ISPs & Voice Providers: Your CALEA Wiretap Platforms are Under Attack

An article published October 4, 2024 by the Wall Street Journal highlights how foreign-state bad actors are exploiting weakly secured American telecom networks and the surveillance capabilities built into them. While the telecom network staff who configure Lawful Intercept (LI) requests may see these capabilities as mundane, they are a rich source of data when misused for espionage operations.

The Emergence[y] of Linux Malware

At the same time, news just emerged about perfctl, an effective malware package targeting Linux servers. Most of the servers run by service providers on the Internet, including ISPs and Voice Providers, are Linux servers. This fits the pattern ECG predicted in a 2017 ECG Research Report, "The Coming Malware Storm," which focuses on risks to the Linux servers operating in most US Voice Telecom firms. While Windows Servers have long been targeted, the targeting of Linux systems has only begun to emerge as a prominent threat.

Linux servers often manage and control Lawful Intercept (LI) requests called "CALEA capabilities". These allow a network to be configured to collect data on individuals and send a copy of that data to a Law Enforcement Agency (LEA). But because the LEAs are so diverse - ranging in the US from local police departments to the federal government - there's no one universal mechanism, and no way to authenticate that the data is truly being sent to a legitimate LEA in response to a legal wiretap request.

This isn't the first time LI mechanisms have been abused. Twenty years ago, the "Greek Watergate" case involved LI used for the illegal wiretapping of elected officials. The technology in that case was Ericsson telephone switches.

US service providers are required to comply with lawful subpoenas and court orders for copies of the data sent through their networks. Subpoenas are generally used for historical information, like old call records, while a court may order the wiretapping or recording of all future calls. The CALEA program is well supported technically by the FBI and implemented in all the call-routing and switching platforms, such as Ribbon, BroadWorks, Metaswitch, NetSapiens.

But despite their great power to harm privacy, the security on these platforms is often minimal. Some technology providers simply remove the CALEA documentation from their web sites, and require operators to open a ticket to find out how to use it. Under FCC and FBI rules, a single designated official is required to be available to implement CALEA wiretaps, so the entire organization need not know how to make it work.

But "security through obscurity" - by hiding the CALEA documentation - is no security at all. Bad actors can discover how to operate the wiretaps. To get access to the data and call switching, they need only gain remote access to the networks used by normal system operators. That's right: if a telecom employee's PC is compromised, then the phone calls routing through that telecom network may be accessible to the attacker. PCs are regularly compromised by attacks where an email containing malware is sent to a user. If the user can be tricked into opening the email and the attachment, the malware is installed and connects outbound to a Command-and-Control system. The malware may log the user's passwords, view their screen, or directly attack the Lawful Intercept platforms.

Another approach is for an attacker to install malware on a device, such as an Android smartphone, and then launch attacks from that malware once the mobile device is on the trusted part of the network.

Reducing the Risk Your Network is Used for Spying

What are some proven ways to protect your call processing platforms against this kind of attack?

  • Outbound Connectivity. The PC you use to access your Voice Core network does not necessarily need to be able to access the Internet. This restriction on outbound connections can radically reduce the ability of a Command-and-Control network to be established. Many of your core systems don't need to be able to initiate outbound connections, and blocking the arbitrary outbound connectivity can mitigate the impact of malware that does make its way to a core system.
  • Mobile Device Restrictions. Mobile devices, like Android devices and iPhones, do not need to be connected to the network in such a way they can send packets into the Voice core network.
  • Less Vulnerable PCs. MacOS and Linux desktops are generally targeted much less frequently than Windows desktops. This raises the complexity level for attackers.
  • One-Time Passwords. One-time-passwords, such as those using a Time-based One-Time Password (TOTP) Authenticator app, are a great way to protect access to sensitive equipment. Each time an administrator logs into a sensitive system, they can be prompted to enter the password from the TOTP app. The attacker would need to get access to the TOTP sequence as well as the remote network to be able to remotely access and control the platform. In the absence of TOTP, authentication using SMS push notifications can be a big deterrent.
  • Eliminate Remote Desktop. Platforms that allow a remote login to a management PC can make it easier for an attacker to gain the access they need. Unfortunately, Remote Desktop platforms are often left unsecured.
  • Eliminate "trusted network zones." The concept of "zero-trust networking" means that you minimize the "trusted zone" of your network. This can raise the difficulty of launching an attack substantially.
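The "Outbound Connectivity" point above, and the Command-and-Control callback described earlier, both come down to the same question: did a core voice host initiate a connection to somewhere it has no business talking to? The following is an added example (not ECG's code or a product's feature) of an egress allowlist check run over a few constructed firewall log lines. The subnet, allowlist entries, log format and addresses are all assumptions invented for the example; a real deployment would feed it the connection log its firewall or flow collector actually produces. Beyond flagging individual violations, it groups repeated hits to the same external destination and reports those with a near-constant interval, which is what a malware check-in timer looks like from the network side.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed policy (assumption): the voice core subnet and the only destinations
# hosts in it are permitted to initiate connections to. A port of None means any port.
CORE_SUBNET = ipaddress.ip_network("10.20.0.0/16")
EGRESS_ALLOW = [
    (ipaddress.ip_network("10.20.0.0/16"), None),       # intra-core traffic
    (ipaddress.ip_network("10.1.1.10/32"), 123),        # internal NTP server
    (ipaddress.ip_network("10.1.1.20/32"), 514),        # syslog collector
    (ipaddress.ip_network("198.51.100.0/24"), 5060),    # SIP trunk carrier (TEST-NET-2)
]

# Constructed firewall log, one flow per line: "<ISO time> <src> <dst> <dport> <proto>"
SAMPLE_LOG = """\
2024-10-05T01:00:00 10.20.5.7 10.1.1.10 123 udp
2024-10-05T01:00:05 10.20.5.7 198.51.100.12 5060 udp
2024-10-05T01:00:30 10.20.5.7 203.0.113.44 443 tcp
2024-10-05T01:01:30 10.20.5.7 203.0.113.44 443 tcp
2024-10-05T01:02:30 10.20.5.7 203.0.113.44 443 tcp
2024-10-05T01:03:30 10.20.5.7 203.0.113.44 443 tcp
2024-10-05T01:03:31 10.20.9.2 10.20.5.7 22 tcp
2024-10-05T01:04:00 10.20.9.2 10.1.1.20 514 udp
2024-10-05T01:05:00 10.20.9.2 192.0.2.9 8080 tcp
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, dport, proto)."""
    ts, src, dst, dport, proto = line.split()
    return (datetime.fromisoformat(ts), ipaddress.ip_address(src),
            ipaddress.ip_address(dst), int(dport), proto)


def is_allowed(dst, dport):
    """True if (dst, dport) matches any allowlist entry."""
    return any(dst in net and (port is None or port == dport)
               for net, port in EGRESS_ALLOW)


def find_violations(log_text):
    """Return (src, dst, dport, timestamp) for every flow a core host
    initiated to a destination outside the egress allowlist."""
    violations = []
    for line in log_text.strip().splitlines():
        ts, src, dst, dport, _proto = parse_line(line)
        if src in CORE_SUBNET and not is_allowed(dst, dport):
            violations.append((str(src), str(dst), dport, ts))
    return violations


def beacon_candidates(violations, min_hits=3, max_jitter_seconds=5):
    """Group violations by (src, dst, dport) and return those whose
    connection intervals are nearly constant, mapped to the interval
    in seconds. Periodic outbound hits are the signature of a C2 timer."""
    by_flow = defaultdict(list)
    for src, dst, dport, ts in violations:
        by_flow[(src, dst, dport)].append(ts)
    flagged = {}
    for flow, times in by_flow.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= max_jitter_seconds:
            flagged[flow] = round(sum(gaps) / len(gaps))
    return flagged


if __name__ == "__main__":
    found = find_violations(SAMPLE_LOG)
    for src, dst, dport, ts in found:
        print(f"{ts.isoformat()} egress violation {src} -> {dst}:{dport}")
    for (src, dst, dport), interval in beacon_candidates(found).items():
        print(f"beacon-like: {src} -> {dst}:{dport} every ~{interval}s")
```

On the sample data the check reports five violations: four hits from 10.20.5.7 to 203.0.113.44:443 at sixty-second spacing (flagged as beacon-like) and one from 10.20.9.2 to 192.0.2.9:8080. The same allowlist, expressed as firewall rules, is what the "Outbound Connectivity" recommendation asks you to enforce; running the check over logs is how you find out whether the policy is actually holding.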
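The "One-Time Passwords" point describes prompting an administrator for a TOTP code at login. As an added example, not code from ECG or from any of the platforms named above, here is a server-side TOTP verifier in plain Python, following RFC 6238 with the defaults most authenticator apps use (HMAC-SHA1, 30-second step, 6 digits). The shared secret below is the RFC's own published test secret, not a real one; the one-step clock skew window and the replay check are design choices assumed for the example.

```python
import base64
import hashlib
import hmac
import struct
import time

# Assumed parameters: these match the defaults of common authenticator apps.
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to a fixed number of decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def totp(secret: bytes, at_unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the wall clock."""
    return hotp(secret, at_unix_time // STEP_SECONDS)


class TotpVerifier:
    """Verifies codes for one enrolled administrator.

    Accepts the current step plus `skew_steps` on either side to tolerate
    clock drift, and never accepts a step at or before the last accepted
    one, so a code captured by malware cannot be replayed."""

    def __init__(self, secret_base32: str, skew_steps: int = 1):
        self.secret = base64.b32decode(secret_base32.upper())
        self.skew_steps = skew_steps
        self.last_accepted_step = -1

    def verify(self, code: str, now=None) -> bool:
        if len(code) != DIGITS or not code.isdigit():
            return False
        now = int(time.time()) if now is None else int(now)
        current = now // STEP_SECONDS
        for step in range(current - self.skew_steps, current + self.skew_steps + 1):
            if step <= self.last_accepted_step:
                continue  # already consumed: reject replay
            # Constant-time comparison so timing does not leak the expected code.
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_accepted_step = step
                return True
        return False


# RFC 6238 test secret ("12345678901234567890" in base32); constructed, not a real credential.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    verifier = TotpVerifier(DEMO_SECRET_B32)
    code = totp(base64.b32decode(DEMO_SECRET_B32), int(time.time()))
    print("current code:", code, "accepted:", verifier.verify(code))
    print("replayed code accepted:", verifier.verify(code))
```

The replay rule is the part that matters for the threat described in this article: if malware on an administrator's PC captures a code as it is typed, the code is already spent by the time the attacker tries it, and a new code is needed from the authenticator the attacker does not hold.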

In these attacks by China-linked actors against AT&T, Verizon, and others, the particular attack vectors (the steps taken by the attackers) have not been announced yet. But you will not be wasting effort when you take steps to protect your customers' privacy, and maybe national security at the same time.

ECG works with Internet and Voice Service Providers to update software on servers and VMware hosts, replace and migrate firewalls, and improve your security posture. Contact us if you need extra team members to get these projects done quickly.