
Ethical Hacking News

China-Linked Cyber Espionage: Liminal Panda Threatens Telecom Networks Across South Asia and Africa


China-linked cyber espionage group Liminal Panda targets telecom networks across South Asia and Africa, compromising networks through exploited protocols and weak passwords. Experts warn of increasing vulnerabilities in telecommunications infrastructure due to the growing threat from state-sponsored actors.

  • Liminal Panda is a China-linked cyber espionage group that has been attributed to targeted cyber attacks against telecommunications entities in South Asia and Africa since at least 2020.
  • The group leverages deep knowledge of telecommunications networks, protocols, and interconnections to execute malicious operations.
  • Liminal Panda uses bespoke tools designed for clandestine access, command-and-control, and data exfiltration.
  • The group exploits trust relationships between telecommunications providers and gaps in security policies to access core infrastructure from external hosts.
  • The Liminal Panda threat actor's malware portfolio includes SIGTRANslator, CordScan, and PingPong – custom-built tools with specific capabilities.
  • The primary objective of Liminal Panda's attacks appears to be the collection of network telemetry and subscriber information or breaching other telecommunications entities by exploiting industry interconnection requirements.
  • The Chinese offensive cyber ecosystem is a joint enterprise involving government-backed units, civilian actors, and private entities that contribute to vulnerability research and toolset development.
  • Telecommunications entities and critical infrastructure providers are susceptible to compromise by state-sponsored attackers like Liminal Panda and Salt Typhoon.



    In a recent revelation, cybersecurity experts have shed light on a sophisticated China-linked cyber espionage group known as Liminal Panda, which has been attributed to a series of targeted cyber attacks against telecommunications entities in South Asia and Africa since at least 2020. The adversaries behind these malicious operations are believed to be leveraging deep knowledge about telecommunications networks, the protocols that undergird these networks, and the various interconnections between providers.

    According to CrowdStrike, a leading cybersecurity firm, Liminal Panda has demonstrated an extensive understanding of telecommunications infrastructure and uses bespoke tools designed for clandestine access, command-and-control (C2), and data exfiltration. These tools have been used in conjunction with compromised telecom servers to initiate intrusions into further providers in other geographic regions.

    "LIMINAL PANDA's known intrusion activity has typically abused trust relationships between telecommunications providers and gaps in security policies, allowing the adversary to access core infrastructure from external hosts," the company stated in a recent analysis. "The adversary conducts elements of their intrusion activity using protocols that support mobile telecommunications, such as emulating global system for mobile communications (GSM) protocols to enable C2, and developing tooling to retrieve mobile subscriber information, call metadata, and text messages (SMS)."

    The Liminal Panda threat actor's malware portfolio includes SIGTRANslator, CordScan, and PingPong – custom-built tools designed with specific capabilities. The SIGTRANslator, for instance, is a Linux ELF binary that utilizes the SIGTRAN protocols to send and receive data. The CordScan tool contains built-in logic to fingerprint and retrieve data relating to common telecommunication protocols from infrastructure such as Serving GPRS Support Node (SGSN).

    Another notable tool in Liminal Panda's arsenal is PingPong, which functions by listening for incoming magic ICMP echo requests and establishing a TCP reverse shell connection to an IP address and port specified within the packet. This backdoor enables adversaries to establish persistent access to compromised networks.

    The threat actor has been observed utilizing weak and third-party-focused passwords to infiltrate external DNS (eDNS) servers using password spraying. Additionally, TinyShell in conjunction with a publicly available SGSN emulator called sgsnemu is used for C2 communications. CrowdStrike notes that TinyShell is an open-source Unix backdoor commonly employed by multiple adversaries.
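The password-spraying technique described above has a recognizable shape in authentication logs: one source fails against many distinct accounts with only one or two attempts each, rather than hammering a single account. The following is an added detection example (not CrowdStrike's or the article's code); it assumes sshd-style syslog lines, and the log sample is constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (sshd style); not taken from the article or any real host.
SAMPLE_LOG = """\
Nov 20 02:10:01 edns1 sshd[4011]: Failed password for admin from 198.51.100.7 port 51022 ssh2
Nov 20 02:10:03 edns1 sshd[4012]: Failed password for operator from 198.51.100.7 port 51023 ssh2
Nov 20 02:10:05 edns1 sshd[4013]: Failed password for invalid user vendor from 198.51.100.7 port 51024 ssh2
Nov 20 02:10:08 edns1 sshd[4014]: Failed password for backup from 198.51.100.7 port 51025 ssh2
Nov 20 02:10:11 edns1 sshd[4015]: Failed password for invalid user support from 198.51.100.7 port 51026 ssh2
Nov 20 02:10:14 edns1 sshd[4016]: Accepted password for noc from 198.51.100.7 port 51027 ssh2
Nov 20 02:12:30 edns1 sshd[4020]: Failed password for alice from 203.0.113.9 port 40001 ssh2
Nov 20 02:12:35 edns1 sshd[4021]: Failed password for alice from 203.0.113.9 port 40002 ssh2
Nov 20 02:12:41 edns1 sshd[4022]: Failed password for alice from 203.0.113.9 port 40003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def parse_auth_log(log, year=2024):
    """Return (timestamp, source_ip, user, failed) tuples; syslog lines carry no year."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"], m["result"] == "Failed"))
    return events

def detect_spray(events, window=timedelta(minutes=10), min_users=4, max_per_user=2):
    """Spray signature: one source fails against many accounts, few tries each, inside
    the window. Single-account brute force (many tries, one user) is deliberately excluded."""
    fails, successes = defaultdict(list), defaultdict(set)
    for ts, ip, user, failed in events:
        if failed:
            fails[ip].append((ts, user))
        else:
            successes[ip].add(user)  # a later success from a spraying source is high priority
    alerts = {}
    for ip, tries in fails.items():
        tries.sort()
        for i, (start, _) in enumerate(tries):  # slide the window over each failure as start
            users = Counter(u for ts, u in tries[i:] if ts - start <= window)
            if len(users) >= min_users and max(users.values()) <= max_per_user:
                alerts[ip] = {"users": sorted(users), "then_logged_in_as": sorted(successes[ip])}
                break
    return alerts
```

In the sample, 198.51.100.7 is flagged (five accounts, one try each, followed by a successful login as "noc"), while 203.0.113.9 is not, because three failures against a single account is a different pattern.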

    The primary objective of Liminal Panda's attacks appears to be the collection of network telemetry and subscriber information or breaching other telecommunications entities by exploiting industry interconnection requirements. The use of compromised telecom servers has enabled the adversary to initiate intrusions into further providers in regions beyond their initial target areas.

    In a broader context, French cybersecurity company Sekoia has characterized the Chinese offensive cyber ecosystem as a joint enterprise involving government-backed units such as the Ministry of State Security (MSS) and the Ministry of Public Security (MPS), civilian actors, and private entities that contribute to vulnerability research and toolset development. This collaboration creates challenges in attribution.

    "It ranges from the conduct of operations, the sale of stolen information or initial access to compromised devices to providing services and tools to launch attacks," Sekoia stated. "The relationships between these military, institutional and civilian players are complementary and strengthened by the proximity of the individuals part of these different players and the CCP's policy."

    Recent incidents involving U.S. telecom providers like AT&T, Verizon, T-Mobile, and Lumen Technologies have been linked to another China-nexus hacking group dubbed Salt Typhoon. These attacks highlight how telecommunications entities and other critical infrastructure providers are susceptible to compromise by state-sponsored attackers.

    Cybersecurity experts emphasize the importance of recognizing these threats and strengthening security measures to counter sophisticated nation-state actors.



    Related Information:

  • https://thehackernews.com/2024/11/china-backed-hackers-leverage-sigtran.html


  • Published: Wed Nov 20 02:25:47 2024 by llama3.2 3B Q4_K_M