CSO at Enea AdaptiveMobile Security, Simeon Coney reviews a busy year for omnichannel threats, including attack growth, changing regulation, threat take-downs, and the use of attacks in conflict areas.
The overarching objective of enterprise communications is to deploy solutions that bring together a variety of channels that clients and users are familiar with, for more effective engagement. Omnichannel is the foundation on which these solutions are built, but as coverage grows and use cases expand, so does the attack surface and the number of potential attack vectors.
Where there is growth in communications, threat actors are never far behind. Last year was a case in point, with threat actors mobilizing across messaging, signaling, voice and applications, in an attempt to leverage communications infrastructure to their advantage. Let’s look at each of these channels in turn and how they were impacted in 2022.
Attack growth and changing regulation in messaging
Prior to 2018, operators were used to seeing threats accounting for less than 0.1% of their overall messaging traffic. That might not sound like very much, but when you’re dealing with billions of messages every single day, that threat is substantial. In 2020/21, during the COVID-19 pandemic, we saw this figure increase dramatically to around 1% as threat actors sought to take advantage of our increased dependence on remote communications and online services. In 2022, the percentage of operators’ traffic that is considered a threat remains markedly higher than anything pre-2018.
Many of these threats are coming in the form of attacks on MMS and RCS, channels that attackers have become very comfortable using because they offer faster sending rates. In response, we are seeing regulatory and industry measures such as sender identity registers increase, something the MEF has been very vocal in supporting. This gives the opportunity for an improved flow for commercial messages with better messaging intelligence and control, reducing the risk of false-positive blocking of legitimate traffic and providing better identification of abusive sources.
New regulation within the ecosystem, such as rules on what traffic is acceptable, and when, is also contributing to the growing need for greater intelligence in message control. An example is the increasingly common requirement to restrict the time of day, and the working days, on which marketing messages may be sent, which requires the intelligence to distinguish marketing communications from other categories.
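As an added illustration (not the article's or Enea's code), here is a small message-control policy that profiles a message's category and then applies a recipient-local delivery window and working-day rule to marketing traffic only; the window, holiday list, keyword hints and the fixed UTC offset in place of a full time zone are constructed assumptions, since the article gives no specific values.

```python
from datetime import datetime, time, timedelta, timezone

# Assumed policy values: the article describes the requirement (marketing only
# at certain times and on working days), not these numbers. They are constructed.
MARKETING_WINDOW = (time(8, 0), time(20, 0))   # recipient-local delivery window
WORKING_DAYS = {0, 1, 2, 3, 4}                  # Monday..Friday
PUBLIC_HOLIDAYS = {"2023-01-02"}                # constructed sample, ISO dates
CATEGORY_HINTS = {
    "marketing": ("offer", "sale", "% off", "unsubscribe"),
    "otp": ("verification code", "one-time", "passcode"),
}

def classify(text: str) -> str:
    """Profile a message as marketing, otp or other (assumed keyword heuristic;
    a real deployment would use a trained classifier plus sender metadata)."""
    low = text.lower()
    for category, hints in CATEGORY_HINTS.items():
        if any(h in low for h in hints):
            return category
    return "other"

def next_permitted_slot(local: datetime) -> datetime:
    """Earliest time at or after `local` that falls inside the marketing window
    on a working, non-holiday day."""
    start, end = MARKETING_WINDOW

    def at_start(d: datetime) -> datetime:
        return d.replace(hour=start.hour, minute=start.minute, second=0, microsecond=0)

    candidate = local
    for _ in range(14):                        # never scan more than two weeks
        working = (candidate.weekday() in WORKING_DAYS
                   and candidate.date().isoformat() not in PUBLIC_HOLIDAYS)
        if working and candidate.time() < start:
            return at_start(candidate)         # too early: hold until window opens
        if working and candidate.time() < end:
            return candidate                   # inside the window: send now
        candidate = at_start(candidate + timedelta(days=1))
    raise ValueError("no permitted slot within 14 days")

def control_message(text: str, utc_offset_hours: float, sent_utc_iso: str) -> tuple:
    """Decide ('deliver', local_iso) or ('defer', local_iso) for one message.
    The recipient's zone is a fixed UTC offset here (simplification; a
    production system would use the subscriber's IANA zone)."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    local = datetime.fromisoformat(sent_utc_iso).replace(tzinfo=timezone.utc).astimezone(tz)
    if classify(text) != "marketing":
        return ("deliver", local.isoformat())  # OTP/transactional traffic is not time-restricted
    slot = next_permitted_slot(local)
    return ("deliver" if slot == local else "defer", slot.isoformat())
```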
The increasing need for voice firewalling
Voice firewalling has now become critical to addressing a range of frauds against end users and operators, and abuse of the ecosystem at large. The website iSpoof, which was recently taken down following an investigation, provided a packaged set of tools designed to let attackers trick individuals into handing over money or giving access to their high-value accounts. Between August 2021 and August 2022, in the UK alone, more than 10 million fraudulent calls were made, with the average amount stolen sitting at around £10,000.
The iSpoof platform is particularly dangerous because it makes the advanced capability of Calling Line Identity (CLI) manipulation widely available to attackers, coupled with pre-built scripts for obtaining 2FA codes from victims by deception: fraudulent voice phishing as a service. Voice firewalling on bearers such as ISUP and SIP is therefore likely to become even more crucial to network security as we move through 2023 and beyond.
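To show what a CLI plausibility check on a SIP bearer looks like in practice, here is an added example (not the article's or Enea's code) that parses the From and P-Asserted-Identity headers of an INVITE and returns the signatures a voice firewall would act on; the home country code, protected-number list, ingress-trunk field and the sample INVITEs are constructed assumptions.

```python
import re

# Assumed deployment facts (not from the article): the operator's home
# country code and a list of protected numbers (e.g. bank helplines) that
# should never be presented as CLI on a call arriving from outside.
HOME_CC = "44"
PROTECTED_CLIS = {"+442079460000"}          # constructed sample value
E164 = re.compile(r"^\+[1-9]\d{6,14}$")
IDENT_HDR = re.compile(r"^(From|P-Asserted-Identity):.*?<sips?:([^@>]+)@", re.M | re.I)

def parse_identities(invite: str) -> dict:
    """Map lower-cased header name -> user part for the From and PAI headers."""
    return {name.lower(): user for name, user in IDENT_HDR.findall(invite)}

def assess_invite(invite: str, ingress_trunk: str) -> list:
    """Return the reasons a voice firewall would flag this INVITE (empty list
    means allow). ingress_trunk is 'domestic' or 'international', an assumed
    field derived from the interconnect the call arrived on."""
    ids = parse_identities(invite)
    cli = ids.get("p-asserted-identity") or ids.get("from")
    if cli is None or not E164.match(cli):
        return ["cli-missing-or-not-e164"]
    reasons = []
    # Display identity (From) differs from the network-asserted one (PAI).
    if "from" in ids and "p-asserted-identity" in ids and ids["from"] != ids["p-asserted-identity"]:
        reasons.append("from-pai-mismatch")
    # Home-country CLI arriving over an international interconnect: the
    # classic inbound CLI-spoofing signature.
    if ingress_trunk == "international" and cli.startswith("+" + HOME_CC):
        reasons.append("home-cli-on-international-trunk")
    # A protected number presented to subscribers on an inbound call.
    if cli in PROTECTED_CLIS:
        reasons.append("protected-cli-presented-inbound")
    return reasons

# Constructed sample INVITEs using fictional number ranges.
SPOOFED_BANK_CALL = (
    "INVITE sip:+447700900123@operator.example SIP/2.0\r\n"
    'From: "Bank Security" <sip:+442079460000@carrier.example>;tag=a1\r\n'
    "To: <sip:+447700900123@operator.example>\r\n"
    "P-Asserted-Identity: <sip:+442079460000@carrier.example>\r\n"
    "Call-ID: c1@carrier.example\r\n\r\n"
)
DOMESTIC_CALL = (
    "INVITE sip:+447700900123@operator.example SIP/2.0\r\n"
    "From: <sip:+447700900456@operator.example>;tag=b2\r\n"
    "To: <sip:+447700900123@operator.example>\r\n"
    "P-Asserted-Identity: <sip:+447700900456@operator.example>\r\n\r\n"
)

if __name__ == "__main__":
    print(assess_invite(SPOOFED_BANK_CALL, "international"))  # two reasons flagged
    print(assess_invite(DOMESTIC_CALL, "domestic"))           # [] (allow)
```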
Malware application takedowns
There were several headlines in 2022 regarding the takedown of certain malware applications, the most prominent of which was FluBot. This is aggressive malware that spreads relentlessly via SMS, stealing sensitive information like passwords and banking credentials from unsuspecting users. In June 2022, Europol announced that it had seized a FluBot operation and disconnected 10,000 potential victims from the malware. However, this attack has demonstrated the effectiveness of these techniques on victims, which means there is motivation for new gangs to re-establish the same capabilities. This pattern, in which a malware application’s command and control infrastructure is taken down only to resurface, is frustratingly common, and it is highly unlikely that we have heard the last of FluBot and similar threats.
Signaling, “cyberwar” and the role of mobile networks
Media attention has of course been focused on the war in Ukraine. However, what is unique about this particular conflict is the role mobile networks have played in what is often described as “cyber warfare”. This phraseology is unhelpful, because in an armed conflict the most impactful activity is that surrounding physical actions and physical effects on the battlefield. For example, the capture by Ukrainian forces of SIM boxes seemingly used by the Russians for command and control had a real-world impact and revealed much about Russia’s capabilities, but would likely not have featured in a typical discussion of the ongoing ‘cyberwar’.
This is why a much more useful descriptor is “hybrid warfare”, and through this lens we can see that mobile networks play a critical role. Throughout the conflict in Ukraine, we’ve seen countless physical repairs being carried out on critical telecoms infrastructure in order to maintain functioning network services. Concerted efforts from the invading force to infiltrate company networks via phishing attacks and cripple websites using DDoS methods have been widely reported.
At the same time, Ukrainian authorities have highlighted Russian attempts to weaponize captured mobile network infrastructure. Ultimately, smartphones continue to be instrumental to civil defense as well as combat efforts, and we’re likely to see mobile networks continue to be used for both defensive and offensive ends. This demonstrates the importance of a greater application of security across mobile networks to defend nations at a state level.
As we move through 2023 and beyond, the prominent and trusted position that mobile operators and aggregators hold in the world will become ever more apparent and important, both in terms of national security and in the safeguarding and security of individuals. To find out how Enea AdaptiveMobile Security helps operators secure their networks against a multitude of threats, you can get in touch with them.