CL-STA-0969’s Targeted Campaign Against Telecom Providers


Unit 42 uncovered a sophisticated cyber-espionage campaign, tracked as CL-STA-0969, targeting telecommunications infrastructure, especially mobile roaming networks, in Southwest and East Asia. The threat actor, which overlaps strongly with Liminal Panda, relied on disciplined operational security (OPSEC), custom implants, DNS/ICMP tunneling, and the interconnections between telecom providers to maintain long-term persistence and covert control.

Severity Level: High

Malware Involved

  • Custom Backdoors: AuthDoor, GTPDoor, EchoBackdoor, ChronosRAT, NoDepDNS
  • Network Tools: Cordscan, SGSN Emulator, Microsocks, FScan, Responder
  • Privilege-Escalation Exploits: exploit_userspec.py (CVE-2021-3156, the sudo "Baron Samedit" heap overflow), PwnKit (CVE-2021-4034, Polkit pkexec)

Threat Actor

  • Overlaps strongly with Liminal Panda; shares tooling traits with the UNC1945, UNC2891 and UNC3886 clusters and with LightBasin.
  • Likely nation-state sponsored, based on tactics, victimology, and the length of the persistence.

Campaign Scale

  • Activity observed from February to November 2024.
  • Targeted multiple telecoms globally, primarily in Asia.
  • Exploited telecom roaming exchange infrastructure (GRX, the GPRS Roaming eXchange) to move between operators.

Attack Overview

  • Initial access by SSH brute-forcing built-in accounts specific to telecom equipment.
  • Privilege escalation through known vulnerabilities: CVE-2016-5195 (Dirty COW), CVE-2021-4034 (Polkit pkexec, PwnKit), CVE-2021-3156 (sudo heap-based buffer overflow, Baron Samedit).
  • Backdoored PAM modules (e.g., a trojanized pam_unix.so) that silently log credentials and provide an authentication bypass.
  • DNS, ICMP and GTP used as covert command-and-control (C2) channels.
  • Strong OPSEC: log cleansing, timestomping, process masquerading.
  • Telecom-specific tools such as Cordscan and the SGSN Emulator used to extract mobile network data (IMSI/HNI).
  • FRP (Fast Reverse Proxy) and ProxyChains used for tunneling, exfiltration and lateral movement.
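One way to hunt for the process masquerading described above, as an added example that is not code from Unit 42's report or from this advisory: it reads /proc directly (no reliance on a ps binary the intruder may have swapped) and compares what a process claims to be, its argv[0] and comm, with the executable the kernel actually mapped at /proc/<pid>/exe. The detection rules, the untrusted-directory list, the kernel-thread name pattern and the sample process records are assumptions constructed for illustration.

```python
#!/usr/bin/env python3
"""Hunt for userland processes posing as kernel threads or system daemons.

Added example for this advisory, not code from the Unit 42 report. It reads
/proc directly (no dependency on ps, which an attacker may have replaced).
Run as root so /proc/<pid>/exe is readable for every process.
"""
import os
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Assumption: no legitimate daemon on a telecom host executes from these locations.
UNTRUSTED_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/", "/run/user/")

# Names the kernel gives its own threads; a process with one of these AND a
# backing executable is userland code wearing a kernel-thread costume.
KERNEL_THREAD_RE = re.compile(
    r"^(kworker|ksoftirqd|kthreadd|migration|watchdog|rcu_\w+|cpuhp|kswapd|jbd2)\b")


@dataclass
class Proc:
    pid: int
    comm: str             # /proc/<pid>/comm, the 15-char name the kernel tracks
    cmdline: List[str]    # /proc/<pid>/cmdline split on NUL; [] for real kernel threads
    exe: Optional[str]    # readlink(/proc/<pid>/exe); None when no executable is mapped


def collect_procs() -> List[Proc]:
    """Snapshot every visible process from /proc without shelling out."""
    procs: List[Proc] = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                raw = fh.read()
        except OSError:        # process exited mid-scan or /proc is restricted: skip it
            continue
        cmdline = [a.decode(errors="replace") for a in raw.split(b"\0") if a]
        try:
            exe: Optional[str] = os.readlink(f"/proc/{pid}/exe")
        except OSError:        # kernel threads and zombies have no exe link
            exe = None
        procs.append(Proc(pid, comm, cmdline, exe))
    return procs


def claimed_name(argv0: str) -> str:
    """Program name a process advertises, e.g. 'sshd: root@pts/0' -> 'sshd'."""
    return os.path.basename(argv0.split(None, 1)[0].rstrip(":")) if argv0 else ""


def find_masquerading(procs: Iterable[Proc]) -> List[Tuple[int, str]]:
    """Return (pid, reason) for every process whose identity does not add up."""
    findings: List[Tuple[int, str]] = []
    for p in procs:
        argv0 = p.cmdline[0] if p.cmdline else ""
        # Rule 1: genuine kernel threads have an EMPTY cmdline; ps merely renders them
        # as [name]. Anything that literally spells "[watchdog/1]" in argv[0], or wears
        # a kernel-thread comm while having an exe, is a userland impostor.
        if argv0.startswith("[") and argv0.endswith("]"):
            findings.append((p.pid, f"argv0 {argv0!r} mimics a kernel thread; exe={p.exe}"))
            continue
        if p.exe is not None and KERNEL_THREAD_RE.match(p.comm):
            findings.append((p.pid, f"comm {p.comm!r} mimics a kernel thread; exe={p.exe}"))
            continue
        if p.exe is None:
            continue           # real kernel thread or zombie: nothing left to compare
        # Rule 2: daemon binary living in scratch space, or unlinked after launch.
        if p.exe.startswith(UNTRUSTED_DIRS):
            findings.append((p.pid, f"{argv0!r} runs from untrusted path {p.exe}"))
            continue
        if p.exe.endswith(" (deleted)"):
            findings.append((p.pid, f"{argv0!r} binary deleted after start: {p.exe}"))
            continue
        # Rule 3: argv[0] names one program but the mapped executable is another
        # (e.g. 'httpd -D FOREGROUND' backed by /usr/bin/python3). Versioned names
        # such as python3 -> python3.11 are tolerated via the prefix check.
        name, exe_base = claimed_name(argv0), os.path.basename(p.exe)
        if name and name != exe_base and not exe_base.startswith(name):
            findings.append((p.pid, f"argv0 {argv0!r} does not match exe {p.exe}"))
    return findings


# Constructed sample records (not a real capture) showing each rule firing once.
SAMPLE_PROCS = [
    Proc(2, "kthreadd", [], None),                                            # genuine kernel thread
    Proc(1337, "watchdog/1", ["[watchdog/1]"], "/tmp/.x/wd"),                 # fake kernel thread
    Proc(2048, "httpd", ["httpd", "-D", "FOREGROUND"], "/usr/sbin/httpd"),    # legitimate
    Proc(2049, "httpd", ["httpd", "-D", "FOREGROUND"], "/usr/bin/python3.11"),  # renamed argv0
    Proc(3000, "dbus-console", ["dbus-console"], "/dev/shm/.d/dbus-console"),   # scratch dir
    Proc(4000, "sshd", ["sshd: root@pts/0"], "/usr/sbin/sshd"),               # legitimate
]

if __name__ == "__main__":
    for pid, reason in find_masquerading(collect_procs()):
        print(f"PID {pid}: {reason}")
```

Rule 3 will also surface legitimate wrappers and interpreters that rewrite their argv[0], so treat it as a triage queue rather than an alert; rules 1 and 2 have far fewer benign explanations on a production telecom node.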

Recommendations

  1. Enforce MFA for all SSH and telecom infrastructure access points.
  2. Audit and disable default or built-in telecom equipment accounts.
  3. Apply account lockout policies and rate limiting to SSH logins to blunt brute-force attacks.
  4. Immediately patch systems vulnerable to CVE-2016-5195 (Dirty COW), CVE-2021-4034 (Polkit pkexec), and CVE-2021-3156 (sudo heap-based buffer overflow).
  5. Upgrade legacy Linux kernels (pre-4.8.3, which lack the Dirty COW fix) and deprecated telecom equipment OS builds.
  6. Remove unnecessary services such as telnet and ftp, and retire outdated PAM modules.
  7. Search for unauthorized PAM modules (e.g., an altered pam_unix.so) and backdoor hooks.
  8. Enable File Integrity Monitoring (FIM) for /usr/bin/, /usr/lib/security/, /etc/pam.d/, /etc/selinux/, and cron jobs.
  9. Watch for process names masquerading as kernel threads or system services ([watchdog/1], httpd -D, dbus-console, etc.).
  10. Block the IOCs at the respective controls: https://www.virustotal.com/gui/collection/d73d817b5ed40295038aafd026e0ba171beef21a2ed9685a73744e348c5615ca/iocs
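Recommendations 7 and 8 together, as an added example that is not code from the Unit 42 report or from this advisory: a PAM audit that parses the /etc/pam.d stack (including backslash continuations, [bracketed] controls, include/substack and @include lines), flags modules loaded from outside the standard module directories, unknown module names and auth-bypass patterns, and hashes the module binaries so a baseline from a clean host can be diffed against a suspect one. The module allowlist, directory lists and the sample sshd configuration are assumptions constructed for illustration.

```python
#!/usr/bin/env python3
"""Audit PAM for backdoor hooks: unexpected modules in /etc/pam.d/* and
tampered module binaries under the PAM library directories.

Added example for this advisory, not code from the Unit 42 report.
The module allowlist and directory lists are assumptions; tune them per distro.
"""
import glob
import hashlib
import os
from typing import Dict, List, Tuple

# Assumption: modules a stock Linux-PAM install is expected to reference.
KNOWN_MODULES = {
    "pam_unix.so", "pam_deny.so", "pam_permit.so", "pam_env.so", "pam_limits.so",
    "pam_systemd.so", "pam_faillock.so", "pam_faildelay.so", "pam_nologin.so",
    "pam_succeed_if.so", "pam_localuser.so", "pam_pwquality.so", "pam_sss.so",
    "pam_keyinit.so", "pam_loginuid.so", "pam_selinux.so", "pam_lastlog.so",
    "pam_motd.so", "pam_umask.so", "pam_namespace.so", "pam_access.so",
    "pam_wheel.so", "pam_rootok.so", "pam_sepermit.so", "pam_exec.so",
}
# Where the PAM loader legitimately picks modules up from (paths elsewhere are suspect).
MODULE_DIRS = ("/lib/security", "/lib64/security", "/usr/lib/security",
               "/usr/lib64/security", "/usr/lib/x86_64-linux-gnu/security")
PAM_TYPES = {"auth", "account", "password", "session"}
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")

Entry = Tuple[str, str, str, List[str]]   # (type, control, module-or-file, args)


def parse_pam_config(text: str) -> List[Entry]:
    """Parse one pam.d file: comments, backslash continuations, [bracket] controls, @include."""
    entries: List[Entry] = []
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("@include"):
            entries.append(("@include", "", line.split(None, 1)[1].strip(), []))
            continue
        tokens = line.split()
        mtype = tokens[0].lstrip("-").lower()     # leading '-' = skip silently if missing
        if mtype not in PAM_TYPES or len(tokens) < 3:
            continue                               # PAM itself logs and ignores such lines
        if tokens[1].startswith("["):              # e.g. [success=1 default=ignore]
            j = 1
            while j < len(tokens) and not tokens[j].endswith("]"):
                j += 1
            control, rest = " ".join(tokens[1:j + 1]), tokens[j + 1:]
        else:
            control, rest = tokens[1], tokens[2:]
        if rest:
            entries.append((mtype, control, rest[0], rest[1:]))
    return entries


def audit_entries(entries: List[Entry]) -> List[str]:
    """Flag modules loaded from odd paths, unknown modules, and auth-bypass patterns."""
    findings: List[str] = []
    for mtype, control, module, args in entries:
        if mtype == "@include" or control in ("include", "substack"):
            continue                               # 'module' names another config file here
        path = os.path.normpath(module) if module.startswith("/") else module
        base = os.path.basename(path)
        if path.startswith("/") and os.path.dirname(path) not in MODULE_DIRS:
            findings.append(f"{mtype}: module loaded from non-standard path {path}")
        elif base not in KNOWN_MODULES:
            findings.append(f"{mtype}: unknown module {base} (control {control!r})")
        if mtype == "auth" and base == "pam_permit.so" and control == "sufficient":
            findings.append("auth: 'sufficient pam_permit.so' lets any password through")
        if base == "pam_exec.so":
            cmd = next((a for a in args if a.startswith("/")), "")
            if cmd.startswith(SCRATCH_DIRS):
                findings.append(f"{mtype}: pam_exec.so runs {cmd} from a writable directory")
    return findings


def snapshot_modules(dirs=MODULE_DIRS) -> Dict[str, str]:
    """SHA-256 of every .so in the module dirs; keep the output from a known-good host."""
    digests: Dict[str, str] = {}
    for d in dirs:
        for path in sorted(glob.glob(os.path.join(d, "*.so"))):
            with open(path, "rb") as fh:
                digests[path] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff_baseline(baseline: Dict[str, str], current: Dict[str, str]) -> List[str]:
    """Modules that changed, appeared, or vanished since the baseline was taken."""
    out: List[str] = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            out.append(f"missing: {path}")
        elif path not in baseline:
            out.append(f"new module: {path}")
        elif baseline[path] != current[path]:
            out.append(f"modified: {path}")
    return out


# Constructed sample of a tampered /etc/pam.d/sshd (illustration, not a real capture).
SAMPLE_SSHD = """\
#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       sufficient   /usr/lib64/security/../../../tmp/.x/pam_unix2.so
auth       [success=1 default=ignore] pam_succeed_if.so uid >= 1000 quiet
auth       sufficient   pam_permit.so
account    include      password-auth
session    optional     pam_exec.so /dev/shm/.audit/hook.sh
-session   optional     pam_systemd.so
@include common-password
"""

if __name__ == "__main__":
    for cfg in sorted(glob.glob("/etc/pam.d/*")):
        with open(cfg) as fh:
            for finding in audit_entries(parse_pam_config(fh.read())):
                print(f"{cfg}: {finding}")
```

Run snapshot_modules() on a freshly provisioned host and store the result; diff_baseline() against a suspect host is what catches a trojanized pam_unix.so whose configuration lines look perfectly normal, which the config audit alone cannot. On RPM- and deb-based systems, rpm -V pam and dpkg -V libpam-modules perform the same comparison against the package manager's own manifest and are a quick first check before the hash diff.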

MITRE ATT&CK

Tactic | Technique | ID
Initial Access | Brute Force: Password Guessing | T1110.001
Initial Access | Exploit Public-Facing Application | T1190
Execution | Command and Scripting Interpreter | T1059
Execution | Scheduled Task/Job: Cron | T1053.003
Persistence | Modify Authentication Process: Pluggable Authentication Modules | T1556.003
Persistence | Create Account: Local Account | T1136.001
Privilege Escalation | Exploitation for Privilege Escalation | T1068
Defense Evasion | Deobfuscate/Decode Files or Information | T1140
Defense Evasion | Indicator Removal: File Deletion | T1070.004
Defense Evasion | Masquerading | T1036
Defense Evasion | Impair Defenses: Disable or Modify System Firewall | T1562.004
Credential Access | Modify Authentication Process: Pluggable Authentication Modules | T1556.003
Discovery | Network Service Discovery | T1046
Lateral Movement | Remote Services: SSH | T1021.004
Command and Control | Application Layer Protocol: Web Protocols | T1071.001
Command and Control | Proxy: Internal Proxy | T1090.001
Collection | Data from Local System | T1005
Exfiltration | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol (DNS, ICMP) | T1048.003

Source:

  • https://unit42.paloaltonetworks.com/infiltration-of-global-telecom-networks/


Ampcus Cyber