Espionage in Plain Sight: Telecoms Breached by CL-STA-0969 Group

A China-nexus espionage group, tracked as CL-STA-0969 and overlapping with “Liminal Panda,” is actively targeting telecommunications organizations in Asia. This sophisticated campaign, observed between February and November 2024, uses brute-force attacks for initial access, followed by exploitation of well-known Linux vulnerabilities to gain full control. The actor deploys a custom toolkit of malware designed for long-term persistence, stealthy command-and-control, and defense evasion. Immediate implementation of strong authentication, patching, and proactive threat hunting is essential to mitigate this threat.

Background on Targeted Systems

The campaign targets critical telecommunications infrastructure, including mobile roaming networks running on Linux and UNIX-based operating systems. These systems are central to international communications, making them high-value targets for state-sponsored intelligence gathering. The attackers demonstrate a deep understanding of telecom protocols (like GTP) and Linux system administration, allowing them to operate discreetly within compromised networks.

Vulnerability Details

The attack does not rely on a single zero-day vulnerability for initial access. Instead, it begins with brute-force attacks and then chains multiple known, high-severity local privilege escalation vulnerabilities to gain root access.

CVE ID         | Vulnerability Name  | CVSS Score | EPSS Score | Vulnerability Type
CVE-2021-4034  | PwnKit              | 7.8 (High) | 86.69%     | Memory corruption flaw in Polkit’s pkexec utility
CVE-2021-3156  | Sudo Baron Samedit  | 7.8 (High) | 92.02%     | Heap-based buffer overflow in the Sudo utility
CVE-2016-5195  | Dirty COW           | 7.8 (High) | 94.09%     | Race condition in the Linux kernel’s memory manager

CISA KEV Catalog:

  • All three privilege escalation vulnerabilities, CVE-2021-4034, CVE-2021-3156, and CVE-2016-5195, are listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog, mandating action by federal agencies.

Affected Products and Versions:

  • A wide range of Linux and UNIX-like operating systems are affected, as the vulnerabilities reside in core components like the Kernel, Polkit, and Sudo. Specific vulnerable versions include:
    • Sudo versions prior to 1.9.5p2 (CVE-2021-3156).
    • All versions of pkexec since its creation in May 2009 (CVE-2021-4034).
    • Linux kernel versions before 4.8.3 (CVE-2016-5195).

Infection Method

The CL-STA-0969 campaign employs a multi-stage infection process:

  1. Initial Access: The threat actor gains an initial foothold by conducting brute-force attacks against internet-facing SSH services on targeted telecom equipment.
  2. Privilege Escalation: Once on the system as a low-privileged user, the attacker exploits one of the known vulnerabilities (PwnKit, Baron Samedit, or Dirty COW) to gain root (administrator) privileges.
  3. Implant Deployment: With full control, the actor deploys a custom toolkit of backdoors and implants, including AuthDoor, GTPDOOR, and ChronosRAT.
  4. Defense Evasion: The attacker systematically clears logs (such as /var/log/wtmp, /var/log/lastlog), deletes shell histories, and disables security features like SELinux to erase their tracks and evade detection.
  5. Persistence: The AuthDoor backdoor, a malicious Pluggable Authentication Module (PAM), is installed to provide persistent remote access with a hardcoded password, ensuring the actor can regain access even if SSH keys are changed.
  6. Covert C2 Communication: The actor establishes stealthy command-and-control channels using custom backdoors that leverage protocols like DNS, ICMP, and the GPRS Tunneling Protocol (GTP) to blend in with normal network traffic.
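Step 4 above describes two traces a responder can look for after the fact: files whose timestamps were rewritten, and a login database (/var/log/wtmp) that was truncated. The script below is an added example written for this page, not tooling from the report or from any vendor. It relies on two facts about Linux filesystems: utime()/touch can set mtime freely, but ctime is always set by the kernel to the current time on any metadata change, so an mtime later than ctime cannot arise from normal writes; and wtmp is a flat array of fixed-size records, so a size that is not a multiple of the record size means it was cut mid-record. The 384-byte record size is an assumption for glibc on x86_64; adjust it for other platforms.

```python
"""Detect timestomped files and a tampered wtmp (added example, not the report's code)."""
import os
from pathlib import Path

# Size of one glibc 'struct utmp' record on x86_64 (assumption: 384 bytes).
UTMP_RECORD_SIZE = 384


def timestamp_indicators(path, slack_seconds=2.0):
    """Return indicator names suggesting the file's mtime was rewritten.

    - mtime_after_ctime: impossible through normal writes, since every
      mtime change also bumps ctime to 'now' (a strong indicator).
    - whole_second_mtime: a zero sub-second part usually means a tool set
      the time from a whole-second value (weak; package managers that
      restore tar mtimes, and filesystems without sub-second resolution,
      produce this legitimately).
    """
    st = os.stat(path, follow_symlinks=False)
    found = []
    if st.st_mtime_ns > st.st_ctime_ns + int(slack_seconds * 1_000_000_000):
        found.append("mtime_after_ctime")
    if st.st_mtime_ns % 1_000_000_000 == 0:
        found.append("whole_second_mtime")
    return found


def wtmp_indicators(path="/var/log/wtmp", record_size=UTMP_RECORD_SIZE):
    """Return indicators that a utmp-format login database was cleared."""
    p = Path(path)
    if not p.exists():
        return ["missing"]
    size = p.stat().st_size
    if size == 0:
        return ["empty"]
    if size % record_size != 0:
        return ["truncated_mid_record"]
    return []


def scan_tree(root, limit=100_000):
    """Walk a directory and report files carrying the strong indicator only."""
    report = {}
    seen = 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                hits = timestamp_indicators(full)
            except OSError:
                continue  # vanished or unreadable; skip rather than abort
            if "mtime_after_ctime" in hits:
                report[full] = hits
            seen += 1
            if seen >= limit:
                return report
    return report


if __name__ == "__main__":
    # btmp (failed logins) shares the utmp record format; lastlog does not.
    for log in ("/var/log/wtmp", "/var/log/btmp"):
        print(log, wtmp_indicators(log) or "ok")
    for hit_path, hits in scan_tree("/usr/local/bin").items():
        print(hit_path, hits)
```

The whole-second check is reported by timestamp_indicators but deliberately not by scan_tree, because distribution packages commonly restore whole-second mtimes from tar archives; use it to rank candidates, not to alert on its own.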

Malware Behavior and Capabilities

The malware used by CL-STA-0969 is designed for espionage, focusing on stealth, persistence, and covert communications.

  • Persistence Mechanism: The primary tool is AuthDoor, a PAM-based backdoor that creates a “magic password” for SSH access, making it highly resilient to remediation efforts that don’t specifically look for malicious PAM files.
  • Custom C2 Protocols: The malware suite includes backdoors that abuse non-standard protocols for C2:
    • GTPDOOR uses the GPRS Tunneling Protocol (GTP), common in telecom networks, to hide its traffic.
    • EchoBackdoor listens for commands within ICMP echo packets.
    • NoDepDNS uses DNS tunneling for C2.
  • Remote Command Access: The ChronosRAT backdoor provides a modular framework for executing remote commands, keylogging, and proxying traffic.
  • Defense Evasion: The actor uses advanced operational security, including timestomping (modifying file timestamps), clearing logs, and masquerading malicious processes with legitimate system names like rsyslogd or dbus-daemon.
  • Proxy Tunneling: The actor uses open-source tools like microsocks and custom tools to proxy traffic through compromised hosts, enabling lateral movement.
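The masquerading described in the Defense Evasion bullet works because /proc/PID/comm and argv[0] are set by the process itself, while /proc/PID/exe is maintained by the kernel and points at the binary actually mapped. Comparing the three, and checking where that binary lives, exposes a process calling itself rsyslogd or dbus-daemon that runs from /tmp or from a deleted file. The following is an added example for this page, not the report's detection logic; the trusted and scratch directory lists and the watched process names are assumptions to adjust per distribution.

```python
"""Flag processes whose real binary does not match the name they present (added example)."""
import os
from pathlib import Path

# Where legitimately installed daemons live (assumption; adjust per distro).
TRUSTED_BIN_DIRS = ("/usr/bin", "/usr/sbin", "/bin", "/sbin",
                    "/usr/lib", "/usr/libexec", "/lib", "/lib64")
# Scratch locations from which a dropped binary is often executed.
SUSPECT_DIRS = ("/tmp", "/var/tmp", "/dev/shm", "/run/user")


def masquerade_indicators(comm, exe, cmdline):
    """Compare the names a process exposes under /proc.

    comm    -> /proc/PID/comm   (task name, max 15 chars, settable by the process)
    exe     -> readlink /proc/PID/exe (kernel-maintained path of the mapped binary)
    cmdline -> /proc/PID/cmdline (NUL-separated argv, rewritable by the process)
    """
    if exe is None:
        return ["exe_unreadable"]
    found = []
    if exe.endswith(" (deleted)"):
        found.append("exe_deleted")  # binary unlinked after exec
        exe = exe[: -len(" (deleted)")]
    exe_base = os.path.basename(exe)
    argv0 = os.path.basename(cmdline.split("\0", 1)[0]) if cmdline else ""
    # The kernel truncates comm to 15 bytes, so compare prefixes.
    if exe_base[:15] != comm[:15]:
        found.append("comm_exe_mismatch")
    if argv0 and argv0[:15] != exe_base[:15]:
        found.append("argv0_exe_mismatch")
    if any(exe.startswith(d + "/") for d in SUSPECT_DIRS):
        found.append("exe_in_scratch_dir")
    elif not any(exe.startswith(d + "/") for d in TRUSTED_BIN_DIRS):
        found.append("exe_outside_system_dirs")
    return found


def read_proc(pid):
    """Return (comm, exe, cmdline) for a PID, or None if it vanished."""
    base = Path("/proc") / str(pid)
    try:
        comm = (base / "comm").read_text().strip()
        cmdline = (base / "cmdline").read_bytes().decode(errors="replace")
    except OSError:
        return None
    try:
        exe = os.readlink(base / "exe")
    except OSError:
        exe = None  # kernel thread, or a process we lack permission to inspect
    return comm, exe, cmdline


def scan_processes(watch=("rsyslogd", "dbus-daemon")):
    """Return {pid: indicators} for processes presenting one of the watched names."""
    report = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        info = read_proc(entry)
        if info is None:
            continue
        comm, exe, cmdline = info
        argv0 = os.path.basename(cmdline.split("\0", 1)[0]) if cmdline else ""
        if comm in watch or argv0 in watch:
            hits = masquerade_indicators(comm, exe, cmdline)
            if hits:
                report[int(entry)] = hits
    return report


if __name__ == "__main__":
    for pid, hits in scan_processes().items():
        print(pid, hits)
```

Run it as root so /proc/PID/exe is readable for every process; as an unprivileged user, other users' processes report exe_unreadable rather than a verdict. A script interpreter launched under a daemon's name (comm rsyslogd, exe /usr/bin/python3) is reported as comm_exe_mismatch, which is the intended behaviour.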

Techniques Include

The observed attack activities align with several MITRE ATT&CK techniques:

  • T1110.001 – Brute Force: Password Guessing: Used for initial access via SSH.
  • T1068 – Exploitation for Privilege Escalation: Leveraging CVEs like PwnKit to gain root access.
  • T1543.002 – Create or Modify System Process: Systemd Service: Used to establish persistence for malware.
  • T1562.001 – Impair Defenses: Disable or Modify Tools: Disabling SELinux to bypass security controls.
  • T1070 – Indicator Removal on Host: Clearing logs and shell history to cover tracks.
  • T1090 – Proxy: Tunneling malicious traffic through compromised systems.
  • T1071 – Application Layer Protocol: Abusing protocols like DNS and ICMP for C2.
  • T1021.004 – Remote Services: SSH: Using compromised credentials and backdoors to maintain SSH access.
  • T1003 – OS Credential Dumping: The AuthDoor backdoor effectively steals credentials by providing a persistent password.

IOCs (Indicators of Compromise)

Specific file hashes, domains, and IP addresses have not been publicly disclosed in the source reports to protect ongoing investigations. Detection should focus on the actor’s behaviors and TTPs.

Threat Actor Attribution

While CL-STA-0969 leverages a combination of three privilege escalation vulnerabilities (CVE-2021-4034, CVE-2021-3156, and CVE-2016-5195) to gain root access and conduct post-exploitation activities, other threat actors have been observed exploiting these vulnerabilities individually for similar purposes.

An attacker leverages the Insekt RAT’s command-and-control channel to execute a separate exploit for CVE-2021-4034 on a compromised Linux machine.
This memory corruption flaw in Polkit’s pkexec utility is used to escalate privileges, elevating the RAT’s process to root, and giving the attacker full control over the system.

Similarly, a low-privileged attacker on a vulnerable Linux system exploits CVE-2021-3156, a heap-based buffer overflow in the Sudo utility.
This vulnerability allows for the execution of arbitrary code as root, ultimately granting the attacker complete administrative control over the machine.

Impact

Successful exploitation leads to severe consequences for telecommunications providers:

  • Long-Term Network Compromise: The actor establishes a persistent, covert foothold within critical network infrastructure.
  • Espionage and Intelligence Gathering: The access could be used to monitor communications, track targets, or gather sensitive data, though no data exfiltration has been observed yet.
  • Lateral Movement: Attackers can pivot from compromised telecom gear to other parts of the corporate or government networks.
  • Degradation of Trust: The compromise of core telecom infrastructure undermines the security and privacy of communications flowing through it.

CL-STA-0969 Attack Flow

[Attacker] -> [SSH Brute Force] -> [Gain Low-Privilege Shell] -> [Exploit for Root (PwnKit/Baron Samedit)] -> [Deploy Backdoors (AuthDoor, GTPDOOR)] -> [Establish Covert C2 (DNS/ICMP/GTP)] -> Defense Evasion (Log Cleaning) / Persistence (PAM Backdoor) / Lateral Movement

Mitigation Steps

  1. Enforce multi-factor authentication (MFA) on all internet-facing systems, particularly SSH.
  2. Disable direct root login over SSH to reduce the risk of remote privilege abuse.
  3. Implement egress filtering to block unauthorized outbound C2 traffic.
  4. Audit PAM configurations (/etc/pam.d/) for unauthorized or suspicious modules like AuthDoor.
  5. Deploy network intrusion detection systems (NIDS) to monitor for abnormal traffic patterns and indicators of compromise.
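Mitigation step 4 is the one most specific to this actor, since a PAM backdoor survives password resets and SSH key rotation. The audit below is an added example for this page, not the report's or any vendor's tooling: it parses every file in /etc/pam.d (including bracketed controls, the leading "-" for optional modules, continuation lines and @include), resolves each referenced module to its .so, and asks dpkg or rpm whether that file belongs to an installed package. It also flags any .so sitting in a module directory that no package owns, which catches a planted module even before it is wired into a stack. The module directory list is an assumption to extend for the distribution in use.

```python
"""Audit PAM stacks for modules no package installed (added example, not the report's code)."""
import glob
import os
import shutil
import subprocess

# Where distributions install PAM modules (assumption; extend as needed).
MODULE_DIRS = (
    "/lib/security", "/lib64/security", "/usr/lib/security",
    "/usr/lib64/security", "/usr/lib/x86_64-linux-gnu/security",
    "/lib/x86_64-linux-gnu/security",
)


def parse_pam_config(text):
    """Return (type, control, module, args) tuples for one pam.d file."""
    rules, logical = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):              # backslash continuation
            logical += line[:-1] + " "
            continue
        tokens, logical = (logical + line).split(), ""
        if not tokens:
            continue
        if tokens[0].startswith("@include"):
            rules.append(("@include", "", tokens[1] if len(tokens) > 1 else "", []))
            continue
        mtype, rest = tokens[0].lstrip("-"), tokens[1:]  # '-' marks an optional module
        if not rest:
            continue
        if rest[0].startswith("["):           # e.g. [success=1 default=ignore]
            end = next((i for i, t in enumerate(rest) if t.endswith("]")), len(rest) - 1)
            control, rest = " ".join(rest[: end + 1]), rest[end + 1:]
        else:
            control, rest = rest[0], rest[1:]
        if rest:
            rules.append((mtype, control, rest[0], rest[1:]))
    return rules


def referenced_modules(pamd_dir="/etc/pam.d"):
    """Set of module names referenced by any stack in pamd_dir."""
    mods = set()
    for path in glob.glob(os.path.join(pamd_dir, "*")):
        with open(path, errors="replace") as fh:
            mods.update(m for t, _c, m, _a in parse_pam_config(fh.read()) if t != "@include")
    return mods


def resolve_module(module):
    """Map a module name (or absolute path) to the .so PAM would load."""
    candidates = [module] if module.startswith("/") else [os.path.join(d, module) for d in MODULE_DIRS]
    return next((c for c in candidates if os.path.exists(c)), None)


def owned_by_package(path):
    """True/False from dpkg or rpm; None when neither package manager exists."""
    if shutil.which("dpkg"):
        cmd = ["dpkg", "-S", path]
    elif shutil.which("rpm"):
        cmd = ["rpm", "-qf", path]
    else:
        return None
    return subprocess.run(cmd, capture_output=True).returncode == 0


def verified(path):
    """Check the path as written and its realpath (merged-/usr symlinks)."""
    result = False
    for cand in {path, os.path.realpath(path)}:
        r = owned_by_package(cand)
        if r:
            return True
        if r is None:
            result = None
    return result


def unverified_modules(modules, verified_names):
    """Pure helper: module names not in the verified set, sorted."""
    return sorted(m for m in modules if os.path.basename(m) not in verified_names)


def audit(pamd_dir="/etc/pam.d"):
    """Return {module: reason} for unresolved, unpackaged or unverifiable modules."""
    findings = {}
    for module in sorted(referenced_modules(pamd_dir)):
        path = resolve_module(module)
        if path is None:
            findings[module] = "referenced but not found in any module directory"
            continue
        status = verified(path)
        if status is False:
            findings[module] = f"{path} is not owned by any installed package"
        elif status is None:
            findings[module] = f"{path} could not be verified (no dpkg/rpm)"
    for d in MODULE_DIRS:                      # planted but not yet referenced
        for path in glob.glob(os.path.join(d, "*.so")):
            if verified(path) is False:
                findings.setdefault(os.path.basename(path), f"{path} on disk but unowned by any package")
    return findings


if __name__ == "__main__":
    for module, reason in audit().items():
        print(f"{module}: {reason}")
```

Package ownership proves provenance, not integrity: follow a clean ownership result with a content check (dpkg --verify or rpm -V) so a legitimately named module whose bytes were replaced is also caught.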

Instantly Fix Risks with Saner Patch Management

Saner Patch Management is a continuous, automated, and integrated software solution designed to proactively address vulnerabilities and instantly fix risks exploited in the wild. The software supports major operating systems like Windows, Linux, macOS, and over 550 third-party applications.

It also facilitates setting up a secure testing environment to validate patches before their broad deployment in a primary production environment. Additionally, Saner Patch Management includes a patch rollback feature, offering a safety net in case of patch failure or system malfunction.

Experience the fastest and most accurate patching software here.