Linux Backdoor GTPDOOR Can Secretly Attack Mobile Carrier Networks, Exposing IP Addresses

Know the detection strategies to check if there's a Linux malware in a network.

Security researcher HaxRob has unveiled a stealthy Linux backdoor known as GTPDOOR, strategically crafted to infiltrate mobile carrier networks discreetly. This covert operation poses a serious threat to the security infrastructure of telecom operators.

Targeted Components within Mobile Networks

GTPDOOR is strategically aimed at exploiting vulnerabilities within components adjacent to the GPRS roaming eXchange (GRX), including the Serving GPRS Support Node (SGSN), Gateway GPRS Support Node (GGSN), and P-GW. These critical network elements are gateways to a telecom's core infrastructure, providing attackers with direct access to sensitive data and network resources.

Understanding the GRX and Network Components

According to HaxRob, GRX serves as a vital component in mobile telecommunications, facilitating seamless data roaming services across diverse geographical regions and networks.

Meanwhile, the SGSN, GGSN, and P-GW play pivotal roles in managing and routing mobile communications within an operator's network infrastructure.

Identifying Vulnerable Network Components

Given their exposure to the public domain, with IP addresses readily available in public documents, the SGSN, GGSN, and P-GW are prime targets for initial access into a mobile operator's network, per HaxRob's analysis.

Insights into GTPDOOR

HaxRob attributes GTPDOOR to the "LightBasin'' threat group (UNC1945), notorious for conducting intelligence-collection operations targeting telecommunications firms worldwide. The backdoor was detected in two versions uploaded to VirusTotal in late 2023, evading detection by conventional antivirus software.

Operation Mechanisms of GTPDOOR

GTPDOOR operates as a sophisticated backdoor malware leveraging the GPRS Tunnelling Protocol Control Plane (GTP-C) for covert command and control (C2) communications.

By exploiting legitimate network traffic and utilizing permitted ports, GTPDOOR evades standard security solutions. The malware can modify its process name to mimic legitimate system processes for added stealth, Bleeping Computer writes.

Functionality of GTPDOOR

GTPDOOR v1 facilitates operations such as setting encryption keys, writing data to local files, and executing shell commands. Meanwhile, GTPDOOR v2 enhances these capabilities with additional features like Access Control Lists (ACLs) for network permissions management.

How to Detect This Linux Backdoor

To combat GTPDOOR, detection efforts should focus on monitoring raw socket activities, identifying unusual process names, and detecting specific malware indicators.

Employing GTP firewalls and adhering to GSMA security guidelines are recommended defense measures to mitigate the threat posed by GTPDOOR.

The emergence of GTPDOOR alarms the critical need for secure cybersecurity measures within mobile carrier networks. Proactive detection and stringent defense strategies are essential to protecting a system against sophisticated threats like GTPDOOR and ensuring the integrity and security of the telecom sector.

For more news about malware and other cyber threats you are curious about, just click here to read the latest updates.


ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.
Join the Discussion
Real Time Analytics