All right, good afternoon. So speaking of audience participation and the audience helping out, I want to thank everybody that's been here this week and has been so cooperative: new hotel, new challenges. It was great to have everybody being so cooperative in, you know, trying to fill the rooms, dealing with it whenever we had to rearrange where the tracks were. You guys were fantastic. Why don't you give yourselves a hand?

All right, so there's been some really, really interesting malware and different intelligence platforms that have been unveiled in the past couple of years. And this talk is going to break down what it's going to do on networks, not just on individual boxes. I mean, the stuff that it's doing on the boxes is fascinating enough, but this is kind of a new area of research. So let's give Omer a big hand.

So hello. Thank you very much for coming out to listen to my talk. Today I'm going to present to you offensive network security research related to the nation-state attacks targeting telecommunication networks. My name is Omer.

Just briefly starting, what we are going to cover is an introduction to the telco network architecture, and the network protocols that are being highly targeted, such as the GRX network architecture and the SS7 protocol. And then we are briefly taking a look into practical attack scenarios on these GSM network components. And once we establish a basic understanding of the attack surface of the GSM network protocols, we will switch to the main concern of this talk, the government implants, the Regin malware. Before delving into its capabilities, I will try to briefly remind you of the rootkit techniques, as Regin is a multi-component, long-term intelligence gathering rootkit. Afterwards, we will browse through the Regin capabilities and then analyze how it could be weaponized in offensive GSM network hacking. Recently there are more technically complex implants discovered by researchers.

We will briefly take a look at them. And finally, I'm going to present to you how some of the techniques employed by the Regin malware implant could be implemented in a high-level programming language. I am specifically talking about Windows Driver Kit development and API programming in Windows systems.

So just briefly about myself: my name is Omer. My academic background is computer science. I used to help academic research at university in quantum cryptography and artificial intelligence. I'm currently employed with KPN, Royal Dutch Telecom, in the Netherlands. And I used to work for companies such as IBM, IS and Verizon. I perform security assessments in my day-to-day work, and I'm very interested in malware analysis and rootkit techniques, and I am actively doing research in these areas. This is the red team. We are based in Amsterdam, and it is only a six-minute train trip from Amsterdam's most popular tourist attraction center, known as the red light district. And if you ever happen to be in Amsterdam, please visit us and have a beer or a drink with us, to do some naughty stuff together with us.

What inspired us to carry out this research was to analyze and determine the services of the GSM and inner GSM networks. Governments are not only hacking their own citizens but spy on each other by covertly hacking corporations with tools like Regin and stalled malware. Surveillance programs reach a crazy level, and the recent leaks confirmed that the network devices, telecom networks, are the victims or the contributors of such programs. Once the Regin hacking campaign was revealed, pretty much each and every telecommunication company got paranoid, trying to make sure that they haven't been affected by the same attack. Rootkits require learning a lot about, especially, operating system internals, kernel working principles, computer architecture.

So I'm sure not only understanding the incident but also being able to reproduce and simulate the attack would mean a lot to those whose day-to-day work is to break systems, especially red team members.

So just very briefly, the GSM network architecture looks like that: it's a very complex network architecture. However, let us try to break it down into the following core elements. GSM is developed for the digital mobile radio standard, wireless and voice communication. GPRS is an extension of the GSM network that provides mobile wireless data communication, and UMTS stands for the Universal Mobile Telecommunication System, an extension of the GPRS network that moves towards an IP network by delivering broadband information, including commerce and entertainment services, to mobile users. And UMTS defines interfaces for radio network controllers, Node B, packet switched and circuit switched, and RNC-to-RNC communication. The RNC performs base station controller functions in GSM and GPRS networks.

The GSM network consists of the following components: mobile stations, base transceiver station, base station controller, base station subsystem, mobile switching center, authentication center, home location and visitor location registers. These are the most important components of the GSM network, and they are being highly targeted in these Regin-related attacks. So very briefly I try to explain what the functionalities of these components are, and we will delve into how they could be targeted by government implants in an espionage campaign. The mobile station is the starting point of the mobile wireless network. So it can contain elements such as mobile terminal and terminal equipment. Base transceiver station: when a subscriber uses the mobile station to make a call to the network, the mobile station transmits a call request to the base transceiver station.

The base transceiver station includes radio equipment such as antenna, signal link processing units, amplifier, necessary for radio transmission within a geographical area called a cell. I'd like to tell you very briefly about the GSM network units that carry important information, such as the Equipment Identity Register, which is a database that stores international mobile equipment identities, known as IMEIs, of the mobile stations in the network. This is an equipment identifier assigned by the manufacturer of the mobile station that provides security features such as blocking calls from handsets that have been stolen, like stolen phones within the network that are attached to the mobile network. HLR, the home location register, is a central database for all users registered to the GSM network, and it stores information about subscribers such as international mobile subscriber identities, subscriber services and a key for authentication of subscribers. Another important component is the authentication center; together with the HLR, the authentication center database contains algorithms for authenticating subscribers and the necessary keys for encryption, and safeguards user authentication. And the last element is the VLR, visitor location register, a distributed database that temporarily stores information about the mobile stations that are active in the geographic area which the VLR is responsible for.

The GSM network architecture has various interfaces for communication among network elements: the mobile station to the BTS and BTS to the BSC. And the communication also occurs over the interfaces to the management databases, so HLR, VLR and authentication center. So these are the key elements that can be targeted by the attackers over either the SS7 protocol or the GRX protocol, and what we are concerned with is how the Regin malware plays roles in such attacks. The Regin malware specifically targets the GSM networks.

Antivirus companies say Regin has been designed to be a low-key type of malware that can potentially be used in PNH campaigns. And according to the claims of antivirus companies, it has been active since 2008. And this is a group demonstration; the picture was taken in Germany. They were protesting against GCHQ and NSA to get their data removed from databases. I was also one of the participants in this demonstration.

So our work pretty much looked like this. Since our competitors, actually enemies, were high-profile organizations such as GCHQ and NSA, which always listen to their customers, our approach pretty much looked like this: like using old-school techniques of North Korea to bring them to their knees. But we didn't give up and took a try. So in order to determine attack scenarios, we decided to perform a large-scale service enumeration from the base stations. For these reasons we have passively tapped the GSM communication from the radio base stations. And we greatly utilized Michael Ossmann's passive network tapping utility in our research. I would like to thank him. I think he's not in the audience; he leaves tomorrow, I think. We talked about this. And yeah, pretty much. And we tried to collect as much information as possible from different endpoints of the 2G, 4G and LTE communication. It included the possible management services that were reachable from the base station, from the network switches.

And you would definitely be shocked at what we have discovered in these assessments. So, absence of physical intrusion detection devices: if a device is altered or changed, most GSM companies don't even care about the possibility of it, and they don't take it into account. And we found lots of vulnerable services running and accessible from the base stations, and reachable management interfaces with default passwords, public/private keys for different units to communicate with.

The absence of tamper resistance and unauthorized access protection; well, the network tapping shouldn't be possible otherwise. And improper network segmentation: inner non-routable segments of the telco company could even be accessible. And the core GPRS network and network subsystem could be exploitable as well. So since the base stations are one of the most out-of-the-way parts of GSM network companies, we wanted to see whether it is possible to attack other inner components, which store juicy information, such as the access control unit, HLR, VLR. If you ever perform a similar assessment you could see that at radio stations especially the segmentations are not correctly implemented. So it is theoretically and practically possible.

So let's take a look at the network components that could be targeted locally and remotely. GPRS Roaming Exchange: an access hub for the GPRS communications from roaming users, removing the need for a dedicated link between GPRS service providers. It's a network consisting of peering interconnected units. So the main GRX gateways are located, for Europe, in Amsterdam, and for Asia in Singapore. Essentially, when you travel abroad your phone works regardless of your location. So the communication is being held, utilized by GRX networks. So what is the GRX network? The GRX network is a roaming exchange of interconnected networks. In simpler words, it's your local GSM provider abroad. It's a trust-based, highly interconnected network that made internet sharing possible, and a failure or malicious activity would affect the multiple connected machines.

GPRS Tunneling Protocol is a group of IP-based communication protocols used to carry general packet radio services within the GSM, UMTS and LTE networks. GTP can be decomposed into separate protocols such as GTP-C, GTP-U and GTP. GTP-C is used within the GPRS core network for signaling between gateway GPRS support nodes, known as GGSN, and serving GPRS support nodes, known as SGSN.

So this allows an active session on a user's behalf: context activation to activate the same session, to adjust quality of service parameters, or to update a session for a subscriber who has just arrived from another SGSN. GTP can be used within UDP and TCP. UDP is either recommended or mandatory, except for tunnelling X.25 in version zero. But GTP version one is used only on the UDP protocol. So one of the most important features of GTP tunneling is that DNS on GRX is used for resolving APNs to set up the GTP tunnel, and an access point name, known as APN, is the name for the gateway between the GPRS, 3G and 4G mobile network and another computer network, frequently the public internet.

So we gathered some network dumps and analyzed how the GRX network flows look, and there is a lot of sensitive information here. Okay, in the following network capture a standard GTP packet transmits a lot of information, like IMSI, subscriber network information, tunnel endpoints. This might also be correlated to a person and his activities in the rest of the world. As you can see here, here are the APN access networks and the DNS information. So this is the APN. Are you telling me all your communication is intercepted and logged, including your physical location? Well, we are not so paranoid, but it can be possible in such cases, because your protocols are already providing an exchange within the trust-based networks globally.

How about SS7 and the SIGTRAN protocol? SS7 is a signaling protocol which was built like 30 years ago, is a widely used protocol and contains a lot of vulnerabilities. SS7 introduces procedures for user identification, routing, billing and call management. And it looks like, as in the picture, the data link corresponds to the MTP layer: physical layer, MTP 2 layer, MTP 3 layer.

And some of the features, if you look at what we are really interested in in SS7: flow control of the transmitted information, traffic congestion control, peer and status detection, traffic monitoring and monitoring measurement. And everything built upon the SS7 protocol since then, like voice over IP interconnection, IP networking and lots of new networks within the GSM network, utilizes the SS7 protocol. It simply looks like this: your modems, fax devices, analog phones utilize the SS7 protocol for signaling. So SS7 protocol analysis has revealed that really sensitive information is being transmitted between different nodes in the network. For instance, some of the interesting information could be related to the call: calling number, called number, call duration and call status. There are some publicly available tools with which you can analyze the network, and we also created a Wireshark script to analyze and tag all the network flow information. And lately I found a Windows utility, on the slide, that you can download and analyze the SS7 network flow with.

So, SS7 protocol and attack flows. Well, I think the information being transmitted over the SS7 protocol is enough to feed into our giant big metadata database. So, practical attack scenarios. Let us assume that two victims are communicating, talking to each other on the subscriber line. So it is possible to introduce a change in the VLR and MSC database. Simply, the attacker introduces a conference-call type of mechanism to intercept the calls of the two victims. It is also possible to perform subscriber service change attacks. For example, an attacker introduces a decoy MSC/VLR database within the GSM network that he can supposedly reach through the SS7 protocol. So he can do many more attacks, such as interception of SMS, interception of outgoing calls, redirection of incoming and outgoing calls, and making changes in user views and the balance.

So in other words, pretty much anything, including financial fraud as well. During my research, I was cooperating with researchers from Finland. So I was informed that they have found another vulnerability in SS7. The vulnerability is simply exploiting the relationship between MA and C using the AR access module within the GSM network. So they are able to unblock the stolen mobile devices even without requiring a legitimate GSM card attached to the phone. So the attack looks like this: simply, they modify the information sent to the VHAR database and change it, and it simply prevents the verification of the VLR database and prevents the phone from being blocked. So it simply cannot disable the phone communicating through the GSM network that the phone is attached to. And if you'd like to read more about this attack type, this academic paper will be presented at an IEEE conference in August. So it will be available.

So the SS7 network is not only being targeted by the good guys or the government, but also Hacking Team was after the SS7 hacks. This is a leak, the mail exchange between Hacking Team and one of their customers. So they were trying to implement malware that specifically targets the SS7 signaling protocol. So they were after their victims to locate their, find out the phone location. And according to the mail exchange, the way they are going to obtain location information is just simply querying the SS7 signaling protocol. And the mobile phone location could be obtained by such a query. So, well, these are the brief attack techniques. So I think, I hope it should be clear why nation-state actors are interested in hacking and attacking GSM networks. So I will briefly cover the basics of rootkit techniques.

Well, when we talk about rootkits, rootkits could be analyzed in two categories, user mode and kernel mode. When we say user mode rootkit, we are simply referring to an executable or a DLL, and it employs some of the hooking techniques. And when we say kernel mode rootkit, we are simply referring to a Windows driver that can employ, for example, SSDT, System Service Descriptor Table, hooking, IDT hooking, IRP, page table hooking, etc. So what is hooking? It is simply being able to intercept a function, alter it, change the content and sometimes intercept and prevent execution the way we want. In rootkits and malicious applications, simply everything is hooking. Let's assume implementing a keylogger. You are simply monitoring calls of the Windows system and you are simply logging the functions that correspond to the Windows API calls. And you are simply logging it. And hooking techniques can also be used, for instance by antivirus and firewall producers, for good intent. For instance, let's assume malware infected your computer and you are looking for hooks and malicious activities by simply monitoring kernel calls or hooks and how it behaves in the kernel. So some of the basic rootkit techniques: if you analyze a rootkit in user mode, it can employ, for instance, DLL injection, import address table hooking or inline hooking techniques. And the kernel-level rootkit driver can employ SSDT hooking, IRP hooking, IDT hooking, GDT hooking and SYSENTER hooking techniques. You can find quite a lot of information and publicly available sample code on the internet. So I will not go too much into these details.

Well, once I stumbled upon the Regin malware, after completing the analysis on the network, the research I performed, my next goal was to analyze every single component of the Regin malware and simulate it on the network.

So antivirus companies really did a great job analyzing the malware, but they didn't dive into what was actually being targeted and achieved by the malware. So my goal was to understand the malware and reproduce it and reimplement it, so that might help make it understandable to the GSM providers. So the Regin malware really looked like the most complex malware I have ever seen. It consists of different modules, user-level modules, kernel-level modules. And it used a very specific feature of the operating system called the orchestrator. It's simply a system-oriented architecture, and every call is being organized and prioritized depending on the RPC calls. So the drawing simply shows the stages: we can break down the Regin malware into five different stages. The most important stages are stage four and the fifth. And simply stages one to three are extracting the next stage and decrypting it, so simply disguising from detection by the antiviruses.

So there were quite a few challenges while analyzing this malware, because nobody had the very first dropper module. So it is still a little bit unclear how the systems were affected and initially infected by the malware. And as Regin targeted multiple institutions and GSM networks, it's still unclear. However, another challenge was the multi-stage encrypted structure. So it was really hard to find samples. Even if you had a sample, if you don't have the next stage correctly, it could be a problem to extract it. So modules were invoked via the SOA architecture by the framework, malware data was stored inside a virtual file system, and the researched GSM network likely had no indication of compromise. That was good. So my solution was to totally reverse engineer the orchestrator, use the memory dumps that are publicly available on the internet, static analysis, available to everyone via IDA Pro and similar tools, instrumentation of the calls, re-implementation of what I actually did, and the dynamic analysis.

So stages one to three were simply loaders. I will go through a little bit quicker because we are about to run out of time, and I want to do a demonstration that I have implemented. Stage one was simply extracting the next stage. From one to three, if you look at the system calls, they are simply allocating memory in kernel space, mapping the next stage and extracting it. Stage two is a little bit different because it extracts the next stage as a registry block. So it is a really rare and very specific feature of the Regin malware. Similarly, as you can see, the details of the registry keys and mapping functions, memory allocation calls. And stages three and four could be the most interesting ones, because stage three is simply the brain of the Regin malware. It's simply accepting orchestrator calls and executing them. So for instance it was attaching kernel modules, kernel module calls, and executing them within the process memory of an executable. So how could we weaponize it? I simply analyzed what it does in the orchestrator call and tried to re-implement them using the Windows Driver Kit. You can take a look at them later on. The code will be available.

So just very quickly, this comparison might be a little bit subjective, but according to the technical complexity, in my opinion, Duqu 2 is the most complex government implant that has ever been seen. And well, each malware implements very specific, very own features. So after reverse engineering and doing dynamic and static analysis, I re-implemented the Regin stage three and four, with a little bit tighter scope. So it had such features as covert channel data extraction, running in the thread of legitimate applications' address space, an orchestrator simulator (it hasn't been finished completely yet, but it simply simulates the orchestrator), and file system and registry/network calls hooking, and Bektor and keylogger module. So I will move on to the demo.

So GMER is a utility where you can see the changes within the system, for example, hooks, etc. Right now there is no hook or anything. What I have implemented is simply a kernel module, a driver. This corresponds to the Regin stage four. And an executable, maybe stage two or a combination of them all. What it simply does is simulate and perform malicious activities in the system. So I will show you the demonstration very quickly. This is a batch file. The Regin malware hasn't been weaponized yet. So it simply runs on the system and extracts and runs the driver and the malicious executable.

Yes, sure. Great. What do I hit next? All right. You all know how this works. Is he doing a good job? We have ourselves a new speaker. He's doing demos. They're working. See, that never happened. It's like the old DEF CON. Anyway, that's going to help the demos. Trust me. Thank you. A little gift here for you. Somebody dropped it off in the speaker room. It appears to plug into the USB on your computer. It's got a lot of Chinese writing on it. And well, you know what? Good luck with that.

So I'm simply executing the batch file that will run, I will show you, register the little small Regin-like rootkit in the system, then run it in the system and then execute stage one. Running now. Okay, I ran it. So it is executed. Well, as you can see, I implemented the rootkit using very simple techniques. For the beginning, it simply utilizes the SSDT hooks. Very simple, but efficient. And stage one is also executed, delete code. It simply protects the executable and it hides it. It also implements some hooks to hide from the registry. And I will briefly demonstrate what it is. So I will try to delete this one. It's disabled. And I'll also show you a very specific feature. I'm a standard user now. It's a client I have implemented, so you can simply connect back to the malicious infected system.

And you can perform some things like executing commands on the system, for example. It has some malicious features such as encrypting the entire Windows partition, which kills the system, and writing, messing up with the MBR structure. And I also want to show you, for example, that it protects the stage one executable. For example, if you say it, it couldn't be found, but actually when I do like this to execute, it is there. But for example, when I try to show another executable which doesn't exist, it gives the normal error. But actually the executable is there. What does the rootkit do? It simply intercepts calls, ZwQuery kernel calls, and it simply hides it. And that's it. Thank you very much.
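Added example, not from the talk or the speaker's tooling, for the GTP point made above: a single captured GTP-C Create PDP Context Request exposes the IMSI, APN, MSISDN and tunnel endpoint, which is what a Wireshark-style tagging script would pull out of a GRX flow. The parser below extracts those fields, and tag_flow shows a log-safe tag that keeps the routing data but masks the subscriber identifiers; the packet bytes, the test-network IMSI (MCC 001 / MNC 01), the addresses and the masking policy are all constructed assumptions.

```python
import struct

# GTPv1 IEs: type < 128 are fixed-length "TV" (lengths below); type >= 128 are TLV.
TV_LENGTHS = {1: 1, 2: 8, 3: 6, 14: 1, 15: 1, 16: 4, 17: 4, 20: 1, 26: 2}

def tbcd_decode(data: bytes) -> str:
    """Decode TBCD digits (low nibble first, 0xF is filler) into a string."""
    digits = []
    for byte in data:
        for nibble in (byte & 0x0F, byte >> 4):
            if nibble == 0x0F:
                return "".join(digits)
            digits.append(str(nibble))
    return "".join(digits)

def decode_apn(data: bytes) -> str:
    """An APN is a sequence of length-prefixed labels, like a DNS name."""
    labels, pos = [], 0
    while pos < len(data):
        n = data[pos]
        labels.append(data[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)

def parse_gtpv1(pkt: bytes) -> dict:
    """Parse a GTPv1-C message: 8-byte header, optional 4 bytes, then IEs."""
    flags, msg_type, length, teid = struct.unpack("!BBHI", pkt[:8])
    if flags >> 5 != 1:
        raise ValueError("not a GTPv1 message")
    offset, seq = 8, None
    if flags & 0x07:  # E, S or PN flag set: sequence, N-PDU and next-ext bytes follow
        seq = struct.unpack("!H", pkt[8:10])[0]
        offset = 12
    end = 8 + length
    info = {"msg_type": msg_type, "teid": teid, "seq": seq, "gsn_addresses": []}
    while offset < end:
        ie_type = pkt[offset]
        offset += 1
        if ie_type < 128:
            ie_len = TV_LENGTHS[ie_type]  # KeyError: unknown TV IE, length unknowable
        else:
            ie_len = struct.unpack("!H", pkt[offset:offset + 2])[0]
            offset += 2
        value = pkt[offset:offset + ie_len]
        offset += ie_len
        if ie_type == 2:                                   # IMSI
            info["imsi"] = tbcd_decode(value)
        elif ie_type == 17:                                # TEID Control Plane
            info["teid_control"] = int.from_bytes(value, "big")
        elif ie_type == 131:                               # Access Point Name
            info["apn"] = decode_apn(value)
        elif ie_type == 133 and len(value) == 4:           # GSN Address (IPv4)
            info["gsn_addresses"].append(".".join(str(b) for b in value))
        elif ie_type == 134:                               # MSISDN, first byte is TON/NPI
            info["msisdn"] = tbcd_decode(value[1:])
    return info

def tag_flow(info: dict) -> dict:
    """Log-safe tag: keep APN, SGSN and home PLMN prefix, mask subscriber identifiers."""
    imsi, msisdn = info.get("imsi", ""), info.get("msisdn", "")
    return {"home_plmn": imsi[:5],  # MCC + first two MNC digits (MNC may be 3 digits)
            "imsi_masked": imsi[:5] + "*" * max(len(imsi) - 5, 0),
            "msisdn_masked": "*" * len(msisdn), "apn": info.get("apn"),
            "sgsn": info["gsn_addresses"][0] if info["gsn_addresses"] else None}

# Constructed sample (not captured traffic): an SGSN's Create PDP Context Request
# (message type 16) with a test-network IMSI (MCC 001 / MNC 01) and made-up addresses.
_APN = b"\x08internet\x06mnc001\x06mcc001\x04gprs"
_BODY = (b"\x00\x01\x00\x00"                                 # seq 1, N-PDU, next-ext
         + b"\x02" + bytes.fromhex("00010121436587f9")       # IMSI 001010123456789 (TBCD)
         + b"\x11" + bytes.fromhex("55667788")               # TEID Control Plane
         + b"\x83" + struct.pack("!H", len(_APN)) + _APN     # APN (TLV)
         + b"\x85\x00\x04" + bytes([10, 0, 0, 1])            # SGSN signalling address
         + b"\x86\x00\x07" + bytes.fromhex("911316325476f8"))  # MSISDN 31612345678
SAMPLE_PACKET = struct.pack("!BBHI", 0x32, 16, len(_BODY), 0) + _BODY  # flags: v1, PT, S
```

Running `tag_flow(parse_gtpv1(SAMPLE_PACKET))` yields a record that still identifies the home network, APN and SGSN but not the subscriber, which is the form such fields should take before they land in a monitoring database.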