Wikipedia

LightBasin

LightBasin, also called UNC1945 by Mandiant, is a suspected Chinese cyber espionage group that has been described as an advanced persistent threat and has been attributed to multiple cyberattacks on telecommunications companies.[1][2][3] As an advanced persistent threat, they seek to gain unauthorized access to a computer network and remain undetected for an extended period. They have been attributed to attacks targeting Linux and Solaris systems.[1][2][3]

History

The LightBasin cyber espionage group has operated since 2016.[1][2] CrowdStrike says that they are based in China, though their exact location isn't known.[1] They have targeted 13 telecoms operators.[2]

Targets

CrowdStrike says that the group is unusual in targeting protocols and technology of telecoms operators.[1] According to CrowdStrike's investigation of one such breach, LightBasin leveraged external Domain Name System (eDNS) servers — which are part of the General Packet Radio Service (GPRS) network and play a role in roaming between different mobile operators — to connect directly to and from other compromised telecommunication companies’ GPRS networks via Secure Shell and through previously established implants. Many of their tools are written for them rather than being off the shelf.[1]

After compromising a system, they installed a backdoor, known as SLAPSTICK, for the Solaris Pluggable Authentication Module (PAM).[2] They utilize TinyShell, which is a Python command shell used to control and execute commands through HTTP requests to a web shell,[4] to communicate with the attackers' IP addresses. The scripts are tunneled through an SGSN emulator, which CrowdStrike says is done to maintain OPSEC.[3] The Serving GPRS Support Node (SGSN) is a main component of the GPRS network that handles all packet-switched data within the network, e.g. the mobility management and authentication of users.[5] Utilizing this form of tunneling makes it less likely to be restricted or inspected by network security solutions.[1][3]

CrowdStrike recommends that firewalls dealing with GPRS traffic be configured to limit access to DNS or GPRS tunneling protocol traffic.[1]
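One way a network defender can act on that recommendation is to treat the roaming interface as an allowlist problem: only the protocols the GPRS roaming exchange actually needs (GTP-C on UDP/2123, GTP-U on UDP/2152, and DNS for eDNS lookups) from known roaming partners are expected, and anything else, such as an SSH session arriving from a partner network, is worth an alert. The following Python is an added illustration and not code from the Wikipedia article or from CrowdStrike. It renders that one policy both as an nftables ruleset and as a check over flow records; the flow-log format, the interface name `grx0`, the peer prefixes and the internal core prefix are all constructed assumptions.

```python
"""Audit flows on a GPRS roaming interface against an allowlist policy.

Added illustration, not code from the Wikipedia article or CrowdStrike.
The flow-log format, interface name "grx0", roaming peer prefixes and the
internal core prefix are constructed assumptions for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Services a roaming (GRX) interface legitimately carries: GTP-C (UDP/2123),
# GTP-U (UDP/2152) and DNS for eDNS lookups (UDP and TCP/53). Anything else,
# such as SSH, is outside the expected roaming protocol set.
ALLOWED_SERVICES = {("udp", 2123), ("udp", 2152), ("udp", 53), ("tcp", 53)}

# Constructed peers using documentation prefixes; real values come from the
# operator's roaming agreements.
ROAMING_PEERS = [ip_network("198.51.100.0/24"), ip_network("203.0.113.0/24")]
INTERNAL_CORE = ip_network("10.0.0.0/8")  # assumed: the operator's own GPRS core
ROAMING_IFACE = "grx0"                    # assumed interface name


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one line of the constructed format: ts src dst proto dport bytes."""
    ts, src, dst, proto, dport, nbytes = line.split()
    return Flow(ts, src, dst, proto.lower(), int(dport), int(nbytes))


def peer_of(flow: Flow) -> str:
    """The remote endpoint: whichever side is not in our own core network."""
    return flow.dst if ip_address(flow.src) in INTERNAL_CORE else flow.src


def violations(flow: Flow) -> List[str]:
    """Reasons this flow breaks the roaming-interface policy (empty if none)."""
    reasons = []
    peer = ip_address(peer_of(flow))
    if not any(peer in net for net in ROAMING_PEERS):
        reasons.append(f"unknown roaming peer {peer}")
    if (flow.proto, flow.dport) not in ALLOWED_SERVICES:
        reasons.append(f"unexpected service {flow.proto}/{flow.dport}")
    return reasons


def flag_flows(log_text: str) -> List[Tuple[Flow, List[str]]]:
    """Return every (flow, reasons) pair in the log that violates the policy."""
    alerts = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        reasons = violations(flow)
        if reasons:
            alerts.append((flow, reasons))
    return alerts


def nft_policy() -> str:
    """Render the same allowlist as nftables rules scoped to the roaming interface.

    Traffic entering on ROAMING_IFACE from a known peer on an allowed service is
    accepted; all other traffic entering on that interface is logged and dropped.
    Other interfaces are left alone (chain policy accept).
    """
    peers = ", ".join(str(n) for n in ROAMING_PEERS)
    lines = [
        "table inet grx {",
        f"  set roaming_peers {{ type ipv4_addr; flags interval; elements = {{ {peers} }} }}",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
    ]
    for proto in ("udp", "tcp"):
        ports = sorted(p for pr, p in ALLOWED_SERVICES if pr == proto)
        port_set = ", ".join(str(p) for p in ports)
        lines.append(
            f'    iifname "{ROAMING_IFACE}" ip saddr @roaming_peers {proto} dport {{ {port_set} }} accept'
        )
    lines += [f'    iifname "{ROAMING_IFACE}" log prefix "grx-drop " drop', "  }", "}"]
    return "\n".join(lines)


# Constructed flow log: GTP and DNS flows from known peers, then one SSH
# connection from a known peer and one GTP-C flow from an unknown address.
SAMPLE_LOG = """\
# ts src dst proto dport bytes (constructed)
2021-10-01T10:00:01Z 198.51.100.7 10.1.1.20 udp 2123 512
2021-10-01T10:00:02Z 10.1.1.20 198.51.100.7 udp 2152 90000
2021-10-01T10:00:03Z 203.0.113.9 10.1.1.53 udp 53 120
2021-10-01T10:00:04Z 198.51.100.7 10.1.1.20 tcp 22 4096
2021-10-01T10:00:05Z 192.0.2.44 10.1.1.20 udp 2123 512
"""

if __name__ == "__main__":
    for flow, reasons in flag_flows(SAMPLE_LOG):
        print(flow.ts, flow.src, "->", flow.dst, f"{flow.proto}/{flow.dport}:", "; ".join(reasons))
    print(nft_policy())
```

Run as written, the script flags two of the five constructed flows (the SSH connection from a known peer and the GTP-C flow from an address outside the peer list) and prints the matching nftables ruleset. Keeping the enforced ruleset and the audit check derived from one policy definition means a new roaming partner or a newly permitted service is added in exactly one place.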

References

  1. Nichols, Shaun (2021-10-20). "'LightBasin' hackers spent 5 years hiding on telco networks". TechTarget. Retrieved 2022-04-08.
  2. Ilascu, Ionut (2021-10-19). "LightBasin hacking group breaches 13 global telecoms in two years". Bleeping Computer. Retrieved 2022-04-08.
  3. "LightBasin: A Roaming Threat to Telecommunications Companies". CrowdStrike. 19 October 2021.
  4. "Day 27: Tiny SHell (SSH-like backdoor with full-pty terminal)". Medium. 26 January 2019.
  5. "SGSN". Telecom ABC.

External links

  • CrowdStrike blog entry on LightBasin
  • BeyondTrust blog entry on LightBasin
