Cracking Open Soft Cell

For banks, it’s accounts. For factories, it’s assembly. For retail, it’s inventory. And for telecoms, it’s call detail. In each case, some critical asset must be protected from hackers at all costs. Banks cannot allow accounts to be deleted, retail firms cannot allow inventory to be corrupted, and telecom firms absolutely, positively cannot allow call detail records to be compromised. Period. This just cannot happen.

For ten mobile providers in Europe, Asia, Africa, and the Middle East, however, this is exactly what appears to have happened. The details of the Soft Cell campaign, launched in 2017 by a Chinese-sponsored attack group, remain murky, and the identity of the targeted providers is not evident. But thanks to some amazing forensic reporting from researchers at Cybereason, we can now piece together what seems to have happened.

The incident started with weak management of public-facing servers. Every security team knows that if you Internet-expose vulnerable servers – ones with unpatched software, out-of-date security tools, open ports, listening services, and on and on – then you will get hit. This is no longer a question: If you make this mistake, then expect to be attacked by bad guys ranging from benign newbies to terrifying nation-states.

With the mobile providers in question, vulnerable servers were apparently exposed, found by the attackers, and used to host a tool called China Chopper. (By the way, it’s called China Chopper due to references like found in the code.) I’ve looked at this little Web shell carefully, and it is efficient. In just a few kilobytes of code, the tool offers a clean entry point to a network from which the usual APT can be initiated.

Amazingly, this shell (and subsequent updated shells) was sitting inside these service providers for the past two years (gulp), and used to exfiltrate call detail records. From the posted Cybereason research, it looks like the familiar cadence of low-and-slow attacks was used: Nbtscan for reconnaissance, PoisonIvy for RAT, Mimikatz for credential dumps, WMI for lateral traversal, and so on. Same old, same old.

Given the intensity and consequence of this incident, I’m surprised it didn’t receive more mainstream attention. I’m certainly relieved to see that domestic US mobile service providers were not included in the report, but I remain worried that this type of successful attack comes way too close to home: Call detail record theft by an APT actor is a serious offense and should require the attention of lawmakers around the world.

May I remind you, dear reader, that this is exactly the type of theft cited as motivation behind the recent actions taken in the US against Huawei. The claim from the US has been that the Chinese government can use Trojan insertions to steal CDR and content. So, here we have a live case where this was done using simple cyber methods and basic tools that are familiar to anyone in a SANS penetration testing course.

Kudos to Cybereason for bringing this to our attention – but reverse kudos to the media for yawning at a campaign that should be a lead story on their news reports. In fact, here's a juicy headline they might use: Chinese Tap Mobile Telcos Sans Trojans. Keep in mind that incidents like this one should be advancing our understanding of infrastructure risk. They remind us that cyber defense must start at home.

I recommend you read more about this campaign in this fine article by Cybereason. You can also read about the China Chopper shell in this post by FireEye. This is an important hack with massive consequences. If we want to protect national critical infrastructure, then defensive responsibility starts at home: Leave front doors open with vulnerable servers, and expect the bad guys to walk in. That's what happened with Soft Cell.

Let me know what you think.