Mitigating a global telecommunications threat

Adam Meyers, CrowdStrike’s Senior Vice President of Intelligence, chats with Enterprise IT News about the role of OPSEC and how the activity cluster CrowdStrike tracks as DecisiveArchitect uses it.

EITN: What is operational security? Is it the same as defence evasion techniques?

Adam Meyers: Operational Security (OPSEC) is a security and risk management process that categorises information, then determines the required steps to protect sensitive information and prevent it from getting into the hands of threat actors. OPSEC encourages IT managers to view a company’s operations from the perspective of a potential attacker. Defence evasion techniques, on the other hand, describe techniques that attackers deploy to bypass security tools and professionals.

It is important to note that these terms are not exclusively tied to defenders and threat actors per se. Case in point – in the context of DecisiveArchitect, adversaries deployed operational security to make it more difficult for defenders to identify and investigate activity through the use of various defence evasion techniques.

EITN: What kind of operational security is DecisiveArchitect employing?

Adam Meyers: DecisiveArchitect – otherwise known as Red Menshen – is an activity cluster which has been observed targeting telecommunications providers across the Middle East and Asia using a custom backdoor tracked by CrowdStrike Intelligence as JustForFun, or BPFDoor.

It is interesting to note that DecisiveArchitect utilises OPSEC within its attack methodology, comprising a variety of defence evasion techniques. This makes it even more difficult for other organisations to identify the threat and investigate.

For example, DecisiveArchitect uses a custom-built implant as an attack vector on Linux, but instead of simply creating a new script that references the JustForFun implants, DecisiveArchitect uses a more operational security-conscious approach by modifying existing SysVinit scripts to reference a small script file, which then finally references the JustForFun implant.

Additionally, DecisiveArchitect modifies different legitimate SysVinit scripts across systems, and uses different file names/paths for the implant and associated persistence-related scripts, making it difficult to search across other systems for indicators identified through analysis of a single system.

EITN: How is CrowdStrike ‘custom-tracking’ the implant? How was the implant implanted to where it needed to be to cause havoc and cybersecurity risk?

Adam Meyers: DecisiveArchitect leverages the Berkeley Packet Filter (BPF), which is intended for data packet transmission, access regulation, and network traffic analysis. The Linux-based implant allows a threat actor to backdoor a system for remote code execution, without opening any new network ports or firewall rules.

BPFDoor appears to have been observed across systems for five years, suggesting that threat actors responsible for operating this malware have been undetected in many environments, making it the ideal tool for corporate espionage and persistent attacks.

EITN: What are the risks posed to telco providers in Southeast Asia and also their subscribers – businesses and individuals?

Adam Meyers: When systems are compromised, there is a risk of sensitive information, such as call detail records (CDRs) or information relating to specific phone numbers, being compromised by threat actors and used with malicious intent.

Compromising a telecom may also give a threat actor the ability to target Signaling System 7 (SS7) infrastructure to enable more complex attacks such as tracking mobile subscribers and collecting intelligence about the movement of interesting targets such as diplomats, journalists, and dissidents.

EITN: What does CrowdStrike recommend for telco providers to do to mitigate this risk and remediate?

Adam Meyers: Today, both eCrime actors and nation-state criminals continue to weaponise data. Organisations are moving from ‘trust but verify’ to ‘verify then trust’ and the only way to adequately defend networks is strong identity management and zero trust.

CrowdStrike encourages all organisations to adopt a heightened security posture, especially when it comes to three critical areas of enterprise risk that our Falcon Platform protects: endpoints and cloud workloads, identity and data.

Additionally, organisations should adopt cloud-native EDR, threat hunting capabilities and threat intelligence to cover data and identities even further.
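The persistence chain Meyers describes earlier in the interview, a legitimate SysVinit script modified to reference a small helper script which in turn references the implant, with names and paths that differ from host to host, is exactly the kind of thing a responder needs to hunt for without relying on a fixed file name. The following Python script is an added example written by the editor; it is not code from the interview, from CrowdStrike, or from DecisiveArchitect. It builds a constructed miniature filesystem in a temporary directory (every file name and path in it is invented for the demo and is not a real indicator), extracts the absolute paths each init script mentions, follows the chain of referenced files that actually exist, and flags any chain that passes through a hidden path component or a location outside a set of prefixes it is configured to trust. The trusted-prefix list and the depth limit are assumptions to tune per distribution; on a live host you would point `hunt()` at `/` (or a mounted image) instead of the sample tree.

```python
# Hunt for chained SysVinit persistence: init script -> helper script -> implant.
# Added example (editor's own, not from the interview or CrowdStrike). The tree
# built by build_sample_tree() is constructed for this demo; its names are not IOCs.
import os
import re
import tempfile

# Assumption: locations an init script is ordinarily expected to reference.
# Tune per distribution; any hop outside these, or through a hidden path
# component, is reported.
TRUSTED_PREFIXES = (
    "/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/lib/", "/usr/lib/",
    "/lib/lsb/", "/etc/init.d/", "/etc/default/", "/etc/sysconfig/",
)
MAX_DEPTH = 4  # assumption: levels of indirection worth following

# Absolute paths with at least two components, e.g. /usr/sbin/sshd.
PATH_RE = re.compile(r"(?<![\w.-])((?:/[\w.-]+){2,})")


def real_path(root, vpath):
    """Map a path as it appears on the analysed host onto the tree under root."""
    return os.path.join(root, vpath.lstrip("/"))


def is_elf(real):
    with open(real, "rb") as fh:
        return fh.read(4) == b"\x7fELF"


def referenced_paths(real):
    """Absolute paths mentioned in a text file, in order of first appearance."""
    with open(real, "r", errors="ignore") as fh:
        return list(dict.fromkeys(PATH_RE.findall(fh.read())))


def suspicious(vpath):
    hidden = any(part.startswith(".") for part in vpath.split("/") if part)
    return hidden or not vpath.startswith(TRUSTED_PREFIXES)


def walk(root, vpath, depth, seen):
    """Yield every chain of existing files reachable from vpath by reference."""
    real = real_path(root, vpath)
    if depth > MAX_DEPTH or vpath in seen or not os.path.isfile(real):
        return
    seen = seen | {vpath}          # guards against reference cycles
    if is_elf(real):               # a binary ends the chain
        yield [vpath]
        return
    extended = False
    for child in referenced_paths(real):
        for chain in walk(root, child, depth + 1, seen):
            extended = True
            yield [vpath] + chain
    if not extended:               # script that references nothing that exists
        yield [vpath]


def hunt(root):
    """Return chains from /etc/init.d that pass through a suspicious hop."""
    findings = []
    init_dir = real_path(root, "/etc/init.d")
    for name in sorted(os.listdir(init_dir)):
        init = "/etc/init.d/" + name
        for chain in walk(root, init, 0, frozenset()):
            hops = chain[1:]       # the init script itself is trusted by location
            if any(suspicious(h) for h in hops):
                findings.append({
                    "init_script": init,
                    "chain": hops,
                    "leaf_is_elf": is_elf(real_path(root, chain[-1])),
                })
    return findings


def build_sample_tree(root):
    """Constructed sample: one clean service, one with a two-hop persistence chain."""
    elf = b"\x7fELF" + b"\x00" * 12
    files = {
        "/usr/sbin/sshd": elf,
        "/lib/lsb/init-functions": b"# helpers\nlog_daemon_msg() { echo \"$@\"; }\n",
        "/etc/init.d/sshd": b"#!/bin/sh\n. /lib/lsb/init-functions\n/usr/sbin/sshd -D\n",
        # Legitimate script with one appended line pointing at a small helper script.
        "/etc/init.d/rsyslog": (b"#!/bin/sh\n. /lib/lsb/init-functions\n"
                                b"/usr/sbin/rsyslogd\n/usr/share/.cache-helper/check.sh start\n"),
        # The helper exists only to launch the implant from a hidden tmpfs directory.
        "/usr/share/.cache-helper/check.sh": b"#!/bin/sh\n/dev/shm/.X11-tmp/netcheck &\n",
        "/dev/shm/.X11-tmp/netcheck": elf,
    }
    for vpath, data in files.items():
        real = real_path(root, vpath)
        os.makedirs(os.path.dirname(real), exist_ok=True)
        with open(real, "wb") as fh:
            fh.write(data)


def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return hunt(root)


if __name__ == "__main__":
    for f in demo():
        print(f["init_script"], "->", " -> ".join(f["chain"]), "(ELF)" if f["leaf_is_elf"] else "")
```

The clean `sshd` script resolves only to trusted locations and is not reported; the modified `rsyslog` script is reported with its full two-hop chain, so the output gives the responder the helper script and the final binary to collect even though neither name was known in advance. Because the check keys on the shape of the chain rather than on file names, it survives the per-host renaming the interview describes; the price is false positives from legitimate scripts that call into unusual locations, which is why the trusted-prefix list is meant to be tuned.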