demo; I hope it won't fail. So I

have the proof of concept implemented for both 64-bit and 32-bit. I'm going to show you the tool; it is written in C/C++ with the Windows Driver Development Kit. I have

two modules: an executable, which is the user-land part, and the kernel driver, and this is a batch file that simply loads them. I will show the content of the batch file. This

simply installs the executable as a service; it walks through the service controller and installs the file system kernel driver, and then executes the user-mode part of the framework. It is not obfuscated; it is a simple executable, just for demonstration purposes. I made it very simple. What I'm going to do is
I will just copy these three files to the victim machine. So it's a normal user, and you will need to use the content of our infrastructure. I will simply run it, so what it does is simply install the kernel driver, and right now the system is infected, like with the original Regin. I'll show you:

since this module is implemented by simple system call hooking, right now the hooking types can be clearly seen. These are kernel-level hooks that intercept and change the behavior in the system,
and the infection was done as an unprivileged user. I have a client,

so I can connect. Depending on the final configuration I could change the port, but for the sake of simplicity I will show the capabilities here. It is a client; it can connect to the infected machine by simply providing the IP address; I hard-coded the port number for the sake of simplicity. So it connects to a user shell, and you can just look around at some activities on the system. And by the way, this is

totally undetected: the antivirus was updated two hours ago and it cannot detect the execution, because the module intercepts system calls and hides itself from the antivirus. I want to just

demonstrate some of the simple behaviors: the client commands I can send to the system. I can run an executable, and the system invokes some file; I can encrypt and hide files; and I can kill the system by simply writing some changes into the file structure of the system, for example. That demonstrates its use. I
think, I don't know, maybe I can demonstrate some more issues; if unsuccessful I will return to this. I try to respond to the system, and the thing is that you shouldn't be able to find it in the operating system. Yeah, this module can do that. And by doing this, it is never found. Any questions? Thank you very much.
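The talk describes the GTP header and its TEID tunnel identifier only in passing. As an added example, not the speaker's tool or any code from the talk, the following C program parses a GTPv1 header as carried on the Gn/Gp interfaces: it extracts the version, protocol type, message type, length and TEID, reads the optional sequence/N-PDU/extension field when one of the E, S or PN flags is set, and validates the length field against the datagram size, which is the check a GTP-aware filter or analyzer needs before trusting anything after the header. The two datagrams are constructed for the example (a GTP-C Create PDP Context Request with a sequence number, and a GTP-U G-PDU carrying a few stand-in payload bytes), not captured traffic. Extension headers are flagged but not walked.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Parsed view of a GTPv1 header (3GPP TS 29.060). The mandatory part is
 * 8 bytes; if any of the E, S or PN flags is set, a further 4 bytes
 * (sequence number, N-PDU number, next extension header type) follow. */
typedef struct {
    uint8_t  version;   /* 3 bits; 1 for GTPv1 */
    uint8_t  pt;        /* protocol type: 1 = GTP, 0 = GTP' */
    uint8_t  has_ext;   /* E flag: extension headers present */
    uint8_t  has_seq;   /* S flag: sequence number present */
    uint8_t  has_npdu;  /* PN flag: N-PDU number present */
    uint8_t  msg_type;
    uint16_t length;    /* bytes following the 8-byte mandatory header */
    uint32_t teid;      /* tunnel endpoint identifier */
    uint16_t seq;
    uint8_t  npdu;
    uint8_t  next_ext;
    size_t   hdr_len;   /* 8 or 12 */
} gtpv1_hdr;

/* Returns 0 on success; negative codes identify the failed check. */
int gtpv1_parse(const uint8_t *buf, size_t len, gtpv1_hdr *h)
{
    if (len < 8) return -1;                 /* truncated mandatory header */
    memset(h, 0, sizeof *h);
    uint8_t flags = buf[0];
    h->version  = flags >> 5;
    h->pt       = (flags >> 4) & 1;
    h->has_ext  = (flags >> 2) & 1;
    h->has_seq  = (flags >> 1) & 1;
    h->has_npdu = flags & 1;
    if (h->version != 1) return -2;         /* not GTPv1 (GTPv2-C uses version 2) */
    h->msg_type = buf[1];
    h->length   = (uint16_t)((buf[2] << 8) | buf[3]);
    h->teid     = ((uint32_t)buf[4] << 24) | ((uint32_t)buf[5] << 16) |
                  ((uint32_t)buf[6] << 8)  |  (uint32_t)buf[7];
    h->hdr_len  = 8;
    if (h->has_ext || h->has_seq || h->has_npdu) {
        if (len < 12) return -3;            /* optional field announced but missing */
        h->seq      = (uint16_t)((buf[8] << 8) | buf[9]);
        h->npdu     = buf[10];
        h->next_ext = buf[11];
        h->hdr_len  = 12;
    }
    /* The length field counts everything after the first 8 bytes, so a
     * value larger than the datagram is a malformed or truncated packet. */
    if ((size_t)h->length + 8 > len) return -4;
    return 0;
}

/* A few GTPv1 message types (TS 29.060, table 1). */
const char *gtpv1_msg_name(uint8_t t)
{
    switch (t) {
    case 1:   return "Echo Request";
    case 2:   return "Echo Response";
    case 16:  return "Create PDP Context Request";
    case 17:  return "Create PDP Context Response";
    case 18:  return "Update PDP Context Request";
    case 20:  return "Delete PDP Context Request";
    case 255: return "G-PDU";
    default:  return "other";
    }
}

/* Constructed samples for this example, not captured traffic. */
/* GTP-C: flags 0x32 = version 1, PT=1, S flag; Create PDP Context Request;
 * length 6 = 4 optional header bytes + a 2-byte Recovery IE; TEID 0
 * (initial request); sequence 42. */
const uint8_t sample_gtpc[] = {
    0x32, 0x10, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x2a, 0x00, 0x00, 0x0e, 0x01
};
/* GTP-U: flags 0x30 = version 1, PT=1, no optional fields; G-PDU; length 4;
 * TEID 0x12345678; 4 payload bytes standing in for an inner IP packet. */
const uint8_t sample_gtpu[] = {
    0x30, 0xff, 0x00, 0x04, 0x12, 0x34, 0x56, 0x78,
    0x45, 0x00, 0x00, 0x14
};

int main(void)
{
    gtpv1_hdr h;
    const struct { const char *name; const uint8_t *p; size_t n; } pkts[] = {
        { "GTP-C", sample_gtpc, sizeof sample_gtpc },
        { "GTP-U", sample_gtpu, sizeof sample_gtpu },
    };
    for (size_t i = 0; i < 2; i++) {
        int rc = gtpv1_parse(pkts[i].p, pkts[i].n, &h);
        printf("%s: rc=%d type=%u (%s) len=%u teid=0x%08x seq=%u hdr=%zu\n",
               pkts[i].name, rc, h.msg_type, gtpv1_msg_name(h.msg_type),
               h.length, h.teid, h.seq, h.hdr_len);
    }
    return 0;
}
```

A filter sitting on a GRX border would apply the same checks before looking at the TEID: reject anything that is not version 1 on the GTP-C and GTP-U ports, and drop datagrams whose announced length exceeds what arrived, since those are exactly the inputs that trip up naive parsers.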
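The demo's kernel-level system call hooks cannot be shown in a portable, runnable form. The following user-mode C program, added here as an illustration and not the speaker's simulator or Regin's code, models the mechanism the talk relies on: a dispatch table of system service pointers standing in for the SSDT, a hook that swaps one entry for a filtering routine which hides files whose names start with a marker prefix (the kind of artifact, like Regin's marker file, a rootkit wants to hide), and the corresponding integrity check that compares the live table against a trusted snapshot, which is how hooks of this kind are detected. The directory listing, the `rgn_` prefix and the service indices are all constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Model of a system service dispatch table: index -> handler. */
typedef int (*syscall_fn)(const char *arg, char *out, size_t outsz);

enum { SYS_QUERY_DIRECTORY = 0, SYS_READ_FILE = 1, SYSCALL_COUNT = 2 };

/* Constructed marker prefix; entries with this prefix are what the hook hides. */
#define HIDDEN_PREFIX "rgn_"

/* "Kernel" implementations. The directory listing is constructed data. */
static int sys_query_directory(const char *path, char *out, size_t outsz)
{
    (void)path;
    snprintf(out, outsz, "boot.ini;ntoskrnl.exe;rgn_marker.dat;pagefile.sys");
    return 0;
}
static int sys_read_file(const char *path, char *out, size_t outsz)
{
    snprintf(out, outsz, "<contents of %s>", path);
    return 0;
}

/* The live table, a trusted snapshot taken at "boot", and the saved
 * originals so a hook can call through to the real service. */
static syscall_fn ssdt[SYSCALL_COUNT] = { sys_query_directory, sys_read_file };
static syscall_fn ssdt_baseline[SYSCALL_COUNT];
static syscall_fn ssdt_saved[SYSCALL_COUNT];

void ssdt_snapshot(void) { memcpy(ssdt_baseline, ssdt, sizeof ssdt); }

/* Dispatch through the table, as the system call entry path would. */
int sys_call(int idx, const char *arg, char *out, size_t outsz)
{
    if (idx < 0 || idx >= SYSCALL_COUNT) return -1;
    return ssdt[idx](arg, out, outsz);
}

/* Rootkit side: replace a table entry, remembering the original. */
int install_hook(int idx, syscall_fn hook)
{
    if (idx < 0 || idx >= SYSCALL_COUNT || ssdt_saved[idx]) return -1;
    ssdt_saved[idx] = ssdt[idx];
    ssdt[idx] = hook;
    return 0;
}
int remove_hook(int idx)
{
    if (idx < 0 || idx >= SYSCALL_COUNT || !ssdt_saved[idx]) return -1;
    ssdt[idx] = ssdt_saved[idx];
    ssdt_saved[idx] = NULL;
    return 0;
}

/* Filtering hook: call the real service, then drop hidden entries from
 * the ';'-separated listing before the caller ever sees them. */
int hooked_query_directory(const char *path, char *out, size_t outsz)
{
    char raw[256];
    int rc = ssdt_saved[SYS_QUERY_DIRECTORY](path, raw, sizeof raw);
    if (rc != 0) return rc;
    size_t used = 0;
    out[0] = '\0';
    for (char *e = strtok(raw, ";"); e; e = strtok(NULL, ";")) {
        if (strncmp(e, HIDDEN_PREFIX, strlen(HIDDEN_PREFIX)) == 0) continue;
        int n = snprintf(out + used, outsz - used, "%s%s", used ? ";" : "", e);
        if (n < 0 || (size_t)n >= outsz - used) return -1;
        used += (size_t)n;
    }
    return 0;
}

/* Defender side: count table entries that no longer match the trusted
 * snapshot (a real tool compares against the kernel image's own table). */
int ssdt_integrity_check(void)
{
    int modified = 0;
    for (int i = 0; i < SYSCALL_COUNT; i++)
        if (ssdt[i] != ssdt_baseline[i]) modified++;
    return modified;
}

int main(void)
{
    char buf[256];
    ssdt_snapshot();
    sys_call(SYS_QUERY_DIRECTORY, "C:\\", buf, sizeof buf);
    printf("clean:  %s (modified entries: %d)\n", buf, ssdt_integrity_check());
    install_hook(SYS_QUERY_DIRECTORY, hooked_query_directory);
    sys_call(SYS_QUERY_DIRECTORY, "C:\\", buf, sizeof buf);
    printf("hooked: %s (modified entries: %d)\n", buf, ssdt_integrity_check());
    remove_hook(SYS_QUERY_DIRECTORY);
    return 0;
}
```

The point of the integrity check is that a table-swap hook is visible to anyone holding a trusted copy of the table; that is why the more advanced implants the talk compares move to inline patches or to their own drivers instead of leaving an SSDT entry pointing outside the kernel image.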


Formal metadata

Title: Why Nation-State Malwares Target Telco Networks: Dissection Technical Capabilities of Regin and Its Counterparts
Alternative title: Why nation-state malwares target Telco Networks: Regin and its counterparts
Series title: Hacktivity 2015
Part: 22
Number of parts: 29
Author: Coskun, Omer
License: CC Attribution 3.0 Germany:
You may use, modify and reproduce, distribute and make publicly available the work or its content, in unmodified or modified form, for any legal purpose, provided that you credit the author/rights holder in the manner specified by them.
DOI: 10.5446/18849
Publisher: Hacktivity
Year of publication: 2015
Language: English

Content metadata

Subject area: Computer science
Abstract: Recent research in malware analysis suggests that state actors allegedly use cyber espionage campaigns against GSM networks. Analysis of state-sponsored malware such as Flame, Duqu, Uroburos and Regin revealed that these were designed to sustain long-term intelligence-gathering operations by remaining under the radar. Antivirus companies did a great job in revealing technical details of the attack campaigns; however, they have almost exclusively focused on the executables or the memory dumps of the infected systems, and the research hasn't been simulated in a real environment. In this talk, we are going to break down the Regin framework stages from a reverse engineering perspective (kernel driver infection scheme, virtual file system and its encryption scheme, kernel mode manager) while analyzing its behavior on a GSM network and making a technical comparison with its counterparts, such as TDL4, Uroburos and Duqu 2.
