Security researcher HaxRob has unveiled a stealthy Linux backdoor known as GTPDOOR, strategically crafted to infiltrate mobile carrier networks discreetly. This covert operation poses a serious threat to the security infrastructure of telecom operators.
Targeted Components within Mobile Networks
Cybercriminals are currently exploiting GTPDOOR, a Linux backdoor that can allow access to a mobile operator network. It could breach the system and expose the public data if this happens.
GTPDOOR is strategically aimed at exploiting vulnerabilities within components adjacent to the GPRS roaming eXchange (GRX), including the Serving GPRS Support Node (SGSN), Gateway GPRS Support Node (GGSN), and P-GW. These critical network elements are gateways to a telecom's core infrastructure, providing attackers with direct access to sensitive data and network resources.
Related Article: Researchers Discover Key-Stealing SSH-Snake Malware-Goes Undetected, Spreads Infections to New Systems
Understanding the GRX and Network Components
According to HaxRob, GRX serves as a vital component in mobile telecommunications, facilitating seamless data roaming services across diverse geographical regions and networks.
Meanwhile, the SGSN, GGSN, and P-GW play pivotal roles in managing and routing mobile communications within an operator's network infrastructure.
Identifying Vulnerable Network Components
Given their exposure to the public domain, with IP addresses readily available in public documents, the SGSN, GGSN, and P-GW are prime targets for initial access into a mobile operator's network, per HaxRob's analysis.
Insights into GTPDOOR
HaxRob attributes GTPDOOR to the "LightBasin'' threat group (UNC1945), notorious for conducting intelligence-collection operations targeting telecommunications firms worldwide. The backdoor was detected in two versions uploaded to VirusTotal in late 2023, evading detection by conventional antivirus software.
Operation Mechanisms of GTPDOOR
GTPDOOR operates as a sophisticated backdoor malware leveraging the GPRS Tunnelling Protocol Control Plane (GTP-C) for covert command and control (C2) communications.
By exploiting legitimate network traffic and utilizing permitted ports, GTPDOOR evades standard security solutions. The malware can modify its process name to mimic legitimate system processes for added stealth, Bleeping Computer writes.
Functionality of GTPDOOR
GTPDOOR v1 facilitates operations such as setting encryption keys, writing data to local files, and executing shell commands. Meanwhile, GTPDOOR v2 enhances these capabilities with additional features like Access Control Lists (ACLs) for network permissions management.
How to Detect This Linux Backdoor
To combat GTPDOOR, detection efforts should focus on monitoring raw socket activities, identifying unusual process names, and detecting specific malware indicators.
Employing GTP firewalls and adhering to GSMA security guidelines are recommended defense measures to mitigate the threat posed by GTPDOOR.
The emergence of GTPDOOR alarms the critical need for secure cybersecurity measures within mobile carrier networks. Proactive detection and stringent defense strategies are essential to protecting a system against sophisticated threats like GTPDOOR and ensuring the integrity and security of the telecom sector.
For more news about malware and other cyber threats you are curious about, just click here to read the latest updates.
