Trend Micro provides us with insightful recommendations for how companies in the telecommunications sector can improve the security posture of their IT infrastructure.
Telecommunications is only one of the fields that IT teams need to understand. In its new report, Islands of Telecom: Risks in IT, the sector is compared to an archipelago: islands that look separate from above but are joined by a single landmass beneath an ocean of IT. The individual characteristics of telecommunications may seem unrelated to each other, but together they form the basis on which everything else runs.
In this research, Trend Micro, a world leader in cybersecurity, summarizes the characteristics, potential threats and recommendations for improving the security posture of telecommunications companies. The following are some of the areas of concern developed in the analysis:
Voice interception
Voice calls are still one of the most trusted forms of communication. Nevertheless, cybercriminals take advantage of the environment, the infrastructure and the interconnection between operators to carry out remote attack scenarios. Because of the trust placed in a voice call, interception attacks often target senior executives, key political figures, lawyers, journalists and activists, to name a few. Such an attack yields high-value information that can be used, for example, to influence the outcome of a negotiation or a trade.
Recommendation: Incident Response (IR) teams can monitor and track when abuse and fraud occur, which lets them build alerting patterns and anticipate criminal behavior. Users are also encouraged to use end-to-end encryption in their voice applications and are advised to disable the GSM network on their phones where the device allows it.
SMS interception
A core telecommunications network can be considered ‘protected’ depending on how the telecommunications company interprets the term ‘security domain’. In reality, however, a core network is usually a single security domain, so the data it carries is protected from the outside but not from the inside. An insider can therefore intercept SMS traffic or downgrade a 4G/5G service area to a less secure network such as GSM.
SIM swapping has also been carried out through social engineering, with malicious actors posing as the users they intend to compromise. Typically, the attacker calls the telecommunications service center claiming to be a subscriber who has lost their device or SIM. In response, the service center transfers the subscriber’s account and phone number to the attacker, after which all text messages are delivered to the malicious actor rather than to the unwitting legitimate subscriber.
Recommendation: Instead of SMS, users should consider other means of authentication, such as mobile app authenticators or an automated mobile phone prompt.
Calling line spoofing
Calling line identification (CLID) spoofing is a standards-based capability used for legitimate purposes, such as presenting a call center behind a single 1-800 hotline number. Criminals can also abuse it to attack people: in one scenario, a customer receives a call or text message that appears to come from their bank and asks them to take action, luring the customer into unintentionally sharing credentials or other confidential information with an attacker through a phishing site.
Recommendation: Users and organizations should verify the origin of incoming calls and text messages as part of a multi-layered defense strategy. Existing processes can also be strengthened with data such as telecommunications records relating to the origin of the messages or calls.
TDoS extortion
Unlike the quantitative denial-of-service (DoS) model, in which a system is overwhelmed by traffic volume, telephony denial of service (TDoS) is a qualitative DoS model in which the service is ‘shut down’ for the legitimate target user. Attackers abuse the telco’s own fraud-management business processes to create a scenario in which the intended victim’s phone number and SIM card appear to belong to a scammer. The telco then blocks the victim’s number and SIM card as traced sources of fraud. As a result, the victim will likely have to appear in person at the telecommunications office to restore their service.
Recommendation: As customers, both organizations and individual users can build a strong relationship with their account representatives or executives so that process gaps do not delay the restoration of connectivity and phone service. It is also advisable to keep an alternative means of communication with that contact.
Whale hunting by SIM jacking
Whaling derives from the term ‘phishing’ but targets the ‘big fish’: VIPs such as journalists, politicians, CEOs, celebrities and athletes, to name a few. SIM hijacking, also known as SIM swapping, is an attack that redirects a victim’s mobile phone traffic to a malicious actor. This lets the attacker originate voice calls or messages to other employees as part of business email compromise (BEC), intercept SMS-based multi-factor authentication (MFA) codes, or authorize company bank transfers.
Recommendation: It is advisable to use non-SMS means of authentication, such as authenticator applications. VIPs can also adopt a federated identity and access management (IAM) system and rethink the IAM controls that are handled by telecommunications personnel.
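The SIM swap chain described in the SMS interception and SIM jacking sections (the service center moves the number, then SMS-based MFA codes reach the attacker) is also something an IR team can watch for. The following is an added example, not code from the report or from Trend Micro: a correlation rule over constructed subscriber event logs that flags SMS one-time codes sent shortly after a SIM change. The log format, event names and the 24-hour window are assumptions.

```python
# Added example (not from the Trend Micro report): a correlation rule an IR team
# could run over subscriber event logs to flag a likely SIM swap followed by an
# attempt to capture an SMS-based MFA code. Log format and field names are
# assumed; the events below are constructed sample data.
from datetime import datetime, timedelta

# Constructed sample events: "timestamp|msisdn|event|detail"
SAMPLE_LOG = """\
2024-05-01T09:02:11|+15550001111|SIM_CHANGE|channel=call_center
2024-05-01T09:10:40|+15550001111|SMS_OTP_SENT|service=bank_login
2024-05-01T09:11:05|+15550001111|SMS_OTP_SENT|service=corp_sso
2024-05-01T12:30:00|+15550002222|SIM_CHANGE|channel=retail_store_id_verified
2024-05-03T08:00:00|+15550002222|SMS_OTP_SENT|service=bank_login
2024-05-01T10:00:00|+15550003333|SMS_OTP_SENT|service=bank_login
"""

WINDOW = timedelta(hours=24)  # assumed: OTPs within 24h of a SIM change are suspicious

def parse_events(text):
    """Parse pipe-separated lines into (time, msisdn, event, detail) tuples, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, msisdn, event, detail = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), msisdn, event, detail))
    return sorted(events)

def flag_sim_swap_otp(events, window=WINDOW):
    """Return {msisdn: [services]} for subscribers that received SMS OTPs within
    `window` after a SIM change. A SIM change alone is not an alert (it is normal
    business); the OTP that follows it is what indicates interception risk."""
    last_sim_change = {}
    alerts = {}
    for ts, msisdn, event, detail in events:
        if event == "SIM_CHANGE":
            last_sim_change[msisdn] = ts
        elif event == "SMS_OTP_SENT" and msisdn in last_sim_change:
            if ts - last_sim_change[msisdn] <= window:
                alerts.setdefault(msisdn, []).append(detail.split("=", 1)[1])
    return alerts

if __name__ == "__main__":
    for msisdn, services in flag_sim_swap_otp(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT {msisdn}: SMS OTPs for {services} shortly after SIM change; "
              f"hold delivery and verify the subscriber out of band")
```

In the constructed data only the first subscriber is flagged: the second had a SIM change but no OTP inside the window, and the third had no SIM change at all.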
In conclusion, the integration of telecom infrastructure into the vast majority of critical verticals has been an ongoing trend and will likely continue with the opportunities that 5G and 6G bring in terms of technology, capabilities, finance and attack surface. As a result, IT and security teams must be aware of the changing risks to IT assets, as well as the differences in the concepts, equipment, skills and training required to deal with those risks.