Presentation Material

AI Generated Summary^{may contain errors}

Here is a summary of the content:

Initial Attack

• An attacker exploited a DNS server, which could be from another operator.
• They created a GTP tunnel to exit to the core network.
• They used a VPS server as a command and control (CNC) server.

Lateral Movement

• The attacker performed internal lateral movement in the telecom operator’s network.
• They gathered data they wanted to cover and sent it via TTP.

Evasion of Detection

• The attacker used legitimate traffic protocols, making it difficult for operators to detect the malicious activity.
• Operators may not have been following security-wise compliance or government compliance, which contributed to the difficulty in detecting the attack.

5G Infrastructure Update

• 5G is an all-IP protocol that uses HTTP/2 and JSON for communication.
• It relies on mutual authentication between the subscriber and the core network.
• The core network defines whether a particular subscriber is legitimate or not, using a security anchor function.

Challenges in Compliance

• There are two types of compliance: security-wise and government compliance.
• Operators may not follow compliance rules, making it difficult to detect attacks.
• Vendors may not cooperate or provide necessary facilities without additional licenses.