{ "authors": [ "MITRE" ], "category": "attack-pattern", "description": "MITRE Five-G Hierarchy of Threats (FiGHT™) is a globally accessible knowledge base of adversary tactics and techniques that are used or could be used against 5G networks.", "name": "MITRE FiGHT Techniques", "source": "https://fight.mitre.org/", "type": "mitre-fight", "uuid": "6a1fa29f-85a5-4b1c-956b-ebb7df314486", "values": [ { "description": "An adversary may breach or otherwise leverage a mobile network operator’s (MNO’s) roaming partners or their service partners to gain access to subscriber’s services or obtain information about that subscriber from their home network. Since these relationships are of a more trusted nature, end-to-end security is not necessarily used.\r\n\r\nAn adversary may use the trusted relationship with other mobile network operators and their related service providers such as roaming hubs, roaming partners, national partners, SMS service providers, lookup services to gain access to subscriber information at the subscriber’s home MNO. An adversary may take advantage of potentially weaker security at a roaming partner of a targeted MNO. The roaming MNO or their service partners could also be adversaries themselves. \r\n\r\nThese trusted relationships expose more interfaces to the roaming partner and their service providers than described in the related technique [FGT5029](/techniques/FGT5029). The information an adversary can obtain or modify about a subscriber and the subscriber’s activity depends on the specific location and assets compromised and additional techniques used. Information such as location, call records, messages, etc. are potentially obtained. Adversary use of additional techniques to compromise the VPLMN UPF (N9 endpoint) may result in direct compromise of user plane data. 
The adversary may generate queries using specially crafted messages as described in [FGT5029](/techniques/FGT5029) or obtain credentials and operate as an apparently authorized partner would to collect information. Depending on the roaming partner’s configuration, core functions may be directly exposed to service providers used by the roaming partner.", "meta": { "access-required": "service account, token, expanded privilege", "architecture-segment": "Roaming, Application Layer, Supply Chain", "bluf": "An adversary may breach or otherwise leverage a mobile network operator's (MNO's) roaming partners or their service partners to gain access to subscriber's services or obtain information about that subscriber from their home network.", "criticalassets": [ { "Description": "An adversary would want to compromise the cSEPP as it is the VPLMN end-point for the N32c channel to the HPLMN.", "Name": "SEPP" }, { "Description": "An adversary would want to compromise the VPLMN UPF as it is used as an endpoint on the roaming network for the N9 user plane interface between UPFs.", "Name": "VPLMN UPF" }, { "Description": "An adversary would want to compromise a trusted VAS with access to the MNO’s core functions.", "Name": "VAS" } ], "detections": [ { "detects": "Analysis of application logs on the HPLMN SEPP and PLMN NFs may indicate unusual control channel activity.", "fgdsid": "DS0015", "name": "Application Log" }, { "detects": "Analysis of network traffic from VAS, and/or IPX may indicate unexpected or unusual traffic.", "fgdsid": "DS0029", "name": "Network Traffic" } ], "external_id": "FGT1199.501", "kill_chain": [ "fight:Initial-Access", "fight:Impact" ], "mitigations": [ { "fgmid": "M1018", "mitigates": "Management of credentials used by partners to be scoped to the least privilege can minimize potential abuse. 
Does not mitigate misuse within allowed privileges.", "name": "User Account Management" }, { "fgmid": "M1030", "mitigates": "Minimize exposure of functions to only those partner functions that need to access.", "name": "Network Segmentation" }, { "fgmid": "M1037", "mitigates": "Ensure communication with functions such as a SEPP is constrained to necessary addresses, ports, and protocols.", "name": "Filter Network Traffic" }, { "fgmid": "M1054", "mitigates": "Properly validating credentials can mitigate some AITM attacks and ensure revoked/expired credentials are not allowed.", "name": "Software Configuration" } ], "object-type": "technique", "platforms": "SEPP", "preconditions": [ { "Description": "An adversary must already have compromised a trusted PLMN or one of their service providers, e.g. IPX, VAS, etc.", "Name": "Compromised partner" }, { "Description": "An adversary may need compromised legitimate credentials that could be used to obtain information from the MNO.", "Name": "Compromised credentials" }, { "Description": "An adversary may need to identify a vulnerability in an MNO network function to send specially crafted requests to obtain initial access.", "Name": "Identified vulnerability" } ], "procedureexamples": [ { "Description": "The service partner of the targeted MNO may themselves be targeted as part of an attack chain using that roaming partner's supply chain.", "Name": "Partner supply chain compromise" }, { "Description": "A roaming partner may have an adversary with a privileged position in the roaming or service partner's organization who can use that position to attempt additional techniques against the targeted MNO.", "Name": "Partner insider" } ], "refs": [ "[1] 5GS Roaming Guidelines Version 5.0 (non-confidential), NG.113-v5.0, GSMA, December 2021 - https://www.gsma.com/newsroom/wp-content/uploads//NG.113-v5.0.pdf", "[2] 5G; Security Architecture and Procedures for 5G System, TS 33.501 v16.10.0 Release 16, Sections 9.9, 13.1, 13.2, 3GPP, 
March 2022 - https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=3169", "[3] ETSI White Paper No. 46 – MEC security: Status of standards support and future evolutions, 1st edition, ETSI, May 2021 - https://www.etsi.org/images/files/ETSIWhitePapers/ETSI_WP_46-_MEC_security.pdf", "[4] R. Pell, S. Moschoyiannis, E. Panaousis, R. Heartfield, “Towards dynamic threat modelling in 5G core networks based on MITRE ATT&CK”,  October 2021 - https://arxiv.org/abs/2108.11206", "https://fight.mitre.org/data%20sources/DS0015", "https://fight.mitre.org/data%20sources/DS0029", "https://fight.mitre.org/mitigations/M1018", "https://fight.mitre.org/mitigations/M1030", "https://fight.mitre.org/mitigations/M1037", "https://fight.mitre.org/mitigations/M1054", "https://fight.mitre.org/techniques/FGT1199.501" ], "status": "This is a theoretical behavior in context of 5G systems.", "subtechnique-of": "FGT1199", "typecode": "fight_subtechnique_to_attack_technique" }, "related": [ { "dest-uuid": "686a3700-8ee3-52d3-954f-d2ec4abf14aa", "type": "mitigated-by" }, { "dest-uuid": "9c376223-8d89-5179-8a56-51de20697bd2", "type": "mitigated-by" }, { "dest-uuid": "ed391833-59f3-5049-9017-66427a8d8a17", "type": "mitigated-by" }, { "dest-uuid": "dd78a499-3b11-5095-9db9-58cef55bef9e", "type": "mitigated-by" }, { "dest-uuid": "3c23d0f7-d55c-5891-90b9-c744e976f0ef", "type": "detected-by" }, { "dest-uuid": "becdcf31-3d2a-53bb-8251-51e9da4a0df6", "type": "detected-by" }, { "dest-uuid": "f1d89d8c-28cb-5e96-a689-bbff038fe2ee", "type": "subtechnique-of" } ], "uuid": "bc291a20-b999-5698-9282-d493c45b7e8f", "value": "MNO Roaming Partners" }, { "description": "Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment.\r\n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1525)", "meta": { "access-required": "User or Administrative access to 
repository", "addendums": [ "#### Addendum Name: Compromised image\r\n##### Architecture Segments: Virtualization, Cloud Service Provider, OA&M, Supply Chain\r\n An adversary may install a compromised image in a 5G environment to achieve persistence. This could be achieved by either poisoning an image repository, compromising the MANO, or other means.\r\n\r\nThe 5G Virtual Network Function (VNF) software is either developed in house or supplied by a product vendor. Typically, software is stored in a deployment repository for deployment or for an orchestrator to use as part of an automated workload deployment activity. An adversary may install a compromised image in the repository of 5G VNFs and or VM (Virtual Machine)/Container images to later establish Command and Control (C2) connection and subsequent modification, discovery, and exfiltration operations.\r\n\r\nManagement and Orchestration (MANO) is a framework for managing and orchestrating network functions virtualization (NFV) infrastructure, resources, and services. It provides a standard approach for the management and orchestration of network services in NFV environments, including the automation of tasks such as network service deployment, scaling, and network function lifecycle management. 
A poisoned image can be installed using compromised MANO tool set during image acquisition, repository manipulation or deployment and configuration scripts.\r\n\r\n" ], "architecture-segment": "Virtualization, Cloud Service Provider, OA&M, Supply Chain", "bluf": "Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment.", "criticalassets": [ { "Description": "An adversary may target the 5G core network domain", "Name": "Core components" }, { "Description": "An adversary may target the 5G core network domain", "Name": "RAN components" }, { "Description": "An adversary may target CI/CD pipeline components", "Name": "SDN components" }, { "Description": "An adversary may target security and operations tools", "Name": "System tools" } ], "detections": [ { "detects": "Analyze logs and other CI/CD events to detect unauthorized activity", "fgdsid": "FGDS5012", "name": "SIEM" }, { "detects": "An automated image hash verification should be performed", "fgdsid": "FGDS5015", "name": "Image verification" } ], "external_id": "FGT1525", "kill_chain": [ "fight:Persistence" ], "mitigations": [ { "fgmid": "FGM5088", "mitigates": "Development and production repositories should be separated to avoid access and image slipovers. 
Production repositories should be access controlled for accounts responsible for deployments and operations accounts only.", "name": "Separate repositories for development and production" }, { "fgmid": "FGM5089", "mitigates": "In addition to the image name, deployment tools must use the image hash to verify the image during deployment", "name": "Verify image in deployment" }, { "fgmid": "FGM5090", "mitigates": "Logs from tools and repository must be correlated to ensure unauthorized activity is reported.", "name": "Log correlation" }, { "fgmid": "M1035", "mitigates": "Access to repositories should be restricted to known networks from where any authorized actions need to be executed.", "name": "Limit Access to Resource Over Network" }, { "fgmid": "M1043", "mitigates": "Restricted Permissions to add images to repositories for person and non-person accounts", "name": "Credential Access Protection" }, { "fgmid": "M1049", "mitigates": "Manual or automated image creation and storage must include image hash", "name": "Anti-virus & Anti-malware" } ], "object-type": "technique", "platforms": "VM, Container, Azure/AWS, IaaS, SDN", "postconditions": [ { "Description": "A compromised image deployed in production can lead to a variety of adversarial activities depending on what capabilities were added/deleted from the image.", "Name": "A Compromised Image is deployed in production" } ], "preconditions": [ { "Description": "An image can be manipulated, or a new image can be introduced to have the same impact. Privileged Access to tool or repo is required.", "Name": "Credential and Access to repository and or image creation tools (i.e. Docker)" } ], "refs": [ "[1] ENISA THREAT LANDSCAPE FOR 5G NETWORKS, December 2020, section 6.2. 
Accessed April 13, 2021 - https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks/", "[2] Docker Documentation, Security, Content in Trust - https://docs.docker.com/engine/security/trust/", "https://attack.mitre.org/techniques/T1525", "https://fight.mitre.org/data%20sources/FGDS5012", "https://fight.mitre.org/data%20sources/FGDS5015", "https://fight.mitre.org/mitigations/FGM5088", "https://fight.mitre.org/mitigations/FGM5089", "https://fight.mitre.org/mitigations/FGM5090", "https://fight.mitre.org/mitigations/M1035", "https://fight.mitre.org/mitigations/M1043", "https://fight.mitre.org/mitigations/M1049", "https://fight.mitre.org/techniques/FGT1525" ], "status": "This is an observed behavior in Enterprise networks, and is theoretical in context of 5G systems.", "typecode": "attack_technique_addendum" }, "related": [ { "dest-uuid": "4fd8a28b-4b3a-4cd6-a8cf-85ba5f824a7f", "type": "related-to" }, { "dest-uuid": "6aadfd3f-9f22-55a1-965f-559845f7c3c4", "type": "mitigated-by" }, { "dest-uuid": "f5161722-ba76-5111-b4e1-5be22d958b75", "type": "mitigated-by" }, { "dest-uuid": "22139148-14ef-5a59-a345-d4fcd502a317", "type": "mitigated-by" }, { "dest-uuid": "79119bb4-e146-5c99-ab3f-7ed4ed1e975a", "type": "mitigated-by" }, { "dest-uuid": "4d882eab-1588-508e-b3fc-f7221cad2db8", "type": "mitigated-by" }, { "dest-uuid": "b30b0bba-d220-5835-9ab8-5e0308f55979", "type": "mitigated-by" }, { "dest-uuid": "7a823dc9-a6c0-5d4f-95ca-b13ba57696df", "type": "detected-by" }, { "dest-uuid": "9325a5c1-d001-53cc-b556-749181f60f6a", "type": "detected-by" } ], "uuid": "21ae9651-77b5-56ac-9c1c-aa3e8dbb2bf2", "value": "Implant Internal Image" }, { "description": "An adversary positioned in an operator network may send an SMS delivery location query that will bypass the SMS home router of another operator, allowing the adversary to get the location of the user device.\r\n\r\nSMS home routing bypassing is a technique that exploits incorrect implementation or 
configuration. An adversary sends an SMS delivery location query that does not get intercepted by the SMS home router, and so receives a response that provides the location of the adversary’s target UE. \r\n \r\nThis technique is applicable to 3G, 4G, and 5G, since 5G systems still need to interconnect with SS7 networks. 5G supports both SMS over IP and SMS over NAS. The routes for SMS are still from SMSC (Short Message Service Center) to STP (Signaling Transfer Point) to either IP-SM-GW (IP Short Message Gateway) for SMS over IP or SMSF (SMS Function) for SMS over NAS. Refer to section 7.2 of [3].", "meta": { "access-required": "N/A", "architecture-segment": "Control Plane, Roaming", "bluf": "An adversary positioned in an operator network may send an SMS delivery location query that will bypass the SMS home router of another operator, allowing the adversary to obtain the location of the user device.", "criticalassets": [ { "Description": "Coarse location: In the form of routing info (MSC address)", "Name": "UE location" } ], "detections": [ { "detects": "Logs of externally received messages requesting the location of a user, or logs of outgoing responses to such messages, can detect anomalies. Logs are on the NF or functions which interface with the SMS home router such as MAP IWF or SMSC. See Figure 27 of [3].", "fgdsid": "DS0015", "name": "Application Log" } ], "external_id": "FGT5002", "kill_chain": [ "fight:Defense-Evasion" ], "mitigations": [ { "fgmid": "FGM5004", "mitigates": "Correctly configure SMS firewall in home network. 
[4]", "name": "Correctly configure SMS firewall" } ], "object-type": "technique", "platforms": "5G", "preconditions": [ { "Description": "Access to a host that could pass as belonging to a different operator (roaming partner)", "Name": "Compromised SMS Center or STP" }, { "Description": "Access to the MSISDN of the user device", "Name": "Get target user’s phone number" } ], "procedureexamples": [ { "Description": "Incorrect implementation/configuration or compromised home SMS router can allow bypass of the SMS location query messages. Deployed SMS router as in Section 7.2.2 of [3]", "Name": "Send SMS location query via SS7 or Diameter" } ], "refs": [ "[1] S.P. Rao, S. Holtmanns, T. Aura: “Threat modeling framework for mobile communication systems”, May 2020 - https://arxiv.org/abs/2005.05110v1", "[2] European Union Agency for Cybersecurity (ENISA , “Signaling security in telecom SS7/Diameter/5G”, March 2018 - https://www.enisa.europa.eu/publications/signalling-security-in-telecom-ss7-diameter-5g", "[3] GSM Association, “Official Document NG.111 - SMS Evolution”, v2.0, Nov. 
2020 - https://www.gsma.com/newsroom/wp-content/uploads//NG.111-v2.0.pdf", "[4] Kirill Puzankov: “Hidden Agendas: bypassing GSMA recommendations on SS7 networks,”accessed on May 25, 2023 - https://docplayer.net/136483279-Hidden-agendas-bypassing-gsma-recommendations-on-ss7-networks-kirill-puzankov.html", "https://fight.mitre.org/data%20sources/DS0015", "https://fight.mitre.org/mitigations/FGM5004", "https://fight.mitre.org/techniques/FGT5002" ], "status": "Observed in earlier 3GPP generations and expected in 5G.", "typecode": "fight_technique" }, "related": [ { "dest-uuid": "b6db0fd1-7f3d-5873-bce6-6a2c56b2af9c", "type": "mitigated-by" }, { "dest-uuid": "3c23d0f7-d55c-5891-90b9-c744e976f0ef", "type": "detected-by" } ], "uuid": "31dbb269-1244-5113-a82e-15d3503c6c9a", "value": "Bypass home routing" }, { "description": "An adversary may employ a false base station to bid down (downgrade) the victim UE to a less secure Radio Access Network in order to exploit the vulnerabilities in that network. \r\n\r\nAn adversary located between the victim UE and real base stations may jam the 5G radio frequencies and use the false base station to generate illegitimate over-the-air signaling to deny service to 5G and induce the UE to operate over a less secure radio access network, such as 3G, 4G. This requires a UE profile that permits attaching to networks other than 5G.\r\n\r\nWhen the security profile in the UE allows connection to a less secure service, adversary denies service to 5G, bids down victim UE to less secure network (4G or 3G) with illegitimate signaling. Then the adversary bids down the UE to 2G network and orders the UE to transmit with no or weak encryption/integrity protection. 
However, note that 5G (Release 15 and later) supports an anti-bid-down feature: during the Authentication and Key Agreement (AKA) procedure, the network sends to the UE an “ABBA” parameter (Anti Bidding Down between Architectures), which indicates the security features that the network possesses. When this feature is enabled, the UE is not to attach to earlier generation networks.\r\n\r\nAlso known as downgrading, the bidding down enables the adversary to perform additional following techniques using over the air interfaces, such as eavesdropping of user SMS and voice calls, user data or signaling manipulation, and privacy breaches. These privacy breaches may include exposure of the IMSI, location tracking of user, and impersonation of a user.", "meta": { "architecture-segment": "RAN", "bluf": "An adversary may employ a fake base station to bid down (downgrade) the victim UE to a less secure Radio Access Network in order to exploit vulnerabilities in that network.", "criticalassets": [ { "Description": "Data that the UE sends to/from the network (including identifiers).", "Name": "User data" } ], "detections": [ { "detects": "At the UE side, the UE can tell that there is a 5G cell site that it can hear, but if it eventually gets connected to a 4G cell site, then it may have suffered a bidding down attack", "fgdsid": "FGDS5013", "name": "UE connecting to 4G" } ], "external_id": "FGT1562.501", "kill_chain": [ "fight:Defense-Evasion" ], "mitigations": [ { "fgmid": "FGM5002", "mitigates": "UE should discard RRC redirection messages that are not integrity protected, and go search for other gNBs. UE should only accept to register to networks that require mutual auth and strong encryption, also integrity protection of user plane. 
See [2]", "name": "Discard RAN signaling received without integrity protection" }, { "fgmid": "FGM5092", "mitigates": "UE warns user of lower security network (and the user can take action to limit data or type of data, or to disconnect).", "name": "Warn user" }, { "fgmid": "FGM5097", "mitigates": "Set security profile to prohibit bidding down to less secure service.", "name": "Disable acceptance of a less secure system" } ], "object-type": "technique", "platforms": "5G RAN", "postconditions": [ { "Description": "UE is now vulnerable to 4G threats.", "Name": "UE is connected to a 4G network" } ], "preconditions": [ { "Description": "Adversary has procured a UE and gNB under its control, and the victim UE is nearby", "Name": "False base station with strong signal and UE system" } ], "procedureexamples": [ { "Description": "UEs tend to attach to gNBs which have better signal condition than the gNB to which the UE is currently attached. A false gNB with stronger signal strength than legitimate gNBs lures the UE to connect, then sends an RRC redirection message that is not integrity protected, so that the UE can’t check its legitimacy. This RRCRelease message has the instruction for the UE to attach to a 4G cell instead (i.e., RedirectInfo as E-UTRA Absolute Radio Frequency Channel Number (E-ARFCN)).", "Name": "False gNB redirects UE to 4G." } ], "refs": [ "[1] S.P. Rao, S. Holtmanns, T. 
Aura: “Threat modeling framework for mobile communication systems”, May 2020 - https://arxiv.org/abs/2005.05110v1", "[2] DEFCON 24 article “Forcing Targeted LTE Cellphone Into Unsafe Network” - https://www.scribd.com/document/350156530/forcing-targeted-lte-cellphone-into-unsafe-network", "https://fight.mitre.org/data%20sources/FGDS5013", "https://fight.mitre.org/mitigations/FGM5002", "https://fight.mitre.org/mitigations/FGM5092", "https://fight.mitre.org/mitigations/FGM5097", "https://fight.mitre.org/techniques/FGT1562.501" ], "status": "This is a theoretical behavior in context of 5G systems.", "subtechnique-of": "FGT1562", "typecode": "fight_subtechnique_to_attack_technique" }, "related": [ { "dest-uuid": "4d506842-0cd5-5dfc-9bab-dd0800817238", "type": "mitigated-by" }, { "dest-uuid": "b188a8b7-ce54-5130-bb62-4de2bea50671", "type": "mitigated-by" }, { "dest-uuid": "7897a6c7-460b-5e0c-95d7-1185ff5b1a45", "type": "mitigated-by" }, { "dest-uuid": "a840f248-f516-5dc6-b79e-941abf405905", "type": "detected-by" }, { "dest-uuid": "f504e92d-9f52-56b8-8fe1-aad7285cd440", "type": "subtechnique-of" } ], "uuid": "f496a628-bfe9-51ec-8ebf-d78cfe752c7c", "value": "Bid down UE" }, { "description": "An adversary may gain access to an operator's roaming database (IR.21), which can reveal the critical network assets of both the operator and its roaming partners.\r\n\r\nInternational Mobile Network Operators (MNOs) maintain information about their network infrastructure, roaming/interconnection configuration, and MNO partner billing agreements. This sensitive data is in a standardized format, under the name “IR.21”. GSMA (an operator forum) administers databases of IR.21 for all international MNO and allowing all MNOs access to it. 
This type of sensitive information is intended to be close held and not be publicly accessible; however, data leaks and insider attacks have occurred, and thus this information can be and has been used by adversaries in their discovery tactics.", "meta": { "architecture-segment": "OA&M", "bluf": "An adversary may gain access to an operator's roaming database (IR.21), which can reveal the critical network assets of both the operator and its roaming partners.", "criticalassets": [ { "Description": "Information on the IP addresses of the mobile network nodes, along with those of the interconnect/roaming nodes.", "Name": "Mobile network topology, interconnects." }, { "Description": "Hostnames and IP addresses of core network functions like subscriber databases and functions involved in roaming exchanges (e.g. Access and Mobility Function (AMF)).", "Name": "IP addresses of core NFs" } ], "detections": [ { "detects": "Leaking this information on the Internet is obvious", "fgdsid": "FGDS5008", "name": "Search Internet for leaks" }, { "detects": "Access to IR.21 file should be logged.", "fgdsid": "FGDS5009", "name": "Access to operator resource" } ], "external_id": "FGT1592.501", "kill_chain": [ "fight:Reconnaissance" ], "mitigations": [ { "fgmid": "FGM5500", "mitigates": "Control access to IR.21 files in GSMA. Host/application hosting this file should guard against such leak.", "name": "Restrict access to operator OA&M resources" } ], "object-type": "technique", "platforms": "5G Network", "postconditions": [ { "Description": "IP addresses of core network functions known", "Name": "Discovered IP addresses" } ], "preconditions": [ { "Description": "Adversary needs to access the operator databases or GSMA repositories", "Name": "Access to GSMA account; in some cases, none." 
} ], "procedureexamples": [ { "Description": "Claro Americas and Vivo telecom had their IR.21 database accessible from the Internet in 2016 (reference no longer available)", "Name": "IR.21 accessible from the Internet" } ], "refs": [ "[1] S.P. Rao, S. Holtmanns, T. Aura: “Threat modeling framework for mobile communication systems”, May 2020 - https://arxiv.org/abs/2005.05110v1", "https://fight.mitre.org/data%20sources/FGDS5008", "https://fight.mitre.org/data%20sources/FGDS5009", "https://fight.mitre.org/mitigations/FGM5500", "https://fight.mitre.org/techniques/FGT1592.501" ], "status": "Observed in earlier 3GPP generations and expected in 5G.", "subtechnique-of": "FGT1592", "typecode": "fight_subtechnique_to_attack_technique" }, "related": [ { "dest-uuid": "a20446d7-5ae8-55fb-b427-321d58ec1c7f", "type": "mitigated-by" }, { "dest-uuid": "0e87addc-6d6d-534c-bbd6-ee0ac7416c5e", "type": "detected-by" }, { "dest-uuid": "48956a40-c7df-5979-b4d3-4846eef3e0bb", "type": "detected-by" }, { "dest-uuid": "d4895d7d-51ee-5222-b969-133109f5c6ed", "type": "subtechnique-of" } ], "uuid": "a52fef9e-78f3-525a-93ed-21281dfc9165", "value": "Internal resource search" }, { "description": "An adversary may query the Network Repository Function (NRF) to discover restricted Network Function (NF) services to further target that NF. \r\n\r\nAll active NFs in an operator network are to be securely registered with the NRF. Part of this registration information includes the type of NF, the particular services that NF provides, IP addresses, etc. \r\n\r\nConsumer NFs query the NRF for Producer NFs they need to interact with, but the NRF is expected to check that the Consumer NF is authorized to discover such Producer NFs. This type of signaling to the NRF can be abused to identify and target one or more NFs of interest. 
The NRF is expected to check discovery requests against the sender’s profile, but this is prone to misconfiguration and therefore might not protect the restricted NF services.\r\n\r\nIn network slicing, the same principles of NRFs apply, and service discovery is restricted per slice; however, NFs in one slice may have a legitimate need to communicate with NFs in another slice. If NF discovery authorization controls are not supported by the NRF, the NF instance in one slice can discover NF instances belonging to other slices. For example, an NF in one slice should not be inquiring about NFs in other slices, unless it needs to communicate with them.", "meta": { "architecture-segment": "Control Plane, Network Slice", "bluf": "An adversary may query the Network Repository Function (NRF) to discover restricted Network Function (NF) services to further target that NF.", "criticalassets": [ { "Description": "It is possible for example to find out whether an operator provides services to a certain customer. Or whether a user is also part of a private slice e.g. DoD. There is slice isolation assurance loss with this threat.", "Name": "Operator network components and services" } ], "detections": [ { "detects": "Logging of all access requests/inquiries to NFs", "fgdsid": "DS0015", "name": "Application Log" } ], "external_id": "FGT5003", "kill_chain": [ "fight:Discovery" ], "mitigations": [ { "fgmid": "FGM5003", "mitigates": "Ensure cross-layer checks at the NRF, between the certificate presented to it at the TLS connection setup stage and the identity and authorization requested presented to it at the OAuth Token request stage.\nEnsure the consumer is authorized to ask about this service.\n\nAuthorization follows need-to-know rules, such as:\n1. an NF cannot query for NFs in other network slices\n2. 
an NF can only query for NFs that it needs to communicate with.", "name": "Cross check between application layer and transport layer" }, { "fgmid": "FGM5501", "mitigates": "Inspect proxy servers such as SCP (if deployed) for any suspicious use of access tokens such as unauthorized re-direct or replay of tokens", "name": "TLS proxy/firewalls with DPI on the SBA" } ], "object-type": "technique", "platforms": "5G Network", "postconditions": [ { "Description": "Information about what other services are provided by a given MNO", "Name": "Unauthorized probing of network services" } ], "preconditions": [ { "Description": "NRF is by design open to connections from other network functions. Control of another NF in the operator domain may be required.", "Name": "Access to NRF" }, { "Description": "SCP is compromised to hijack tokens.", "Name": "Access to SCP" } ], "procedureexamples": [ { "Description": "A malicious NF can abuse access token issued by the NRF for one slice to access another shared NF in a different slice. Clause H.2.2.1 of [2]", "Name": "Access token abuse" }, { "Description": "Access tokens can be hijacked by a compromised intermediate proxy such as SCP (if deployed by operator). This attack can be followed by re-direct or replay of access tokens. Clause 3.9 of [3]", "Name": "Access token hijack" } ], "refs": [ "[1] R. Pell, S. Moschoyiannis, E. Panaousis, R. Heartfield, “Towards dynamic threat modelling in 5G core networks based on MITRE ATT&CK”, October 2021 - https://arxiv.org/abs/2108.11206", "[2] 3GPP Technical Report 33.926, “Security Assurance Specification (SCAS threats and critical assets in 3GPP network product classes”, Release 17. - https://www.3gpp.org/DynaReport/33926.htm", "[3] Internet Engineering Task Force (IETF “OAuth 2.0 Security Best Current Practice”, draft-ietf-oauth-security-topics-05, June 2022. 
- https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19", "https://fight.mitre.org/data%20sources/DS0015", "https://fight.mitre.org/mitigations/FGM5003", "https://fight.mitre.org/mitigations/FGM5501", "https://fight.mitre.org/techniques/FGT5003" ], "status": "This is a theoretical behavior in context of 5G systems.", "typecode": "fight_technique" }, "related": [ { "dest-uuid": "c1144b6f-994d-5a18-9c38-f40e89a4d19f", "type": "mitigated-by" }, { "dest-uuid": "39a823fe-072a-54a2-90cb-522e0a8c149c", "type": "mitigated-by" }, { "dest-uuid": "3c23d0f7-d55c-5891-90b9-c744e976f0ef", "type": "detected-by" } ], "uuid": "193a90c2-215e-5340-9628-fade3b0d88a6", "value": "Network Function Service Discovery" }, { "description": "An adversary may discover Software Defined Network (SDN) flow information, which could then be used for lateral movement and unauthorized changes in the network.\r\n\r\nTo achieve this, an adversary must compromise an SDN element (e.g., controller, router, switch) to forge network data and launch other attacks, such as denial of service. While data forging could relate to data held by any component of an SDN (e.g., network switches, controllers and/or SDN applications), a threat specific to SDN consists of forging requests from accessible low level SDN controllers to upper-level ones. This could then drive the upper level controllers’ decisions on how to redefine large parts of the network. 
In the literature, this scenario has been identified as a threat related to components in the data plane and the controller plane of any SDN network (IP-WAN, IP-LAN, RAN, Transport).", "meta": { "access-required": "User or Administrative access to repository", "architecture-segment": "Virtualization", "bluf": "An adversary may discover Software Defined Network (SDN) flow information, which could then open opportunities for lateral movement and unauthorized changes in the network.", "criticalassets": [ { "Description": "Adversary may target a particular network controller, network element, CI/CD, security, and operations tools to manipulate SDN network flows.", "Name": "SDN Controller and Network Elements, operations, and security tools" }, { "Description": "Adversary may target configuration or network flow data", "Name": "SDN Configurations file, Network flow tables" } ], "detections": [ { "detects": "Periodically audit SDN and Network element configuration and compare with baseline configuration to detect unauthorized changes", "fgdsid": "DS0015", "name": "Application Log" }, { "detects": "Periodically audit network flow tables to detect unauthorized changes to flow data", "fgdsid": "DS0029", "name": "Network Traffic" }, { "detects": "Analyze logs to detect unauthorized activity", "fgdsid": "FGDS5014", "name": "SDN Access Logs" } ], "external_id": "FGT5004", "kill_chain": [ "fight:Collection", "fight:Discovery" ], "mitigations": [ { "fgmid": "FGM5024", "mitigates": "A strong integrity protection method should be employed on APIs carrying control plane traffic between Controller and network element as well as controller and SDN application to avoid adversary in the middle threats", "name": "Integrity protection of data communication" }, { "fgmid": "FGM5090", "mitigates": "Logs from SDN Controller and network elements must be correlated to ensure unauthorized activity is reported. 
Similarly, flow rules change log should be reviewed and reconciled with authorized changes.", "name": "Log correlation" }, { "fgmid": "FGM5091", "mitigates": "Mutual authentication between the SDN controller and network elements. The SDN controller and SDN application can be used to prevent unauthorized access", "name": "Mutual authentication" }, { "fgmid": "M1022", "mitigates": "Restricted Permissions to add images to SDN Controller and Network Elements for person and non-person accounts.\n\nRestrict permissions for person and non-person accounts to prevent flow rule insertion or modification", "name": "Restrict File and Directory Permissions" }, { "fgmid": "M1030", "mitigates": "Physical and logical segmentation can prevent lateral movements.", "name": "Network Segmentation" }, { "fgmid": "M1041", "mitigates": "Strong encryption should be used on APIs carrying control plane traffic between Controller and network element as well as controller and SDN application to avoid adversary in the middle threats", "name": "Encrypt Sensitive Information" }, { "fgmid": "M1053", "mitigates": "All SDN Configurations should be backed up and periodically audited to see differences between running configuration and back up configurations", "name": "Data Backup" }, { "fgmid": "M1054", "mitigates": "Keep baseline configurations up to date to avoid loopholes due to stale configuration or configuration drift.", "name": "Software Configuration" } ], "object-type": "technique", "platforms": "SDN", "postconditions": [ { "Description": "Network flow compromise can lead to DOS, or change the traffic pattern and paths. 
Adversary may change the path for network sniffing or for MiTM activity.", "Name": "Network flow compromise" } ], "preconditions": [ { "Description": "Privileged Access to SDN controller and Network elements", "Name": "Credential and Access to SDN Controller and network elements" } ], "refs": [ "[1] ENISA, “Threat Landscape and Good Practice Guide for Software Defined Networks/5G”, Jan. 2016 - https://www.enisa.europa.eu/publications/sdn-threat-landscape", "[2] Scott-Hayward, S., O'Callaghan, G., & Sezer, S. “SDN Security: A Survey”. 2013 IEEE SDN for Future. Networks and Services (SDN4FNS (pp. 1-7 - https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6702c553&tag=1", "[3] R. Pell, S. Moschoyiannis, E. Panaousis, R. Heartfield, “Towards dynamic threat modelling in 5G core networks based on MITRE ATT&CK”, October 2021 - https://arxiv.org/abs/2108.11206", "https://fight.mitre.org/data%20sources/DS0015", "https://fight.mitre.org/data%20sources/DS0029", "https://fight.mitre.org/data%20sources/FGDS5014", "https://fight.mitre.org/mitigations/FGM5024", "https://fight.mitre.org/mitigations/FGM5090", "https://fight.mitre.org/mitigations/FGM5091", "https://fight.mitre.org/mitigations/M1022", "https://fight.mitre.org/mitigations/M1030", "https://fight.mitre.org/mitigations/M1041", "https://fight.mitre.org/mitigations/M1053", "https://fight.mitre.org/mitigations/M1054", "https://fight.mitre.org/techniques/FGT5004" ], "status": "This is a theoretical behavior in context of 5G systems.", "typecode": "fight_technique" }, "related": [ { "dest-uuid": "cccb021c-dd96-5d72-904f-c55ad24598de", "type": "mitigated-by" }, { "dest-uuid": "22139148-14ef-5a59-a345-d4fcd502a317", "type": "mitigated-by" }, { "dest-uuid": "fcdd534a-5b3d-5d5c-a394-c25bba4c3eda", "type": "mitigated-by" }, { "dest-uuid": "98e2c930-af98-58ec-9c07-acea1cf2b6a2", "type": "mitigated-by" }, { "dest-uuid": "9c376223-8d89-5179-8a56-51de20697bd2", "type": "mitigated-by" }, { "dest-uuid": 
"71801a06-41bd-5336-a539-e8bea9d647f7", "type": "mitigated-by" }, { "dest-uuid": "1f4b61bd-9209-5d04-8a90-bc3e4fe84226", "type": "mitigated-by" }, { "dest-uuid": "dd78a499-3b11-5095-9db9-58cef55bef9e", "type": "mitigated-by" }, { "dest-uuid": "3c23d0f7-d55c-5891-90b9-c744e976f0ef", "type": "detected-by" }, { "dest-uuid": "becdcf31-3d2a-53bb-8251-51e9da4a0df6", "type": "detected-by" }, { "dest-uuid": "6a72edd8-428c-5a31-8f36-1ccee776ff19", "type": "detected-by" } ], "uuid": "92ee2205-3046-5a74-9f0c-10db329f2bc3", "value": "Network Flow Manipulation" }, { "description": "An adversary may use the compromised SDN controller or Control plane API to modify network flow rules, or traffic management policies.\r\n\r\nAn SDN controller is a centralized control application for policy, device configuration, and traffic flow management. SDN controller compromise can allow an adversary to change the traffic path for offensive or defensive evasion purposes as well as cause denial of service to certain networks or end points. SDN Controller application is typically installed on a physical or virtual server and communicates northbound to other OAM applications as well as southbound to network switches. 
SDN controller acts as an Operating System for the Network in SDN architecture and is widely deployed in data centers and wide area network connections (SD-WAN).", "meta": { "access-required": "User or Administrative access to repository", "architecture-segment": "Virtualization", "bluf": "An adversary may use the compromised SDN controller or Control plane API to modify network flow rules, or traffic management policies.", "criticalassets": [ { "Description": "Adversary may target a particular network controller, network element, CI/CD, security, and operations tools to manipulate SDN network flows.", "Name": "SDN Controller and Network Elements, operations, and security tools" }, { "Description": "Adversary may target configuration to manipulate controller and network element behavior", "Name": "SDN controller Configuration file" } ], "detections": [ { "detects": "Periodically audit SDN and Network element configuration to detect unauthorized changes", "fgdsid": "DS0015", "name": "Application Log" }, { "detects": "Periodically audit network flow tables to detect unauthorized changes to flow data", "fgdsid": "DS0029", "name": "Network Traffic" }, { "detects": "Analyze logs to detect unauthorized activity", "fgdsid": "FGDS5014", "name": "SDN Access Logs" } ], "external_id": "FGT5004.001", "kill_chain": [ "fight:Collection", "fight:Discovery" ], "mitigations": [ { "fgmid": "FGM5024", "mitigates": "Strong integrity protection method should be employed on APIs carrying control plane traffic between Controller and network element as well as controller and SDN application to avoid adversary in the middle threats", "name": "Integrity protection of data communication" }, { "fgmid": "FGM5090", "mitigates": "Logs from SDN Controller and network elements must be correlated to ensure unauthorized activity is reported. 
Similarly flow rules change log should be reviewed and reconciled with authorized changes.", "name": "Log correlation" }, { "fgmid": "FGM5091", "mitigates": "Mutual authentication between SDN controller and network elements, SDN controller and SDN application can prevent unauthorized access", "name": "Mutual authentication" }, { "fgmid": "M1022", "mitigates": "Restricted Permissions to add application images to SDN Controller for person and non-person accounts.\n\nRestricted permissions for person and non-person accounts to prevent flow rule insertion or modification", "name": "Restrict File and Directory Permissions" }, { "fgmid": "M1030", "mitigates": "Physical and logical segmentation can prevent lateral movements. Segmentation techniques in the hosts and network will reduce the chances of lateral movement to the control.", "name": "Network Segmentation" }, { "fgmid": "M1041", "mitigates": "Strong encryption should be used on APIs carrying control plane traffic between Controller and network element as well as controller and SDN application to avoid adversary in the middle threats", "name": "Encrypt Sensitive Information" }, { "fgmid": "M1053", "mitigates": "SDN controller configurations should be backed up and periodically audited to see differences between running configuration and back up configurations", "name": "Data Backup" }, { "fgmid": "M1054", "mitigates": "Keep baseline configuration up to date to avoid loopholes due to stale configuration or configuration drift.", "name": "Software Configuration" } ], "object-type": "technique", "platforms": "SDN Controller", "postconditions": [ { "Description": "Network flow compromise can lead to DOS, or change the traffic pattern and paths. 
Adversary may change the path for network sniffing or for MiTM activity.", "Name": "Network flow compromise" } ], "preconditions": [ { "Description": "Privileged Access to SDN controller via direct login or through SDN control plane APIs", "Name": "Credential and Access to SDN Controller" } ], "refs": [ "[1] ENISA, “Threat Landscape and Good Practice Guide for Software Defined Networks/5G”, Jan. 2016 - https://www.enisa.europa.eu/publications/sdn-threat-landscape", "[2] Scott-Hayward, S., O'Callaghan, G., & Sezer, S. “SDN Security: A Survey”. 2013 IEEE SDN for Future. Networks and Services (SDN4FNS (pp. 1-7 - https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6702553&tag=1", "[3] R. Pell, S. Moschoyiannis, E. Panaousis, R. Heartfield, “Towards dynamic threat modelling in 5G core networks based on MITRE ATT&CK”, October 2021 - https://arxiv.org/abs/2108.11206", "https://fight.mitre.org/data%20sources/DS0015", "https://fight.mitre.org/data%20sources/DS0029", "https://fight.mitre.org/data%20sources/FGDS5014", "https://fight.mitre.org/mitigations/FGM5024", "https://fight.mitre.org/mitigations/FGM5090", "https://fight.mitre.org/mitigations/FGM5091", "https://fight.mitre.org/mitigations/M1022", "https://fight.mitre.org/mitigations/M1030", "https://fight.mitre.org/mitigations/M1041", "https://fight.mitre.org/mitigations/M1053", "https://fight.mitre.org/mitigations/M1054", "https://fight.mitre.org/techniques/FGT5004.001" ], "status": "This is a theoretical behavior in context of 5G systems.", "subtechnique-of": "FGT5004", "typecode": "fight_subtechnique" }, "related": [ { "dest-uuid": "cccb021c-dd96-5d72-904f-c55ad24598de", "type": "mitigated-by" }, { "dest-uuid": "22139148-14ef-5a59-a345-d4fcd502a317", "type": "mitigated-by" }, { "dest-uuid": "fcdd534a-5b3d-5d5c-a394-c25bba4c3eda", "type": "mitigated-by" }, { "dest-uuid": "98e2c930-af98-58ec-9c07-acea1cf2b6a2", "type": "mitigated-by" }, { "dest-uuid": "9c376223-8d89-5179-8a56-51de20697bd2", "type": "mitigated-by" }, 
{ "dest-uuid": "71801a06-41bd-5336-a539-e8bea9d647f7", "type": "mitigated-by" }, { "dest-uuid": "1f4b61bd-9209-5d04-8a90-bc3e4fe84226", "type": "mitigated-by" }, { "dest-uuid": "dd78a499-3b11-5095-9db9-58cef55bef9e", "type": "mitigated-by" }, { "dest-uuid": "3c23d0f7-d55c-5891-90b9-c744e976f0ef", "type": "detected-by" }, { "dest-uuid": "becdcf31-3d2a-53bb-8251-51e9da4a0df6", "type": "detected-by" }, { "dest-uuid": "6a72edd8-428c-5a31-8f36-1ccee776ff19", "type": "detected-by" }, { "dest-uuid": "92ee2205-3046-5a74-9f0c-10db329f2bc3", "type": "subtechnique-of" } ], "uuid": "619948ee-a419-5a48-b69b-d9bcc4ef5e37", "value": "Controller" }, { "description": "An adversary may compromise a vSwitch in an SDN network to manipulate the network traffic or cause denial of service\r\n\r\nAn SDN vSwitch is like a layer 2 switch that connects devices to the network and performs packet forwarding between the switch ports. This threat involves compromising an SDN vSwitch (an SDN device responsible for packet/data switching between different ingress and egress ports) to forge network data and launch other attacks (e.g., DoS). 
Adversary may target vSwitch configuration or directly manipulate network flow tables in memory to drive their decisions on how to redefine large parts of the network.", "meta": { "access-required": "User or Administrative access to repository", "architecture-segment": "Virtualization", "bluf": "An adversary may compromise a vSwitch in an SDN network to manipulate the network traffic or cause denial of service", "criticalassets": [ { "Description": "Adversary may target a particular network controller, network element, CI/CD, security, and operations tools to manipulate SDN network flows in a vSwitch", "Name": "SDN vSwitch, operations, and security tools" }, { "Description": "Adversary may target configuration to manipulate vSwitch and network behavior", "Name": "SDN vSwitch Configuration file" }, { "Description": "Network flows are stored in Network Flow tables, usually referred to as route or switch tables, that the vSwitch uses to decide which packet forwarding port to use for incoming packets", "Name": "SDN vSwitch flow table" } ], "detections": [ { "detects": "Periodically audit SDN and Network element configuration and compare with baseline configuration to detect unauthorized changes", "fgdsid": "DS0015", "name": "Application Log" }, { "detects": "Periodically audit network flow tables to detect unauthorized changes to flow data", "fgdsid": "DS0029", "name": "Network Traffic" }, { "detects": "Analyze logs to detect unauthorized activity", "fgdsid": "FGDS5014", "name": "SDN Access Logs" } ], "external_id": "FGT5004.002", "kill_chain": [ "fight:Collection", "fight:Discovery" ], "mitigations": [ { "fgmid": "FGM5024", "mitigates": "Strong integrity protection method should be employed on APIs carrying control plane traffic between Controller and network element as well as controller and vSwitch to avoid adversary in the middle threats", "name": "Integrity protection of data communication" }, { "fgmid": "FGM5090", "mitigates": "Logs from SDN Controller and network 
elements must be correlated to ensure unauthorized activity is reported. Similarly flow rules change log should be reviewed and reconciled with authorized changes.", "name": "Log correlation" }, { "fgmid": "FGM5091", "mitigates": "Mutual authentication between SDN controller and vSwitch can prevent unauthorized access", "name": "Mutual authentication" }, { "fgmid": "M1022", "mitigates": "Restricted Permissions to add application images to SDN vSwitch for person and non-person accounts.\n\nRestricted permissions for person and non-person accounts to prevent flow rule insertion or modification directly on the vSwitch", "name": "Restrict File and Directory Permissions" }, { "fgmid": "M1030", "mitigates": "Physical and logical segmentation can prevent lateral movements. Segmentation techniques in the hosts and network will reduce the chances of lateral movement to the control.", "name": "Network Segmentation" }, { "fgmid": "M1041", "mitigates": "Strong encryption should be used on APIs carrying control plane traffic between Controller and network element as well as controller and vSwitch to avoid adversary in the middle threats", "name": "Encrypt Sensitive Information" }, { "fgmid": "M1053", "mitigates": "SDN vSwitch configurations should be backed up and periodically audited to see differences between running configuration and back up configurations", "name": "Data Backup" }, { "fgmid": "M1054", "mitigates": "Keep baseline configuration up to date to avoid loopholes due to stale configuration or configuration drift.", "name": "Software Configuration" } ], "object-type": "technique", "platforms": "SDN vSwitch, Network Element", "postconditions": [ { "Description": "Network flow compromise can lead to DOS or change the traffic pattern and paths. 
Adversary may change the path for network sniffing or for AiTM activity.", "Name": "Network flow compromise" } ], "preconditions": [ { "Description": "Privileged Access to SDN vSwitch via direct login or through SDN control plane APIs", "Name": "Credential and Access to SDN vSwitch" } ], "refs": [ "[1] ENISA, “Threat Landscape and Good Practice Guide for Software Defined Networks/5G”, Jan. 2016 - https://www.enisa.europa.eu/publications/sdn-threat-landscape", "[2] Scott-Hayward, S., O'Callaghan, G., & Sezer, S. “SDN Security: A Survey”. 2013 IEEE SDN for Future. Networks and Services (SDN4FNS (pp. 1-7 - https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6702553&tag=1", "[3] R. Pell, S. Moschoyiannis, E. Panaousis, R. Heartfield, “Towards dynamic threat modelling in 5G core networks based on MITRE ATT&CK”, October 2021 - https://arxiv.org/abs/2108.11206", "https://fight.mitre.org/data%20sources/DS0015", "https://fight.mitre.org/data%20sources/DS0029", "https://fight.mitre.org/data%20sources/FGDS5014", "https://fight.mitre.org/mitigations/FGM5024", "https://fight.mitre.org/mitigations/FGM5090", "https://fight.mitre.org/mitigations/FGM5091", "https://fight.mitre.org/mitigations/M1022", "https://fight.mitre.org/mitigations/M1030", "https://fight.mitre.org/mitigations/M1041", "https://fight.mitre.org/mitigations/M1053", "https://fight.mitre.org/mitigations/M1054", "https://fight.mitre.org/techniques/FGT5004.002" ], "status": "This is a theoretical behavior in context of 5G systems.", "subtechnique-of": "FGT5004", "typecode": "fight_subtechnique" }, "related": [ { "dest-uuid": "cccb021c-dd96-5d72-904f-c55ad24598de", "type": "mitigated-by" }, { "dest-uuid": "22139148-14ef-5a59-a345-d4fcd502a317", "type": "mitigated-by" }, { "dest-uuid": "fcdd534a-5b3d-5d5c-a394-c25bba4c3eda", "type": "mitigated-by" }, { "dest-uuid": "98e2c930-af98-58ec-9c07-acea1cf2b6a2", "type": "mitigated-by" }, { "dest-uuid": "9c376223-8d89-5179-8a56-51de20697bd2", "type": "mitigated-by" }, { 
"dest-uuid": "71801a06-41bd-5336-a539-e8bea9d647f7", "type": "mitigated-by" }, { "dest-uuid": "1f4b61bd-9209-5d04-8a90-bc3e4fe84226", "type": "mitigated-by" }, { "dest-uuid": "dd78a499-3b11-5095-9db9-58cef55bef9e", "type": "mitigated-by" }, { "dest-uuid": "3c23d0f7-d55c-5891-90b9-c744e976f0ef", "type": "detected-by" }, { "dest-uuid": "becdcf31-3d2a-53bb-8251-51e9da4a0df6", "type": "detected-by" }, { "dest-uuid": "6a72edd8-428c-5a31-8f36-1ccee776ff19", "type": "detected-by" }, { "dest-uuid": "92ee2205-3046-5a74-9f0c-10db329f2bc3", "type": "subtechnique-of" } ], "uuid": "0aac4d25-bafb-5d52-9352-6ff5eb09e66f", "value": "vSwitch" }, { "description": "Adversaries may bridge network boundaries by modifying a Virtual Network Function’s Configuration.\r\n\r\nAny VNF that serves as a Middlebox or Proxy can be targeted by adversary for configuration exploits (Network Address Translation (NAT), Gateways, Security Edge Protection Proxies (SEPPs), IP Exchange (IPXs) entities). Configuration stored on the device determines the device behavior for middle boxes such as NAT or application GWs. Start up and run time configuration data can be manipulated for nefarious purposes. 
SDN VNF unauthorized configuration changes can lead to modified 5G traffic flows and may bridge otherwise isolated slices.", "meta": { "access-required": "User or Administrative access to repository", "architecture-segment": "OA&M, Virtualization", "bluf": "Adversaries may bridge network boundaries by modifying a network device's Virtual Network Function Configuration.", "criticalassets": [ { "Description": "Adversary may target a particular network controller, network element, CI/CD, security to manipulate VNF behavior", "Name": "VNF orchestrators/managers" }, { "Description": "Adversary may target particular operations tools to manipulate VNF behavior", "Name": "VNF operations tools" }, { "Description": "Adversary may target particular security tools to manipulate VNF behavior", "Name": "VNF security tools" }, { "Description": "Adversary may target configuration in the VNF, stored in backups, or part of the code", "Name": "VNF Configuration file" } ], "detections": [ { "detects": "Image life cycle and runtime events", "fgdsid": "DS0007", "name": "Image" }, { "detects": "Audit configuration - Periodically audit VNF configuration to detect unauthorized changes", "fgdsid": "DS0015", "name": "Application Log" }, { "detects": "Access Logs - Analyze logs to detect unauthorized activity to VNF and other tools used in lifecycle management and security of the VNF", "fgdsid": "DS0028", "name": "Logon Session" }, { "detects": "Audit network flow - Audit network flows to VNF and other tools used in lifecycle management and security of the VNF", "fgdsid": "DS0029", "name": "Network Traffic" } ], "external_id": "FGT5039", "kill_chain": [ "fight:Defense-Evasion" ], "mitigations": [ { "fgmid": "M1033", "mitigates": "VNF Access Rights -Restricted Permissions to add images to VNFs (Network Element) for person and non-person accounts", "name": "Limit Software Installation" }, { "fgmid": "M1047", "mitigates": "Logs from VNFs must be correlated with other OA&M and Security monitoring 
tools to ensure unauthorized activity is reported. A SIEM-like system should be deployed to correlate events.", "name": "Audit" }, { "fgmid": "M1053", "mitigates": "Configuration back ups -All VNF Configurations should be backed up and periodically audited to see differences between running configuration and back up configurations as well as comparison between configuration catalogue and running instance", "name": "Data Backup" } ], "object-type": "technique", "platforms": "SDN vSwitch, Network Element", "postconditions": [ { "Description": "VNF compromise can lead to DOS or change in the traffic pattern and paths.", "Name": "Unexpected and unusual VNF behavior" } ], "preconditions": [ { "Description": "Privileged Access to VNF or VNF managers via direct login or through Control Plane APIs", "Name": "Credential and Access" } ], "procedureexamples": [ { "Description": "Active configuration changes can be made when direct access to VNF or its element managers is available", "Name": "Active configuration changes" }, { "Description": "Configuration as a code repository or back up configuration store can be manipulated to cause an NF to take compromised configuration upon reboot or re-instantiation", "Name": "Stored or Coded configuration" } ], "refs": [ "[1] S.P. Rao, S. Holtmanns, T. 
Aura: “Threat modeling framework for mobile communication systems”, May 2020 - https://arxiv.org/abs/2005.05110v1", "https://fight.mitre.org/data%20sources/DS0007", "https://fight.mitre.org/data%20sources/DS0015", "https://fight.mitre.org/data%20sources/DS0028", "https://fight.mitre.org/data%20sources/DS0029", "https://fight.mitre.org/mitigations/M1033", "https://fight.mitre.org/mitigations/M1047", "https://fight.mitre.org/mitigations/M1053", "https://fight.mitre.org/techniques/FGT5039" ], "status": "This is a theoretical behavior in context of 5G systems.", "typecode": "fight_technique" }, "related": [ { "dest-uuid": "d77cd76e-6cf8-5345-ba70-cd17b9215573", "type": "mitigated-by" }, { "dest-uuid": "a30b7d01-b740-5538-b28d-d87befd5fd29", "type": "mitigated-by" }, { "dest-uuid": "1f4b61bd-9209-5d04-8a90-bc3e4fe84226", "type": "mitigated-by" }, { "dest-uuid": "9c89df80-284c-50bd-b53c-408ce950baa2", "type": "detected-by" }, { "dest-uuid": "3c23d0f7-d55c-5891-90b9-c744e976f0ef", "type": "detected-by" }, { "dest-uuid": "859ecf98-b107-5a3a-886e-dfb46999fe09", "type": "detected-by" }, { "dest-uuid": "becdcf31-3d2a-53bb-8251-51e9da4a0df6", "type": "detected-by" } ], "uuid": "bb92bd94-2bba-507b-abf3-87c4c7efe70c", "value": "Manipulate Virtual Network Function (VNF) Configuration" }, { "description": "Adversaries may break out of a container to gain access to the underlying host.\r\n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1611)", "meta": { "addendums": [ "#### Addendum Name: VM and Container Breakout\r\n##### Architecture Segments: Virtualization, OA&M\r\n Adversary may be able to break out of VM/Container to host to compromise co-resident tenant VM/Container for discovery and exfiltration and host-based privilege escalation. \r\n\r\nVM guest OS may escape from its VM encapsulation to interact directly with the hypervisor. 
This gives the adversary access to all VMs and, if guest privileges are high enough, the host machine as well. Although few if any instances are known, experts consider VM escape to be the most serious threat to VM security.\r\n\r\nSimilarly, a container may also create privileged access to Host file system or execution environment.\r\n\r\n5G deployments may include PNFs as well as VNFs. VNFs may be deployed over Type1 or Type2 VMs or as Containers over guest OS, or over a VM. Examples of 5G functions deployed as CNF due to scaling requirements may include 5G Core capabilities of AMF, SMF, UPF and RAN Capabilities of CU, DU, RIC, x-Apps, r-Apps. A container or VM escape can expose control and user plane traffic as well as credentials to allow adversary to further carry out attacks on the network.\r\n\r\n" ], "architecture-segment": "Virtualization, OA&M", "bluf": "Adversaries may break out of a container to gain access to the underlying host.", "criticalassets": [ { "Description": "Any capabilities deployed as VNF or CNF", "Name": "VNF, CNF" }, { "Description": "Host OS, VM host server becomes a bridging device between tenant VMs and Containers if compromised", "Name": "VM, Container host" }, { "Description": "In addition to application data exposure, credential exposure is usually a key target for adversary to open the doors for many other exploits.", "Name": "Credentials" } ], "detections": [ { "detects": "Monitor process creation and OS API execution activity.", "fgdsid": "DS0009", "name": "Process" }, { "detects": "Monitor for the deployment of suspicious or unknown container images and pods in your environment, particularly containers running as root.", "fgdsid": "DS0032", "name": "Container" }, { "detects": "Monitor cluster-level (Kubernetes) data and events associated with changing containers' volume configurations.", "fgdsid": "DS0034", "name": "Volume" } ], "external_id": "FGT1611", "kill_chain": [ "fight:Lateral-Movement", "fight:Privilege-Escalation" ], 
"mitigations": [ { "fgmid": "M1026", "mitigates": "Rootless containers: Ensure containers are not running as root by default. In Kubernetes environments, consider defining a Pod Security Policy that prevents pods from running privileged containers.", "name": "Privileged Account Management" }, { "fgmid": "M1038", "mitigates": "Use read-only containers, read-only file systems, and minimal images when possible, to prevent the running of commands.", "name": "Execution Prevention" }, { "fgmid": "M1048", "mitigates": "Consider utilizing seccomp, seccomp-bpf, or a similar solution that restricts certain system calls such as mount. In Kubernetes environments, consider defining a Pod Security Policy that limits container access to host process namespaces, the host network, and the host file system", "name": "Application Isolation and Sandboxing" } ], "object-type": "technique", "platforms": "Windows, Linux, MacOS", "procedureexamples": [ { "Description": "Container was configured to bind to the host root directory", "Name": "S0600" }, { "Description": "Hildegard used the BOtB tool that can break out of Container", "Name": "S0601" }, { "Description": "Peirates can gain a reverse shell on a host node by mounting the Kubernetes hostPath.", "Name": "S0683" }, { "Description": "Siloscape maps the host’s C drive to the container by creating a global symbolic link of NtSetInformationSymbolicLink", "Name": "S0623" }, { "Description": "TeamTNT has deployed privileged containers that mount the filesystem of victim machine", "Name": "G0139" } ], "refs": [ "[1] ETSI NFV SEC023, Container security spec (WIP v004. - https://docbox.etsi.org/ISG/NFV/Open/Drafts/SEC023_Container_Security_Spec", "[2] R. Pell, S. Moschoyiannis, E. Panaousis, R. 
Heartfield, “Towards dynamic threat modelling in 5G core networks based on MITRE ATT&CK”, October 2021 - https://arxiv.org/abs/2108.11206", "[3] Github, “Awesome VM exploit” - https://github.com/WinMin/awesome-vm-exploit", "[4] Project Zero - https://googleprojectzero.blogspot.com/2021/06/an-epyc-escape-case-study-of-kvm.html", "https://attack.mitre.org/techniques/T1611", "https://fight.mitre.org/data%20sources/DS0009", "https://fight.mitre.org/data%20sources/DS0032", "https://fight.mitre.org/data%20sources/DS0034", "https://fight.mitre.org/mitigations/M1026", "https://fight.mitre.org/mitigations/M1038", "https://fight.mitre.org/mitigations/M1048", "https://fight.mitre.org/techniques/FGT1611" ], "status": "This is an observed behavior in Enterprise networks, and is theoretical in context of 5G systems.", "typecode": "attack_technique_addendum" }, "related": [ { "dest-uuid": "4a5b7ade-8bb5-4853-84ed-23f262002665", "type": "related-to" }, { "dest-uuid": "177506f3-cd8d-5035-b807-6528e3a75c5f", "type": "mitigated-by" }, { "dest-uuid": "9a269951-76a2-5c22-9f28-a2be9ba89a7f", "type": "mitigated-by" }, { "dest-uuid": "125376f1-4b4e-51b5-9bc4-78f78acd3f91", "type": "mitigated-by" }, { "dest-uuid": "2251c650-0578-5b11-ab47-d05f1166dc47", "type": "detected-by" }, { "dest-uuid": "ec826f62-f75d-54a6-ad04-6b19f808283f", "type": "detected-by" }, { "dest-uuid": "656442c9-cfef-567b-8ee3-8df729d3eff2", "type": "detected-by" } ], "uuid": "ece5710d-4edb-5077-acb5-65ec7c7b6eb3", "value": "Escape to Host" }, { "description": "An adversary may be able to read memory registers to discover privileged information such as local password comparison, encryption key etc.\r\n\r\nAn adversary can achieve this by scanning the physical memory used by a given software program. This will give the adversary access to any information that the program has access to, which could be sensitive. 
While memory scraping can affect components of any layer of the network, this type of threat has been primarily a focus of SDN application servers where the adversary can have greater advantage, if successful, in discovering sensitive information (credentials such as token and keys). \r\n\r\nAdversaries may use memory scraping to target different components of the core network; a core dump of an SDN controller (e.g. as the result of malicious software) can be used to exploit private data. Once successfully performed, memory scraping can be used to extract sensitive SDN data (e.g. flow rules at the northbound API).[2]", "meta": { "access-required": "Administrative access, Access to install scraper malware", "architecture-segment": "Virtualization", "bluf": "An adversary may be able to read memory registers to discover privileged information such as local password comparison, encryption key etc.", "criticalassets": [ { "Description": "Adversary may target a particular network controller, network element, CI/CD, security, and operations tools to collect data", "Name": "SDN controller and network elements (or any target host)" }, { "Description": "Adversary may target configuration or network flow data", "Name": "SDN configurations file, Network flow tables" } ], "detections": [ { "detects": "Analyze logs to detect unauthorized activity", "fgdsid": "DS0015", "name": "Application Log" }, { "detects": "All inbound and outbound connections should be audited for unauthorized activity", "fgdsid": "DS0029", "name": "Network Traffic" } ], "external_id": "FGT5005", "kill_chain": [ "fight:Collection" ], "mitigations": [ { "fgmid": "FGM5090", "mitigates": "Logs from SDN controller and network elements must be correlated to ensure unauthorized activity (file transfer, patch installs, process init) is reported.", "name": "Log correlation" }, { "fgmid": "M1033", "mitigates": "Restrict permissions to add software to SDN controller and network elements for person and non-person 
accounts", "name": "Limit Software Installation" }, { "fgmid": "M1047", "mitigates": "SDN controllers and network elements scanned for file changes and processes.", "name": "Audit" } ], "object-type": "technique", "platforms": "SDN, Hosts", "preconditions": [ { "Description": "Privileged access to SDN controller and network elements to transfer and install malware to the target host.", "Name": "Credential and access to SDN controller and network elements" } ], "refs": [ "[1] European Union Agency for Cybersecurity (ENISA : “ENISA Threat Landscape for 5G Networks” Report, section 6.2, December 2020. - https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks", "[2] ENISA, “Threat Landscape and Good Practice Guide for Software Defined Networks/5G”, Jan. 2016 - https://www.enisa.europa.eu/publications/sdn-threat-landscape", "[3] ETSI GS NFV-SEC 009 V1.1.1, “NFV Security:\nReport on use cases and technical approaches for multi-layer host administration”, December 2015 - https://www.etsi.org/deliver/etsi_gs/nfv-sec/001_099/009/01.01.01_60/gs_nfv-sec009v010101p.pdf", "[4] N. Huq, “PoS RAM Scraper Malware: Past, Present, and Future,” Trend Micro, accessed May 25, 2023 - https://www.wired.com/wp-content/uploads/2014/09/wp-pos-ram-scraper-malware.pdf", "[5] J. Hizver, “Taxonomic Modeling of Security Threats in Software Defined Networking”, Blackhat Conference, Aug. 2015 - https://www.blackhat.com/docs/us-15/materials/us-15-Hizver-Taxonomic-Modeling-Of-Security-Threats-In-Software-Defined-Networking-wp.pdf", "[6] R. Pell, S. Moschoyiannis, E. Panaousis, R. 
Heartfield, “Towards dynamic threat modelling in 5G core networks based on MITRE ATT&CK”, October 2021 - https://arxiv.org/abs/2108.11206", "https://fight.mitre.org/data%20sources/DS0015", "https://fight.mitre.org/data%20sources/DS0029", "https://fight.mitre.org/mitigations/FGM5090", "https://fight.mitre.org/mitigations/M1033", "https://fight.mitre.org/mitigations/M1047", "https://fight.mitre.org/techniques/FGT5005" ], "status": "Observed in earlier 3GPP generations and expected in 5G.", "typecode": "fight_technique" }, "related": [ { "dest-uuid": "22139148-14ef-5a59-a345-d4fcd502a317", "type": "mitigated-by" }, { "dest-uuid": "d77cd76e-6cf8-5345-ba70-cd17b9215573", "type": "mitigated-by" }, { "dest-uuid": "a30b7d01-b740-5538-b28d-d87befd5fd29", "type": "mitigated-by" }, { "dest-uuid": "3c23d0f7-d55c-5891-90b9-c744e976f0ef", "type": "detected-by" }, { "dest-uuid": "becdcf31-3d2a-53bb-8251-51e9da4a0df6", "type": "detected-by" } ], "uuid": "e72f4c00-8cb5-5e2e-b2ef-24a4c5609efe", "value": "Memory Scraping" }, { "description": "Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic.\r\n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1437)", "meta": { "access-required": "NF Service Account credentials", "addendums": [ "#### Addendum Name: Control plane signaling disguise for C2\r\n##### Architecture Segments: Control Plane\r\n An adversary may use Control Plane signaling between Network Functions (NFs) of the Service Based Architecture to disguise adversary’s C2 communication.\r\n\r\nThe 5G NFs may implement TLS and HTTP/2 for their communications (e.g. via Service Based Interfaces), which means the traffic will be encrypted. This type of communication between authorized NFs may be used to avoid detection by using legitimate protocols and port numbers and encrypting that data. 
Encryption makes it difficult to employ detection techniques to identify suspicious traffic patterns. In addition, HTTP/2 optional parameters may be used to communicate between a core NF and an external application function via NEF or between an NF in visited PLMN and an NF in home PLMN via SEPP.\r\nIn the same fashion, an adversary may use encrypted channels between authenticated NFs to disguise C2 communication.\r\n\r\n" ], "architecture-segment": "Control Plane", "bluf": "Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic.", "criticalassets": [ { "Description": "IP addresses, FQDNs and TLS connections of core NFs are used for nefarious purposes", "Name": "Operator resource identifiers and signaling" } ], "detections": [], "external_id": "FGT1437", "kill_chain": [ "fight:Command-and-Control" ], "mitigations": [ { "fgmid": "FGM5501", "mitigates": "Employ TLS proxies with DPI firewalls. TLS proxy/firewall can employ DPI to decrypt the packets and send them off to their destination, but only after logging what the packet contains. \nThe firewalls/proxies connect to a SIEM whose data is being kept up to date with current threats. Service communication proxy (SCP) can also be used for this purpose.", "name": "TLS proxy/firewalls with DPI on the SBA" } ], "object-type": "technique", "platforms": "5G Network", "procedureexamples": [ { "Description": "The signaling AF to NEF to UDM and back from UDM to NEF to AF is used in several procedures [1]. Example: NIDD (non-IP data delivery) (see clause 4.25 of [2]), or VN (Virtual Network) group management. See clause 4.15.6 of [2].", "Name": "Third party app (AF) to Network Exposure Function (NEF) to Core NF used as a data exfiltration channel" }, { "Description": "AMF in vPLMN communicates to AUSF in hPLMN during UE authentication. 
This channel can be used to disguise C2 communication.", "Name": "An NF in vPLMN to an NF in hPLMN via SEPP" } ], "refs": [ "[1] R. Pell, S. Moschoyiannis, E. Panaousis, R. Heartfield, “Towards dynamic threat modelling in 5G core networks based on MITRE ATT&CK”, October 2021 - https://arxiv.org/abs/2108.11206", "[2] 3rd Generation Partnership Project (3GPP) TS 23.502, “Procedures for the 5G System (5GS); Stage 2 (Release 17)”, Technical Specification, v17.4.0, March 2022. - https://www.3gpp.org/DynaReport/23502.htm", "https://attack.mitre.org/techniques/T1437", "https://fight.mitre.org/mitigations/FGM5501", "https://fight.mitre.org/techniques/FGT1437" ], "status": "This is an observed behavior in Enterprise networks, and is theoretical in context of 5G systems.", "typecode": "attack_technique_addendum" }, "related": [ { "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673", "type": "related-to" }, { "dest-uuid": "39a823fe-072a-54a2-90cb-522e0a8c149c", "type": "mitigated-by" } ], "uuid": "baac2363-a121-57f7-85e0-5fa2b3e91b5d", "value": "Application Layer Protocol" }, { "description": "Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.\r\n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1078/003)", "meta": { "access-required": "Administrative access", "addendums": [ "#### Addendum Name: Infrastructure local account\r\n##### Architecture Segments: OA&M\r\n An adversary may use local administrative privileges to bypass network controls responsible for access controls and software to achieve persistence. \r\n\r\nIn a 5G deployment, unmanned locations or low security sites may be exposed to an adversary using local communication, auxiliary or serial interfaces to gain access to a device using a device-local account. 
\r\n\r\nAn adversary with a legitimate or compromised local network operator administrative account may perform unauthorized administration of devices and systems. Some devices always maintain local accounts in addition to networked IDAM/ICAM. Unauthorized administration of devices and systems can be done using these local administrative accounts. \r\n\r\n" ], "architecture-segment": "OA&M", "bluf": "Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.", "criticalassets": [ { "Description": "Any 5G, Network, OSS and Security capability deployed as PNF supporting local accounts", "Name": "Physical Network Functions" }, { "Description": "Any Virtualization and Network host supporting local account", "Name": "Infrastructure servers" } ], "detections": [ { "detects": "User Account authentication", "fgdsid": "DS0002", "name": "User Account" }, { "detects": "Logon session", "fgdsid": "DS0028", "name": "Logon Session" } ], "external_id": "FGT1078.003", "kill_chain": [ "fight:Persistence" ], "mitigations": [ { "fgmid": "M1026", "mitigates": "Privileged account management", "name": "Privileged Account Management" }, { "fgmid": "M1027", "mitigates": "Passwords Policies to ensure secure local accounts across all devices that necessitate local accounts", "name": "Password Policies" } ], "object-type": "technique", "platforms": "Infrastructure, PNF", "refs": [ "[1] ENISA “Threat Landscape and Good Practice Guide for Software Defined Networks/5G”, Jan. 2016, Table 1, and 2 - https://www.enisa.europa.eu/publications/sdn-threat-landscape", "[2] R. Pell, S. Moschoyiannis, E. Panaousis, R. 
Heartfield, “Towards dynamic threat modelling in 5G core networks based on MITRE ATT&CK”,  October 2021 - https://arxiv.org/abs/2108.11206", "https://attack.mitre.org/techniques/T1078/003", "https://fight.mitre.org/data%20sources/DS0002", "https://fight.mitre.org/data%20sources/DS0028", "https://fight.mitre.org/mitigations/M1026", "https://fight.mitre.org/mitigations/M1027", "https://fight.mitre.org/techniques/FGT1078.003" ], "status": "This is an observed behavior in Enterprise networks, and is theoretical in context of 5G systems.", "subtechnique-of": "FGT1078", "typecode": "attack_subtechnique_addendum" }, "related": [ { "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", "type": "related-to" }, { "dest-uuid": "177506f3-cd8d-5035-b807-6528e3a75c5f", "type": "mitigated-by" }, { "dest-uuid": "69dd1793-f0d3-51dc-974d-a43031c0b343", "type": "mitigated-by" }, { "dest-uuid": "eed23463-a7b6-555c-a7bf-2c3832fb00d0", "type": "detected-by" }, { "dest-uuid": "859ecf98-b107-5a3a-886e-dfb46999fe09", "type": "detected-by" }, { "dest-uuid": "885cc34d-43de-5539-82f0-8b7d98b8e4a1", "type": "subtechnique-of" } ], "uuid": "2e9b67f3-da8f-5680-b4e1-092cb9fba4a9", "value": "Local Accounts" }, { "description": "Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components.\r\n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1014)", "meta": { "access-required": "Administrative access", "addendums": [ "#### Addendum Name: Unauthorized software in NFVI\r\n##### Architecture Segments: Virtualization, OA&M\r\n An adversary may implant rootkits in the Network Function Virtualization Infrastructure (NFVI) that will hide the presence of programs, files, network connections, services, drivers, and other system components.\r\n\r\nRootkits are a special type of malware designed to remain hidden on a target computer. 
These Rootkits can be created for hardware and firmware for CMOS and other chips, Kernel, Memory, and Applications. \r\n\r\nAdversaries may implant rootkits during the device manufacturing process, through a compromised CI/CD pipeline, or via direct access to a device, targeting Cloud, MEC, RAN, or UE components.\r\n\r\nAdversaries may use rootkit compromise for other actions such as credential dumping, configuration changes, or attacking other components in the network. Rootkits are hard to detect and may not be easily identified by end point protection software. Hosts suspected of rootkit infection may need to be quarantined and rebuilt from scratch with known good software.\r\n\r\n" ], "architecture-segment": "Virtualization, OA&M", "bluf": "Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components.", "criticalassets": [ { "Description": "NFVI components that support virtualization and network connecting the virtual functions.", "Name": "Physical, Virtual, and cloud native functions" }, { "Description": "Any compute entity that supports data processing functions, including Linux/Windows hosts, VMs, and/or specialty equipment that has an address and interacts with other NFVI elements.", "Name": "Hosts" } ], "detections": [ { "detects": "Software image inconsistency. 
Signature and checksum mismatch", "fgdsid": "DS0007", "name": "Image" }, { "detects": "Kernel executing unknown processes or unauthorized processes not typical of the host.", "fgdsid": "DS0008", "name": "Kernel" }, { "detects": "Active processes or process log may reveal unauthorized activity due to rootkits", "fgdsid": "DS0009", "name": "Process" }, { "detects": "Background services not typically associated with the host", "fgdsid": "DS0019", "name": "Service" }, { "detects": "File changes of any sort that cannot be traced back to authorized change.", "fgdsid": "DS0022", "name": "File" }, { "detects": "Network traffic pattern may reveal remote C2 communication from rootkit", "fgdsid": "DS0029", "name": "Network Traffic" } ], "external_id": "FGT1014", "kill_chain": [ "fight:Defense-Evasion" ], "mitigations": [ { "fgmid": "M1018", "mitigates": "User Account Management", "name": "User Account Management" }, { "fgmid": "M1045", "mitigates": "Code Signing", "name": "Code Signing" }, { "fgmid": "M1046", "mitigates": "Boot integrity", "name": "Boot Integrity" }, { "fgmid": "M1047", "mitigates": "System audits can reveal anomalous behavior that may be caused by rootkits.", "name": "Audit" }, { "fgmid": "M1051", "mitigates": "Update Software", "name": "Update Software" } ], "object-type": "technique", "platforms": "Infrastructure, PNF, VNF Hosts", "refs": [ "[1] ETSI NFV SEC025, Secure E2E VNF & NS management spec (WIP v006, retrieved April 26, 2021 - https://docbox.etsi.org/ISG/NFV/Open/Drafts/SEC025_Secure_E2E_VNF_%26_NS_management", "https://attack.mitre.org/techniques/T1014", "https://fight.mitre.org/data%20sources/DS0007", "https://fight.mitre.org/data%20sources/DS0008", "https://fight.mitre.org/data%20sources/DS0009", "https://fight.mitre.org/data%20sources/DS0019", "https://fight.mitre.org/data%20sources/DS0022", "https://fight.mitre.org/data%20sources/DS0029", "https://fight.mitre.org/mitigations/M1018", "https://fight.mitre.org/mitigations/M1045", 
"https://fight.mitre.org/mitigations/M1046", "https://fight.mitre.org/mitigations/M1047", "https://fight.mitre.org/mitigations/M1051", "https://fight.mitre.org/techniques/FGT1014" ], "status": "This is an observed behavior in Enterprise networks, and is theoretical in context of 5G systems.", "typecode": "attack_technique_addendum" }, "related": [ { "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", "type": "related-to" }, { "dest-uuid": "686a3700-8ee3-52d3-954f-d2ec4abf14aa", "type": "mitigated-by" }, { "dest-uuid": "ef3488c0-caca-5662-afbf-c906cbadb660", "type": "mitigated-by" }, { "dest-uuid": "3ea67e5f-f46e-5b5d-a987-0008b66fddfc", "type": "mitigated-by" }, { "dest-uuid": "a30b7d01-b740-5538-b28d-d87befd5fd29", "type": "mitigated-by" }, { "dest-uuid": "f54f2c17-0cf6-536a-b52e-a886652815d6", "type": "mitigated-by" }, { "dest-uuid": "9c89df80-284c-50bd-b53c-408ce950baa2", "type": "detected-by" }, { "dest-uuid": "2ba57b64-315a-54e9-a654-7780d104d173", "type": "detected-by" }, { "dest-uuid": "2251c650-0578-5b11-ab47-d05f1166dc47", "type": "detected-by" }, { "dest-uuid": "1036f262-8a54-5edc-8350-9406dd3e51ff", "type": "detected-by" }, { "dest-uuid": "6151c447-21b5-5530-8760-375ac25fb3e8", "type": "detected-by" }, { "dest-uuid": "becdcf31-3d2a-53bb-8251-51e9da4a0df6", "type": "detected-by" } ], "uuid": "5dda31ba-0fe6-57b2-8023-684e76b5ea8b", "value": "Rootkit" }, { "description": "An adversary may implant malware in the Network Function Virtualization Infrastructure (NFVI) that will load during the pre-boot sequence to achieve persistence.\r\n\r\nAn adversary may implant unauthorized software in the NFVI to persist in the boot sequence or launch malicious software. 5G VNF deployments rely on underlying NFVI (Kubernetes, Openstack) resources and do not offer any checks of their own to validate resources. Possibilities exist to add malware in deployment pipelines, image building and storage process and thru add on tools. 
Unless a Hardware Mediated Execution Environment (HMEE) is used to validate host resources, malware inserted during the boot process may not be easily detected.", "meta": { "access-required": "Administrative access", "architecture-segment": "Virtualization, OA&M", "bluf": "An adversary may implant malware in the Network Function Virtualization Infrastructure (NFVI) that will load during the pre-boot sequence to achieve persistence.", "criticalassets": [ { "Description": "Any network functions within NFVI sphere of responsibility", "Name": "Physical, Virtual, and Cloud Native Functions" }, { "Description": "Any hosts in NFVI within 5G security zone or in CI/CD pipeline, security and OSS tools", "Name": "Hosts" } ], "detections": [ { "detects": "Software image inconsistency. Signature and checksum mismatch", "fgdsid": "DS0007", "name": "Image" }, { "detects": "Kernel executing unknown processes or unauthorized processes not typical of the host.", "fgdsid": "DS0008", "name": "Kernel" }, { "detects": "Active processes or process log may reveal unauthorized activity due to rootkits", "fgdsid": "DS0009", "name": "Process" }, { "detects": "Degraded performance; system may have reboots, or unexpected performance degradation, may be slow to respond to inputs.", "fgdsid": "DS0013", "name": "Sensor Health" }, { "detects": "Background services not typically associated with the host", "fgdsid": "DS0019", "name": "Service" }, { "detects": "File changes of any sort that cannot be traced back to authorized change.", "fgdsid": "DS0022", "name": "File" }, { "detects": "Network traffic pattern may reveal remote C2 communication from rootkit", "fgdsid": "DS0029", "name": "Network Traffic" } ], "external_id": "FGT1542.501", "kill_chain": [ "fight:Persistence", "fight:Defense-Evasion" ], "mitigations": [ { "fgmid": "M1018", "mitigates": "User Account Management, active monitoring of access attempts to CI/CD tools", "name": "User Account Management" }, { "fgmid": "M1045", "mitigates": "Code 
Signing of all 5G NF and infra node software", "name": "Code Signing" }, { "fgmid": "M1046", "mitigates": "Boot integrity, TPM and remote attestation", "name": "Boot Integrity" }, { "fgmid": "M1047", "mitigates": "System audits can reveal anomalous behavior that may be caused by rootkits. Audits of software repositories", "name": "Audit" }, { "fgmid": "M1051", "mitigates": "Update Software for 5G NF and infra node software", "name": "Update Software" } ], "object-type": "technique", "platforms": "Infrastructure, PNF, VNF Hosts", "refs": [ "[1] ETSI NFV SEC025, Secure E2E VNF & NS management spec (WIP v006, retrieved April 26, 2021 - https://docbox.etsi.org/ISG/NFV/Open/Drafts/SEC025_Secure_E2E_VNF_%26_NS_management", "https://fight.mitre.org/data%20sources/DS0007", "https://fight.mitre.org/data%20sources/DS0008", "https://fight.mitre.org/data%20sources/DS0009", "https://fight.mitre.org/data%20sources/DS0013", "https://fight.mitre.org/data%20sources/DS0019", "https://fight.mitre.org/data%20sources/DS0022", "https://fight.mitre.org/data%20sources/DS0029", "https://fight.mitre.org/mitigations/M1018", "https://fight.mitre.org/mitigations/M1045", "https://fight.mitre.org/mitigations/M1046", "https://fight.mitre.org/mitigations/M1047", "https://fight.mitre.org/mitigations/M1051", "https://fight.mitre.org/techniques/FGT1542.501" ], "status": "This is a theoretical behavior", "subtechnique-of": "FGT1542", "typecode": "fight_subtechnique_to_attack_technique" }, "related": [ { "dest-uuid": "686a3700-8ee3-52d3-954f-d2ec4abf14aa", "type": "mitigated-by" }, { "dest-uuid": "ef3488c0-caca-5662-afbf-c906cbadb660", "type": "mitigated-by" }, { "dest-uuid": "3ea67e5f-f46e-5b5d-a987-0008b66fddfc", "type": "mitigated-by" }, { "dest-uuid": "a30b7d01-b740-5538-b28d-d87befd5fd29", "type": "mitigated-by" }, { "dest-uuid": "f54f2c17-0cf6-536a-b52e-a886652815d6", "type": "mitigated-by" }, { "dest-uuid": "9c89df80-284c-50bd-b53c-408ce950baa2", "type": "detected-by" }, { "dest-uuid": 
"2ba57b64-315a-54e9-a654-7780d104d173", "type": "detected-by" }, { "dest-uuid": "2251c650-0578-5b11-ab47-d05f1166dc47", "type": "detected-by" }, { "dest-uuid": "5cbb4ceb-09b7-569d-b397-30ce5f6b99cb", "type": "detected-by" }, { "dest-uuid": "1036f262-8a54-5edc-8350-9406dd3e51ff", "type": "detected-by" }, { "dest-uuid": "6151c447-21b5-5530-8760-375ac25fb3e8", "type": "detected-by" }, { "dest-uuid": "becdcf31-3d2a-53bb-8251-51e9da4a0df6", "type": "detected-by" }, { "dest-uuid": "5efe3c21-5ced-5489-a076-3b2f0515164f", "type": "subtechnique-of" } ], "uuid": "c5e6ab87-13d8-5643-bbfd-ff0ad7b0bb43", "value": "Unauthorized software in NFVI" }, { "description": "Adversaries may target the different network services provided by systems to conduct a denial of service (DoS).\r\n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1499/002)", "meta": { "access-required": "Radio access, ", "addendums": [ "#### Addendum Name: Base station flood with fictitious access requests\r\n##### Architecture Segments: Control Plane\r\n An adversary may transmit an overwhelming number of access requests to a gNB to degrade the ability of legitimate UE to obtain access.\r\n\r\nAn adversary transmits large number of access requests over Random Access CHannel (RACH) to degrade the ability of legitimate UE to obtain access from the gNB. May be done via a compromised UE or a fake UE.\r\n\r\n\r\n", "#### Addendum Name: UDM DOS via SUCI replay\r\n##### Architecture Segments: Control Plane\r\n An adversary may use a device (user or base station) to replay registration requests with valid a Subscription Concealed Identifier (SUCI) in order to degrade the availability of UDM to other device users.\r\n\r\nAn adversary may intercept a legitimate SUCI sent by a legitimate device to a base station. 
The adversary can then replay this SUCI in a registration request towards the network many times, possibly from a fake base station or UE being used to send to the core network. This will cause the core network function in charge of deconcealment of the SUCI, namely the UDM-SIDF (Unified Data Management - Subscription Identifier De-Concealing Function), to work on this computationally intensive asymmetric cryptographic operation. A Denial of Service attack on the UDM can cause the available processing power of the UDM to decrease and thus impact its ability to respond to the requests of legitimate UEs.\r\n\r\n" ], "architecture-segment": "Control Plane", "bluf": "Adversaries may target the different network services provided by systems to conduct a denial of service (DoS).", "criticalassets": [ { "Description": "Adversary targets access requests in Random Access CHannel (RACH)", "Name": "RACH" }, { "Description": "UDM/SIDF resources are used for de-concealment of SUCI sent by legitimate UEs", "Name": "UDM/SIDF resources" } ], "detections": [ { "detects": "Excessive number of access requests received at gNB.", "fgdsid": "FGDS5007", "name": "UE access requests" }, { "detects": "Excessive number of SUCI containing requests received at the AMF. UDM slow response", "fgdsid": "FGDS5007", "name": "UE access requests" } ], "external_id": "FGT1499.002", "kill_chain": [ "fight:Impact" ], "mitigations": [ { "fgmid": "FGM5021", "mitigates": "Increase RACH resources.", "name": "Increase RACH (Random Access CHannel resources)" }, { "fgmid": "FGM5499", "mitigates": "Rate limiting of incoming messages at NFs. 
The Security Anchor Function (SEAF) or the Authentication Server Function (AUSF), which are NFs upstream from SIDF, can apply rate limiting if they receive the same SUCI multiple times within a short period.", "name": "Rate limiting by producer NF" } ], "object-type": "technique", "platforms": "5G RAN, 5G", "postconditions": [ { "Description": "Legitimate UEs have low probability of successfully requesting access", "Name": "Less service for legitimate UEs" }, { "Description": "Legitimate UEs have low probability of successfully obtaining access", "Name": "Less service for legitimate UEs" } ], "preconditions": [ { "Description": "Adversary must be able to transmit to gNB with sufficient power to be received.", "Name": "Transmit to gNB with sufficient power to succeed in flooding." }, { "Description": "Access to fake Base Station or fake UE to replay SUCI", "Name": "Acquire base station or UE" } ], "procedureexamples": [ { "Description": "Adversary transmits an overwhelming number of access requests over Random Access CHannel (RACH) to degrade the ability of legitimate UE to obtain access. May be done via a compromised UE or a SDR running OAI-5G modified software.", "Name": " Access request flooding" }, { "Description": "SUCI is replayed by fake or compromised UE or gNB to the network.\n\nUDM needs to process repeated SUCI messages from the same UE which will eventually drain resources of UDM and cause DoS attack on legitimate UE. Sections 5.2.2.1.2 & 5.2.2.2.2 of [1]", "Name": "SUCI replay" } ], "refs": [ "[1] 3rd Generation Partnership Project (3GPP) TR 33.846: “Study on Authentication Enhancements in the 5G System”, Technical Report, v17.0.0, Dec. 2021. - https://www.3gpp.org/DynaReport/33846.htm", "[2] European Union Agency for Cybersecurity (ENISA): “ENISA Threat Landscape for 5G Networks” Report, December 2020. 
- https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks", "https://attack.mitre.org/techniques/T1499/002", "https://fight.mitre.org/data%20sources/FGDS5007", "https://fight.mitre.org/mitigations/FGM5021", "https://fight.mitre.org/mitigations/FGM5499", "https://fight.mitre.org/techniques/FGT1499.002" ], "status": "This is an observed behavior in Enterprise networks, and is theoretical in context of 5G systems.", "subtechnique-of": "FGT1499", "typecode": "attack_subtechnique_addendum" }, "related": [ { "dest-uuid": "38eb0c22-6caf-46ce-8869-5964bd735858", "type": "related-to" }, { "dest-uuid": "31078df7-f6c6-52fd-a08b-773a09160d4d", "type": "mitigated-by" }, { "dest-uuid": "8a908176-33cc-5fbc-900d-f496f04c5344", "type": "mitigated-by" }, { "dest-uuid": "654fe97f-0d42-55e8-9295-92ab625315bd", "type": "detected-by" }, { "dest-uuid": "654fe97f-0d42-55e8-9295-92ab625315bd", "type": "detected-by" }, { "dest-uuid": "73d8dd2f-14f5-5774-8b7a-ca9712f63b91", "type": "subtechnique-of" } ], "uuid": "053c159a-7cd4-54d3-b4fd-4b644abe25e2", "value": "Service Exhaustion Flood" }, { "description": "An adversary, such as an insider to the MNO or vendor, may install a malicious NF into the core network, in order to launch other attacks or get access to information. \r\n\r\nAn adversary could introduce an unauthorized network function (NF) or function embedding trojan malware in the service base architecture (SBA) by registering it in the NRF, in order to exploit other APIs. A clone of a legitimate NF can also be used to register itself in the NRF. The new NF can be deployed as a PNF, cloud VNF or containerized NF. This adversary could be an insider (to the MNO) or a vendor or service provider. 
By having an unauthorized network function installed or activated, an adversary may gain access to resources in the network to perform other types of attacks such as Denial of Service, the distribution of malicious software, or obtaining sensitive information.", "meta": { "access-required": "admin", "architecture-segment": "OA&M, Control Plane", "bluf": "An adversary, such as an insider to the MNO or vendor, could install a malicious NF into the core network, in order to launch other attacks or get access to information. ", "criticalassets": [ { "Description": "Network services provided to UEs.", "Name": "Network services" } ], "detections": [ { "detects": "Monitor application logs of core NFs.", "fgdsid": "DS0015", "name": "Application Log" }, { "detects": "Monitor for newly constructed containers that may deploy a container into an environment to facilitate execution or evade defenses.", "fgdsid": "DS0032", "name": "Container" } ], "external_id": "FGT5007", "kill_chain": [ "fight:Execution" ], "mitigations": [ { "fgmid": "FGM5023", "mitigates": "Cross check newly registered NFs. Out-of-band mechanism for cross checking that new NFs registered in the NRF are as expected by the network administrator. NRF may use additional OAuth2.0 token information.", "name": "Periodic Authentication & Authorization of NFs" }, { "fgmid": "M1018", "mitigates": "Enforce the principle of least privilege by limiting container dashboard access to only the necessary users.", "name": "User Account Management" }, { "fgmid": "M1030", "mitigates": "Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls.", "name": "Network Segmentation" } ], "object-type": "technique", "platforms": "5G", "procedureexamples": [ { "Description": "Rogue or cloned NF calls Nnrf_NF Management API to register one of these functions: AMF, SMF, UDM, AUSF, NEF, PCF, SMSF, NSSF, UPF, etc. 
Clause 5.2.7 of [3]", "Name": "Unauthorized use of API" } ], "refs": [ "[1] European Union Agency for Cybersecurity (ENISA): “ENISA Threat Landscape for 5G Networks” Report, December 2020. - https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks", "[2] European Union Agency for Cybersecurity (ENISA): “ENISA Threat Landscape for 5G Networks” Report, November 2019. - https://www.enisa.europa.eu/publications/enisa-threat-landscape-for-5g-networks", "[3] 3rd Generation Partnership Project (3GPP) TS 23.502, “Procedures for the 5G System (5GS); Stage 2 (Release 17)”, Technical Specification, v17.4.0, March 2022. - https://www.3gpp.org/DynaReport/23502.htm", "https://fight.mitre.org/data%20sources/DS0015", "https://fight.mitre.org/data%20sources/DS0032", "https://fight.mitre.org/mitigations/FGM5023", "https://fight.mitre.org/mitigations/M1018", "https://fight.mitre.org/mitigations/M1030", "https://fight.mitre.org/techniques/FGT5007" ], "status": "This is a theoretical behavior in context of 5G systems.", "typecode": "fight_technique" }, "related": [ { "dest-uuid": "315f5d98-1aa8-5d25-9d57-4b6a0ea9958a", "type": "mitigated-by" }, { "dest-uuid": "686a3700-8ee3-52d3-954f-d2ec4abf14aa", "type": "mitigated-by" }, { "dest-uuid": "9c376223-8d89-5179-8a56-51de20697bd2", "type": "mitigated-by" }, { "dest-uuid": "3c23d0f7-d55c-5891-90b9-c744e976f0ef", "type": "detected-by" }, { "dest-uuid": "ec826f62-f75d-54a6-ad04-6b19f808283f", "type": "detected-by" } ], "uuid": "223ee7bf-9652-51e1-a73b-62beaf017d28", "value": "Registration of malicious network functions" }, { "description": "An adversary transmits radio signals to degrade reception and demodulation of signals to the UE or gNB/eNB. \r\n\r\nConsists of numerous methods, including noise jamming, generating false synchronization signals, and replaying modified portions of legitimate signals to degrade demodulation. 
Jamming in 5G (NR) is different from 3G and similar to 4G, but at high level the same principles are applied. This technique is similar to the ATT&CK for Mobile technique T1464.", "meta": { "architecture-segment": "RAN, O-RAN", "bluf": "An adversary transmits radio signals to degrade reception and demodulation of signals to the UE or gNB/eNB.", "criticalassets": [ { "Description": "UE and gNB basic operations.", "Name": "Radio receivers at base station and user equipment" } ], "detections": [ { "detects": "Identify source and location of jammer.", "fgdsid": "FGDS5001", "name": "RF Spectrum Monitor" } ], "external_id": "FGT5035", "kill_chain": [ "fight:Impact" ], "mitigations": [ { "fgmid": "FGM5001", "mitigates": "Disable jamming source.", "name": "Disable malicious transmitter" }, { "fgmid": "FGM5099", "mitigates": "Move user equipment closer to base station to overpower jamming signal.", "name": "Move UE close to gNB" }, { "fgmid": "FGM5100", "mitigates": "Increase height of User Equipment to avoid jamming signal.", "name": "Raise height of UE" } ], "object-type": "technique", "platforms": "5G radio access", "procedureexamples": [ { "Description": "Jammer device is used to perform noise jamming of the radio interface, See [1].", "Name": "Noise jamming via jammer device" }, { "Description": "Rogue UE sends fake uplink synchronization signals to the gNB:\n\nSounding Reference Signal (SRS)\n\nPhase Tracking Reference Signal (PTRS)\n\nDemodulation Reference Signal (DMRS)", "Name": "False synchronization signals" }, { "Description": "Fake base station replays modified portions of legitimate signals from gNB or towards gNB.", "Name": "Replay legitimate signals" } ], "refs": [ "[1] Y. Arjoune and S. 
Faruque, “Smart Jamming Attacks in 5G New Radio: A Review” (2020), 10th Annual Computing and Communication Workshop and Conference (CCWC) - https://ieeexplore.ieee.org/abstract/document/9031175/", "[2] European Union Agency for Cybersecurity (ENISA): “ENISA Threat Landscape for 5G Networks” Report, December 2020. - https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks", "[3] Lichtman, et al. “5G NR Jamming, Spoofing, and Sniffing: Threat Assessment and Mitigation” (2018), 2018 IEEE International Conference on Communications Workshops - https://arxiv.org/pdf/1803.03845.pdf", "https://fight.mitre.org/data%20sources/FGDS5001", "https://fight.mitre.org/mitigations/FGM5001", "https://fight.mitre.org/mitigations/FGM5099", "https://fight.mitre.org/mitigations/FGM5100", "https://fight.mitre.org/techniques/FGT5035" ], "status": "Observed in earlier 3GPP generations and expected in 5G.", "typecode": "fight_technique" }, "related": [ { "dest-uuid": "916de5dd-cb01-57ab-9e11-1cd147a840b4", "type": "mitigated-by" }, { "dest-uuid": "f6943911-4cc0-5825-ab1c-b889d3b3c989", "type": "mitigated-by" }, { "dest-uuid": "bd198272-946a-59c7-b50c-f7812fadf5b2", "type": "mitigated-by" }, { "dest-uuid": "975233cb-58b4-5ed0-ba6b-0989d39904f6", "type": "detected-by" } ], "uuid": "a197ad7f-265d-5d5f-afe3-da6a33bedbc9", "value": "Radio Jamming" }, { "description": "An adversary can divert user plane traffic for one or more UEs via a user-plane function, to monitor user data.\r\n\r\nTraffic diversion is a threat relating to network elements of the user plane. A compromised or misconfigured NF (as documented in the procedures below: UPF, SMF, …) is used to send or cause to send a command to a user plane (routing) function that results in altering the traffic flow. This threat involves compromising a network element to divert traffic flows and allow a malicious actor to eavesdrop on user traffic. 
\r\n\r\nAn adversary positioned between the UE and the UPF may intercept unprotected data packets and change the destination IP address of the packets, so that the UPF ends up sending them to a different data network. \r\n\r\nRedirection attacks on the core network result in not only communication interception, but also in billing discrepancies.", "meta": { "access-required": "N/A", "architecture-segment": "User Plane", "bluf": "An adversary can divert user plane traffic for one or more UEs via a user-plane function, to monitor user data", "criticalassets": [ { "Description": "All user plane subscriber data", "Name": "Subscriber data" } ], "detections": [ { "detects": "Monitor AF to NEF APIs for illegitimate traffic redirection requests. Monitor Nnef_TrafficInfluence_Update API calls from AF to NEF for traffic redirection requests to unauthorized DNN & S-NSSAI.", "fgdsid": "DS0015", "name": "Application Log" } ], "external_id": "FGT5008", "kill_chain": [ "fight:Collection", "fight:Impact" ], "mitigations": [ { "fgmid": "FGM5019", "mitigates": "Authorize all API calls by external AFs to NEF", "name": "Authorize external API calls" }, { "fgmid": "M1040", "mitigates": "Monitor internal API calls between NFs for suspicious activities", "name": "Behavior Prevention on Endpoint" }, { "fgmid": "M1047", "mitigates": "Audit insecure NF configurations", "name": "Audit" } ], "object-type": "technique", "platforms": "5G Network", "postconditions": [ { "Description": "If an adversary redirects to their own server, they can access the subscriber data, who will not be aware that the traffic is being intercepted.", "Name": "Subscriber data intercept" } ], "preconditions": [ { "Description": "An adversary must have control of the UPF IP address or a UPF", "Name": "Acquire UPF IP address/control" }, { "Description": "An adversary must first control the SMF or NEF, or AF", "Name": "Control SMF/NEF/AF" } ], "procedureexamples": [ { "Description": "An adversary controlling the SMF can 
redirect existing UE traffic by sending to UPF a N4 Session Modification Request (or: selecting another UPF- or, by sending to UPF another “Redirect server” [which the adversary controls] in the FAR in the N4 session (“The UPF reports to the SMF whether it supports traffic redirection enforcement in the UPF through the ‘UP-Function Features’ IE.” [6]) Clause 5.8.2.3.3 of [5]\n\nSimilarly, the SMF can send a session modification request to the UPF and redirect UE traffic. See clauses 4.4.1.2 & 4.4.1.3 of [4].", "Name": "Rogue or misconfigured SMF" }, { "Description": "The “Application Function influence on traffic routing” service is designed for MEC applications for local processing of data traffic in order to reduce latency. However, this capability can be misused by rogue AF or rogue/misconfigured NEF. The traffic redirection occurs after the NEF takes action that affects the UPF behavior. Clause 5.6.7 Table 5.6.7-1 first row “Traffic Description” of [5], clause 4.3.6 of [4].", "Name": "Rogue AF or rogue/misconfigured NEF" }, { "Description": "An adversary positioned e.g. on a router can exploit the fact that the N3 interface may not use IPSec protection. In this case, a UE’s uplink data may be sent to a different data network or destination in the data network: the adversary intercepts the UE packets encapsulated in GTP-U tunnel, and changes the destination IP address.", "Name": "Access on N3 interface" } ], "refs": [ "[1] European Union Agency for Cybersecurity (ENISA : “ENISA Threat Landscape for 5G Networks” Report, December 2020. - https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks", "[2] ENISA “Threat Landscape for 5G Networks Report”, Nov 2019. - https://www.enisa.europa.eu/publications/enisa-threat-landscape-for-5g-networks", "[3] “Bhadra framework”: S.P. Rao, S. Holtmanns, T. 
Aura, “Threat modeling framework for mobile communication systems” - https://arxiv.org/abs/2005.05110v1", "[4] 3GPP TS 23.502 “Technical Specification Group Services and System Aspects; Procedures for the 5G System (5GS ”. - https://www.3gpp.org/DynaReport/23502.htm", "[5] 3GPP TS 23.501 “Technical Specification Group Services and System Aspects; System architecture for the 5G System (5GS ”. - https://www.3gpp.org/DynaReport/23501.htm", "[6] “Ultra Cloud Core 5G User Plane Function, Release 2020.02 - Configuration and Administration Guide”, Cisco Systems, Accessed May 25, 2023 - https://www.cisco.com/c/en/us/td/docs/wireless/ucc/upf/Ultra-Cloud-Core-5G-UPF-Config-Guide.html", "[7] “5G Security Issues.” Positive Technologies - https://www.gsma.com/membership/resources/positive-technologies-5g-security-issues/", "https://fight.mitre.org/data%20sources/DS0015", "https://fight.mitre.org/mitigations/FGM5019", "https://fight.mitre.org/mitigations/M1040", "https://fight.mitre.org/mitigations/M1047", "https://fight.mitre.org/techniques/FGT5008" ], "status": "This is a theoretical behavior in context of 5G systems.", "typecode": "fight_technique" }, "related": [ { "dest-uuid": "8b7ba061-2465-5f09-a034-431bd7ca577c", "type": "mitigated-by" }, { "dest-uuid": "ebbb02f1-0909-5282-8684-a188557e45c6", "type": "mitigated-by" }, { "dest-uuid": "a30b7d01-b740-5538-b28d-d87befd5fd29", "type": "mitigated-by" }, { "dest-uuid": "3c23d0f7-d55c-5891-90b9-c744e976f0ef", "type": "detected-by" } ], "uuid": "da7624f2-39c0-5684-a81b-d33b571811e8", "value": "Redirection of traffic via user plane network function" }, { "description": "An adversary-controlled AMF registers itself in the UDM as serving a victim UE in order to pave the way for other attacks such as fraud or UE subscription data retrieval. \r\n\r\nA UE can be legitimately de-registered or be caused to de-register. The UDM is the core network function that holds the current registration status and data of an UE. 
UEs register with an AMF, which then becomes its serving AMF. An adversary can exploit an incorrectly implemented UDM that does not update the authentication status of a UE upon a de-registration event, or that allows the authentication status to be incorrect. This flaw allows a malicious AMF to register itself in UDM (via Nudm_UECM_Registration Request API call). That is, an adversary controlling an AMF can register that AMF Identifier in the UDM as the serving AMF for that UE. \r\n\r\nThis technique also applies to the SMF and SMSF (SMS Function), not just AMF, using the same API to the UDM. \r\n\r\nFor an adversary to achieve this, a UDM must be incorrectly implemented. The improperly configured UDM needs to be able to perform all of the basic functions, except that it does not mark a UE as de-registered when it powers off or goes to airplane mode or is legitimately (or illegitimately) de-registered by the network.", "meta": { "access-required": "admin", "architecture-segment": "Control Plane", "bluf": "An adversary-controlled AMF registers itself in the UDM as serving a victim UE in order to pave the way for other attacks such as fraud or UE subscription data retrieval.", "criticalassets": [ { "Description": "Functionality of this core network function", "Name": "UDM functionality" }, { "Description": "Data (user plane or signaling) belonging to the UE", "Name": "UE data" }, { "Description": "Physical geo-location (coarse or fine) of the UE", "Name": "UE location" } ], "detections": [], "external_id": "FGT5010", "kill_chain": [ "fight:Collection" ], "mitigations": [ { "fgmid": "FGM5023", "mitigates": "Periodic authentication / authorization of NF consumer e.g. AMF by NRF will help detect rogue AMFs. \nNot currently in 3GPP/GSMA (TBC) specs, but it can be enhanced. 
It’s process management (OA&M)", "name": "Periodic Authentication & Authorization of NFs" }, { "fgmid": "FGM5013", "mitigates": "Implement security as per clause 6.1.9 of [4], namely OAuth2.0", "name": "Timely updates to UE status" }, { "fgmid": "FGM5014", "mitigates": "Cross check whether the requesting AMF is likely to be the one serving that UE now. Validate the expected geography of where UE actually may be, in comparison to the area that the requester AMF is supposed to serve.", "name": "UE location plausibility" } ], "object-type": "technique", "platforms": "5G", "postconditions": [ { "Description": "A rogue AMF could mount other attacks on the victim UE, but the UE is not currently registered on the network. For example, the AMF can ask the LMF for the location of that UE; this may work if the UE is actually registered to this network, otherwise, it will return the last known location.", "Name": "Follow on attacks by rogue AMF" } ], "preconditions": [ { "Description": "If the UDM does not store the authentication status of a UE, or the authentication status is incorrect", "Name": "Faulty UDM implementation" } ], "procedureexamples": [ { "Description": "An adversary in control of an AMF registers that AMF in UDM (via Nudm_UECM_Registration Request) as serving a given UE that de-registered. If the UDM implementation does not update the authentication status of UEs as de-registered, it will accept that AMF. 
The adversary-controlled AMF can then potentially perform additional hostile actions such as fraud, claiming to have provided services for the UE, or obtaining other UE information from the UDM such as subscriber data, or asking for the UE location from the LMF (Location Management Function).", "Name": "Adversary registers an AMF it controls as the one serving a given UE that just de-registered" } ], "refs": [ "[1] 3rd Generation Partnership Project (3GPP TR 33.926: “Security Assurance Specification (SCAS threats and critical assets in 3GPP network product classes”, Technical Report, v17.3.0, Dec. 2021, clause E.2.2.3 - https://www.3gpp.org/DynaReport/33926.htm", "[2] 3rd Generation Partnership Project (3GPP TR 33.846,” Study on authentication enhancements in the 5G System (5GS ”, Technical Report, v17.0.0, December 2021, clause 5.3.1.2 - https://www.3gpp.org/DynaReport/33846.htm", "[3] European Union Agency for Cybersecurity (ENISA : “ENISA Threat Landscape for 5G Networks” Report, December 2020 - https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks", "[4] 3GPP TS 29.503: “5G System; Unified Data Management Services; Stage 3” - https://www.3gpp.org/DynaReport/29503.htm", "https://fight.mitre.org/mitigations/FGM5013", "https://fight.mitre.org/mitigations/FGM5014", "https://fight.mitre.org/mitigations/FGM5023", "https://fight.mitre.org/techniques/FGT5010" ], "status": "This is a theoretical behavior in context of 5G systems.", "typecode": "fight_technique" }, "related": [ { "dest-uuid": "315f5d98-1aa8-5d25-9d57-4b6a0ea9958a", "type": "mitigated-by" }, { "dest-uuid": "94fbd6a2-caec-5a7e-9698-569d2a3d4c70", "type": "mitigated-by" }, { "dest-uuid": "9878da52-42e3-59bb-b16b-30024a0a4771", "type": "mitigated-by" } ], "uuid": "125c7700-bd59-5af8-848f-8d4de790a967", "value": "Fraudulent AMF registration for UE in UDM" }, { "description": "An adversary controlling an (external) Application Function (AF) may present a fraudulent OAuth access 
token to access Network Exposure Function (NEF) services. \r\n\r\nA mobile network operator has access to a variety of user and network data by virtue of the services it provides to subscribers. As a business extension, some of these capabilities, events and data can be offered to other partner business entities. The Network Exposure Function securely exposes such cellular network services to authorized third-party applications. The standard mandates TLS between NEF and AF and authorization via OAuth 2.0.\r\n\r\nExamples of the data that can be shared are: device analytics, user traffic routing, device location and mobility events: for example, notifications are sent whenever a user (which is e.g. part of a group subscribed to a third party service) enters a certain geographical perimeter (e.g. a mall or campus), since the operator keeps track of the base stations to which devices are connected.\r\n\r\nA malicious AF with a fraudulent (stolen, altered, or constructed) access token may invoke the NEF services arbitrarily.", "meta": { "access-required": "admin", "architecture-segment": "Control Plane", "bluf": "An adversary controlling an (external) Application Function (AF) presents a fraudulent OAuth access token to access Network Exposure Function (NEF) services. 
", "criticalassets": [ { "Description": "Network services exposed by NEF", "Name": "Operator Services" } ], "detections": [ { "detects": "Logs of connection attempts to NEF", "fgdsid": "DS0015", "name": "Application Log" } ], "external_id": "FGT5011", "kill_chain": [ "fight:Lateral-Movement", "fight:Initial-Access" ], "mitigations": [ { "fgmid": "FGM5003", "mitigates": "Ensure NEF checks AF credentials across layers (TLS, OAuth2.0), and has a list (provided out of band) with all the allowed AF by unique identifier (or type of AF), and to which service they are allowed access (this access may be general, not per UE).", "name": "Cross check between application layer and transport layer" }, { "fgmid": "FGM5019", "mitigates": "NEF should authorize API calls from external AFs for all service accesses, via OAuth token verification.", "name": "Authorize external API calls" }, { "fgmid": "M1040", "mitigates": "Prevent suspicious API calls", "name": "Behavior Prevention on Endpoint" } ], "object-type": "technique", "platforms": "5G Network", "postconditions": [ { "Description": "Adversary has access to network services exposed by NEF", "Name": "Network services exposed by NEF" } ], "preconditions": [ { "Description": "Access to some MNO services to gain knowledge about tokens to access the NEF", "Name": "MNO service access" } ], "procedureexamples": [ { "Description": "An adversary may conduct OAuth2.0 attacks that are applicable to machine-to-machine communication (not email phishing type attacks). Fraudulent token is mentioned in section I.2.2.2 of [1]. Other threats are listed in [2].", "Name": "OAuth 2.0 attacks" } ], "refs": [ "[1] 3GPP TR 33.926 Security Assurance Specification (SCAS threats and critical assets in 3GPP network product classes. - https://www.3gpp.org/DynaReport/33926.htm", "[2] Internet Engineering Task Force, IETF RFC 6819 “OAuth 2.0 Threat Model and Security Considerations”, Jan. 2013. 
- https://datatracker.ietf.org/doc/html/rfc6819", "https://fight.mitre.org/data%20sources/DS0015", "https://fight.mitre.org/mitigations/FGM5003", "https://fight.mitre.org/mitigations/FGM5019", "https://fight.mitre.org/mitigations/M1040", "https://fight.mitre.org/techniques/FGT5011" ], "status": "This is a theoretical behavior in context of 5G systems.", "typecode": "fight_technique" }, "related": [ { "dest-uuid": "c1144b6f-994d-5a18-9c38-f40e89a4d19f", "type": "mitigated-by" }, { "dest-uuid": "8b7ba061-2465-5f09-a034-431bd7ca577c", "type": "mitigated-by" }, { "dest-uuid": "ebbb02f1-0909-5282-8684-a188557e45c6", "type": "mitigated-by" }, { "dest-uuid": "3c23d0f7-d55c-5891-90b9-c744e976f0ef", "type": "detected-by" } ], "uuid": "1369b34e-f6b7-5549-bf07-560e65641726", "value": "Unauthorized access to Network Exposure Function (NEF) via token fraud" }, { "description": "An adversary can track a device (get cell-level location) by listening for the same device ID being sent to the network. \r\n\r\nThe AMF handles UE registration every time the UE connects to the network anew. As part of this registration, a 5G Globally Unique Temporary Identifier (5G-GUTI) is assigned to the UE, so as to protect the UE permanent identifier. The UE sends this identifier in the clear to the network as part of service procedures it initiates, and so this identifier can be eavesdropped by any UE or wireless sniffer nearby.\r\n\r\nThis is a passive attack. If AMF doesn't allocate a new 5G-GUTI in certain registration scenarios, an adversary could keep on tracking the user using the old 5G-GUTI after these registration procedures. 
This attack has been observed in 4G where UEs were allocated the same GUTI.", "meta": { "access-required": "Air interface", "architecture-segment": "Control Plane, RAN", "bluf": "Adversary can track a device (get cell-level location) by listening for the same device ID being sent to the network.", "criticalassets": [ { "Description": "Location is accurate to a cell area, since the sniffer device has to be close enough to hear the UE send its 5G GUTI", "Name": "UE location" } ], "detections": [], "external_id": "FGT5012.003", "kill_chain": [ "fight:Discovery", "fight:Collection" ], "mitigations": [ { "fgmid": "FGM5094", "mitigates": "Ensure the AMF implementation allocates a new 5G-GUTI whenever possible.", "name": "Allocate new 5G identifiers judiciously" } ], "object-type": "technique", "platforms": "5G radio access", "preconditions": [ { "Description": "Adversary must be present in the same area where the UE is located.", "Name": "Adversary present in the vicinity of victim UE" } ], "procedureexamples": [ { "Description": "Reportedly several operators do not re-allocate GUTI with every UE registration, or they do not re-allocate often enough or they use a predictable pattern, as in [1], [2]. \nThe exact 5G-GUTI refresh mechanism is left to implementation. Mandatory refresh of 5G-GUTI is to be done by AMF for initial registration, mobility registration update and network-initiated service request message due to paging, see clause 6.12.3 of [3].\nIt is not necessary for the adversary to have a UE to listen, a simpler listening device suffices.", "Name": "Listen in for re-used 5G-GUTIs to determine UE presence in that area." } ], "refs": [ "[1] B. Hong, S. Bae, Y. Kim, “GUTI Reallocation Demystified: Cellular Location Tracking with Changing Temporary Identifier”, NDSS Symposium, 2018. 
- https://www.ndss-symposium.org/wp-content/uploads/2018/02/ndss2018_02A-4_Hong_paper.pdf", "[2] 3rd Generation Partnership Project (3GPP) TR 33.926: “Security Assurance Specification (SCAS) threats and critical assets in 3GPP network product classes”, Technical Report, v17.3.0, December 2021, clause K.2.7.1 - https://www.3gpp.org/DynaReport/33926.htm", "[3] 3rd Generation Partnership Project (3GPP) TR 33.501: “Security architecture and procedures for 5G system”, Technical Specification, v17.5.0, March 2022 - https://www.3gpp.org/DynaReport/33501.htm", "https://fight.mitre.org/mitigations/FGM5094", "https://fight.mitre.org/techniques/FGT5012.003" ], "status": "Observed in earlier 3GPP generations and expected in 5G.", "subtechnique-of": "FGT5012", "typecode": "fight_subtechnique" }, "related": [ { "dest-uuid": "ea7e5e52-dd1d-5756-8311-fe6705bdb083", "type": "mitigated-by" }, { "dest-uuid": "f940f548-256a-5559-83bc-7fea99d051bf", "type": "subtechnique-of" } ], "uuid": "55a7ea1f-64ed-586b-a433-fe7cb0a9cf34", "value": "5G-GUTI reuse" }, { "description": "An adversary may alter or spoof network signaling so as to enable the NULL integrity algorithm thus allowing for manipulation of user data or signaling over the radio interface, for example to redirect traffic. \r\n\r\nSeveral procedures and interfaces can be implemented incorrectly or misused by an adversary in control over a gNB or NF and may result in a configuration that calls for the NULL integrity algorithm to protect data sent over the radio interface. The data sent is user signaling -- Non-Access Stratum (NAS) or Access Stratum (AS) Control Plane (CP) -- or subscriber data -- AS User Plane (UP). 
These actions can be followed by another adversarial behavior whereby data and signaling sent over the radio interface is manipulated or tampered with.", "meta": { "architecture-segment": "RAN", "bluf": "An adversary may alter or spoof network signaling so as to enable the NULL integrity algorithm thus allowing for manipulation of user data or signaling over the radio interface, for example to redirect traffic.", "criticalassets": [ { "Description": "UE signaling and subscriber (user plane) data integrity.", "Name": "UE data" } ], "detections": [ { "detects": "Check for unusual changes in gNB, SMF, AMF user profile, policy, and configuration data. Configuration audits by OSS/BSS to detect for example, user session redirects.", "fgdsid": "DS0015", "name": "Application Log" }, { "detects": "Radio traffic content\nInspect radio traffic and watch for unauthorized changes as the packets move through the interfaces.", "fgdsid": "DS0029", "name": "Network Traffic" } ], "external_id": "FGT5009.001", "kill_chain": [ "fight:Defense-Evasion" ], "mitigations": [ { "fgmid": "FGM5024", "mitigates": "Ensure gNB implementation and SMF implementations are both checking the UE CP and UP security policy against the most trustworthy source and taking action to not enable NULL integrity except for emergency calls.", "name": "Integrity protection of data communication" }, { "fgmid": "FGM5006", "mitigates": "UE should refuse to set up radio bearer and PDU session without integrity protection.", "name": "Restrictive user profile" }, { "fgmid": "M1018", "mitigates": "Network element security safeguards for gNBs, AMFs and SMFs. Includes measures in clause 5.3.4 of [2] (e.g. 
software updates, OA&M access security, secure boot).", "name": "User Account Management" }, { "fgmid": "M1031", "mitigates": "Implement network intrusion prevention methods.", "name": "Network Intrusion Prevention" }, { "fgmid": "M1043", "mitigates": "Implement credential access protection methods.", "name": "Credential Access Protection" } ], "object-type": "technique", "platforms": "5G Radio", "postconditions": [ { "Description": "Control Plane (CP): All UE signaling data may be tampered with if both NAS and AS CP (i.e., RRC) algorithms are weakened. \n\nUser Plane (UP): Subscriber (user) data may be tampered with if AS UP algorithms are weakened.\n\nAs a result, subscriber data session does not get setup (DoS attack) or gets interrupted during an active session.", "Name": "UE data not integrity protected on air interface" } ], "preconditions": [ { "Description": "A rogue gNB may be required to change the UE’s CP & UP supported algorithms to NULL. It’s easier to achieve control over a gNB than over the AMF or SMF itself. But then if the AMF and SMF are not rogue just not configured to do these additional checks, then control over a rogue gNB is sufficient.\nThis attack is possible with only control over the AMF, in which case the algorithm for CP and UP protection may be changed to NULL.", "Name": "Rogue or misconfigured AMF or SMF or gNB or MME" } ], "procedureexamples": [ { "Description": "Adversary (e.g. with fake gNB) intentionally configures NULL integrity algorithm to have highest priority in gNB. These algorithms are sent to the UE in the Access Stratum (AS) Security Mode Command (SMC). Normally the activation of algorithms for the AS is done by the gNB based on that policy received from the SMF, but a fake gNB can ignore the SMF. 
Clauses 6.7.3 & D.1 of [2].\n\nAdversary with control over a legitimate gNB, and who currently serves the UE, tells the SMF that the UE Control Plane (CP) and User Plane (UP) policy is NULL integrity, and the (legit but not correctly implemented) SMF doesn’t check that against the locally configured UE CP & UP policy and lets the CP and UP data use NULL integrity. Clause 6.6.1 of [2].", "Name": "Fake or misconfigured base station" }, { "Description": "Adversary makes the unauthorized change in the SMF CP & UP local policy to enable NULL integrity for CP & UP traffic.\nAlternatively, adversary exploits an SMF that is not implemented to check (for every UE it serves) that the algorithm received from gNB- (which may be compromised or fake) matches the local policy. That local policy in turn should be checked that it is the same as the UE policy stored in the UDM. Any of these failures can result in the SMF enabling the CP and UP traffic over the radio interface to use NULL integrity.", "Name": "Rogue or misconfigured SMF" }, { "Description": "Adversary with control over AMF (or control over the configuration of AMF) can affect UE procedures such as NAS Security Mode Command, such that the UE's NAS data is not protected, i.e. prioritize NULL algorithm for either NAS encryption or integrity. Clause K.2.3.3. of [1]. \n\nThis can be followed by another attack behavior whereby data manipulation can be done over the air interface for signaling data. Clauses 5.3.2, 5.3.3 & 5.5.1, 5.5.2 of [2].", "Name": "Rogue or misconfigured AMF non-roaming" }, { "Description": "Compromised source AMF sends incorrect UE context information to legitimate target AMF during\nInitial registration & roaming or\nHandover (N2 based)\n\nSource AMF sends null integrity algorithm information as part of the “UEContextTransfer” (initial registration & roaming) or “CreateUEContext” (N2 handover) service request messages. 
All UE data will be sent without integrity protection after registration or handover is completed. Clauses 4.2.2.2.2, 4.9.1.3.1 & 5.2.2.1 of [3] The element in the UE context is the ueSecurityCapability which the rogue AMF sets to NULL only.", "Name": "Rogue or misconfigured AMF during roaming/handover" }, { "Description": "Compromised source MME sends incorrect UE context information to legitimate target AMF during EPS to 5GS handover and roaming with and without N26 interface.\n\nSource AMF sends NULL integrity algorithm information as part of the “UEContextTransfer” or \n“RelocateUEContext” service request messages. All UE data will be sent without integrity protection after roaming or handover is completed. Clauses 4.11.1.2.2.2, 4.11.1.3.3, 4.11.2.3 & 5.2.2.1 of [3] The element in the UE context is the ueSecurityCapability which the rogue AMF sets to NULL only.", "Name": "Rogue or misconfigured MME during EPS roaming/handover" } ], "refs": [ "[1] 3GPP TR 33.926 “Security Assurance Specification (SCAS threats and critical assets in 3GPP network product classes”, v17.4.0, June 2022 - https://www.3gpp.org/DynaReport/33926.htm", "[2] 3GPP TS 33.501 “Security architecture and procedures for 5G System”, v 17.6.0, June 2022 - https://www.3gpp.org/DynaReport/33501.htm", "[3] 3GPP TS 23.502 “Procedures for the 5G System (5GS ”, v17.5.0, June 2022 - https://www.3gpp.org/DynaReport/23502.htm", "https://fight.mitre.org/data%20sources/DS0015", "https://fight.mitre.org/data%20sources/DS0029", "https://fight.mitre.org/mitigations/FGM5006", "https://fight.mitre.org/mitigations/FGM5024", "https://fight.mitre.org/mitigations/M1018", "https://fight.mitre.org/mitigations/M1031", "https://fight.mitre.org/mitigations/M1043", "https://fight.mitre.org/techniques/FGT5009.001" ], "status": "This is a theoretical behavior", "subtechnique-of": "FGT5009", "typecode": "fight_subtechnique" }, "related": [ { "dest-uuid": "cccb021c-dd96-5d72-904f-c55ad24598de", "type": "mitigated-by" }, { 
"dest-uuid": "cce626f3-b774-5f29-b1d2-5fb96a5befef", "type": "mitigated-by" }, { "dest-uuid": "686a3700-8ee3-52d3-954f-d2ec4abf14aa", "type": "mitigated-by" }, { "dest-uuid": "519ee587-bcda-5021-997d-9fc257c4720a", "type": "mitigated-by" }, { "dest-uuid": "4d882eab-1588-508e-b3fc-f7221cad2db8", "type": "mitigated-by" }, { "dest-uuid": "3c23d0f7-d55c-5891-90b9-c744e976f0ef", "type": "detected-by" }, { "dest-uuid": "becdcf31-3d2a-53bb-8251-51e9da4a0df6", "type": "detected-by" }, { "dest-uuid": "4d8acf53-2350-5390-af4d-7ba1f5f9dc13", "type": "subtechnique-of" } ], "uuid": "955b7c23-35a9-57df-a223-ed9d9b3d14ad", "value": "Radio Interface" }, { "description": "An adversary controlling a user-plane function (gNB or UPF) may disrupt user traffic by assigning the new traffic a TEID already in use.\r\n\r\nThe Tunnel Identifier, TEID, is part of the Core Network Tunnel information and is assigned locally by the UPF and also by the gNB/ng-eNB for user plane routing for each UE served. The failure to guarantee the uniqueness of the TEID for a PDU session results in interruption of the routing of the user traffic. It also creates charging errors. If multiple PDU sessions were to share the same TEID at the same time, the counts for the network usage of a single PDU session will be in fact the counts for the network usage of multiple sessions, creating charging errors.\r\n\r\nRogue or erroneous configuration/implementation in gNB or UPF can cause an existing TEID to be assigned to a new PDU session. 
This can also happen during EPS to 5GS handover or roaming.", "meta": { "architecture-segment": "User Plane", "bluf": "An adversary controlling a user-plane function (gNB or UPF) disrupts user traffic by assigning the new traffic a TEID already in use.", "criticalassets": [ { "Description": "Billing data of legitimate UE", "Name": "UE billing data" }, { "Description": "UE’s reception of its data is disrupted.", "Name": "UE data interruption" } ], "detections": [ { "detects": "Packet inspection over the N3 interface. If two packets are seen to have the same TEID on the RAN to UPF interface, then it can be verified that they indeed belong to the same UE. It may be difficult to detect as it is per UE and per PDU session.", "fgdsid": "DS0029", "name": "Network Traffic" }, { "detects": "The charging system reports anomalies in subscriber CDRs. Periodic CDR audits can detect such anomalies.", "fgdsid": "FGDS5003", "name": "Charging anomaly" } ], "external_id": "FGT5021", "kill_chain": [ "fight:Impact" ], "mitigations": [ { "fgmid": "FGM5094", "mitigates": "Ensure UPF and gNB/NG-eNB check for uniqueness for every new TEID they allocate locally. The newly assigned TEID must not have been in use within a certain amount of time in the past (which should be set to the reasonable maximum tunnel lifetimes observed).", "name": "Allocate new 5G identifiers judiciously" }, { "fgmid": "M1035", "mitigates": "Limit Access to Resource Over Network", "name": "Limit Access to Resource Over Network" }, { "fgmid": "M1047", "mitigates": "The UPF and g/eNB must keep a log of the TEIDs currently in use (which they assigned), and purge TEIDs once the tunnel is torn down. 
This log must be checked every time a new TEID is allocated.", "name": "Audit" } ], "object-type": "technique", "platforms": "5G Network", "postconditions": [ { "Description": "UE user plane data gets disrupted", "Name": "UE data disruption" }, { "Description": "Incorrect subscribers' charging records are generated", "Name": "Incorrect charging" } ], "preconditions": [ { "Description": "Faulty implementation at gNB or UPF ; or, control over gNB, and UPF", "Name": "Control or misconfiguration of gNB or UPF" } ], "procedureexamples": [ { "Description": "Rogue or wrong configuration/implementation in gNB or UPF can cause existing TEID to be assigned to a new N3 reference point or PDU session. Clause J.2.2.2 of [1]\n\nDuplicate TEID allocation can happen during EPS to 5GS handover or roaming.\n\nDuplicate TEID can cause traffic disruption, charging issues and eavesdropping of legitimate subscriber data by adversary. Clause 5.8.2.3 of [2], clause 4.11.1.2.2 of [3]", "Name": "Rogue or misconfigured gNB or UPF" } ], "refs": [ "[1] 3GPP TR 33.926 “Security Assurance Specification (SCAS threats and critical assets in 3GPP network product classes”. - https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=3002", "[2] 3GPP TS 23.501 “System architecture for the 5G System (5GS ”. - https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=3144", "[3] 3GPP TS 23.502, “Procedures for the 5G System (5GS ; Stage 2 (Release 17 ”, Technical Specification, v17.4.0, March 2022. 
- https://www.3gpp.org/DynaReport/23502.htm", "https://fight.mitre.org/data%20sources/DS0029", "https://fight.mitre.org/data%20sources/FGDS5003", "https://fight.mitre.org/mitigations/FGM5094", "https://fight.mitre.org/mitigations/M1035", "https://fight.mitre.org/mitigations/M1047", "https://fight.mitre.org/techniques/FGT5021" ], "status": "This is a theoretical behavior in context of 5G systems.", "typecode": "fight_technique" }, "related": [ { "dest-uuid": "ea7e5e52-dd1d-5756-8311-fe6705bdb083", "type": "mitigated-by" }, { "dest-uuid": "79119bb4-e146-5c99-ab3f-7ed4ed1e975a", "type": "mitigated-by" }, { "dest-uuid": "a30b7d01-b740-5538-b28d-d87befd5fd29", "type": "mitigated-by" }, { "dest-uuid": "becdcf31-3d2a-53bb-8251-51e9da4a0df6", "type": "detected-by" }, { "dest-uuid": "1725d4c2-fee4-55e5-a49b-12fce10c0a1c", "type": "detected-by" } ], "uuid": "7204f27e-130a-5f8e-a146-be299759a0b1", "value": "Tunnel Endpoint ID (TEID) uniqueness failure" }, { "description": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a service that accepts remote connections, such as telnet, SSH, and VNC.\r\n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1021)", "meta": { "access-required": "User, Administrative access", "addendums": [ "#### Addendum Name: VNF Access Services\r\n##### Architecture Segments: OA&M\r\n Adversary may use non-functional remote communication interfaces (SNMP/RPC, SSH) to change host configuration to enable host compromise.\r\n\r\nCloud tenants may deploy additional network services with their containers in their containers along with the main functionality of the 5G Virtual Network Function (VNF). These services can be deployed as part of the VNF itself, since they allow for VNF monitoring or remote configuration. To this end, it is possible that possibly unsafe remote access services such as SSH may be deployed into the containers. 
If these network services are directly accessible over the Internet (or from another tenant of the CaaS), then they are vulnerable to intrusion attacks. For example, adversaries may attempt to guess access credentials or to exploit known vulnerabilities in the management services APIs. If successful, the adversary now can use the access to this container through these services for additional follow-on techniques.\r\n\r\n" ], "architecture-segment": "OA&M", "bluf": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a service that accepts remote connections, such as telnet, SSH, and VNC.", "criticalassets": [ { "Description": "5G or RAN Network functions including VNF and PNFs", "Name": "Network functions" }, { "Description": "Virtualized 5G environment relies on underlying compute and SDN network elements which may be of interest to adversary", "Name": "Hosts, VMs, or Infrastructure elements" } ], "detections": [ { "detects": "Audit command logs", "fgdsid": "DS0017", "name": "Command" }, { "detects": "5G NFs have defined interfaces, any other session establishment activity may be unauthorized. Monitor traffic patterns and session sources along with blocked/denied activity.", "fgdsid": "DS0028", "name": "Logon Session" }, { "detects": "Monitor network traffic for expected and unexpected attempted and established connections", "fgdsid": "DS0029", "name": "Network Traffic" } ], "external_id": "FGT1021", "kill_chain": [ "fight:Lateral-Movement", "fight:Discovery" ], "mitigations": [ { "fgmid": "M1018", "mitigates": "Limit the accounts that may use remote services. 
Limit the permissions for accounts that are at higher risk of compromise; for example, configure SSH so users can only run specific programs.", "name": "User Account Management" }, { "fgmid": "M1032", "mitigates": "Use multi-factor authentication on remote service logons where possible.", "name": "Multi-factor Authentication" } ], "object-type": "technique", "platforms": "PNF, VNF Hosts", "refs": [ "[1] Fraunhofer AISEC, “Threat Analysis of Container-as-a-Service for Network Function “, Retrieved April 28 2022 - https://www.aisec.fraunhofer.de/content/dam/aisec/Dokumente/Publikationen/Studien_TechReports/englisch/caas_threat_analysis_wp.pdf", "https://attack.mitre.org/techniques/T1078", "https://fight.mitre.org/data%20sources/DS0017", "https://fight.mitre.org/data%20sources/DS0028", "https://fight.mitre.org/data%20sources/DS0029", "https://fight.mitre.org/mitigations/M1018", "https://fight.mitre.org/mitigations/M1032", "https://fight.mitre.org/techniques/FGT1021" ], "status": "This is an observed behavior in Enterprise networks, and is theoretical in context of 5G systems.", "typecode": "attack_technique_addendum" }, "related": [ { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "type": "related-to" }, { "dest-uuid": "686a3700-8ee3-52d3-954f-d2ec4abf14aa", "type": "mitigated-by" }, { "dest-uuid": "83f7cc44-00e0-5ca0-99a0-51de9c080ce0", "type": "mitigated-by" }, { "dest-uuid": "b4de23d7-4248-56f9-9468-6d1217a5f7ff", "type": "detected-by" }, { "dest-uuid": "859ecf98-b107-5a3a-886e-dfb46999fe09", "type": "detected-by" }, { "dest-uuid": "becdcf31-3d2a-53bb-8251-51e9da4a0df6", "type": "detected-by" } ], "uuid": "5070a116-df07-5ad9-a3d5-fc5c9f9cb198", "value": "Remote Services" }, { "description": "Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.\n\nSupply chain compromise can take place at any stage of the supply chain including:\n\n* Manipulation of development 
tools\n* Manipulation of a development environment\n* Manipulation of source code repositories (public or private)\n* Manipulation of source code in open-source dependencies\n* Manipulation of software update/distribution mechanisms\n* Compromised/infected system images (multiple cases of removable media infected at the factory)(Citation: IBM Storwize)(Citation: Schneider Electric USB Malware) \n* Replacement of legitimate software with modified versions\n* Sales of modified/counterfeit products to legitimate distributors\n* Shipment interdiction\n\nWhile supply chain compromise can impact any component of hardware or software, adversaries looking to gain execution have often focused on malicious additions to legitimate software in software distribution or update channels.(Citation: Avast CCleaner3 2018)(Citation: Microsoft Dofoil 2018)(Citation: Command Five SK 2011) Targeting may be specific to a desired victim set or malicious software may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.(Citation: Symantec Elderwood Sept 2012)(Citation: Avast CCleaner3 2018)(Citation: Command Five SK 2011) Popular open source projects that are used as dependencies in many applications may also be targeted as a means to add malicious code to users of the dependency.(Citation: Trendmicro NPM Compromise).\r\n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1195)", "meta": { "access-required": "User/NPE/Administrative access", "addendums": [ "#### Addendum Name: 5G Supply Chain Compromise\r\n##### Architecture Segments: OA&M, Virtualization, RAN, O-RAN\r\n Adversaries may manipulate products or product delivery mechanisms prior to deployment in an MNO’s production environment for the purpose of data or system compromise.\r\n\r\n5G deployments are expected to have various deployment models comprise of vendor supplied VNF/CNFs, open-source software, and dedicated physical 
appliances from suppliers as well as white label hardware. It is also expected that 5G services to end-consumer may include third party services to support resources required by 5G Core and RAN elements such as third party back haul, MEC or commercial Cloud data centers resources. The resources also include O-RAN elements such as O-DU, O-RU and O-CU. Adversary may use a software, hardware, or service supply chain to insert compromised components (binaries, Firmware, compromised processing chips) in the supply chain of a targeted MNO or taint entire supply chain first to have option to select a target from victims receiving compromised products. Opensource communities may be vulnerable to accidental or intentional compromise. These days a lot of reputable vendors also use open-source components in their license products, Opensource community may become a conduit to a target victim.\r\n\r\n" ], "architecture-segment": "OA&M, Virtualization, RAN, O-RAN", "bluf": "Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.\n\nSupply chain compromise can take place at any stage of the supply chain including:\n\n* Manipulation of development tools\n* Manipulation of a development environment\n* Manipulation of source code repositories (public or private)\n* Manipulation of source code in open-source dependencies\n* Manipulation of software update/distribution mechanisms\n* Compromised/infected system images (multiple cases of removable media infected at the factory)(Citation: IBM Storwize)(Citation: Schneider Electric USB Malware) \n* Replacement of legitimate software with modified versions\n* Sales of modified/counterfeit products to legitimate distributors\n* Shipment interdiction\n\nWhile supply chain compromise can impact any component of hardware or software, adversaries looking to gain execution have often focused on malicious additions to legitimate software in software 
distribution or update channels.(Citation: Avast CCleaner3 2018)(Citation: Microsoft Dofoil 2018)(Citation: Command Five SK 2011) Targeting may be specific to a desired victim set or malicious software may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.(Citation: Symantec Elderwood Sept 2012)(Citation: Avast CCleaner3 2018)(Citation: Command Five SK 2011) Popular open source projects that are used as dependencies in many applications may also be targeted as a means to add malicious code to users of the dependency.(Citation: Trendmicro NPM Compromise).", "criticalassets": [ { "Description": "Network functions are prime target to impact 5G communication services", "Name": "CORE, RAN VNFs" }, { "Description": "OSS tools have privileged access and broad reachability and may be used to change configuration of the network by adversary.", "Name": "OSS Tools" }, { "Description": "Security tools have privileged access and broad reachability may be used to evade defenses and allow for lateral movements by the adversary", "Name": "Security tools" }, { "Description": "CI/CD tools may be used for inserting malware or poisoned images as well as change the network elements deployed and their behavior.", "Name": "CI/CD Tools" } ], "detections": [ { "detects": "Perform physical inspection of hardware to look for potential tampering. Perform integrity checking on pre-OS boot mechanisms that can be manipulated for malicious purposes and compare against known good baseline behavior.", "fgdsid": "DS0013", "name": "Sensor Health" }, { "detects": "Use verification of distributed binaries through hash checking or other integrity checking mechanisms. 
Scan downloads for malicious signatures and attempt to test software and updates prior to deployment while taking note of potential suspicious activity.", "fgdsid": "DS0022", "name": "File" } ], "external_id": "FGT1195", "kill_chain": [ "fight:Initial-Access", "fight:Credential-Access" ], "mitigations": [ { "fgmid": "M1016", "mitigates": "Vulnerability Scanning of software before it is brought into MNO environment as well as regular scans to detect abnormal behavior", "name": "Vulnerability Scanning" }, { "fgmid": "M1051", "mitigates": "Update Software regularly", "name": "Update Software" } ], "object-type": "technique", "platforms": "Infrastructure, CI/CD, OA&M Tools, VNFs", "refs": [ "[1] ETSI NFV SEC001, “Network Functions Virtualization (NFV ; NFV Security; Problem Statement”, Jan. 2014, section 6.9 - https://www.etsi.org/deliver/etsi_gs/nfv-sec/001_099/001/01.01.01_60/gs_nfv-sec001v010101p.pdf", "[2] The Untold Story of the Boldest Supply-Chain Hack Ever - https://www.wired.com/story/the-untold-story-of-solarwinds-the-boldest-supply-chain-hack-ever/", "https://attack.mitre.org/techniques/T1195", "https://fight.mitre.org/data%20sources/DS0013", "https://fight.mitre.org/data%20sources/DS0022", "https://fight.mitre.org/mitigations/M1016", "https://fight.mitre.org/mitigations/M1051", "https://fight.mitre.org/techniques/FGT1195" ], "status": "This is an observed behavior in Enterprise networks, and is theoretical in context of 5G systems.", "typecode": "attack_technique_addendum" }, "related": [ { "dest-uuid": "3f18edba-28f4-4bb9-82c3-8aa60dcac5f7", "type": "related-to" }, { "dest-uuid": "182337e0-b8d6-55da-9e9b-141029f9eb9b", "type": "mitigated-by" }, { "dest-uuid": "f54f2c17-0cf6-536a-b52e-a886652815d6", "type": "mitigated-by" }, { "dest-uuid": "5cbb4ceb-09b7-569d-b397-30ce5f6b99cb", "type": "detected-by" }, { "dest-uuid": "6151c447-21b5-5530-8760-375ac25fb3e8", "type": "detected-by" } ], "uuid": "6d098b34-48eb-5f31-88ac-0a1f8028541c", "value": "Supply Chain 
Compromise" }, { "description": "Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network.\r\n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1072)", "meta": { "access-required": "User/NPE/Administrative access", "addendums": [ "#### Addendum Name: 5G Orchestration and Deployment Tools\r\n##### Architecture Segments: OA&M, Virtualization, Supply Chain, RAN, UE\r\n An adversary may use CI/CD tools to gain access to production hosts/VNFs for discovery, data exfiltration and for deployment of lateral movements tools. \r\n\r\nIn 5G deployments, MNO’s development and deployment tools offer a conduit to 5G production RAN and Core network functions. CI/CD tools have a greater access to Software during development lifecycle, an adversary may be able to find a back door to software in production environment- a very similar scenario to SolarWinds hack, where compromised software was deployed on thousands of hosts via a software upgrade carrying compromised image. \r\n\r\nManagement and Orchestration is a framework for managing and orchestrating network functions virtualization (NFV) infrastructure, resources, and services. It provides a standard approach for the management and orchestration of network services in NFV environments, including the automation of tasks such as network service deployment, scaling, and network function lifecycle management. 
MANO toolset if misconfigured or APIs not properly secured can provide an attack vector to adversary with grave consequences to network and its services.\r\n\r\n" ], "architecture-segment": "OA&M, Virtualization, Supply Chain, RAN, UE", "bluf": "Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network.", "criticalassets": [ { "Description": "Software development and deployment tools in MNO (and supplier) environments", "Name": "CI/CD Tools" }, { "Description": "Scanning, monitoring, and end point protection tools", "Name": "Security Tools" }, { "Description": "Operation and system support tools", "Name": "OSS Tools" } ], "detections": [ { "detects": "Monitor for newly executed processes that do not correlate to known good software. Analyze the process execution trees, historical activities from the third-party application (such as what types of files are usually pushed), and the resulting activities or events from the file/binary/script pushed to systems.", "fgdsid": "DS0009", "name": "Process" }, { "detects": "Often these third-party applications will have logs of their own that can be collected and correlated with other data from the environment. Ensure that third-party application logs are on-boarded to the enterprise logging system and the logs are regularly reviewed. Audit software deployment logs and look for suspicious or unauthorized activity. A system not typically used to push software to clients that suddenly is used for such a task outside of a known admin function may be suspicious. Monitor account login activity on these applications to detect suspicious/abnormal usage. 
Perform application deployment at regular times so that irregular deployment activity stands out.", "fgdsid": "DS0015", "name": "Application Log" } ], "external_id": "FGT1072", "kill_chain": [ "fight:Execution", "fight:Lateral-Movement" ], "mitigations": [ { "fgmid": "M1018", "mitigates": "User Account Management: limited and least-privileged user accounts", "name": "User Account Management" }, { "fgmid": "M1026", "mitigates": "Privileged Account Management: unique, least-privileged accounts, and regular audits of access attempts", "name": "Privileged Account Management" }, { "fgmid": "M1027", "mitigates": "Password Policies: no credential sharing, to create traceability", "name": "Password Policies" }, { "fgmid": "M1029", "mitigates": "Remote Data Storage: restrict access and monitor repository activity", "name": "Remote Data Storage" }, { "fgmid": "M1030", "mitigates": "Network Segmentation limits lateral movement; insert application-aware firewalls between segments", "name": "Network Segmentation" }, { "fgmid": "M1032", "mitigates": "Multi-factor Authentication adds an additional layer of security against compromised credentials as well as increased accountability", "name": "Multi-factor Authentication" }, { "fgmid": "M1051", "mitigates": "Update Software regularly to eliminate persistence", "name": "Update Software" } ], "object-type": "technique", "platforms": "Infrastructure, PNF, VNF Hosts", "procedureexamples": [ { "Description": "Silence has used RAdmin, a remote software tool used to remotely control workstations and ATMs", "Name": "[G0091](https://attack.mitre.org/groups/G0091)" }, { "Description": "It is believed that a patch management system for an anti-virus product commonly installed among targeted companies was used to distribute the Wiper malware", "Name": "[S0041](https://attack.mitre.org/software/S0041)" } ], "refs": [ "[1] ETSI NFV SEC001, “Network Functions Virtualization (NFV); NFV Security; Problem Statement”, Jan. 
2014, section 6.9 - https://www.etsi.org/deliver/etsi_gs/nfv-sec/001_099/001/01.01.01_60/gs_nfv-sec001v010101p.pdf", "[2] R. Pell, S. Moschoyiannis, E. Panaousis, R. Heartfield, “Towards dynamic threat modelling in 5G core networks based on MITRE ATT&CK”,  October 2021 - https://arxiv.org/abs/2108.11206", "[3] Dell SecureWorks. (2013, March 21 . Wiper Malware Analysis Attacking Korean Financial Sector. Retrieved May 13, 2015. - http://www.secureworks.com/cyber-threat-intelligence/threats/wiper-malware-analysis-attacking-korean-financial-sector/", "[4] Silence – a new Trojan attacking financial organizations (accessed 06/20/2023 - https://securelist.com/the-silence/83009/", "https://attack.mitre.org/techniques/T1072", "https://fight.mitre.org/data%20sources/DS0009", "https://fight.mitre.org/data%20sources/DS0015", "https://fight.mitre.org/mitigations/M1018", "https://fight.mitre.org/mitigations/M1026", "https://fight.mitre.org/mitigations/M1027", "https://fight.mitre.org/mitigations/M1029", "https://fight.mitre.org/mitigations/M1030", "https://fight.mitre.org/mitigations/M1032", "https://fight.mitre.org/mitigations/M1051", "https://fight.mitre.org/techniques/FGT1072" ], "status": "This is an observed behavior in Enterprise networks, and is theoretical in context of 5G systems.", "typecode": "attack_technique_addendum" }, "related": [ { "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", "type": "related-to" }, { "dest-uuid": "686a3700-8ee3-52d3-954f-d2ec4abf14aa", "type": "mitigated-by" }, { "dest-uuid": "177506f3-cd8d-5035-b807-6528e3a75c5f", "type": "mitigated-by" }, { "dest-uuid": "69dd1793-f0d3-51dc-974d-a43031c0b343", "type": "mitigated-by" }, { "dest-uuid": "17ed120e-33c6-5992-a6f6-dad8dbb2e1aa", "type": "mitigated-by" }, { "dest-uuid": "9c376223-8d89-5179-8a56-51de20697bd2", "type": "mitigated-by" }, { "dest-uuid": "83f7cc44-00e0-5ca0-99a0-51de9c080ce0", "type": "mitigated-by" }, { "dest-uuid": "f54f2c17-0cf6-536a-b52e-a886652815d6", "type": "mitigated-by" 
}, { "dest-uuid": "2251c650-0578-5b11-ab47-d05f1166dc47", "type": "detected-by" }, { "dest-uuid": "3c23d0f7-d55c-5891-90b9-c744e976f0ef", "type": "detected-by" } ], "uuid": "b3ff1c97-374b-57b4-b58a-05a026d58889", "value": "Software Deployment Tools" }, { "description": "Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion.\r\n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1078/004)", "meta": { "access-required": "User/NPE/Administrative access", "addendums": [ "#### Addendum Name: Container Management- Unauthorized access\r\n##### Architecture Segments: Virtualization, OA&M, RAN, O-RAN\r\n An adversary may use privileged accounts of valid, role-based accounts for management services to gain access to network elements.\r\n\r\nAn adversary may also use a valid account with excessive privileges (i.e., does not follow least privilege policy) to gain access to container execution environment. If access rights are not tailored to specific needs of users, the risk to attack container execution increases.\r\n\r\nInternal or external adversary may gain access to management account credentials (e.g. due to weak account management practices) allowing access to VNF containers for persistence, and defense evasion.\r\n\r\n" ], "architecture-segment": "Virtualization, OA&M, RAN, O-RAN", "bluf": "Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion.", "criticalassets": [ { "Description": "RAN and Core CNFs", "Name": "Containerized network functions" }, { "Description": "Cloud, Kubernetes, or Openstack administrative controllers", "Name": "Cloud/virtualized container Management controllers" } ], "detections": [ { "detects": "Monitor user account authentication activity. 
Monitor the activity of cloud accounts to detect abnormal or malicious behavior, such as accessing information outside of the normal function of the account or account usage at atypical hours. Repeated attempts may be indicative of password guessing or brute-force password cracking. Password policies that lock the account and require an administrative reset may help.", "fgdsid": "DS0002", "name": "User Account" }, { "detects": "Monitor for suspicious account behavior across cloud services that share an account. Logon session logs and metadata help determine whether the session was an authorized activity.", "fgdsid": "DS0028", "name": "Logon Session" } ], "external_id": "FGT1078.004", "kill_chain": [ "fight:Defense-Evasion", "fight:Persistence", "fight:Privilege-Escalation", "fight:Initial-Access" ], "mitigations": [ { "fgmid": "M1017", "mitigates": "Applications may send push notifications to verify a login as a form of multi-factor authentication (MFA). Train users to only accept valid push notifications and to report suspicious push notifications.", "name": "User Training" }, { "fgmid": "M1018", "mitigates": "Periodically review user accounts and remove those that are inactive or unnecessary. Limit the ability for user accounts to create additional accounts.", "name": "User Account Management" }, { "fgmid": "M1026", "mitigates": "Review privileged cloud account permission levels routinely to look for those that could allow an adversary to gain wide access.", "name": "Privileged Account Management" }, { "fgmid": "M1027", "mitigates": "Ensure that cloud accounts, particularly privileged accounts, have complex, unique passwords across all systems on the network. Passwords and access keys should be rotated regularly. This limits the amount of time credentials can be used to access resources if a credential is compromised without your knowledge. 
Rotate access keys regularly.", "name": "Password Policies" }, { "fgmid": "M1032", "mitigates": "Use multi-factor authentication for cloud and virtualization OSS accounts used for VNF deployments, especially privileged accounts.", "name": "Multi-factor Authentication" } ], "object-type": "technique", "platforms": "Infrastructure, CI/CD, OA&M Tools", "procedureexamples": [ { "Description": "Peirates is a post-exploitation Kubernetes exploitation framework with a focus on gathering service account tokens for lateral movement and privilege escalation. The tool is written in GoLang and publicly available on GitHub", "Name": "S0683" } ], "refs": [ "[1] ETSI NFV SEC023, Container Security Spec, section 5.4.4, Accessed 6/27/2022 - https://docbox.etsi.org/ISG/NFV/Open/Drafts/SEC023_Container_Security_Spec/NFV-SEC023v005.zip", "[2] Peirates - https://github.com/inguardians/peirates", "[3] Kubernetes Used in Brute-Force Attacks Tied to Russia’s APT28 - https://vulners.com/threatpost/THREATPOST:B25070E6CF075EEA6B20C4D8D25ADBE8", "https://attack.mitre.org/techniques/T1078/004", "https://fight.mitre.org/data%20sources/DS0002", "https://fight.mitre.org/data%20sources/DS0028", "https://fight.mitre.org/mitigations/M1017", "https://fight.mitre.org/mitigations/M1018", "https://fight.mitre.org/mitigations/M1026", "https://fight.mitre.org/mitigations/M1027", "https://fight.mitre.org/mitigations/M1032", "https://fight.mitre.org/techniques/FGT1078.004" ], "status": "This is an observed behavior in Enterprise networks, and is theoretical in context of 5G systems.", "subtechnique-of": "FGT1078", "typecode": "attack_subtechnique_addendum" }, "related": [ { "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "type": "related-to" }, { "dest-uuid": "aa26e841-b71e-59d1-840b-15d8fec5e032", "type": "mitigated-by" }, { "dest-uuid": "686a3700-8ee3-52d3-954f-d2ec4abf14aa", "type": "mitigated-by" }, { "dest-uuid": "177506f3-cd8d-5035-b807-6528e3a75c5f", "type": "mitigated-by" }, { "dest-uuid": 
"69dd1793-f0d3-51dc-974d-a43031c0b343", "type": "mitigated-by" }, { "dest-uuid": "83f7cc44-00e0-5ca0-99a0-51de9c080ce0", "type": "mitigated-by" }, { "dest-uuid": "eed23463-a7b6-555c-a7bf-2c3832fb00d0", "type": "detected-by" }, { "dest-uuid": "859ecf98-b107-5a3a-886e-dfb46999fe09", "type": "detected-by" }, { "dest-uuid": "885cc34d-43de-5539-82f0-8b7d98b8e4a1", "type": "subtechnique-of" } ], "uuid": "0d675425-11e0-58a1-a076-bc39275c7c13", "value": "Cloud Accounts" }, { "description": "An adversary may use a fake or compromised container management controller to deploy fake VNFs to collect information from the network.\r\n\r\nInstantiation of malicious Virtual Network Functions (VNFs) can also be achieved via a compromised Virtual Infrastructure Manager (VIM): by inclusion of concealed software within a legitimate VIM, by allocating virtual resources for fake instances, or by using a malicious or compromised identity provider (one that reuses the same identity for several VNFs with the same key pair without the knowledge of MANO). An adversary may also use malicious attestation server attacks, etc. 
VNF instantiation may allow the adversary to register the VNF with the 5G core and launch further attacks.", "meta": { "access-required": "User/NPE/Administrative access, compromised Keys/tokens", "architecture-segment": "OA&M, Virtualization", "bluf": "An adversary may use a fake or compromised container management controller to deploy fake VNFs to collect information from the network.", "criticalassets": [ { "Description": "The container and container engine may expose privileged information to the adversary directly from the process or through the container engine.", "Name": "Container and Container engines" }, { "Description": "In a container management architecture (Kubernetes, for example) the adversary may use kubelet commands or the API proxy to gain access to information and control of the container.", "Name": "Container Management Controller system" }, { "Description": "NF orchestrators", "Name": "NFO" } ], "detections": [ { "detects": "Monitor pod creation and modification events.", "fgdsid": "DS0014", "name": "Pod" }, { "detects": "Audit application logs (NFVO, VIM). Configuration management databases (CMDB) and other asset management systems may help with the detection of computer systems or network devices that should not exist on a network.", "fgdsid": "DS0015", "name": "Application Log" }, { "detects": "Monitor container creation and container start events", "fgdsid": "DS0032", "name": "Container" } ], "external_id": "FGT5013", "kill_chain": [ "fight:Discovery", "fight:Collection" ], "mitigations": [ { "fgmid": "M1018", "mitigates": "Enforce the principle of least privilege by limiting container dashboard access to only the necessary users.", "name": "User Account Management" }, { "fgmid": "M1030", "mitigates": "Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls.", "name": "Network Segmentation" }, { "fgmid": "M1035", "mitigates": "Limit communications with the container service to local Unix sockets or remote access via SSH. 
Require secure port access to communicate with the APIs over TLS by disabling unauthenticated access to the Docker API, Kubernetes API Server, and container orchestration web applications.", "name": "Limit Access to Resource Over Network" }, { "fgmid": "M1047", "mitigates": "Scan images before deployment, and block those that are not in compliance with security policies. In Kubernetes environments, the admission controller can be used to validate images after a container deployment request is authenticated but before the container is deployed.", "name": "Audit" } ], "object-type": "technique", "platforms": "ICAM, CI/CD, OA&M Tools", "procedureexamples": [ { "Description": "Peirates can deploy a pod that mounts its node’s root file system, then execute a command to create a reverse shell on the node", "Name": "S0683" }, { "Description": "Doki was run through a deployed container", "Name": "S0600" }, { "Description": "TeamTNT has deployed different types of containers into victim environments to facilitate execution.", "Name": "G0139" } ], "refs": [ "[1] ETSI NFV SEC025, Secure End-to-End VNF and NS management specification\nRelease 4, section 4.4.3, accessed 6/28/2022 - https://docbox.etsi.org/ISG/NFV/Open/Drafts/SEC025_Secure_E2E_VNF_&_NS_management/NFV-SEC025v0012.zip", "https://fight.mitre.org/data%20sources/DS0014", "https://fight.mitre.org/data%20sources/DS0015", "https://fight.mitre.org/data%20sources/DS0032", "https://fight.mitre.org/mitigations/M1018", "https://fight.mitre.org/mitigations/M1030", "https://fight.mitre.org/mitigations/M1035", "https://fight.mitre.org/mitigations/M1047", "https://fight.mitre.org/techniques/FGT5013" ], "status": "This is a theoretical behavior in context of 5G systems.", "typecode": "fight_technique" }, "related": [ { "dest-uuid": "686a3700-8ee3-52d3-954f-d2ec4abf14aa", "type": "mitigated-by" }, { "dest-uuid": "9c376223-8d89-5179-8a56-51de20697bd2", "type": "mitigated-by" }, { "dest-uuid": "79119bb4-e146-5c99-ab3f-7ed4ed1e975a", 
"type": "mitigated-by" }, { "dest-uuid": "a30b7d01-b740-5538-b28d-d87befd5fd29", "type": "mitigated-by" }, { "dest-uuid": "e133dc78-4dc5-5302-85b6-ad5c552803ad", "type": "detected-by" }, { "dest-uuid": "3c23d0f7-d55c-5891-90b9-c744e976f0ef", "type": "detected-by" }, { "dest-uuid": "ec826f62-f75d-54a6-ad04-6b19f808283f", "type": "detected-by" } ], "uuid": "41195cb9-821e-5ae3-8a07-ff966e809743", "value": "Malicious VNF Instantiation" }, { "description": "An adversary may use an NFVI controller to gain access to data from a suspended or stopped VNF to extract sensitive information.\r\n\r\nA container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment. An unauthorized access to terminated/suspended VNF in NFVI can expose data not erased from a state change process. This may include virtual resources released from a terminated VNF or from a VNF that has released resources after a move or a scaling process. This may also enable inclusion of concealed software in NFVI to prevent the deletion/erasure of data and states of the VNF that has been terminated. 
Data may include application data and cryptographic keys (service accounts).", "meta": { "access-required": "User/NPE/Administrative access, compromised Keys/tokens", "architecture-segment": "OA&M, Virtualization", "bluf": "An adversary may use an NFVI controller to gain access to data from a suspended or stopped VNF to extract sensitive information.", "criticalassets": [ { "Description": "The container and container engine may expose privileged information to the adversary directly from the process or through the container engine.", "Name": "Container and Container engines" }, { "Description": "In a container management architecture (Kubernetes, for example) the adversary may use kubelet commands or the API proxy to gain access to information and control of the container.", "Name": "Container Management Controller system" } ], "detections": [], "external_id": "FGT1609.501", "kill_chain": [ "fight:Credential-Access", "fight:Discovery" ], "mitigations": [ { "fgmid": "M1018", "mitigates": "Enforce authentication and role-based access control on the container service to restrict users to the least privileges required.", "name": "User Account Management" }, { "fgmid": "M1026", "mitigates": "In Kubernetes environments, consider defining a Pod Security Policy that prevents pods from running privileged containers", "name": "Privileged Account Management" }, { "fgmid": "M1035", "mitigates": "Limit communications with the container service to local Unix sockets or remote access via SSH. 
Require secure port access to communicate with the APIs over TLS by disabling unauthenticated access to the Docker API and Kubernetes API Server", "name": "Limit Access to Resource Over Network" }, { "fgmid": "M1038", "mitigates": "Use read-only containers, read-only file systems, and minimal images when possible to prevent the execution of commands.", "name": "Execution Prevention" } ], "object-type": "technique", "platforms": "CI/CD, OA&M Tools", "procedureexamples": [ { "Description": "Peirates can use kubectl or the Kubernetes API to run commands.", "Name": "Kubectl" }, { "Description": "Siloscape can send kubectl commands to victim clusters through an IRC channel and can run kubectl locally to spread once within a victim cluster.", "Name": "Kubectl via IRC channels" } ], "refs": [ "[1] ETSI NFV SEC025, Secure End-to-End VNF and NS management specification\nRelease 4, section 4.4.6, accessed 6/28/2022 - https://docbox.etsi.org/ISG/NFV/Open/Drafts/SEC025_Secure_E2E_VNF_&_NS_management/NFV-SEC025v0012.zip", "https://fight.mitre.org/mitigations/M1018", "https://fight.mitre.org/mitigations/M1026", "https://fight.mitre.org/mitigations/M1035", "https://fight.mitre.org/mitigations/M1038", "https://fight.mitre.org/techniques/FGT1609.501" ], "status": "This is a theoretical behavior", "subtechnique-of": "FGT1609", "typecode": "fight_subtechnique_to_attack_technique" }, "related": [ { "dest-uuid": "686a3700-8ee3-52d3-954f-d2ec4abf14aa", "type": "mitigated-by" }, { "dest-uuid": "177506f3-cd8d-5035-b807-6528e3a75c5f", "type": "mitigated-by" }, { "dest-uuid": "79119bb4-e146-5c99-ab3f-7ed4ed1e975a", "type": "mitigated-by" }, { "dest-uuid": "9a269951-76a2-5c22-9f28-a2be9ba89a7f", "type": "mitigated-by" }, { "dest-uuid": "2e0867ae-af8b-5750-bccd-b2c00d4586d6", "type": "subtechnique-of" } ], "uuid": "5da5a574-4e9e-595f-abd1-b23a3aa71fbe", "value": "Accessing Terminated VNF" }, { "description": "An adversary running a malicious Virtual Network Function (VNF) may identify network 
resources co-resident on the same physical host.\r\n\r\nAn adversary may identify a VNF in a shared resource by observing protocols or standard ports in use on the node. Hardware and network resource separation is required to provide isolation and protection from an adversary mapping capabilities in the network for certain VNF/VNFc (container).", "meta": { "access-required": "User/NPE/Administrative access", "architecture-segment": "Virtualization, OA&M", "bluf": "An adversary running a malicious Virtual Network Function (VNF) may identify network resources co-resident on the same physical host.", "criticalassets": [ { "Description": "An adversary may identify high-value 5G network function targets for its exploits.", "Name": "VNF identity" }, { "Description": "An adversary may identify RAN, Core or slice VNFs for further exploits.", "Name": "Network identity" } ], "detections": [ { "detects": "Monitor POD creation and modification events.", "fgdsid": "DS0014", "name": "Pod" }, { "detects": "Audit application logs (NFVO, VIM). Configuration management databases (CMDB) and other asset management systems may help with the detection of computer systems or network devices that should not exist on a network.", "fgdsid": "DS0015", "name": "Application Log" }, { "detects": "Monitor command history on VNFs and hosts.", "fgdsid": "DS0017", "name": "Command" }, { "detects": "Monitor container creation and container start events.", "fgdsid": "DS0032", "name": "Container" } ], "external_id": "FGT5014", "kill_chain": [ "fight:Discovery" ], "mitigations": [ { "fgmid": "M1018", "mitigates": "Enforce the principle of least privilege by limiting container dashboard access to only the necessary users.", "name": "User Account Management" }, { "fgmid": "M1030", "mitigates": "Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls. 
Segment the execution environment by node and network.", "name": "Network Segmentation" }, { "fgmid": "M1035", "mitigates": "Limit communications with the container service to local Unix sockets or remote access via SSH. Require secure port access to communicate with the APIs over TLS by disabling unauthenticated access to the Docker API, Kubernetes API Server, and container orchestration web applications.", "name": "Limit Access to Resource Over Network" }, { "fgmid": "M1047", "mitigates": "Scan images before deployment, and block those that are not in compliance with security policies. In Kubernetes environments, the admission controller can be used to validate images after a container deployment request is authenticated but before the container is deployed.", "name": "Audit" } ], "object-type": "technique", "platforms": "virtualization, CI/CD, OA&M Tools", "procedureexamples": [ { "Description": "Peirates can deploy a pod that mounts its node’s root file system, then execute a command to create a reverse shell on the node.", "Name": "S0683" }, { "Description": "Doki was run through a deployed container.", "Name": "S0600" }, { "Description": "TeamTNT has deployed different types of containers into victim environments to facilitate execution.", "Name": "G0139" } ], "refs": [ "[1] Network Functions Virtualisation (NFV Release 4;\nSecurity; Isolation and trust domain specification\nRelease 4, section 4.2.1, Accessed 4/12/2022 - https://docbox.etsi.org/ISG/NFV/Open/Drafts/SEC026_Isolation_and_trust_domain", "https://fight.mitre.org/data%20sources/DS0014", "https://fight.mitre.org/data%20sources/DS0015", "https://fight.mitre.org/data%20sources/DS0017", "https://fight.mitre.org/data%20sources/DS0032", "https://fight.mitre.org/mitigations/M1018", "https://fight.mitre.org/mitigations/M1030", "https://fight.mitre.org/mitigations/M1035", "https://fight.mitre.org/mitigations/M1047", "https://fight.mitre.org/techniques/FGT5014" ], "status": "This is a theoretical behavior in 
context of 5G systems.", "typecode": "fight_technique" }, "related": [ { "dest-uuid": "686a3700-8ee3-52d3-954f-d2ec4abf14aa", "type": "mitigated-by" }, { "dest-uuid": "9c376223-8d89-5179-8a56-51de20697bd2", "type": "mitigated-by" }, { "dest-uuid": "79119bb4-e146-5c99-ab3f-7ed4ed1e975a", "type": "mitigated-by" }, { "dest-uuid": "a30b7d01-b740-5538-b28d-d87befd5fd29", "type": "mitigated-by" }, { "dest-uuid": "e133dc78-4dc5-5302-85b6-ad5c552803ad", "type": "detected-by" }, { "dest-uuid": "3c23d0f7-d55c-5891-90b9-c744e976f0ef", "type": "detected-by" }, { "dest-uuid": "b4de23d7-4248-56f9-9468-6d1217a5f7ff", "type": "detected-by" }, { "dest-uuid": "ec826f62-f75d-54a6-ad04-6b19f808283f", "type": "detected-by" } ], "uuid": "953fe631-28f3-539a-9ec6-0119fbba6208", "value": "Shared resource discovery" }, { "description": "An adversary may compromise a target Virtual Network Function (VNF) to gain unauthorized access to the data from the underlying resources shared with other VNFs.\r\n\r\nA malicious VNF instantiated in the VNF infrastructure may be able to access the resources reserved for another tenant VNF, if root or escalated privilege is gained due to misconfiguration of host or container. This exploitation can lead to unauthorized data access in shared resources. 
Multiple techniques can be used to isolate VNF or VNFc (container) where sharing virtualization resources is a business requirement to ensure a co-resident compromised or malicious VNF/VNFc cannot access shared resources or read data therein.", "meta": { "access-required": "User/NPE/Administrative access", "architecture-segment": "OA&M, Virtualization", "bluf": "An adversary may compromise a target Virtual Network Function (VNF) to gain unauthorized access to the data from the underlying resources shared with other VNFs.", "criticalassets": [ { "Description": "Adversary may identify high value 5G network functions targets for its exploits", "Name": "VNF and VNF Data" } ], "detections": [ { "detects": "Monitor process activity on node, hosts and VNFs.", "fgdsid": "DS0009", "name": "Process" }, { "detects": "Audit application logs (NFVO, VIM). Configuration management databases (CMDB) and other asset management systems may help with the detection of computer systems or network devices that should not exist on a network.", "fgdsid": "DS0015", "name": "Application Log" }, { "detects": "Monitor container creation, container start events", "fgdsid": "DS0032", "name": "Container" }, { "detects": "Monitor volume or storage modifications, attachment or read actions.", "fgdsid": "DS0034", "name": "Volume" } ], "external_id": "FGT1611.501", "kill_chain": [ "fight:Privilege-Escalation" ], "mitigations": [ { "fgmid": "M1018", "mitigates": "Enforce the principle of least privilege by limiting container dashboard access to only the necessary users.", "name": "User Account Management" }, { "fgmid": "M1030", "mitigates": "Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls. Segment execution environment with node and network.", "name": "Network Segmentation" }, { "fgmid": "M1035", "mitigates": "Limit communications with the container service to local Unix sockets or remote access via SSH. 
Require secure port access to communicate with the APIs over TLS by disabling unauthenticated access to the Docker API, Kubernetes API Server, and container orchestration web applications.", "name": "Limit Access to Resource Over Network" }, { "fgmid": "M1047", "mitigates": "Scan images before deployment, and block those that are not in compliance with security policies. In Kubernetes environments, the admission controller can be used to validate images after a container deployment request is authenticated but before the container is deployed.", "name": "Audit" } ], "object-type": "technique", "platforms": "CI/CD, OA&M Tools", "procedureexamples": [ { "Description": "Peirates can deploy a pod that mounts its node’s root file system, then execute a command to create a reverse shell on the node", "Name": "S0683" }, { "Description": "Doki was run through a deployed container", "Name": "S0600" }, { "Description": "TeamTNT has deployed different types of containers into victim environments to facilitate execution.", "Name": "G0139" } ], "refs": [ "[1] Network Functions Virtualisation (NFV Release 4;\nSecurity; Isolation and trust domain specification\nRelease 4, section 4.2.1, Accessed 4/12/2022 - https://docbox.etsi.org/ISG/NFV/Open/Drafts/SEC026_Isolation_and_trust_domain", "https://fight.mitre.org/data%20sources/DS0009", "https://fight.mitre.org/data%20sources/DS0015", "https://fight.mitre.org/data%20sources/DS0032", "https://fight.mitre.org/data%20sources/DS0034", "https://fight.mitre.org/mitigations/M1018", "https://fight.mitre.org/mitigations/M1030", "https://fight.mitre.org/mitigations/M1035", "https://fight.mitre.org/mitigations/M1047", "https://fight.mitre.org/techniques/FGT1611.501" ], "status": "This is a theoretical behavior", "subtechnique-of": "FGT1611", "typecode": "fight_subtechnique_to_attack_technique" }, "related": [ { "dest-uuid": "686a3700-8ee3-52d3-954f-d2ec4abf14aa", "type": "mitigated-by" }, { "dest-uuid": "9c376223-8d89-5179-8a56-51de20697bd2", 
"type": "mitigated-by" }, { "dest-uuid": "79119bb4-e146-5c99-ab3f-7ed4ed1e975a", "type": "mitigated-by" }, { "dest-uuid": "a30b7d01-b740-5538-b28d-d87befd5fd29", "type": "mitigated-by" }, { "dest-uuid": "2251c650-0578-5b11-ab47-d05f1166dc47", "type": "detected-by" }, { "dest-uuid": "3c23d0f7-d55c-5891-90b9-c744e976f0ef", "type": "detected-by" }, { "dest-uuid": "ec826f62-f75d-54a6-ad04-6b19f808283f", "type": "detected-by" }, { "dest-uuid": "656442c9-cfef-567b-8ee3-8df729d3eff2", "type": "detected-by" }, { "dest-uuid": "ece5710d-4edb-5077-acb5-65ec7c7b6eb3", "type": "subtechnique-of" } ], "uuid": "e347167e-d1f5-5309-a052-e8517cb4f476", "value": "Malicious privileged container VNF Shared Resource Access" }, { "description": "Adversaries may gain unauthorized access to information via a Virtual Network Function (VNF) shared for service designed for two different slices.\r\n\r\n5G functions deployment and slice creation is supported by NFVI resources. Network Function Virtualization Infrastructure (NFVI) can be exploited by compromise or abuse of trust on a VNF Orchestrator (VNFO) or VNF Manager (VNFM). An adversary may be able to create a network slice (NS) using the VNF (Common VNF) of a target Slice or create slice resources that share the NFVI resources of the target slice. Malicious co-tenancy activities can lead to unauthorized access to data, misuse of resources, or management actions.", "meta": { "access-required": "User/NPE/Administrative access", "architecture-segment": "Network Slice, Cloud Service Provider", "bluf": "Adversaries may gain unauthorized access to information via a Virtual Network Function (VNF) shared for service designed for two different slices. 
", "criticalassets": [ { "Description": "NFVI includes orchestrators, network managers, and network elements", "Name": "NFVI" }, { "Description": "5G Core, RAN and NON-SBI functions, virtual resources supporting VNF", "Name": "VNFs" }, { "Description": "Network slice SLA data, some information may be exposed if application functions are shared", "Name": "Slice Control and User Plane data" }, { "Description": "The application related data and sensitive parameters associated with a VNF", "Name": "VNF application data and sensitive parameters" } ], "detections": [ { "detects": "Monitor systems performance", "fgdsid": "DS0013", "name": "Sensor Health" }, { "detects": "Audit logs - Auditing logs for security, authentication and authorization activity, host access, hosts, virtualization orchestrator and managers can reveal behavioral anomalies", "fgdsid": "DS0015", "name": "Application Log" }, { "detects": "Audit Policy Violations - Automated user and resource policy compliance checks and instrumentation to alert on violation attempts", "fgdsid": "DS0028", "name": "Logon Session" }, { "detects": "Monitor network flows", "fgdsid": "DS0029", "name": "Network Traffic" } ], "external_id": "FGT1599.501", "kill_chain": [ "fight:Defense-Evasion" ], "mitigations": [ { "fgmid": "FGM5505", "mitigates": "Hardware Mediated Execution Environment -Employ secure, hardware- based execution integrity as part of host/server design", "name": "Hardware mediated execution environment" }, { "fgmid": "FGM5506", "mitigates": "Use of Network Slice Templates -Use of templates for network slicing can enforce baseline security and isolation requirements. 
These templates can be created for networks, compute and 5G slice functions deployments.", "name": "network slice templates" }, { "fgmid": "M1026", "mitigates": "Least Privilege Access Control Policy - Access control policies should be granular to allow for optimal access to service requirements.", "name": "Privileged Account Management" }, { "fgmid": "M1030", "mitigates": "Security and Trust zones -Security and trust zones can help isolate resources and can be mapped to business needs.\nMicro and Nano segmentation- Implementing segmentation policy at granular level, network and compute resources can prevent some co-residency threats when mapped to SLAs, Users, and Resource policies.\n\nPhysical separation- Hardware, network, and point of presence can be separated to provide additional isolation.", "name": "Network Segmentation" }, { "fgmid": "M1035", "mitigates": "Resource Policy enforcement -Create and enforce resource policy; policy can include SLA, quotas, QOS etc.", "name": "Limit Access to Resource Over Network" }, { "fgmid": "M1041", "mitigates": "Encryption can be used to protect data at rest and in transit", "name": "Encrypt Sensitive Information" } ], "object-type": "technique", "platforms": "OA&M, Virtualization, Slice", "procedureexamples": [ { "Description": "A legitimate tenant 1 uses the Os-ma-nfvo interface to read the NS information of another tenant 2 sharing the NFVO. The tenant 1 may get sensitive information on the NS topology for a NS of a competitor (tenant 2).", "Name": "Create Malicious Co-Tenancy" }, { "Description": "A malicious tenant on-boards unused NS/VNF just to consume on-boarding resources (e.g. fill the NS and VNF registries or software image repository) to limit the space available for other tenant.", "Name": "Consume on-boarding resources" }, { "Description": "A malicious tenant uses the Os-ma-nfvo interface to manage the NSs of another tenant. 
For example, this malicious tenant may scale down the NS of a competitor to get more resources for his own NS or scale up to increase resource cost of another tenant.", "Name": "Manipulate network slices of another tenant" } ], "refs": [ "[1] ETSI NFV SEC026 Isolation and trust domain specification, section 4.2.2 - https://docbox.etsi.org/ISG/NFV/Open/Drafts/SEC026_Isolation_and_trust_domain", "https://fight.mitre.org/data%20sources/DS0013", "https://fight.mitre.org/data%20sources/DS0015", "https://fight.mitre.org/data%20sources/DS0028", "https://fight.mitre.org/data%20sources/DS0029", "https://fight.mitre.org/mitigations/FGM5505", "https://fight.mitre.org/mitigations/FGM5506", "https://fight.mitre.org/mitigations/M1026", "https://fight.mitre.org/mitigations/M1030", "https://fight.mitre.org/mitigations/M1035", "https://fight.mitre.org/mitigations/M1041", "https://fight.mitre.org/techniques/FGT1599.501" ], "status": "This is a theoretical behavior", "subtechnique-of": "FGT1599", "typecode": "fight_subtechnique_to_attack_technique" }, "related": [ { "dest-uuid": "f3a29b91-8b44-53ed-8fe3-1c417f3ff8b9", "type": "mitigated-by" }, { "dest-uuid": "3fc82d7f-294b-59fd-9885-ec3c24d4259b", "type": "mitigated-by" }, { "dest-uuid": "177506f3-cd8d-5035-b807-6528e3a75c5f", "type": "mitigated-by" }, { "dest-uuid": "9c376223-8d89-5179-8a56-51de20697bd2", "type": "mitigated-by" }, { "dest-uuid": "79119bb4-e146-5c99-ab3f-7ed4ed1e975a", "type": "mitigated-by" }, { "dest-uuid": "71801a06-41bd-5336-a539-e8bea9d647f7", "type": "mitigated-by" }, { "dest-uuid": "5cbb4ceb-09b7-569d-b397-30ce5f6b99cb", "type": "detected-by" }, { "dest-uuid": "3c23d0f7-d55c-5891-90b9-c744e976f0ef", "type": "detected-by" }, { "dest-uuid": "859ecf98-b107-5a3a-886e-dfb46999fe09", "type": "detected-by" }, { "dest-uuid": "becdcf31-3d2a-53bb-8251-51e9da4a0df6", "type": "detected-by" }, { "dest-uuid": "45468bb6-5eb7-5f36-922a-5ee8f3da68d0", "type": "subtechnique-of" } ], "uuid": 
"1f9f31c2-085b-5268-8dc8-31854ae51883", "value": "Malicious co-tenancy exploit of NFVI (Network Slice)" }, { "description": "Adversaries may use a less secure slice to gain access to information in a more secure slice that uses the VNF (Common VNF) built on common infrastructure to misuse resources allocated to target VNFs or slice.\r\n\r\nA compromised (intentionally or simply misconfigured) VNF instantiated in one slice subnet may access resources of another slice subnet. A common Network Function Virtualization Orchestrator (NFVO) or Virtualized Infrastructure Manager (VIM) without proper safeguards may allow an adversary to starve a target slice or VNFs of the resources they need to meet the SLA and to create opportunities for information exposure.", "meta": { "access-required": "User/NPE/Administrative access", "architecture-segment": "Network Slice, Cloud Service Provider", "bluf": "Adversaries may use a less secure slice to gain access to information in a more secure slice that uses the VNF (Common VNF) built on common infrastructure to misuse resources allocated to target VNFs or slice.", "criticalassets": [ { "Description": "NFVI includes orchestrators, network managers, and network elements", "Name": "NFVI" }, { "Description": "5G Core, RAN and NON-SBI functions, virtual resources supporting VNF", "Name": "VNFs" }, { "Description": "Network slice SLA data, some information may be exposed if application functions are shared", "Name": "Slice Control and User Plane data" }, { "Description": "The application related data and sensitive parameters associated with a VNF", "Name": "VNF application data and sensitive parameters" }, { "Description": "LI application server manages user activity monitoring requests and monitoring set up of the user voice calls, SMS and data", "Name": "VNF Lawful Interception (LI) data" } ], "detections": [ { "detects": "Monitor systems performance", "fgdsid": "DS0013", "name": "Sensor Health" }, { "detects": "Audit logs - Auditing logs 
for security, authentication and authorization activity, host access, hosts, virtualization orchestrator and managers can reveal behavioral anomalies", "fgdsid": "DS0015", "name": "Application Log" }, { "detects": "Audit Policy Violations - Automated user and resource policy compliance checks and instrumentation to alert on violation attempts", "fgdsid": "DS0028", "name": "Logon Session" }, { "detects": "Monitor network flows", "fgdsid": "DS0029", "name": "Network Traffic" } ], "external_id": "FGT1599.502", "kill_chain": [ "fight:Defense-Evasion" ], "mitigations": [ { "fgmid": "FGM5505", "mitigates": "Hardware Mediated Execution Environment -Employ secure, hardware- based execution integrity as part of host/server design", "name": "Hardware mediated execution environment" }, { "fgmid": "FGM5506", "mitigates": "Use of Network Slice Templates -Use of templates for network slicing can enforce baseline security and isolation requirements. These templates can be created for networks, compute and 5G slice functions deployments.", "name": "network slice templates" }, { "fgmid": "M1026", "mitigates": "Least Privilege Access Control Policy - Access control policies should be granular to allow for optimal access to service requirements.", "name": "Privileged Account Management" }, { "fgmid": "M1030", "mitigates": "Security and Trust zones -Security and trust zones can help isolate resources and can be mapped to business needs.\nMicro and Nano segmentation- Implementing segmentation policy at granular level, network and compute resources can prevent some co-residency threats when mapped to SLAs, Users, and Resource policies.\n\nPhysical separation- Hardware, network, and point of presence can be separated to provide additional isolation.", "name": "Network Segmentation" }, { "fgmid": "M1035", "mitigates": "Resource Policy enforcement -Create and enforce resource policy; policy can include SLA, quotas, QOS etc.", "name": "Limit Access to Resource Over Network" }, { "fgmid": 
"M1041", "mitigates": "Encryption can be used to protect data at rest and in transit", "name": "Encrypt Sensitive Information" } ], "object-type": "technique", "platforms": "Slice, CSP", "procedureexamples": [ { "Description": "If a service provider uses network slicing and creates two slice subnets by creating network service instances on the same NFV environment (i.e. the same NFVO and functional blocks) and thus being built with resources of the same NFVI-PoP(s), this may lead to unauthorized access to resources/data of another slice.", "Name": "Use of common virtual orchestrators and infrastructure managers" } ], "refs": [ "[1] ETSI NFV SEC026 Isolation and trust domain specification, section 4.2.3 - https://docbox.etsi.org/ISG/NFV/Open/Drafts/SEC026_Isolation_and_trust_domain", "https://fight.mitre.org/data%20sources/DS0013", "https://fight.mitre.org/data%20sources/DS0015", "https://fight.mitre.org/data%20sources/DS0028", "https://fight.mitre.org/data%20sources/DS0029", "https://fight.mitre.org/mitigations/FGM5505", "https://fight.mitre.org/mitigations/FGM5506", "https://fight.mitre.org/mitigations/M1026", "https://fight.mitre.org/mitigations/M1030", "https://fight.mitre.org/mitigations/M1035", "https://fight.mitre.org/mitigations/M1041", "https://fight.mitre.org/techniques/FGT1599.502" ], "status": "This is a theoretical behavior", "subtechnique-of": "FGT1599", "typecode": "fight_subtechnique_to_attack_technique" }, "related": [ { "dest-uuid": "f3a29b91-8b44-53ed-8fe3-1c417f3ff8b9", "type": "mitigated-by" }, { "dest-uuid": "3fc82d7f-294b-59fd-9885-ec3c24d4259b", "type": "mitigated-by" }, { "dest-uuid": "177506f3-cd8d-5035-b807-6528e3a75c5f", "type": "mitigated-by" }, { "dest-uuid": "9c376223-8d89-5179-8a56-51de20697bd2", "type": "mitigated-by" }, { "dest-uuid": "79119bb4-e146-5c99-ab3f-7ed4ed1e975a", "type": "mitigated-by" }, { "dest-uuid": "71801a06-41bd-5336-a539-e8bea9d647f7", "type": "mitigated-by" }, { "dest-uuid": "5cbb4ceb-09b7-569d-b397-30ce5f6b99cb", 
"type": "detected-by" }, { "dest-uuid": "3c23d0f7-d55c-5891-90b9-c744e976f0ef", "type": "detected-by" }, { "dest-uuid": "859ecf98-b107-5a3a-886e-dfb46999fe09", "type": "detected-by" }, { "dest-uuid": "becdcf31-3d2a-53bb-8251-51e9da4a0df6", "type": "detected-by" }, { "dest-uuid": "45468bb6-5eb7-5f36-922a-5ee8f3da68d0", "type": "subtechnique-of" } ], "uuid": "419a7291-db26-5987-b525-cacc5c09211c", "value": "Network Slice infrastructure resource hijacking" }, { "description": "An adversary may use compromised container management SW (or account) in MANO domain to gain access to target VNFs and its resources for unauthorized access to resources/data of another slice in NFVI or resource exhaustion of target application resulting in denial of service.\r\n\r\nA Network Slice has a logical boundary, and within a NS certain performance SLAs are guaranteed. Malicious software or adversarial actions in the NFV-MANO modify the affinity and anti-affinity rules for the constituents of VNFs/NSs in the catalogue or during an instantiation operation requested to the VIM, modifying the virtual resource isolation needs for these VNFs/NSs and enabling further attacks. 
This can result in placing adversary’s virtualized application on the same VM or container engine as target NF and allow for further attacks of container or VM escape or resource exhaustion.", "meta": { "access-required": "User/NPE/Administrative access", "architecture-segment": "Network Slice, OA&M, Virtualization", "bluf": "An adversary may use compromised container management SW (or account) in MANO domain to gain access to target VNFs and its resources for unauthorized access to resources/data of another slice in NFVI or resource exhaustion of target application resulting in denial of service.", "criticalassets": [ { "Description": "NFVI includes orchestrators, network managers, and network elements", "Name": "NFVI" }, { "Description": "5G Core, RAN and Non-SBI functions, virtual resources supporting VNF", "Name": "VNFs" }, { "Description": "Network slice SLA data, some information may be exposed if application functions are shared", "Name": "Slice Control and User Plane data" }, { "Description": "The application related data and sensitive parameters associated with a VNF", "Name": "VNF application data and sensitive parameters" } ], "detections": [ { "detects": "Monitor systems performance", "fgdsid": "DS0013", "name": "Sensor Health" }, { "detects": "Audit logs - Auditing logs for security, authentication and authorization activity, host access, hosts, virtualization orchestrator and managers can reveal behavioral anomalies", "fgdsid": "DS0015", "name": "Application Log" }, { "detects": "Audit Policy Violations - Automated user and resource policy compliance checks and instrumentation to alert on violation attempts", "fgdsid": "DS0028", "name": "Logon Session" }, { "detects": "Monitor network flows", "fgdsid": "DS0029", "name": "Network Traffic" } ], "external_id": "FGT5038", "kill_chain": [ "fight:Impact" ], "mitigations": [ { "fgmid": "FGM5505", "mitigates": "Hardware Mediated Execution Environment -Employ secure, hardware- based execution integrity as part 
of host/server design (M1041).", "name": "Hardware mediated execution environment" }, { "fgmid": "FGM5506", "mitigates": "Use of Network Slice Templates -Use of templates for network slicing can enforce baseline security and isolation requirements. These templates can be created for networks, compute and 5G slice functions deployments.", "name": "network slice templates" }, { "fgmid": "M1026", "mitigates": "Least Privilege Access Control Policy - Access control policies should be granular to allow for optimal access to service requirements.", "name": "Privileged Account Management" }, { "fgmid": "M1030", "mitigates": "Security and Trust zones -Security and trust zones can help isolate resources and can be mapped to business needs.\nMicro and Nano segmentation- Implementing segmentation policy at granular level, network and compute resources can prevent some co-residency threats when mapped to SLAs, Users, and Resource policies.\n\nPhysical separation- Hardware, network, and point of presence can be separated to provide additional isolation.", "name": "Network Segmentation" }, { "fgmid": "M1035", "mitigates": "Resource Policy enforcement -Create and enforce resource policy; policy can include SLA, quotas, QOS etc.", "name": "Limit Access to Resource Over Network" }, { "fgmid": "M1041", "mitigates": "Encryption can be used to protect data at rest and in transit", "name": "Encrypt Sensitive Information" } ], "object-type": "technique", "platforms": "Slice", "refs": [ "[1] Fraunhofer AISEC, “Threat Analysis of Container-as-a-Service for Network Function”, accessed April 28, 2021 - https://www.aisec.fraunhofer.de/content/dam/aisec/Dokumente/Publikationen/Studien_TechReports/englisch/caas_threat_analysis_wp.pdf", "https://fight.mitre.org/data%20sources/DS0013", "https://fight.mitre.org/data%20sources/DS0015", "https://fight.mitre.org/data%20sources/DS0028", "https://fight.mitre.org/data%20sources/DS0029", "https://fight.mitre.org/mitigations/FGM5505", 
"https://fight.mitre.org/mitigations/FGM5506", "https://fight.mitre.org/mitigations/M1026", "https://fight.mitre.org/mitigations/M1030", "https://fight.mitre.org/mitigations/M1035", "https://fight.mitre.org/mitigations/M1041", "https://fight.mitre.org/techniques/FGT5038" ], "status": "This is a theoretical behavior", "typecode": "fight_technique" }, "related": [ { "dest-uuid": "f3a29b91-8b44-53ed-8fe3-1c417f3ff8b9", "type": "mitigated-by" }, { "dest-uuid": "3fc82d7f-294b-59fd-9885-ec3c24d4259b", "type": "mitigated-by" }, { "dest-uuid": "177506f3-cd8d-5035-b807-6528e3a75c5f", "type": "mitigated-by" }, { "dest-uuid": "9c376223-8d89-5179-8a56-51de20697bd2", "type": "mitigated-by" }, { "dest-uuid": "79119bb4-e146-5c99-ab3f-7ed4ed1e975a", "type": "mitigated-by" }, { "dest-uuid": "71801a06-41bd-5336-a539-e8bea9d647f7", "type": "mitigated-by" }, { "dest-uuid": "5cbb4ceb-09b7-569d-b397-30ce5f6b99cb", "type": "detected-by" }, { "dest-uuid": "3c23d0f7-d55c-5891-90b9-c744e976f0ef", "type": "detected-by" }, { "dest-uuid": "859ecf98-b107-5a3a-886e-dfb46999fe09", "type": "detected-by" }, { "dest-uuid": "becdcf31-3d2a-53bb-8251-51e9da4a0df6", "type": "detected-by" } ], "uuid": "6e75a12d-9572-52b2-9305-48df6aee9f56", "value": "Network Slice application resource hijacking" }, { "description": "Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network.\r\n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1040)", "meta": { "access-required": "User/NPE/Administrative access", "addendums": [ "#### Addendum Name: Network Elements\r\n##### Architecture Segments: User Plane, Control Plane, Roaming, Virtualization\r\n Adversaries may sniff network traffic to capture information about 5G environment, control and user plane data including authentication material, equipment identifiers.\r\n\r\nA compromise of network function (NF) supporting Service based 
(SBI), Non-Service Based (non-SBI), Roaming interfaces, and virtual network elements may allow an adversary to capture network traffic. \r\n\r\n\r\n The following Network interfaces are in the scope of this technique addendum:\r\n\r\n1.\t“Non-SBI” (non-Service Based Interface) network interfaces are within 5G core and RAN, and between the RAN and the 5G Core (e.g. N2, N3, N4, Xn). \r\n\r\n2.\tSBI network interfaces are between core NFs within an operator network; they use REST APIs.\r\n\r\n3.\tRoaming and interconnect interfaces, including IPX, are between network operators (between SEPPs, or other interworking functions like AMF/MME (N26) and between UPFs (N9)).\r\n\r\nAn adversary with access to the non-SBI interfaces not using encryption can monitor traffic exchange and obtain UE information such as user identifiers, serving network identifiers, and location info. \r\n\r\nAn adversary with access to the SBI links may eavesdrop on signaling messages if TLS encryption is not enabled. This leads to disclosure of UE authentication and authorization information, and NF IP addresses and other topology information.\r\n\r\nAn adversary positioned on an IPX node may collect data over the N32 interface while a UE is roaming, if a SEPP has used encryption on only some parts of the messages sent, or used a weak cipher for JWE encryption. Similarly, an adversary positioned on a SEPP can observe or easily decrypt signaling messages sent on the N32 interface.\r\n\r\nSimilarly, if the EPC interworking interface N26 for non-roaming is not encrypted, all subscriber signaling data may be exposed to the adversary.\r\n\r\nAn adversary may also use compromised virtualized network elements (vSwitch/vRouter, virtual firewalls) to span traffic to a sniffing port for access to traffic flows and user/system data. 
In a virtualized environment access can be gained much more easily as the servers making up a function are more likely to be physically and virtually distributed and the SDN vSwitch would allow an adversary to fork IP packets flowing between hosts remotely much more easily. Such forking is very difficult to detect or prevent from within a 3GPP NF or VM, and adversaries may be able to read data in transit. \r\n\r\nAn adversary may utilize these observations for several follow-on techniques.\r\n\r\n", "#### Addendum Name: Fronthaul\r\n##### Architecture Segments: User Plane, Control Plane, Roaming, Virtualization\r\n Adversaries may sniff network traffic to capture information about fronthaul user plane.\r\n\r\nORAN Alliance has defined the open fronthaul interface which connects one O-DU to one or more O-RUs inside the gNB. The fronthaul interface makes it possible to distribute the physical layer functionalities between RU and DU, and to control RU operations from DU. ORAN Alliance has selected a specific configuration (split 7.2x) for splitting of the physical layer among those proposed by 3GPP. The lower part of the physical layer (low PHY) resides in RU and performs Orthogonal Frequency Division Multiplexing (OFDM) phase compensation, inverse FFT and Cyclic Prefix (CP) insertion for frequency-to-time conversion in downlink, and FFT and CP removal in uplink. The physical layer in DU (high PHY) performs scrambling, modulation, layer mapping, and resource element mapping. Fronthaul consists of four types of interfaces: Control or C plane is used to carry control plane messages, User or U plane is used to carry user plane data, Synchronization or S plane is used to carry timing information and Management or M plane is used to carry management data.\r\n\r\nO-RAN fronthaul interface needs to implement strict performance requirements which includes very high throughput and very low latency. See clause 4.4 of [2]. 
Some security features may not be implemented by MNOs to meet those requirements and to reduce processing delay. Hence, Adversary on the Side (AoTS) attack on open fronthaul interface is possible which results in passive eavesdropping of U plane data. The adversary may use a simple sniffer device to monitor all U plane communications which is normally not encrypted at lower 3 layers (RLC, MAC and PHY). Confidentiality and integrity protection requirements are not specified by ORAN alliance for control, user and synchronization (CUS) planes, and those are mandatory for M plane. See clause 6.1 of [2] and clause 5.4 of [3].\r\n\r\nNote: The user plane data in PDCP and above layers remains encrypted on Fronthaul U plane and this eavesdrop attack will not impact any of those data unless PDCP security is also broken by the adversary.\r\n\r\n" ], "architecture-segment": "User Plane, Control Plane, Roaming, Virtualization", "bluf": "Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network.", "criticalassets": [ { "Description": "Sensitive User signaling such as authentication data, user location for the N32 interface", "Name": "UE data on roaming signaling interface" }, { "Description": "User data for the N9 interface", "Name": "UE data on roaming user plane interface" }, { "Description": "Signaling data, provisioning data, service discovery", "Name": "UP, CP Data" }, { "Description": "Sensitive subscriber user plane data will be available to the adversary.", "Name": "Sensitive subscriber data" } ], "detections": [ { "detects": "Monitor processes which may sniff data.", "fgdsid": "DS0009", "name": "Process" }, { "detects": "Monitor for allowed modifications relative to the agreed upon modifications per roaming agreements and agreements with IPX.", "fgdsid": "DS0015", "name": "Application Log" }, { "detects": "Monitor commands given to NFs which may help data sniffing.", "fgdsid": "DS0017", 
"name": "Command" }, { "detects": "Monitoring ability to detect new ports, devices on the network", "fgdsid": "DS0039", "name": "Asset" }, { "detects": "Monitor if security configurations in O-RU and O-DU are downgraded to weak or no security levels.", "fgdsid": "FGDS5022", "name": "Monitor security configurations" } ], "external_id": "FGT1040", "kill_chain": [ "fight:Discovery", "fight:Collection", "fight:Credential-Access" ], "mitigations": [ { "fgmid": "FGM5033", "mitigates": "Use zero trust for NF protection", "name": "Zero Trust" }, { "fgmid": "M1020", "mitigates": "Encrypt using TLS all links between NFs and between NF and SCP", "name": "SSL/TLS Inspection" }, { "fgmid": "M1040", "mitigates": "Monitor to ensure configurations do not change from acceptable options", "name": "Behavior Prevention on Endpoint" }, { "fgmid": "M1041", "mitigates": "Non-SBI: Use encryption (IPSec) on these interfaces. Sections 9.2, 9.3, 9.4, 9.8, 9.9 of [2], and for N26 interfaces, see 4.3.1. of [3].\n\nSBI: Encrypt using TLS all links between NFs and between NF and SCP if one is deployed. TLS must use certificates for both client and server, and the certificate must include the SBA node type and must be checked against what the expectation is for that other party. The TLS profile should adhere to those in TS 33.210 [9]. IPSec can be optionally used to protect TLS traffic further at a lower layer. Section 13.1.0 of [2] and also [8], [9].\n\nRoaming: For SEPP, see sections 4.2.3.3, 4.3., 4.4. 
of [4], and sections 13.1 and 13.2 of [2].", "name": "Encrypt Sensitive Information" }, { "fgmid": "M1054", "mitigates": "Ensure for MNO services that serve roaming partners that the minimum acceptable configuration is adequate and complies with [2] TS 33.501 clause 13.2.4.9.", "name": "Software Configuration" }, { "fgmid": "M1026", "mitigates": "Implement strong access control for all types of interfaces on originating switch and any intermediary devices on the fronthaul.", "name": "Privileged Account Management" }, { "fgmid": "M1030", "mitigates": "Implement network segmentation.", "name": "Network Segmentation" }, { "fgmid": "M1041", "mitigates": "Ensure fronthaul user plane data is protected with strong encryption algorithm. This will have performance impact on devices implementing it.", "name": "Encrypt Sensitive Information" }, { "fgmid": "M1047", "mitigates": "Perform hardware and software installation audits of all O-RAN open fronthaul components.", "name": "Audit" } ], "object-type": "technique", "platforms": "5G Network, RAN", "postconditions": [ { "Description": "As a follow-on attack, adversary may launch application layer fingerprinting attack based on the data collected at MAC and RLC layers. [See FGT1040.501]", "Name": "Application layer finger printing" } ], "preconditions": [ { "Description": "Adversary must have physical access to open fronthaul network to collect data.", "Name": "Adversary has access to open fronthaul network." } ], "procedureexamples": [ { "Description": "Adversary with access to the non-SBI interfaces (Xn, N2, N3, N4, N9) not using encryption can monitor traffic exchange and obtain UE information such as user identifiers, serving network identifiers, and location info. Non-SBI interfaces may not be encrypted for at least user plane or for control plane packets. 
See sections D.2.2., L.2.2., L.2.3 of [1]", "Name": "Non-SBI compromise" }, { "Description": "The adversary with access to the SBI links, for example, with control over the 5G Service Communication Proxy (SCP) or a network infrastructure node (proxy, router, switch), may eavesdrop signaling messages if TLS encryption is not enabled. This leads to disclosure of UE authentication and authorization information, and NF IP addresses and other topology information. See [6], [7].", "Name": "SBI node compromise" }, { "Description": "Adversary positioned on an IPX node can observe UE data if in the clear or easily decrypted: If a SEPP has not properly removed clear text information elements (IE) when replacing them with encrypted versions consistent with the previously negotiated protection policy or if the SEPP used a weak cipher for JWE encryption. See section G.2.4 of [1].", "Name": "IPX node compromise" }, { "Description": "The adversary positioned on a SEPP, can observe information elements on the N32c interface including cipher suites used, keys, protection policies exchanged, and error messages received from the peer SEPP. Observations on the N32f interface include cell ID and Physical Cell ID, SUPI, NF to NF signaling for a given victim UE. An adversary may utilize these observations for a number of follow-on techniques.", "Name": "SEPP compromise" }, { "Description": "Adversary launches AoTS attack on open fronthaul U plane data traffic by using a simple sniffer device. The fronthaul U plane data usually does not have encryption due to stringent performance requirements. Hence an eavesdrop attack is possible by a simple device.\n\nThis attack can only eavesdrop on user plane data below PDCP layer. Any user plane data in PDCP and above layers are not impacted by this attack. See clause 5.4.1.2, T-UPLANE-01 of [1], clause 6.1 of [2] and clause 5.4 of [3].", "Name": "Eavesdrop on U plane data on open fronthaul interface." 
} ], "refs": [ "[10] 3GPP TR 33.848 “Study on Security Impacts of Virtualization”. (WIP Section 5.15.2 - https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=3574", "[1] 3GPP TR 33.926 “Security Assurance Specification (SCAS threats and critical assets in 3GPP network product classes”, March 2022 - https://www.3gpp.org/DynaReport/33926.htm", "[1] O-RAN Threat Model 6.00 version - https://orandownloadsweb.azurewebsites.net/specifications", "[2] 3rd Generation Partnership Project (3GPP , “Security Architecture and Procedures for 5G System”, TS 33.501 v16.10.0 Release 16, March 2022 - https://www.3gpp.org/DynaReport/33501.htm", "[2] O-RAN WG4 Control, User, and Synchronization Plane Specification 12.00 version - https://orandownloadsweb.azurewebsites.net/specifications", "[3] 3GPP TS 23.501 “System architecture for the 5G System (5GS ”, March 2022 - https://www.3gpp.org/DynaReport/23501.htm", "[3] O-RAN WG4 Management Plane Specification 12.00 version - https://orandownloadsweb.azurewebsites.net/specifications", "[4] 3rd Generation Partnership Project (3GPP , “5G Security Assurance Specification (SCAS for the Security Edge Protection Proxy (SEPP network product class”, TS 33.517, ver. 17.0.0, Jun. 2021 - https://www.3gpp.org/DynaReport/33517.htm", "[5] G. Green, “5G Security when Roaming – Part 2,” Mpirical, Lancaster, UK, May 21,2021 - https://www.mpirical.com/blog/5g-security-when-roaming-part-2", "[6] R. Pell, S. Moschoyiannis, E. Panaousis, R. Heartfield, “Towards dynamic threat modelling in 5G core networks based on MITRE ATT&CK”, October 2021 - https://arxiv.org/abs/2108.11206", "[7] G. Koien, \"On Threats to the 5G Service Based Architecture\", 2021. - https://www.researchgate.net/publication/349455036_On_Threats_to_the_5G_Service_Based_Architecture", "[8] “The Transport Layer Security (TLS Protocol”, Version 1.2. 
RFC 5246 - https://www.ietf.org/rfc/rfc5246.txt", "[9] 3GPP TS 33.210 “Network Domain Security (NDS ; IP network layer security” - https://www.3gpp.org/DynaReport/33210.htm", "https://attack.mitre.org/techniques/T1040", "https://fight.mitre.org/data%20sources/DS0009", "https://fight.mitre.org/data%20sources/DS0015", "https://fight.mitre.org/data%20sources/DS0017", "https://fight.mitre.org/data%20sources/DS0039", "https://fight.mitre.org/data%20sources/FGDS5022", "https://fight.mitre.org/mitigations/FGM5033", "https://fight.mitre.org/mitigations/M1020", "https://fight.mitre.org/mitigations/M1026", "https://fight.mitre.org/mitigations/M1030", "https://fight.mitre.org/mitigations/M1040", "https://fight.mitre.org/mitigations/M1041", "https://fight.mitre.org/mitigations/M1047", "https://fight.mitre.org/mitigations/M1054", "https://fight.mitre.org/techniques/FGT1040" ], "status": "This is an observed behavior in Enterprise networks, and is theoretical in context of 5G systems.", "typecode": "attack_technique_addendum" }, "related": [ { "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", "type": "related-to" }, { "dest-uuid": "7d0e6026-b9d9-5aa3-84d5-b6e689615605", "type": "mitigated-by" }, { "dest-uuid": "31f00f97-157f-529c-96aa-e94a74f3a271", "type": "mitigated-by" }, { "dest-uuid": "ebbb02f1-0909-5282-8684-a188557e45c6", "type": "mitigated-by" }, { "dest-uuid": "71801a06-41bd-5336-a539-e8bea9d647f7", "type": "mitigated-by" }, { "dest-uuid": "dd78a499-3b11-5095-9db9-58cef55bef9e", "type": "mitigated-by" }, { "dest-uuid": "177506f3-cd8d-5035-b807-6528e3a75c5f", "type": "mitigated-by" }, { "dest-uuid": "9c376223-8d89-5179-8a56-51de20697bd2", "type": "mitigated-by" }, { "dest-uuid": "71801a06-41bd-5336-a539-e8bea9d647f7", "type": "mitigated-by" }, { "dest-uuid": "a30b7d01-b740-5538-b28d-d87befd5fd29", "type": "mitigated-by" }, { "dest-uuid": "2251c650-0578-5b11-ab47-d05f1166dc47", "type": "detected-by" }, { "dest-uuid": "3c23d0f7-d55c-5891-90b9-c744e976f0ef", "type": 
"detected-by" }, { "dest-uuid": "b4de23d7-4248-56f9-9468-6d1217a5f7ff", "type": "detected-by" }, { "dest-uuid": "74329f64-d1b9-5cc2-95a6-f924acadba2b", "type": "detected-by" }, { "dest-uuid": "10ca0edd-033d-5bb2-a4f7-27fc5f5ca2f8", "type": "detected-by" } ], "uuid": "d3c6705c-75d8-5243-93c2-37052321b3b8", "value": "Network Sniffing" }, { "description": "Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised infrastructure.\r\n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1020/001)", "meta": { "access-required": "User/NPE/Administrative access", "addendums": [ "#### Addendum Name: Network traffic duplication\r\n##### Architecture Segments: OA&M, Virtualization\r\n An adversary may use compromised virtualized network elements (vSwitch, vRouter, virtual firewalls) to span traffic to a sniffing port for access to user plane and control plane data.\r\n\r\nIn a virtualized environment, access can be gained much more easily as the servers making up a function are more likely to be virtually distributed, and the SDN vSwitch would allow an adversary to remotely fork IP packets flowing between hosts much more easily. Most network devices/software have capabilities for traffic duplication for troubleshooting or legal purposes (Lawful Interception). Such forking is very difficult to detect or prevent from within a 3GPP NF or VM. 
An adversary could read data in transit without being detected by application monitoring software.\r\n\r\n" ], "architecture-segment": "OA&M, Virtualization", "bluf": "Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised infrastructure.", "criticalassets": [ { "Description": "Virtual switch, Virtual Router, Virtual Firewalls, Virtual Load Balancers, SDN Controllers", "Name": "Virtual elements" } ], "detections": [ { "detects": "Monitor all user accounts accessing network devices to detect abnormal activity", "fgdsid": "DS0002", "name": "User Account" }, { "detects": "Monitor Command executions on the devices", "fgdsid": "DS0017", "name": "Command" }, { "detects": "Network elements use active and start up configuration files, monitoring configuration drifts can reveal abnormal activity", "fgdsid": "DS0022", "name": "File" }, { "detects": "Monitor log on sessions and escalation to higher privilege activity on the devices", "fgdsid": "DS0028", "name": "Logon Session" }, { "detects": "Monitor network traffic for new traffic flows, analyze socket connections and protocol used to determine abnormal behavior.", "fgdsid": "DS0029", "name": "Network Traffic" } ], "external_id": "FGT1020.001", "kill_chain": [ "fight:Discovery", "fight:Exfiltration" ], "mitigations": [ { "fgmid": "M1026", "mitigates": "Manage accounts with privilege to make changes either in the device or its controller.", "name": "Privileged Account Management" }, { "fgmid": "M1041", "mitigates": "Encrypt sensitive data flows for Control plane and User plane traffic", "name": "Encrypt Sensitive Information" } ], "object-type": "technique", "platforms": "5G", "refs": [ "[1] 3GPP TR 33.848 Security Impacts of Virtualization,\nSection 5.15.2 - https://www.3gpp.org/DynaReport/33848.htm", "https://attack.mitre.org/techniques/T1020/001", "https://fight.mitre.org/data%20sources/DS0002", "https://fight.mitre.org/data%20sources/DS0017", 
"https://fight.mitre.org/data%20sources/DS0022", "https://fight.mitre.org/data%20sources/DS0028", "https://fight.mitre.org/data%20sources/DS0029", "https://fight.mitre.org/mitigations/M1026", "https://fight.mitre.org/mitigations/M1041", "https://fight.mitre.org/techniques/FGT1020.001" ], "status": "This is an observed behavior in Enterprise networks, and is theoretical in context of 5G systems.", "subtechnique-of": "FGT1020", "typecode": "attack_subtechnique_addendum" }, "related": [ { "dest-uuid": "7c46b364-8496-4234-8a56-f7e6727e21e1", "type": "related-to" }, { "dest-uuid": "177506f3-cd8d-5035-b807-6528e3a75c5f", "type": "mitigated-by" }, { "dest-uuid": "71801a06-41bd-5336-a539-e8bea9d647f7", "type": "mitigated-by" }, { "dest-uuid": "eed23463-a7b6-555c-a7bf-2c3832fb00d0", "type": "detected-by" }, { "dest-uuid": "b4de23d7-4248-56f9-9468-6d1217a5f7ff", "type": "detected-by" }, { "dest-uuid": "6151c447-21b5-5530-8760-375ac25fb3e8", "type": "detected-by" }, { "dest-uuid": "859ecf98-b107-5a3a-886e-dfb46999fe09", "type": "detected-by" }, { "dest-uuid": "becdcf31-3d2a-53bb-8251-51e9da4a0df6", "type": "detected-by" }, { "dest-uuid": "734aef71-1f6a-508c-94ed-8583c7d6b685", "type": "subtechnique-of" } ], "uuid": "9e8de070-7cbb-57d8-b0c4-9087088980d6", "value": "Traffic Duplication" }, { "description": "Adversaries may gain unauthorized access to a Hardware Security Module (HSM) to sign keys and/or other derived key material that can be used to achieve additional goals. \r\n\r\nAn HSM is a hardware component that handles keying material (storage, computation). They can take the form of a plug-in card or an external device that attaches directly to a server. An HSM contains secure crypto-processor chips. MNOs use HSM\r\nappliances as a Root of Trust to secure their PKI infrastructure, which is used to sign certificates for gNBs and NFs. 
\r\n\r\nAlthough an HSM protects key material from compromise and from export if configured properly, an adversary may obtain privileges allowing them to utilize legitimate HSM functions, e.g., through PKCS #11 function calls, the Cryptoki library, etc., such that the adversary may obtain signatures and derivative key material seen as legitimate by other MNO NFs.", "meta": { "access-required": "Service Account", "architecture-segment": "Application Layer", "bluf": "Adversaries may gain unauthorized access to a Hardware Security Module (HSM) to sign keys and/or other derived key material that can be used to achieve additional goals.", "criticalassets": [ { "Description": "A physical computing device that safeguards and manages digital key material and performs operations such as encryption, decryption and signature generation.", "Name": "HSM" } ], "detections": [ { "detects": "Analyze the application logs for access from appropriate NFs and appropriate/typical use", "fgdsid": "DS0015", "name": "Application Log" }, { "detects": "Analyze access logs for appropriate use by admins", "fgdsid": "DS0028", "name": "Logon Session" }, { "detects": "Monitor for activity from unexpected sources", "fgdsid": "DS0029", "name": "Network Traffic" } ], "external_id": "FGT1555.501", "kill_chain": [ "fight:Credential-Access" ], "mitigations": [ { "fgmid": "M1017", "mitigates": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of unauthorized access to the HSM", "name": "User Training" }, { "fgmid": "M1018", "mitigates": "Restrict users of the HSM to minimal privileges from only permitted NFs", "name": "User Account Management" }, { "fgmid": "M1026", "mitigates": "Ensure administrative accounts for the HSM are carefully managed to minimize potential admin credential compromise. 
This may include use of privileged access workstations, privileged account management solutions, separation of duties approaches, etc.", "name": "Privileged Account Management" } ], "object-type": "technique", "platforms": "HSM", "postconditions": [ { "Description": "The adversary would have the ability to perform signing and cryptographic operations that would permit them to masquerade as a legitimate authorized user and perform operations against NFs.", "Name": "Adversary is able to perform crypto operations fraudulently." } ], "preconditions": [ { "Description": "Adversary acquires credentials with legitimate privileges to conduct operations using the HSM. Adversary has a position to initiate transactions with the HSM.", "Name": "Obtain service account credentials" } ], "procedureexamples": [ { "Description": "An adversary would compromise a function or service that has privileges to perform operations using the HSM and use other techniques to obtain the credentials. The adversary may perform operations from the compromised environment or exfiltrate the credentials to another system to perform the operations and conduct further activities.", "Name": "Credential compromise" } ], "refs": [ "[1] Baseline Security Controls – NO-009, FS.31 version 2.0, GSMA, February 2020 - https://www.gsma.com/security/wp-content/uploads/2020/02/FS.31-v2.0.pdf", "[2] A New Trust Model For The 5G Era, Thales, October 2020 - https://cpl.thalesgroup.com/sites/default/files/content/research_reports_white_papers/field_document/2020-10/New-Trust-Model-For-5G-Era-WP.pdf", "https://fight.mitre.org/data%20sources/DS0015", "https://fight.mitre.org/data%20sources/DS0028", "https://fight.mitre.org/data%20sources/DS0029", "https://fight.mitre.org/mitigations/M1017", "https://fight.mitre.org/mitigations/M1018", "https://fight.mitre.org/mitigations/M1026", "https://fight.mitre.org/techniques/FGT1555.501" ], "status": "This is a theoretical behavior in context of 5G systems.", "subtechnique-of": 
"FGT1555", "typecode": "fight_subtechnique_to_attack_technique" }, "related": [ { "dest-uuid": "aa26e841-b71e-59d1-840b-15d8fec5e032", "type": "mitigated-by" }, { "dest-uuid": "686a3700-8ee3-52d3-954f-d2ec4abf14aa", "type": "mitigated-by" }, { "dest-uuid": "177506f3-cd8d-5035-b807-6528e3a75c5f", "type": "mitigated-by" }, { "dest-uuid": "3c23d0f7-d55c-5891-90b9-c744e976f0ef", "type": "detected-by" }, { "dest-uuid": "859ecf98-b107-5a3a-886e-dfb46999fe09", "type": "detected-by" }, { "dest-uuid": "becdcf31-3d2a-53bb-8251-51e9da4a0df6", "type": "detected-by" }, { "dest-uuid": "e60d9edc-1991-55e6-bd53-fad92e88de9e", "type": "subtechnique-of" } ], "uuid": "50ebe22e-551f-5940-84fb-bd8afa677022", "value": "Hardware Security Module Key Signing" }, { "description": "An adversary may compromise the Equipment Identity Register (EIR) function and add new equipment or modify the status (ok vs. stolen or prohibited) of a mobile device.\r\n\r\nThe EIR is an optional component (applicable to 3G, 4G, 5G) storing the status of mobile equipment and optionally which Permanent Equipment Identifier (PEI) it is allowed to use. Compromising it can allow an adversary to modify the status of devices (e.g. \"stolen\", \"prohibited\"). \r\n\r\nNote: Modifying the EIR does not affect the subscription data such as access to network slice, customer data, or allow fraudulent use of service.", "meta": { "architecture-segment": "Control Plane", "bluf": "An adversary may compromise the Equipment Identity Register (EIR) function and add new equipment or modify the status (ok vs. stolen or prohibited) of a mobile device.", "criticalassets": [ { "Description": "Device databases should be protected from tampering.", "Name": "Integrity of device database" }, { "Description": "UE status should be kept accurate.", "Name": "User equipment status integrity" } ], "detections": [ { "detects": "Difficult to detect unauthorized changes. 
Inspect logs of what changes were made and by whom in the EIR", "fgdsid": "FGDS5009", "name": "Access to operator resource" } ], "external_id": "FGT5015", "kill_chain": [ "fight:Impact" ], "mitigations": [ { "fgmid": "FGM5020", "mitigates": "Secure EIR", "name": "Secure subscriber repositories" } ], "object-type": "technique", "platforms": "5G Network", "procedureexamples": [ { "Description": "Reference [1], DC-003, calls for the MNOs to employ an EIR. The rest of the attack is theoretical: an adversary may modify some of the entries in the EIR database, e.g. device status (stolen, etc.)\n\nThe AMF is the only function that checks the EIR based on PEI, upon UE registration (using the API N5g-eir_EquipmentIdentityCheck_Get).", "Name": "EIR database compromise" } ], "refs": [ "[1] GSM Association, “GSM Association Official Document FS.31, Baseline Security Controls.”, v3.0, Sep. 2023 - https://www.gsma.com/security/resources/fs-31-gsma-baseline-security-controls", "https://fight.mitre.org/data%20sources/FGDS5009", "https://fight.mitre.org/mitigations/FGM5020", "https://fight.mitre.org/techniques/FGT5015" ], "status": "This is a theoretical behavior in context of 5G systems.", "typecode": "fight_technique" }, "related": [ { "dest-uuid": "87b2315f-db71-566b-878f-9e579fb242af", "type": "mitigated-by" }, { "dest-uuid": "48956a40-c7df-5979-b4d3-4846eef3e0bb", "type": "detected-by" } ], "uuid": "c495a257-7155-54b2-abf8-86d87cf5693e", "value": "Device Database Manipulation" }, { "description": "An adversary-controlled UE may send high volumes of signaling messages to core network functions in order to cause a denial of service.\r\n\r\nUpon power on or coming out of flight mode, a UE needs to register with 5G network in order to get services from the network. After it gets connected to the network, UE sends several signaling messages to maintain the connection and to request new services. 
If any of those signaling messages are sent repeatedly to the 5G network, the network spends its resources to process those request messages, which may overwhelm some critical Network Functions (NFs) such as the Access and Mobility Function (AMF).\r\n\r\nA malicious UE sends repeated Attach requests which cause the AMF to start many registrations. Alternatively, when a load balancing Service Communication Proxy (SCP) is not employed, an adversary in the network sends many otherwise-legitimate control messages to an NF so as to overload it. Network service is degraded for all other users in that area (served by the AMF).", "meta": { "access-required": "N/A", "architecture-segment": "Control Plane, Network Slice", "bluf": "An adversary-controlled UE may send high volumes of signaling messages to core network functions in order to cause a denial of service.", "criticalassets": [ { "Description": "AMF functionality serving the UEs should always be available.", "Name": "Network services (AMF)" } ], "detections": [ { "detects": "An application layer DoS attack detection mechanism can be used to detect repeated attempts of the UE attach-detach cycle within a short period.", "fgdsid": "DS0018", "name": "Firewall" } ], "external_id": "FGT1498.501", "kill_chain": [ "fight:Impact" ], "mitigations": [ { "fgmid": "FGM5498", "mitigates": "Employ a firewall or other rate control box on the N2 interface [from RAN to AMF]\n\n(May not be available in the market). Employ a NAS-MM (Non-access stratum Mobility Mgmt) application layer proxy at the edge of the network, having the capability to limit the UE request rate.\nIn addition, the SCP can act as a load balancer between the service consumer (AMF) and service producer (UDM). (Annex E of [2])", "name": "Limit incoming signaling and user plane traffic" } ], "object-type": "technique", "platforms": "5G network", "postconditions": [ { "Description": "If AMF services are down, all services for the existing UEs which use the NAS layer will not be available. 
For example: mobility, session management (QoS etc.), PDU session set up / tear down, SMS over NAS, location management. New UE connection attempts will also fail when AMF services are down. Clause 8.2.2.1 of [2].", "Name": "AMF service will not be available to legitimate users during attack." } ], "procedureexamples": [ { "Description": "Because network slices and network functions can be shared, malicious UE can create control plane storms.\n\nAMF Message Flooding for a shared slice with shared NFs:\n(1) An initial AMF validates if the user (UE) is allowed to access the subscribed S-NSSAI: AMF contacts the UDM to request the UE’s Slice Selection Subscription data. The initial UDM may contact the UDR for the UE's Slice Selection Subscription data, then provides the data to the AMF.\n(2) During the t0 to t-delta time interval that it takes to perform (1), the UE drops the initial AMF then re-attaches to the AMF, restarting the validation.\n(3) The UE recursively performs (2), which recursively performs (1), creating a \"UE-AMF-UDM-UDR-AMF\" message storm sandwiched in between an \"Attach-Detach\" storm.\n(4) Since this is a shared slice with shared NFs, the control plane storm (Attach-UE-AMF-UDM-UDR-AMF-Detach-Attach-recursively repeat) creates a DoS condition.", "Name": "Control plane signaling storm from (at least) one malicious UE" } ], "refs": [ "[1] European Union Agency for Cybersecurity (ENISA : “ENISA Threat Landscape for 5G Networks” Report, December 2020. 
- https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks", "[2] 3GPP TS 23.501: System architecture for the 5G System (5GS - https://www.3gpp.org/DynaReport/23501.htm", "https://fight.mitre.org/data%20sources/DS0018", "https://fight.mitre.org/mitigations/FGM5498", "https://fight.mitre.org/techniques/FGT1498.501" ], "status": "Observed in earlier 3GPP generations and expected in 5G.", "subtechnique-of": "FGT1498", "typecode": "fight_subtechnique_to_attack_technique" }, "related": [ { "dest-uuid": "d5c6ff64-176e-5935-9d33-7d7b78fd2b14", "type": "mitigated-by" }, { "dest-uuid": "1ede7e7c-4b97-5bad-b45f-559cdc364c62", "type": "detected-by" }, { "dest-uuid": "8583ca5f-ce71-5341-abda-f2b110994b7a", "type": "subtechnique-of" } ], "uuid": "db54d004-c3b2-50ed-a591-314aa64c3cfe", "value": "Flooding of core network component" }, { "description": "An adversary exploits interconnection/interworking between MNOs to obtain information about roaming user sessions or commit fraud. \r\n\r\nThe adversary with a position on a trusted partner’s environment, see [FGT1199.501](/techniques/FGT1199.501), is in a position to send legitimate-looking messages to PLMN interfaces and network functions and to modify, in some circumstances, legitimate messages. Through these messages, the adversary may obtain sensitive information about the PLMN’s subscribers. 
With the ability to send messages seen by the PLMN as legitimate, the trusted partner may also commit fraud.", "meta": { "architecture-segment": "Roaming", "bluf": "An adversary exploits interconnection/interworking between MNOs to obtain information about roaming user sessions or commit fraud.", "criticalassets": [ { "Description": "Adversaries may need to compromise a vSEPP to perform certain activities to ensure they look legitimate.", "Name": "SEPP" }, { "Description": "Adversaries may need to compromise a vPLMN NF to perform certain activities to ensure they look legitimate", "Name": "NFs in the vPLMN" }, { "Description": "Adversary will need to compromise keys used to sign IE modifications at IPX", "Name": "IPX signing keys" } ], "detections": [ { "detects": "Monitor for use of IE modification by IPX and respond when unexpected IE modifications are seen.", "fgdsid": "DS0015", "name": "Application Log" } ], "external_id": "FGT5016", "kill_chain": [ "fight:Collection", "fight:Fraud" ], "mitigations": [ { "fgmid": "M1041", "mitigates": "Block or limit cipher choices used for JWS. Use of weak JWS ciphers could allow unauthorized disclosure", "name": "Encrypt Sensitive Information" }, { "fgmid": "M1054", "mitigates": "Block unauthorized IE modifications by IPX. Allow only communication where authorized IpxId is not NULL", "name": "Software Configuration" }, { "fgmid": "M1056", "mitigates": "Avoid using PRINS and use direct SEPP-SEPP with HTTP/s. Use of the SEPP to SEPP solution instead of allowing an IPX to potentially observe and manipulate information avoids the problem. 
A future SEPP hub solution may also mitigate this risk by providing a more scalable SEPP to SEPP solution.", "name": "Pre-compromise" } ], "object-type": "technique", "platforms": "IPX, SEPP, VAS", "preconditions": [ { "Description": "Adversary will need to compromise keys used to sign IE modifications at IPX", "Name": "IPX key compromise" }, { "Description": "Compromise of the initiating SEPP, typically the VPLMN SEPP, would permit an adversary to establish a protection policy that would allow IPX modification.", "Name": "Compromise of initiating SEPP" } ], "procedureexamples": [ { "Description": "In one approach, the adversary, in a position on an IPX, could modify the messages between the vPLMN (visited PLMN) and hPLMN (home PLMN) if PRINS is used, resulting in possible information modification and/or disclosure. Modification of an Information element (IE) could enable possible denial of service and/or information disclosure and this is addressed in [FGT5029](/techniques/FGT5029).", "Name": "Manipulate data between two PLMNs" }, { "Description": "If the adversary controls a vPLMN SEPP they may modify signaling on N32 and/or generate requests to hPLMN NFs. The adversary-controlled vSEPP could terminate TLS connections to hPLMN NFs and proxy requests as an adversary-in-the-middle, see [FGT1557.502](/techniques/FGT1557.502). Legitimate-looking requests that could result in information disclosure or fraud may involve Value Added Service (VAS), e.g., VAS providing SEPP to the VPLMN.", "Name": "Compromise SEPP and modify signaling it sends" } ], "refs": [ "[1] S.P. Rao, S. Holtmanns, T. Aura: “Threat modeling framework for mobile communication systems”, May 2020 - https://arxiv.org/abs/2005.05110v1", "[2] “Security Assurance Specification (SCAS) threats and critical assets in 3GPP network product classes,” 3rd Generation Partnership Project (3GPP), TR 33.926 ver.17.3.0, Dec. 2021, sec. G.2.4.1-G.2.4.2 - https://www.3gpp.org/DynaReport/33926.htm", "[3] G. 
Green, “5G Security when Roaming – Part 2,” Mpirical, Lancaster, UK, May 21, 2021 - https://www.mpirical.com/blog/5g-security-when-roaming-part-2", "[4] “Security architecture and procedures for 5G System,” 3GPP, TS 33.501 ver. 16.3.0, July 2020, Sec. 13.1.2,13.2 - https://www.3gpp.org/DynaReport/33501.htm", "[5] “5G System; Public Land Mobile Network (PLMN) Interconnection; Stage 3,” 3GPP, TS 29.573 ver.16.9.0, March 2022 - https://www.3gpp.org/DynaReport/29573.htm", "[6] P.Tommassen, “5G Security When Roaming,” iBasis, October 6, 2020 - https://ibasis.com/5g-security-when-roaming/", "https://fight.mitre.org/data%20sources/DS0015", "https://fight.mitre.org/mitigations/M1041", "https://fight.mitre.org/mitigations/M1054", "https://fight.mitre.org/mitigations/M1056", "https://fight.mitre.org/techniques/FGT5016" ], "status": "This is a theoretical behavior in context of 5G systems.", "typecode": "fight_technique" }, "related": [ { "dest-uuid": "71801a06-41bd-5336-a539-e8bea9d647f7", "type": "mitigated-by" }, { "dest-uuid": "dd78a499-3b11-5095-9db9-58cef55bef9e", "type": "mitigated-by" }, { "dest-uuid": "7d8b78b4-09f2-516d-b81e-1b3dc8336d08", "type": "mitigated-by" }, { "dest-uuid": "3c23d0f7-d55c-5891-90b9-c744e976f0ef", "type": "detected-by" } ], "uuid": "08f36eb6-949f-5c5b-a21c-89632af4992e", "value": "Abuse of Inter-operator Interfaces" }, { "description": "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system.\r\n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1018)", "meta": { "addendums": [ "#### Addendum Name: Core-network scanning\r\n##### Architecture Segments: OA&M\r\n An adversary may discover operator network related information (identifiers). \r\n\r\nAdversaries may attempt to get a listing of earlier generation systems (e.g. 
3G) that do not use IP address, hostname, but instead, other identifiers, such as point codes (like IP addresses for SS7 protocols, point to point) and Global Titles. Examples are GTScan, SigPloit, SCTPScan and GTPScan. \r\n\r\nNote: This is scanning for 3G, 4G and 5G core components address info. This is scanning for open ports to determine protocol use without compromising the host/NF.\r\n\r\n" ], "architecture-segment": "OA&M", "bluf": "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system.", "criticalassets": [ { "Description": "Data (IP address or FQDN, ports) relating to network nodes.", "Name": "MNO core network component data." } ], "detections": [ { "detects": "SIEM tools using network firewalls. Detect port scanners.", "fgdsid": "DS0029", "name": "Network Traffic" } ], "external_id": "FGT1018", "kill_chain": [ "fight:Discovery" ], "mitigations": [ { "fgmid": "M1030", "mitigates": "Ensure proper network segmentation is followed to protect critical servers and devices.", "name": "Network Segmentation" }, { "fgmid": "M1031", "mitigates": "Use network intrusion detection/prevention systems to detect and prevent remote service scans.", "name": "Network Intrusion Prevention" }, { "fgmid": "M1042", "mitigates": "Ensure that unnecessary ports and services are closed to prevent risk of discovery and potential exploitation.", "name": "Disable or Remove Feature or Program" } ], "object-type": "technique", "platforms": "5G Network", "postconditions": [ { "Description": "Adversary now knows identifiers of some network nodes, and so these nodes can now be spoofed or targeted for Denial of Service.", "Name": "Identifier of some network nodes is known" } ], "preconditions": [ { "Description": "Adversaries need access to such tools.", "Name": "Access to scanning tool" } ], "procedureexamples": [ { "Description": "Adversaries may employ pen 
testing tools such as GTScan, SigPloit, SCTPScan and GTPScan.", "Name": "Use of pen testing tools." } ], "refs": [ "[1] S.P. Rao, S. Holtmanns, T. Aura: “Threat modeling framework for mobile communication systems”, May 2020 - https://arxiv.org/abs/2005.05110v1", "https://attack.mitre.org/techniques/T1018", "https://fight.mitre.org/data%20sources/DS0029", "https://fight.mitre.org/mitigations/M1030", "https://fight.mitre.org/mitigations/M1031", "https://fight.mitre.org/mitigations/M1042", "https://fight.mitre.org/techniques/FGT1018" ], "status": "This is an observed behavior in Enterprise networks, and is theoretical in context of 5G systems.", "typecode": "attack_technique_addendum" }, "related": [ { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "related-to" }, { "dest-uuid": "9c376223-8d89-5179-8a56-51de20697bd2", "type": "mitigated-by" }, { "dest-uuid": "519ee587-bcda-5021-997d-9fc257c4720a", "type": "mitigated-by" }, { "dest-uuid": "3dddab8a-adb1-5340-a0a0-6101660290de", "type": "mitigated-by" }, { "dest-uuid": "becdcf31-3d2a-53bb-8251-51e9da4a0df6", "type": "detected-by" } ], "uuid": "37523488-caf0-501a-8932-3a5e0792babf", "value": "Remote System Discovery" }, { "description": "Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.\r\n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1046)", "meta": { "addendums": [ "#### Addendum Name: Core-network scanning\r\n##### Architecture Segments: OA&M\r\n An adversary may discover operator network related information (identifiers). \r\n\r\nAdversaries may attempt to get a listing of earlier generation systems (e.g. 3G) that do not use IP address, hostname, but instead, other identifiers, such as point codes (like IP addresses for SS7 protocols, point to point) and Global Titles. 
Examples are GTScan, SigPloit, SCTPScan and GTPScan. \r\n\r\nNote: This is scanning for 3G, 4G and 5G core components address info. This is scanning for open ports to determine protocol use without compromising the host/NF.\r\n\r\n" ], "architecture-segment": "OA&M", "bluf": "Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.", "criticalassets": [ { "Description": "Data (IP address or FQDN, ports) relating to network nodes.", "Name": "MNO core network component data." } ], "detections": [ { "detects": "SIEM tools using network firewalls. Detect port scanners.", "fgdsid": "DS0029", "name": "Network Traffic" } ], "external_id": "FGT1046", "kill_chain": [ "fight:Discovery" ], "mitigations": [ { "fgmid": "M1030", "mitigates": "Ensure proper network segmentation is followed to protect critical servers and devices.", "name": "Network Segmentation" }, { "fgmid": "M1031", "mitigates": "Use network intrusion detection/prevention systems to detect and prevent remote service scans.", "name": "Network Intrusion Prevention" }, { "fgmid": "M1042", "mitigates": "Ensure that unnecessary ports and services are closed to prevent risk of discovery and potential exploitation.", "name": "Disable or Remove Feature or Program" } ], "object-type": "technique", "platforms": "5G Network", "postconditions": [ { "Description": "Adversary now knows identifiers of some network nodes, and so these nodes can now be spoofed or targeted for Denial of Service.", "Name": "Identifier of some network nodes revealed" } ], "preconditions": [ { "Description": "Adversaries need access to such tools.", "Name": "Access to scanning tool" } ], "procedureexamples": [ { "Description": "Adversaries may employ pen testing tools such as GTScan, SigPloit, SCTPScan and GTPScan.", "Name": "Use of pen testing tools." } ], "refs": [ "[1] S.P. Rao, S. Holtmanns, T. 
Aura: “Threat modeling framework for mobile communication systems”, May 2020 - https://arxiv.org/abs/2005.05110v1", "https://attack.mitre.org/techniques/T1046", "https://fight.mitre.org/data%20sources/DS0029", "https://fight.mitre.org/mitigations/M1030", "https://fight.mitre.org/mitigations/M1031", "https://fight.mitre.org/mitigations/M1042", "https://fight.mitre.org/techniques/FGT1046" ], "status": "This is an observed behavior in Enterprise networks, and is theoretical in context of 5G systems.", "typecode": "attack_technique_addendum" }, "related": [ { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "type": "related-to" }, { "dest-uuid": "9c376223-8d89-5179-8a56-51de20697bd2", "type": "mitigated-by" }, { "dest-uuid": "519ee587-bcda-5021-997d-9fc257c4720a", "type": "mitigated-by" }, { "dest-uuid": "3dddab8a-adb1-5340-a0a0-6101660290de", "type": "mitigated-by" }, { "dest-uuid": "becdcf31-3d2a-53bb-8251-51e9da4a0df6", "type": "detected-by" } ], "uuid": "324d139b-10ba-5228-9da1-61464a09a63a", "value": "Network Service Discovery" }, { "description": "Adversaries may bridge network boundaries by compromising perimeter network devices or internal devices responsible for network segmentation.\r\n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1599)", "meta": { "access-required": "User/NPE/Administrative access", "addendums": [ "#### Addendum Name: Compromise Network Isolation\r\n##### Architecture Segments: OA&M, Virtualization, Network Slice\r\n An adversary may compromise network separation controls to gain access to one or more of the 5G security zones or networks. \r\n\r\n5G is a system of systems and may be composed of several network and security zones, as well as slices. A compromise of controls placed to maintain security zones or network segmentation based on IP networks, application groups or slices may allow an adversary to gain unauthorized access to networks or services. 
This may occur at a Core, RAN, Cloud or Slice boundary.\r\n\r\nOnce the adversary has infiltrated the internals of the network, it has ample opportunities and a much broader attack surface to explore. The adversary can, e.g., conduct privilege escalation and process injection for gaining administrative rights, attempt password cracking of valid user accounts on the nodes, exploit vulnerabilities in databases and file systems, and take advantage of improper configurations of routers and switches.\r\n\r\nThe boundaries of a network and its security zones can exist between various technologies, such as 4G and 5G, or between different partners, such as private networks, mobile operators, or Mobile Virtual Network Operators (MVNOs). These boundaries can also exist between different network components, such as radio access, core, edge, and cloud, as well as between national or international links and operator cores, and service providers or operator cores.\r\nIn some cases, firewalls may be used to separate these zones, such as SS7 protocol, Diameter protocol, 5G APIs, enhanced SCP (Service Communication Proxy), IP (Internet Protocol), SIP (Session Initiation Protocol), and GTP (GPRS Tunneling Protocols) firewalls. Alternatively, an interworking function may be used to translate one protocol into another. However, it's important to note that privileged access is not always necessary to bypass a firewall or exploit an interworking function. 
Often, insufficient filtering may be the cause, or the filtering may not be sufficiently deep.\r\n\r\n\r\n" ], "architecture-segment": "OA&M, Virtualization, Network Slice", "bluf": "Adversaries may bridge network boundaries by compromising perimeter network devices or internal devices responsible for network segmentation.", "criticalassets": [ { "Description": "Devices enforcing network segmentation and creating perimeter for applications may include firewalls, SDN controllers, or Proxies.", "Name": "Devices enforcing segmentation controls" } ], "detections": [ { "detects": "Network Traffic should be monitored for traffic flows and messaging contents to determine abnormal activity.", "fgdsid": "DS0029", "name": "Network Traffic" } ], "external_id": "FGT1599", "kill_chain": [ "fight:Defense-Evasion" ], "mitigations": [ { "fgmid": "M1026", "mitigates": "Manage accounts for privileged users for the security zones in the 5G network.", "name": "Privileged Account Management" }, { "fgmid": "M1027", "mitigates": "Password Policies – follow NIST Guidelines. 
This may also include token policies if security tokens are used.", "name": "Password Policies" }, { "fgmid": "M1032", "mitigates": "Enable Multi-factor Authentication for privileged users", "name": "Multi-factor Authentication" }, { "fgmid": "M1037", "mitigates": "Filter Network Traffic, per protocol", "name": "Filter Network Traffic" }, { "fgmid": "M1043", "mitigates": "Protect credentials of management entities", "name": "Credential Access Protection" } ], "object-type": "technique", "platforms": "OA&M", "postconditions": [ { "Description": "If network boundaries are breached, monitoring system may detect unusual network flow", "Name": "Unusual network traffic flows" }, { "Description": "Adversary may attempt to discover networks and live hosts on the networks", "Name": "Network mapping activity" }, { "Description": "Adversary may attempt to connect to hosts in the target network after profiling hosts and network mapping.", "Name": "Connection attempts from unusual hosts" } ], "preconditions": [ { "Description": "Privileged access to device implementing the network separation controls", "Name": "Privileged access" } ], "procedureexamples": [ { "Description": "An adversary may impersonate a trusted source (roaming partner or VAS) to avoid filtering by firewall, and to transport data in and out of the targeted operator’s network. ([1])", "Name": "Impersonate roaming partner/VAS (Value Added Service) provider" }, { "Description": "An adversary may abuse the remote service offered for network MANO tools, to make configuration changes to SDN flow tables and cause packet filtering to not detect flow across boundaries. ([2])", "Name": "MANO abuse to change SDN (Software Defined Networking) configuration" } ], "refs": [ "[1] S.P. Rao, S. Holtmanns, T. Aura: “Threat modeling framework for mobile communication systems”, May 2020 - https://arxiv.org/abs/2005.05110v1", "[2] R. Pell, S. Moschoyiannis, E. Panaousis, R. 
Heartfield, “Towards dynamic threat modelling in 5G core networks based on MITRE ATT&CK”, October 2021 - https://arxiv.org/abs/2108.11206", "https://attack.mitre.org/techniques/T1599", "https://fight.mitre.org/data%20sources/DS0029", "https://fight.mitre.org/mitigations/M1026", "https://fight.mitre.org/mitigations/M1027", "https://fight.mitre.org/mitigations/M1032", "https://fight.mitre.org/mitigations/M1037", "https://fight.mitre.org/mitigations/M1043", "https://fight.mitre.org/techniques/FGT1599" ], "status": "This is an observed behavior in Enterprise networks, and is theoretical in context of 5G systems.", "typecode": "attack_technique_addendum" }, "related": [ { "dest-uuid": "b8017880-4b1e-42de-ad10-ae7ac6705166", "type": "related-to" }, { "dest-uuid": "177506f3-cd8d-5035-b807-6528e3a75c5f", "type": "mitigated-by" }, { "dest-uuid": "69dd1793-f0d3-51dc-974d-a43031c0b343", "type": "mitigated-by" }, { "dest-uuid": "83f7cc44-00e0-5ca0-99a0-51de9c080ce0", "type": "mitigated-by" }, { "dest-uuid": "ed391833-59f3-5049-9017-66427a8d8a17", "type": "mitigated-by" }, { "dest-uuid": "4d882eab-1588-508e-b3fc-f7221cad2db8", "type": "mitigated-by" }, { "dest-uuid": "becdcf31-3d2a-53bb-8251-51e9da4a0df6", "type": "detected-by" } ], "uuid": "45468bb6-5eb7-5f36-922a-5ee8f3da68d0", "value": "Network Boundary Bridging" }, { "description": "An adversary aims to destroy, expose, alter, disable, steal, or gain unauthorized access to physical assets such as infrastructure, hardware, or interconnection, affecting Quality of Service (QoS) or service availability. \r\n\r\nActions taken by actors aimed at destroying, disabling, or stealing physical assets supporting the 5G Network. A physical attack to 5G critical assets may disrupt, interfere, and ultimately cause unavailability of the network service. 
Despite the existence of physical protection mechanisms (e.g., physical surveillance and surveillance cameras, security locks, security guards), physical breaches and insider threat attacks may still occur.", "meta": { "access-required": "Physical", "architecture-segment": "Physical & Environmental", "bluf": "An adversary aims to destroy, expose, alter, disable, steal, or gain unauthorized access to physical assets such as infrastructure, hardware, or interconnection, affecting QoS or service availability. ", "criticalassets": [ { "Description": "Radio access units, information and communications technology equipment, optical interconnection facilities, cloud data center, edge computing facilities", "Name": "Physical infrastructure" } ], "detections": [ { "detects": "Asset tracking tools. Security Management and Detection", "fgdsid": "DS0040", "name": "Operational Databases" } ], "external_id": "FGT5018", "kill_chain": [ "fight:Impact" ], "mitigations": [ { "fgmid": "FGM5005", "mitigates": "Communications Centers.\nCommunication centers should provide a full set of physical and environmental controls aimed to assure access control, monitoring, continuity of operations and protection against environmental disasters.", "name": "Physical and environmental protection" } ], "object-type": "technique", "platforms": "Physical", "postconditions": [ { "Description": "Destruction or damage of these assets may cause an unavailability of resources.", "Name": "Service unavailability" }, { "Description": "Destruction or damage of these assets may cause information destruction.", "Name": "Information destruction" } ], "preconditions": [ { "Description": "Improper physical security of Data Centers / Telecommunication equipment room. 
\n\nImproper isolation of physical security perimeter between tenants.\n\nImproper environmental protection controls.\n\nInadequate / defective security devices.", "Name": "Improper physical security of 5G core component infrastructure" }, { "Description": "Improper physical security of telecommunications equipment rooms and equipment sited in partners’ or users’ premises.\n\nImproper physical security of physically isolated operation areas.\n\nInadequate / defective security devices.", "Name": "gNB component infrastructure" }, { "Description": "Improper physical security of telecommunications equipment rooms.\n\nImproper physical security of physically isolated operations areas.\n\nInadequate / defective security devices.", "Name": "NFVI" }, { "Description": "Unprotected data center interconnection channels.\n\nImproper physical security perimeter or isolation between tenants.", "Name": "SDN" }, { "Description": "Improper physical and environmental security of edge computing facilities\n\nImproper security monitoring of edge computing facilities\n\nInsecure service environment.", "Name": "MEC host" } ], "procedureexamples": [ { "Description": "Unauthorized access, destruction of assets and impairment of operations", "Name": "Communication center" }, { "Description": "Unauthorized access, destruction of assets and impairment of operations", "Name": "Telecommunications equipment room" }, { "Description": "Unauthorized access, destruction of assets and impairment of operations", "Name": "Physically isolated operation areas" }, { "Description": "Unauthorized access, destruction of assets and impairment of operations", "Name": "Equipment sited in other carrier's or partner's premises" } ], "refs": [ "[1] European Union Agency for Cybersecurity (ENISA): “ENISA Threat Landscape for 5G Networks” Report, December 2020. 
- https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks", "[2] European Union Agency for Cybersecurity (ENISA): “ENISA Threat Landscape for 5G Networks” Report, November 2019. - https://www.enisa.europa.eu/publications/enisa-threat-landscape-for-5g-networks", "https://fight.mitre.org/data%20sources/DS0040", "https://fight.mitre.org/mitigations/FGM5005", "https://fight.mitre.org/techniques/FGT5018" ], "status": "Observed in earlier 3GPP generations and expected in 5G.", "typecode": "fight_technique" }, "related": [ { "dest-uuid": "a22ac7a1-fb1e-57f9-988c-8205b22cc619", "type": "mitigated-by" }, { "dest-uuid": "22bdace6-45b5-553b-9391-00a9b800d218", "type": "detected-by" } ], "uuid": "e68305ff-66cd-561c-ad2a-ec52af816e49", "value": "Vandalism of Network Infrastructure" }, { "description": "An adversary targets unprotected cables and junction boxes in order to disrupt service.\r\n \r\nFibers routed between pieces of equipment without proper physical protection are susceptible to damage, which can critically affect network reliability.", "meta": { "access-required": "None", "architecture-segment": "Physical & Environmental", "bluf": "An adversary targets unprotected cables and junction boxes in order to disrupt service.", "criticalassets": [ { "Description": "Data cables used in the operator network infrastructure", "Name": "Data cables" }, { "Description": "Power cables used in the operator network infrastructure", "Name": "Power cables" } ], "detections": [ { "detects": "Security Incident and event monitoring\nEvent logs recording user activities, exceptions, faults and information security events should be produced, kept and regularly reviewed. 
Additional considerations: development of use-case specific alert rules, integration and correlation of data at all levels (network, application), integration and correlation with service provider-level monitoring mechanisms.", "fgdsid": "FGDS5012", "name": "SIEM" } ], "external_id": "FGT5018.001", "kill_chain": [ "fight:Impact" ], "mitigations": [ { "fgmid": "FGM5005", "mitigates": "Secure junction boxes.\nOptical fiber junction boxes / splice closures should only be accessible to maintenance personnel and maintenance vehicles. A closure should be located away from high traffic or conditions that could cause damage to the closure or injury to personnel. [2] 11.2.3 advocates for cabling security.", "name": "Physical and environmental protection" }, { "fgmid": "FGM5540", "mitigates": "Power supply facilities in the isolated area such as mobile base stations should preferably provide an uninterruptible power supply with capacity for all loading and capable of withstanding primary power supply failures for the duration of likely outages. If that is impossible, a mechanism to provide uninterruptible power to critical equipment should be installed. Batteries may need to be augmented with a private electric generator, especially in isolated areas.", "name": "Power supplies" } ], "object-type": "technique", "platforms": "Data transmission infrastructure and power supply", "postconditions": [ { "Description": "Destruction or damage of these assets may cause an unavailability of resources.", "Name": "Service unavailability" }, { "Description": "Destruction or damage of these assets may cause information destruction", "Name": "Information destruction" } ], "preconditions": [ { "Description": "Fibers routed between pieces of equipment without proper protection are susceptible to damage, which can critically affect network reliability. 
The fiber cable management system should therefore ensure that every fiber is protected from physical damage.", "Name": "Unprotected cables" }, { "Description": "Lack of protection of junction boxes / splice closures. Improper cable routing also causes increased congestion in the termination panel and the cableways, increasing the possibility of bend radius violations and long-term failure.", "Name": " Unprotected junction boxes" } ], "procedureexamples": [ { "Description": "An adversary may damage cabling and junction boxes", "Name": "Disrupt service via physical damage" } ], "refs": [ "[1] European Union Agency for Cybersecurity (ENISA): “ENISA Threat Landscape for 5G Networks” Report, page 210, December 2020. - https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks", "[2] ISO/IEC 27011:(2016), “Information technology — Security techniques — Code of practice for Information security controls based on ISO/IEC 27002 for telecommunications organizations” - https://www.iso.org/obp/ui/#iso:std:iso-iec:27011:ed-2:v1:en", "https://fight.mitre.org/data%20sources/FGDS5012", "https://fight.mitre.org/mitigations/FGM5005", "https://fight.mitre.org/mitigations/FGM5540", "https://fight.mitre.org/techniques/FGT5018.001" ], "status": "Observed in earlier 3GPP generations and expected in 5G.", "subtechnique-of": "FGT5018", "typecode": "fight_subtechnique" }, "related": [ { "dest-uuid": "a22ac7a1-fb1e-57f9-988c-8205b22cc619", "type": "mitigated-by" }, { "dest-uuid": "9b7c8176-c017-5f3c-96f3-bb3072df525e", "type": "mitigated-by" }, { "dest-uuid": "7a823dc9-a6c0-5d4f-95ca-b13ba57696df", "type": "detected-by" }, { "dest-uuid": "e68305ff-66cd-561c-ad2a-ec52af816e49", "type": "subtechnique-of" } ], "uuid": "9b4ab0a5-6569-5ce5-ac35-4f632ad26368", "value": "Cabling and junction boxes" }, { "description": "An adversary uses unrestricted access to exploit, damage, or destroy Radio Access hardware that lacks adequate security.\r\n\r\nThe use of small-cell 
antennas requires hardware to be placed in highly accessible locations, such as commercial and residential buildings, ground-level structures, and existing street furniture (bus stops, info kiosks, and billboards). These solutions count on sharing site spaces in existing infrastructure to reduce costs due to the increased amount of hardware required to maintain Quality of Service (QoS).", "meta": { "access-required": "Physical", "architecture-segment": "Physical & Environmental", "bluf": "An adversary uses unrestricted access to exploit, damage, or destroy Radio Access hardware that lacks adequate security", "criticalassets": [ { "Description": " RAN-CU & DU, C-RAN MEC and mmWave equipment", "Name": "Radio access hardware (gNB)" } ], "detections": [ { "detects": "Event logs recording user activities, exceptions, faults and information security events should be produced, kept and regularly reviewed. Additional considerations: development of use-case specific alert rules, integration and correlation of data at all levels (network, application), integration and correlation with service provider-level monitoring mechanisms.", "fgdsid": "DS0040", "name": "Operational Databases" } ], "external_id": "FGT5018.002", "kill_chain": [ "fight:Impact" ], "mitigations": [ { "fgmid": "FGM5005", "mitigates": "Sites should be provided with a full set of physical and environmental controls aimed to assure access control, monitoring, continuity of operations and protection against vandalism.", "name": "Physical and environmental protection" } ], "object-type": "technique", "platforms": "Radio access hardware", "postconditions": [ { "Description": "Destruction or damage of these assets may cause unavailability of resources", "Name": "Service unavailability" }, { "Description": "Destruction or damage of these assets may cause information destruction", "Name": "Information destruction" } ], "preconditions": [ { "Description": "Despite the virtualized structure of the 5G network and all 
involved network functions, there will be a strong dependency on the physical infrastructure, especially in the initial migration/hybrid 5G deployments.", "Name": "Improper physical security of radio access hardware" } ], "procedureexamples": [ { "Description": "Classified as a deliberate physical attack, this threat relates to actions taken by actors aimed at destroying, disabling or stealing physical assets supporting the 5G Network. A physical attack to 5G critical assets may disrupt, interfere and ultimately cause unavailability of the network service. Despite the existence of physical protection mechanisms (e.g., physical surveillance and surveillance cameras, security locks, security guards), physical breaches and insider threat attacks may still occur.", "Name": "Physical sabotage/vandalism of the network infrastructure" } ], "refs": [ "[1] European Union Agency for Cybersecurity (ENISA): “ENISA Threat Landscape for 5G Networks” Report, page 202, December 2020. - https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks", "[2] El-Shorbagy, A.-moniem. “5G Technology and the Future of Architecture”. Procedia Computer Science, (2021), volume 182, p121–131. 
- https://doi.org/10.1016/j.procs.2021.02.017", "https://fight.mitre.org/data%20sources/DS0040", "https://fight.mitre.org/mitigations/FGM5005", "https://fight.mitre.org/techniques/FGT5018.002" ], "status": "This is a theoretical behavior in context of 5G systems.", "subtechnique-of": "FGT5018", "typecode": "fight_subtechnique" }, "related": [ { "dest-uuid": "a22ac7a1-fb1e-57f9-988c-8205b22cc619", "type": "mitigated-by" }, { "dest-uuid": "22bdace6-45b5-553b-9391-00a9b800d218", "type": "detected-by" }, { "dest-uuid": "e68305ff-66cd-561c-ad2a-ec52af816e49", "type": "subtechnique-of" } ], "uuid": "01ff78f1-27a8-553e-bc67-299a1a9203d1", "value": "Radio Access Hardware" }, { "description": "An adversary may seek physical access to isolated/remote edge servers using covert methods of entry with the intent to damage or destroy edge computing facilities, gaining unauthorized access at system level as an entry point to all hosted resources, theft of data on local storage, vandalism, and sabotage.\r\n\r\nEdge computing facilities are, by their nature, seated in geographically distributed locations. Normally, the first choice will be communications shelters already operated by MNO. While communications shelters have physical security controls in place, these are calibrated to risks associated with communication equipment value. 
An additional risk assessment is needed to assess suitability in the context of additional risks incurred by presence of computing facilities and data.", "meta": { "access-required": "None", "architecture-segment": "Physical & Environmental", "bluf": "An adversary may seek physical access to isolated/remote edge servers using covert methods of entry with the intent to damage or destroy edge computing facilities, gaining unauthorized access at system level as an entry point to all hosted resources, theft of data on local storage, vandalism, and sabotage.", "criticalassets": [ { "Description": "Destruction of edge computing facilities, unauthorized access at system level as an entry point to all hosted resources, theft of data on local storage, vandalism and/or sabotage of equipment.", "Name": "Edge facility equipment" } ], "detections": [ { "detects": "Event logs recording user activities, exceptions, faults and information security events should be produced, kept and regularly reviewed. Additional considerations: development of use-case specific alert rules, integration and correlation of data at all levels (network, application), integration and correlation with service provider-level monitoring mechanisms.", "fgdsid": "FGDS5012", "name": "SIEM" } ], "external_id": "FGT5018.003", "kill_chain": [ "fight:Impact" ], "mitigations": [ { "fgmid": "FGM5005", "mitigates": "Edge sites should be provided with a full set of physical and environmental controls aimed to assure access control, monitoring, continuity of operations and protection against environmental disasters. 
Failure to do so may lead to unauthorized access, destruction of assets and impairment of operations.", "name": "Physical and environmental protection" } ], "object-type": "technique", "platforms": "Edge server", "postconditions": [ { "Description": "Destruction of assets, unauthorized access, theft of data on local storage, vandalism, sabotage", "Name": "Service unavailability" }, { "Description": "Destruction or damage of these assets may cause information destruction", "Name": "Information destruction" } ], "preconditions": [ { "Description": "Mobile-edge computing have to be integrated in the network-wide Security Incident and Monitoring System, but with additional considerations: development of use-case specific alert rules, integration and correlation of data at all levels (network, application), integration and correlation with service provider -level monitoring mechanisms. Failure to do so may leave advanced or sustained threats undetected, as well as technical failures or malfunctions of local resources.", "Name": "Improper security monitoring of edge computing facilities" } ], "procedureexamples": [ { "Description": "Adversary may obtain physical access to remote edge servers and cause damage to them.", "Name": "Damage edge servers" } ], "refs": [ "[1] European Union Agency for Cybersecurity (ENISA : “ENISA Threat Landscape for 5G Networks” Report, page 202, December 2020. 
- https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks", "[2] ISO/IEC 27011:(2016 , “Information technology — Security techniques — Code of practice for Information security controls based on ISO/IEC 27002 for telecommunications organizations” - https://www.iso.org/obp/ui/#iso:std:iso-iec:27011:ed-2:v1:en", "https://fight.mitre.org/data%20sources/FGDS5012", "https://fight.mitre.org/mitigations/FGM5005", "https://fight.mitre.org/techniques/FGT5018.003" ], "status": "This is a theoretical behavior in context of 5G systems.", "subtechnique-of": "FGT5018", "typecode": "fight_subtechnique" }, "related": [ { "dest-uuid": "a22ac7a1-fb1e-57f9-988c-8205b22cc619", "type": "mitigated-by" }, { "dest-uuid": "7a823dc9-a6c0-5d4f-95ca-b13ba57696df", "type": "detected-by" }, { "dest-uuid": "e68305ff-66cd-561c-ad2a-ec52af816e49", "type": "subtechnique-of" } ], "uuid": "43f379c1-07a7-5d2d-beac-368ceedf469a", "value": "Edge servers" }, { "description": "An adversary accesses a shared site, or remote location, with intent to steal valuable materials (such as copper, batteries, and fuel) for resale.\r\n\r\nAs towers are often located in remote locations, base stations are prime marks for thieves and vandals in search of an easy target. These sites contain a wealth of valuable copper wire, high-performance batteries, and fuel. Thieves and vandals take advantage of remote locations of cell sites by trespassing freely, without the fear of being identified. 
Copper wires and battery theft exploit the second-hand market fueled by the worldwide demand for these goods.", "meta": { "access-required": "Physical", "architecture-segment": "Physical & Environmental", "bluf": "An adversary accesses a shared site, or remote location, with intent to steal valuable materials (such as copper, batteries, and fuel) for resale.", "criticalassets": [ { "Description": "Physical assets and commodities used by the mobile network operators in their infrastructure.", "Name": "Physical assets and commodities" } ], "detections": [ { "detects": "Event logs recording user activities, exceptions, faults and information security events should be produced, kept and regularly reviewed. Additional considerations: development of use-case specific alert rules, integration and correlation of data at all levels (network, application), integration and correlation with service provider-level monitoring mechanisms.", "fgdsid": "FGDS5012", "name": "SIEM" } ], "external_id": "FGT5018.004", "kill_chain": [ "fight:Impact" ], "mitigations": [ { "fgmid": "FGM5005", "mitigates": "Implement physical and environmental controls\nShared/Remote sites should be provided with a full set of physical and environmental controls aimed to assure access control, monitoring, continuity of operations and protection against environmental disasters. 
Failure to do so may lead to unauthorized access, destruction of assets and impairment of operations.", "name": "Physical and environmental protection" } ], "object-type": "technique", "platforms": "remote/shared location physical assets", "postconditions": [ { "Description": "Theft of these assets may cause an unavailability of resources.", "Name": "Service unavailability" }, { "Description": "Theft of these assets may cause an increase in maintenance costs for the operator.", "Name": "Increased maintenance costs" } ], "preconditions": [ { "Description": "Remote/shared sites have to be integrated in the network-wide Security Incident and Monitoring System, but with additional considerations: development of use-case specific alert rules, integration and correlation of data at all levels (network, application), integration and correlation with service provider -level monitoring mechanisms. Failure to do so may leave advanced or sustained threats undetected, as well as technical failures or malfunctions of local resources.", "Name": "Improper security monitoring of remote/shared facilities" } ], "procedureexamples": [ { "Description": "Copper’s value transforms remote cellular base stations into prime targets for thieves. The costs for telecom and tower operators to replace the cost of the cable and damage to the site can be thousands of dollars per incident. This is not taking into consideration the additional costs of loss of network service. Even the theft of a small amount of copper can cause extensive damage to site equipment, costing cell towers owners thousands of dollars in repairs, replacement, and network downtime. There are several expensive copper items at cell sites that are very attractive to thieves, such as the ground wires, copper grounding busbars, and waveguides", "Name": "Cable/Copper Theft" }, { "Description": "Battery theft can easily become the root cause of cell services outage. 
Similarly to the case of cable theft, telecom towers are increasingly affected by the rise of battery theft and vandalism incidents.
Adversaries with access to core network or a core network function (NF) can misuse signaling protocols (e.g., SS7, GTP and Diameter or the SBI API calls), or exploit vulnerabilities in the signaling plane, in order to obtain location information for a given UE.\r\n\r\nNote: In case of 3G/4G core networks using SS7, this technique is covered by [ATT&CK Mobile T1430.002 Location Tracking: Impersonate SS7 nodes]().", "meta": { "access-required": "admin/user", "architecture-segment": "Control Plane", "bluf": "An adversary in the core network exploits signaling protocols to obtain the location of the UE.", "criticalassets": [ { "Description": "NEF, AMF, SMF, UPF, NWDAF, GMLC, LMF", "Name": "Operator network components" }, { "Description": "UE/Subscriber geographical location", "Name": "UE location" } ], "detections": [], "external_id": "FGT5012.004", "kill_chain": [ "fight:Discovery", "fight:Collection" ], "mitigations": [ { "fgmid": "FGM5023", "mitigates": "Periodic authentication / authorization of NF consumer e.g. AMF by NRF will help detect rogue AMFs. Not currently in 3GPP specs, but it can be enhanced.", "name": "Periodic Authentication & Authorization of NFs" }, { "fgmid": "FGM5019", "mitigates": "NEF authorizes 3rd party AFs for location service using policy. Nnef_Location API called by AF should be authorized properly. 
AF uses GPSI as UE identity.", "name": "Authorize external API calls" }, { "fgmid": "M1037", "mitigates": "Filter out request messages that come from external (to the operator) sources to guard against SS7 attacks.", "name": "Filter Network Traffic" } ], "object-type": "technique", "platforms": "5G", "preconditions": [ { "Description": "Adversary may pretend to be an operator supporting only earlier generations.", "Name": "Access to SS7 network" }, { "Description": "Adversary has to gain control of one core NF.", "Name": "Access to operator’s network function" }, { "Description": "UE identifier required for all Core network function abuse.", "Name": "Knowledge of the UE SUPI or GPSI 5G-GUTI of target UE" } ], "procedureexamples": [ { "Description": "From [3], there were recent successful attacks on SS7 whereby an attacker with access to the SS7 interconnection can find a user’s location, as well as billing data and Short Message Service (SMS) messages. In addition, the attacker can also eavesdrop on user data.", "Name": "Adversary uses SS7 interconnect (IWF) to a 5G network without protection (firewalls, etc). to obtain UE location information" }, { "Description": "The AMF gets UE location legitimately from LMF (Nlmf-loc API). Clause 8.3 of [5]. In addition, an adversary can modify AMF behavior so that it doesn't allocate a new 5G-GUTI to a given UE, so that that UE can be tracked via listening devices in the area, see [FGT5012.003](/techniques/FGT5012.003).", "Name": "Adversary gains control of a core NF to get location info for a given UE: AMF case" }, { "Description": "Incorrect implementation/configuration in NEF can allow a rogue application function (AF) to access UE location information using LMF services. 
Clause 6.1.2 of [5].", "Name": "Adversary gains control of a core NF to get location info for a given UE: AF case" }, { "Description": "The SMF can obtain a UE's location whenever the AMF sends it a PDU update request: Nsmf_PDUSession_UpdateSMContextRequest (which contains UE location info, which can be: E-UTRA or NR cell id, location timestamp, “geographicalInformation” in hex format as in TS 23.032, only ellipsoid point with uncertainty circle.). Clause 5.2.8.2.6 of [4].", "Name": "Adversary gains control of a core NF to get location info for a given UE: SMF case" }, { "Description": "The UDM can legitimately ask the AMF for the location of a UE using Namf_Location service. Clause 5.2.2.1 of [4].", "Name": "Adversary gains control of a core NF to get location info for a given UE: UDM case" }, { "Description": "The UPF has access to serving cell ID for UEs that are actively sending data (RRC connected).", "Name": "Adversary gains control of a core NF to get location info for a given UE: UPF case" }, { "Description": "The NEF can legitimately ask AMF Namf_EventExposure or ask GMLC directly - then GMLC gives the NEF a location report (Note: NEFs serve as location proxies to internal and external AFs in the same way GMLCs serve as proxies to external LCS clients). Clause 5.2.2.1 of [4].", "Name": "Adversary gains control of a core NF to get location info for a given UE: NEF case" }, { "Description": "The NWDAF can get coarse UE location by subscribing to events from AMF. Clause 5.2.2.1 of [4].", "Name": "Adversary gains control of a core NF to get location info for a given UE: NWDAF case" }, { "Description": "The GMLC can legitimately ask the AMF for the location of a given UE using Namf_Location service. Clause 5.2.2.1 of [4].", "Name": "Adversary gains control of a core NF to get location info for a given UE: GMLC case" }, { "Description": "The LMF can initiate location procedure with the UE. 
Clauses 6.11.1, 6.11.2, 6.11.3 of [5].", "Name": "Adversary gains control of a core NF to get location info for a given UE: LMF case" } ], "refs": [ "[1] S.P. Rao, S. Holtmanns, T. Aura: “Threat modeling framework for mobile communication systems”, May 2020 - https://arxiv.org/abs/2005.05110v1", "[2] R. Pell, S. Moschoyiannis, E. Panaousis, R. Heartfield, “Towards dynamic threat modelling in 5G core networks based on MITRE ATT&CK”,  October 2021 - https://arxiv.org/abs/2108.11206", "[3] S. Holtmanns, S. P. Rao, I. Oliver, “User location tracking attacks for LTE networks using the interworking functionality”, 2016 IFIP Networking Conference. - https://ieeexplore.ieee.org/document/7497239", "[4] 3GPP TS 23.502 “Procedures for the 5G System (5GS ” - https://www.3gpp.org/DynaReport/23502.htm", "[5] 3GPP TS 23.273 “5G System (5GS Location Services (LCS ” - https://www.3gpp.org/DynaReport/23273.htm", "https://fight.mitre.org/mitigations/FGM5019", "https://fight.mitre.org/mitigations/FGM5023", "https://fight.mitre.org/mitigations/M1037", "https://fight.mitre.org/techniques/FGT5012.004" ], "status": "Observed in earlier 3GPP generations and expected in 5G.", "subtechnique-of": "FGT5012", "typecode": "fight_subtechnique" }, "related": [ { "dest-uuid": "315f5d98-1aa8-5d25-9d57-4b6a0ea9958a", "type": "mitigated-by" }, { "dest-uuid": "8b7ba061-2465-5f09-a034-431bd7ca577c", "type": "mitigated-by" }, { "dest-uuid": "ed391833-59f3-5049-9017-66427a8d8a17", "type": "mitigated-by" }, { "dest-uuid": "f940f548-256a-5559-83bc-7fea99d051bf", "type": "subtechnique-of" } ], "uuid": "c1cb90f5-0769-5e16-bcad-458b68448290", "value": "Core Network Function Signaling" }, { "description": "An adversary may attempt to position themselves between two mobile network operators as an adversary in the middle (AITM) to support follow-on behaviors such as [Network Sniffing](/techniques/FGT1040) or [Transmitted Data Manipulation](/techniques/FGT1565.002).\r\n\r\nRoaming and interconnect interfaces, 
including IPX, are between network operators, namely: between Security Edge Protection Proxy (SEPP)s, or between interworking functions like Access and Mobility Management Function (AMF) / 4G Mobility Management Function (MME) (N26 interface), or between User Plane Function (UPF)s (N9 interface).\r\n\r\nAn adversary with control of the Visited Public Land Mobile Network (VPLMN) SEPP may obtain roaming subscriber information by providing fraudulent signaling information to the Home PLMN (HPLMN) and collect information about the roaming subscriber. The adversary could be an insider on a VPLMN that is a roaming partner, having connections to the HPLMN via one or more IPX providers or directly between V-SEPP and H-SEPP. The HPLMN trusts the info from the VPLMN, but it is being sent fraudulently by the VPLMN. The V-SEPP may also be located at a Value-Added-Services (VAS) provider [1] where compromise of the VAS is a pre-condition instead of compromise of the VPLMN.\r\n\r\nThe adversary may possibly achieve an AITM position on an IP Exchange (IPX) network used by either the home PLMN or the visited PLMN and through which the roaming traffic may flow. 
The adversary may attempt to control a device in the path or re-direct traffic to a device the adversary controls.", "meta": { "access-required": "admin", "architecture-segment": "Roaming", "bluf": "An adversary may attempt to position themselves between two mobile network operators as an adversary in the middle (AITM) to support follow-on behaviors such as [Network Sniffing](/techniques/FGT1040) or [Transmitted Data Manipulation](/techniques/FGT1565.002).", "criticalassets": [ { "Description": "Adversary would target the SEPP", "Name": "SEPP function" } ], "detections": [ { "detects": "Monitor for access to SEPP application/appliance for unexpected access.", "fgdsid": "DS0015", "name": "Application Log" }, { "detects": "Analyze network traffic to/from SEPP to determine if from unexpected source/dest and consistent with expected traffic from other operators.", "fgdsid": "DS0029", "name": "Network Traffic" } ], "external_id": "FGT1557.502", "kill_chain": [ "fight:Collection", "fight:Credential-Access" ], "mitigations": [ { "fgmid": "M1030", "mitigates": "Limit network exposure of vSEPP from other core services in hPLMN", "name": "Network Segmentation" }, { "fgmid": "M1035", "mitigates": "Minimize access to vSEPP from limited locations such as a privileged access workstation", "name": "Limit Access to Resource Over Network" }, { "fgmid": "M1037", "mitigates": "Ensure only traffic from expected sources can reach the SEPP", "name": "Filter Network Traffic" } ], "object-type": "technique", "platforms": "SEPP, VAS, IPX", "preconditions": [ { "Description": "Adversary would need to be in control of the vSEPP which may be managed by a VAS", "Name": "SEPP control" } ], "refs": [ "[1] P.Tommassen, “5G Security When Roaming,” iBasis, October 6, 2020 - https://ibasis.com/5g-security-when-roaming/", "[2] “5G System; Public Land Mobile Network (PLMN Interconnection; Stage 3,” 3GPP, TS 29.573 ver.16.9.0, March 2022 - https://www.3gpp.org/DynaReport/29573.htm", "[3] “Security 
architecture and procedures for 5G System,” 3GPP, TS 33.501 ver. 16.3.0, July 2020, Sec. 13.1.2,13.2 - https://www.3gpp.org/DynaReport/33501.htm", "https://fight.mitre.org/data%20sources/DS0015", "https://fight.mitre.org/data%20sources/DS0029", "https://fight.mitre.org/mitigations/M1030", "https://fight.mitre.org/mitigations/M1035", "https://fight.mitre.org/mitigations/M1037", "https://fight.mitre.org/techniques/FGT1557.502" ], "status": "This is a theoretical behavior in context of 5G systems.", "subtechnique-of": "FGT1557", "typecode": "fight_subtechnique_to_attack_technique" }, "related": [ { "dest-uuid": "9c376223-8d89-5179-8a56-51de20697bd2", "type": "mitigated-by" }, { "dest-uuid": "79119bb4-e146-5c99-ab3f-7ed4ed1e975a", "type": "mitigated-by" }, { "dest-uuid": "ed391833-59f3-5049-9017-66427a8d8a17", "type": "mitigated-by" }, { "dest-uuid": "3c23d0f7-d55c-5891-90b9-c744e976f0ef", "type": "detected-by" }, { "dest-uuid": "becdcf31-3d2a-53bb-8251-51e9da4a0df6", "type": "detected-by" }, { "dest-uuid": "5ecccab0-9d6d-504c-92c4-408091a3c114", "type": "subtechnique-of" } ], "uuid": "c7db9e6c-f847-5493-9906-ea167f5817f6", "value": "Roaming and Interconnection" }, { "description": "An adversary may obtain a UE permanent identifier via various means.\r\n\r\nAn adversary may obtain UE identifying information from 5G UEs after the UE has been bid down (downgraded) to a lower security protocol e.g. 4G, since in 4G and 3G it is possible for the network to ask the UE to send its IMSI (International Subscriber Identifier) in the clear over the radio interface. The UE identity can also be obtained by the adversary if NULL scheme is used for Subscriber Permanent Identifier (SUPI) concealment.\r\n\r\nThe 5G UE sends an encrypted identifier (called Subscriber Concealed Identifier (SUCI)) over the radio interface as part of the initial registration to the 5G network. 
Some non-UE specific information is part of the Subscriber Permanent Identifier or SUPI and is not encrypted (e.g., home network name).", "meta": { "architecture-segment": "RAN, Control Plane", "bluf": "An adversary may discover the permanent subscriber identifier via various means", "criticalassets": [ { "Description": "UE/User IMSI, SUPI", "Name": "UE Permanent identifier" } ], "detections": [], "external_id": "FGT5019", "kill_chain": [ "fight:Discovery", "fight:Collection" ], "mitigations": [], "object-type": "technique", "platforms": "5G", "procedureexamples": [ { "Description": "Adversary may use the radio access network to determine the IMSI of a particular UE is in the area.", "Name": "Use radio access to obtain UE permanent identifier" }, { "Description": "Adversary may use the core network signaling find the IMSI of a particular UE, given e.g., MSISDN", "Name": "Use core network signaling to obtain UE permanent identifier" } ], "refs": [ "[1] European Union Agency for Cybersecurity (ENISA : “ENISA Threat Landscape for 5G Networks” Report, December 2020. - https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks", "[2] S.P. Rao, S. Holtmanns, T. Aura: “Threat modeling framework for mobile communication systems”, May 2020 - https://arxiv.org/abs/2005.05110v1", "https://fight.mitre.org/techniques/FGT5019" ], "status": "Observed in earlier 3GPP generations and expected in 5G.", "typecode": "fight_technique" }, "uuid": "0eaef533-4472-5d77-a665-3a40de657c70", "value": "Subscriber Profile Identifier Discovery" }, { "description": "An adversary may intercept unencrypted radio transmissions of a UE’s SUCI to identify the home network of the UE. \r\n\r\nAdversary can tell what the home network of UE is from the unencrypted portion of the Subscriber Concealed Identity (SUCI), which is normally sent over the radio interface by a UE seeking to connect. This can be of value to an adversary when the home location is unusual. 
\r\n\r\nBackground information: In 5G, the UE’s permanent identity, SUPI (Subscriber Permanent Identifier), includes a home network identifier and a user-specific identifier, and is never sent unencrypted over the radio interface. Instead, a SUCI is sent when the UE goes through initial registration to the serving network procedures; this de-concealment operation can only be done by the UE’s home network. However, the Home Network identifier part of the SUCI is sent unencrypted, so that the serving network (while UE is roaming in another country or region) knows how to route the registration message to UE’s home network for authentication. The home network may constitute sensitive information in some special cases.", "meta": { "architecture-segment": "RAN", "bluf": "An adversary may intercept unencrypted radio transmissions of a UE's SUCI to identify the home network of the UE. ", "criticalassets": [ { "Description": "Home network identifier is sent unconcealed by UE over the air per standard. 
UE privacy such as its home network location is revealed to the adversary when UE is roaming in another country or region.", "Name": "UE privacy" } ], "detections": [], "external_id": "FGT5019.001", "kill_chain": [ "fight:Discovery", "fight:Collection" ], "mitigations": [ { "fgmid": "FGM5022", "mitigates": "When the subscriber affiliation is reflected in the home network identifier (part of subscriber identifier) and would benefit from not being sent in the clear, the subscriber's provider (home network) should be a proxy mobile network operator - whose identifier does not reveal the true affiliation of the subscriber.", "name": "Proxy home network" } ], "object-type": "technique", "platforms": "5G", "postconditions": [ { "Description": "When home network is unusual (e.g., US home network in Afghanistan), allows attacker to identify UE as target of interest for geolocation, degradation of service, loss of traffic confidentiality, or physical attack.", "Name": "Target association" } ], "preconditions": [ { "Description": "Adversary requires sufficient signal to noise and interference ratio and must be present in the same area as the UE.", "Name": "Ability to receive SUCI over the air" } ], "procedureexamples": [ { "Description": "Receive SUCI and extract the field “home network identifier”, which is never concealed.", "Name": "Intercept home network over the radio interface" } ], "refs": [ "[1] 3GPP TS 23.003: \"Numbering, Addressing and Identification”, Version 17.6.0, Section 2.2B - https://www.3gpp.org/DynaReport/23003.htm", "https://fight.mitre.org/mitigations/FGM5022", "https://fight.mitre.org/techniques/FGT5019.001" ], "status": "This is a theoretical behavior in context of 5G systems.", "subtechnique-of": "FGT5019", "typecode": "fight_subtechnique" }, "related": [ { "dest-uuid": "381fd134-4653-5c81-aeb3-8987d97be831", "type": "mitigated-by" }, { "dest-uuid": "0eaef533-4472-5d77-a665-3a40de657c70", "type": "subtechnique-of" } ], "uuid": 
"81928f19-4fcf-5b24-9387-b03f3c19ba64", "value": "Intercept Home Network via SUCI" }, { "description": "An adversary may intercept the UE permanent identifier (SUPI) from a UE that is bid down to a less secure protocol. \r\n\r\nThe UE SUPI constitutes key data that identifies UE as target of interest for other follow-on behaviors such as geolocation, degradation of service, loss of traffic confidentiality, or physical attack. From the network side, the SUPI can be used to obtain other sensitive information about this UE.\r\n\r\nBackground information: In 5G, the UE’s permanent identity, SUPI (Subscriber Permanent Identifier), is never sent unencrypted over the radio interface. In WiFi, 3G and 4G however, the UE’s permanent identity IMSI may be sent unencrypted over the radio interface (e.g. in cases where the serving network is not able to identify the UE via a temporary identifier). In 5G, SUPI can be either IMSI or Network Access Identifier (NAI). See clause 2.2A of [3].\r\n\r\nWhen a 5G UE’s Radio Capability profile allows the bidding down of the cellular protocol from 5G to 4G or 3G or WiFi an adversary can take advantage of this. The adversary first denies service to 5G and bids down victim UE to less secure protocol, for example by using a fake base station. 
Then, the adversary actively interrogates or passively intercepts unencrypted International Mobile Subscriber Identifier (IMSI) for 2G/3G/4G or Media Access Control (MAC) for WiFi.", "meta": { "architecture-segment": "RAN", "bluf": "An adversary may intercept the UE permanent identifier (SUPI) from a UE that is bid down to a less secure protocol.", "criticalassets": [ { "Description": "Unique and non-transient user identity", "Name": "UE identifier" } ], "detections": [ { "detects": "UE transitions to less secure service", "fgdsid": "FGDS5010", "name": "UE transition to less secure service" } ], "external_id": "FGT5019.002", "kill_chain": [ "fight:Discovery", "fight:Collection" ], "mitigations": [ { "fgmid": "FGM5006", "mitigates": "Restrictive user security profile can dictate that the UE will refuse to networks that are not 5G. The prevention of bidding-down is achieved via user security profile stored in the UE.", "name": "Restrictive user profile" } ], "object-type": "technique", "platforms": "5G radio", "postconditions": [ { "Description": "Allows an adversary to identify UE as target of interest for geolocation, degradation of service, loss of traffic confidentiality, or physical attack.", "Name": "Target association" } ], "preconditions": [ { "Description": "User security profile must allow bidding down.", "Name": "Permissive user security profile" }, { "Description": "Denying service to 5G and bidding down (e.g. from a fake or compromised base station) must have occurred for this 5G UE. Adversary must be present in the same area as the UE.", "Name": "Bid down operation successful" } ], "procedureexamples": [ { "Description": "Adversary with fake or compromised base station sends an Identity Request NAS message to the UE to get back the SUPI. This occurs after the UE has been bid down from 5G. 
Clause 5.4.4 of [2]", "Name": "Obtain permanent UE identifier SUPI from bid-down UE" } ], "refs": [ "[1] European Union Agency for Cybersecurity (ENISA : “ENISA Threat Landscape for 5G Networks” Report, December 2020. - https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks", "[2] 3GPP TS 24.301 “Non-Access-Stratum (NAS protocol for Evolved Packet System (EPS ”; Stage 3 - https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=1072", "[3] 3GPP TS 23.003: \"Numbering, Addressing and Identification”, Version 17.6.0, Section 2.2B - https://www.3gpp.org/DynaReport/23003.htm", "https://fight.mitre.org/data%20sources/FGDS5010", "https://fight.mitre.org/mitigations/FGM5006", "https://fight.mitre.org/techniques/FGT5019.002" ], "status": "This is a theoretical behavior", "subtechnique-of": "FGT5019", "typecode": "fight_subtechnique" }, "related": [ { "dest-uuid": "cce626f3-b774-5f29-b1d2-5fb96a5befef", "type": "mitigated-by" }, { "dest-uuid": "d8cdf251-95c8-5624-bf93-4b468c59011f", "type": "detected-by" }, { "dest-uuid": "0eaef533-4472-5d77-a665-3a40de657c70", "type": "subtechnique-of" } ], "uuid": "339962a1-33fa-57b3-be62-29fee78e33ce", "value": "Intercept bid-down SUPI" }, { "description": "An adversary may non-cooperatively geolocate a UE from UE radio signal externals.\r\n\r\nAn adversary may geolocate an unknown UE by using Radio access technology or “RF externals”, such as Direction of Arrival, Time of Arrival, Frequency of Arrival, Time Difference of Arrival, and Frequency Difference of Arrival of UE signals, or the 5G New Radio (5G NR) multi RTT (Round trip time) and angle-based methods, or non-3GPP access data (e.g. 
WiFi access points/IP addresses).\r\n\r\nThe UE does its own geolocation from base station transmissions, but an adversary with multiple receivers can geolocate a UE from the differential time of arrival of UE transmitted signal events completely independently of the process the UE is doing to geo-locate itself.", "meta": { "access-required": "None", "architecture-segment": "RAN", "bluf": "An adversary may non-cooperatively geolocate a UE from UE radio signals externals.", "criticalassets": [ { "Description": "UE/subscriber geographical location", "Name": "UE location" } ], "detections": [], "external_id": "FGT5012.001", "kill_chain": [ "fight:Discovery", "fight:Collection" ], "mitigations": [ { "fgmid": "FGM5098", "mitigates": "Reduce usage. Use UE only when needed. Turn UE off if not needed for period of time.", "name": "Reduce UE usage" }, { "fgmid": "FGM5099", "mitigates": "Move UE closer to base station and/or reduce height of UE above terrain and/or move indoors or into multipath environment.", "name": "Move UE close to gNB" } ], "object-type": "technique", "platforms": "5G", "postconditions": [ { "Description": "Geolocation can make electronic attack for degradation of service more effective, bidding down to defeat ID and traffic confidentiality more effective, and can expose subscriber to physical attack.", "Name": "Subsequent attack" } ], "preconditions": [ { "Description": "Attacker must have radio line-of-sight to target for most accurate geolocation.", "Name": "Line-of-sight" } ], "procedureexamples": [ { "Description": "Adversary geolocates unknown UE using some combination of Direction of Arrival, Time-of-Arrival, and/or Frequency-of-Arrival of UE signal externals.", "Name": "Externals geolocation" } ], "refs": [ "[1] European Union Agency for Cybersecurity (ENISA : “ENISA Threat Landscape for 5G Networks” Report, December 2020. - https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks", "[2] X. Hu et.al. 
“A Systematic Analysis Method for 5G Non-Access Stratum Signaling Security”, IEEE Access, August 2019. - https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=8817957", "https://fight.mitre.org/mitigations/FGM5098", "https://fight.mitre.org/mitigations/FGM5099", "https://fight.mitre.org/techniques/FGT5012.001" ], "status": "Observed in earlier 3GPP generations and expected in 5G.", "subtechnique-of": "FGT5012", "typecode": "fight_subtechnique" }, "related": [ { "dest-uuid": "6902c7fa-b716-5673-b870-1e48e576845b", "type": "mitigated-by" }, { "dest-uuid": "f6943911-4cc0-5825-ab1c-b889d3b3c989", "type": "mitigated-by" }, { "dest-uuid": "f940f548-256a-5559-83bc-7fea99d051bf", "type": "subtechnique-of" } ], "uuid": "aba33a6e-1a01-557c-9523-dea3f568ca8b", "value": "Passive radio signals observation" }, { "description": "An adversary may elicit location reports from UE that is bid down to less secure format or may passively observe location reports from UE employing null encryption.\r\n\r\nAn adversary may eavesdrop messages exchanged between the UE and the network, if encryption for the radio interface is not employed. These messages of interest contain location reports that the UE sends to the network upon (legitimate) request from the network.", "meta": { "access-required": "RAN", "architecture-segment": "RAN", "bluf": "An adversary may elicit location reports from UE that is bid down to less secure format or passively observes location reports from UE employing null encryption.", "criticalassets": [ { "Description": "UE/Subscriber geographical location", "Name": "UE location" } ], "detections": [ { "detects": "Subscriber transitions to less secure service.", "fgdsid": "FGDS5010", "name": "UE transition to less secure service" } ], "external_id": "FGT5012.002", "kill_chain": [ "fight:Discovery", "fight:Collection" ], "mitigations": [ { "fgmid": "FGM5006", "mitigates": "Restrictive subscriber security profile. Do not use unencrypted systems. 
Set subscriber security profile to prohibit bidding down to less secure service.", "name": "Restrictive user profile" }, { "fgmid": "FGM5096", "mitigates": "Disable location on UE device for all applications which use UE’s physical location. This is only a partial mitigation because location measurements will be sent by the UE to gNB.", "name": "Disable UE location use" }, { "fgmid": "M1041", "mitigates": "Avoid systems that employ null encryption. De-register when only NULL encryption is offered", "name": "Encrypt Sensitive Information" } ], "object-type": "technique", "platforms": "5G", "postconditions": [ { "Description": "Geolocation can make electronic attack for degradation of service more effective, bidding down to defeat ID and traffic confidentiality more effective, and can expose subscriber to physical attack.", "Name": "Subsequent attack" } ], "preconditions": [ { "Description": "Subscriber security profile must allow bidding down to less secure format OR system does not employ over-the-air encryption.", "Name": "Permissive subscriber security profile OR system does not employ over-the-air encryption." }, { "Description": "Adversary must be present in the same area where the UE is located.", "Name": "Adversary present in the vicinity of victim UE" } ], "procedureexamples": [ { "Description": "Victim UE is using a 5G system with null encryption or is bid down to a less secure protocol. UE geolocation or geolocation measurement data is passively observed or, if bid down, actively ordered through illegitimate signaling.", "Name": "Self-location measurement" } ], "refs": [ "[1] European Union Agency for Cybersecurity (ENISA): “ENISA Threat Landscape for 5G Networks” Report, December 2020. 
- https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks", "https://fight.mitre.org/data%20sources/FGDS5010", "https://fight.mitre.org/mitigations/FGM5006", "https://fight.mitre.org/mitigations/FGM5096", "https://fight.mitre.org/mitigations/M1041", "https://fight.mitre.org/techniques/FGT5012.002" ], "status": "Observed in earlier 3GPP generations and expected in 5G.", "subtechnique-of": "FGT5012", "typecode": "fight_subtechnique" }, "related": [ { "dest-uuid": "cce626f3-b774-5f29-b1d2-5fb96a5befef", "type": "mitigated-by" }, { "dest-uuid": "eac71fab-a7af-5480-a48f-310ebb01fd07", "type": "mitigated-by" }, { "dest-uuid": "71801a06-41bd-5336-a539-e8bea9d647f7", "type": "mitigated-by" }, { "dest-uuid": "d8cdf251-95c8-5624-bf93-4b468c59011f", "type": "detected-by" }, { "dest-uuid": "f940f548-256a-5559-83bc-7fea99d051bf", "type": "subtechnique-of" } ], "uuid": "0551e810-74ac-5a51-82c1-abaebeb3dfd4", "value": "Self Location Measurement" }, { "description": "An adversary may position itself on the radio interface, to support follow-on behaviors such as [Network Sniffing](/techniques/FGT1040) or [Transmitted Data Manipulation](/techniques/FGT1565.002).\r\n\r\nAdversary can deploy a fake gNB, eNB (a 4G base station) or WiFi access point, or a back-to-back fake gNB-UE combination to act as an adversary-in-the-middle, in order to intercept, inject and possibly modify communication and relay communication to and from intended recipient over the radio interface. 
\r\n\r\nThis attack assumes the following to have taken place: the UE has been bid-down (see [Bid down UE](/techniques/FGT1562.501)) to a less secure Radio Access Network such as 4G, or the UE connects to an eNB because the network is 5G Non-Standalone, or due to EPS fallback, or the UE connects to a WiFi access point (to access 5G services).", "meta": { "architecture-segment": "RAN", "bluf": "An adversary may position itself on the radio interface, to support follow-on behaviors such as [Network Sniffing](/techniques/FGT1040) or [Transmitted Data Manipulation](/techniques/FGT1565.002).", "criticalassets": [ { "Description": "All signaling transmitted to and from subscriber can be modified or intercepted in the clear", "Name": "Subscriber signaling" }, { "Description": "UE/subscriber geographical location can be intercepted.", "Name": "UE location" }, { "Description": "All data and voice transmitted to and from subscriber can be modified or intercepted in the clear", "Name": "Subscriber traffic" } ], "detections": [ { "detects": "UE measurements of received power levels from all base stations nearby, and their identifiers Reference clause 6.24 of [3]", "fgdsid": "FGDS5002", "name": "UE signal measurements" } ], "external_id": "FGT1557.501", "kill_chain": [ "fight:Collection", "fight:Credential-Access" ], "mitigations": [], "object-type": "technique", "platforms": "5G", "postconditions": [ { "Description": "Transient technique; works only as long as adversary-in-the-middle is able to retain connection.", "Name": "Temporary loss of subscriber data confidentiality or integrity." } ], "preconditions": [ { "Description": "Subscriber security profile must allow bidding down to less secure service OR system must employ null integrity or encryption.", "Name": "Permissive subscriber security profile OR system employs null integrity or encryption." } ], "procedureexamples": [ { "Description": "The adversary employs a back to back gNB-UE combination. 
When UE security profile allows bidding down, or the UE connects to 4G due to EPS fallback, or to WiFi, an adversary acts as an adversary-in-the-middle to intercept and possibly modify communication to and from intended recipient.", "Name": "Adversary-in-the-Middle on air interface for a given UE" }, { "Description": "Alternatively, if the 5G system employs null integrity or encryption, subscriber data traffic can be eavesdropped or modified in transit over the air interface", "Name": "Adversary-in-the-Middle on air interface for any UE" }, { "Description": "Adversary uses a fake base station to broadcast spoofed configuration messages to UEs nearby. Reference [3] (appendix B) contains a taxonomy of attacks against 5G UEs, passive and active. One concerns message attacks (fake MIB/SIB – Master Information Block/System Information Block)", "Name": "Spoofed configuration messages from fake base station" } ], "refs": [ "[1] European Union Agency for Cybersecurity (ENISA): “ENISA Threat Landscape for 5G Networks” Report, section 4.4, December 2020. - https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks", "[2] Hu, X. et al: “A Systematic Analysis Method for 5G Non-Access Stratum Signalling Security”, August 2019 - https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=8817957", "[3] 3rd Generation Partnership Project (3GPP) TR 33.809: “Study on 5G security enhancements against False Base Stations (FBS)”, Technical Report, v0.18.0, February 2022. 
- https://www.3gpp.org/DynaReport/33809.htm", "https://fight.mitre.org/data%20sources/FGDS5002", "https://fight.mitre.org/techniques/FGT1557.501" ], "status": "Observed in earlier 3GPP generations and expected in 5G.", "subtechnique-of": "FGT1557", "typecode": "fight_subtechnique_to_attack_technique" }, "related": [ { "dest-uuid": "fa9ee8fb-7f25-554c-9682-0e50e774812d", "type": "detected-by" }, { "dest-uuid": "5ecccab0-9d6d-504c-92c4-408091a3c114", "type": "subtechnique-of" } ], "uuid": "125336d2-ca71-57b5-a46e-faca5013c555", "value": "Radio interface" }, { "description": "A malicious app consumes subscriber data allocation to deny or degrade service to that UE. \r\n\r\nA malicious application might consume a UE's limited data plan, denying or throttling service.", "meta": { "architecture-segment": "UE", "bluf": "A malicious app consumes subscriber data allocation so as to deny or degrade service to that UE", "criticalassets": [ { "Description": "Communications is denied until additional data usage is purchased.", "Name": "Assured user communications" } ], "detections": [ { "detects": "Excessive data usage reported by UE or service provider.", "fgdsid": "FGDS5006", "name": "UE data usage" } ], "external_id": "FGT1499.501", "kill_chain": [ "fight:Impact" ], "mitigations": [ { "fgmid": "FGM5007", "mitigates": "Unlimited data plan. Attack is mitigated with a true unlimited data plan", "name": "Unlimited data plan" }, { "fgmid": "FGM5008", "mitigates": "Monitor installed applications on UE for data usage.", "name": "Monitor installed applications for data usage" } ], "object-type": "technique", "platforms": "5G UE", "postconditions": [ { "Description": "Sustained degraded communication of legitimate UEs until additional data is purchased.", "Name": "Degraded communication of legitimate UEs." 
} ], "preconditions": [ { "Description": "There are several methods to achieve this", "Name": "A malicious app or set of apps have to have been installed on the UE" } ], "procedureexamples": [ { "Description": "Convince user to download or maliciously introduce application that consumes excessive data", "Name": "Malicious data consumption application" } ], "refs": [ "[1] Android devices ensnared in DDoS botnet, Feb. 2021 - https://www.zdnet.com/article/android-devices-ensnared-in-ddos-botnet/", "[2] Massive Android DDoS Botnet Derailed, Aug. 2017 - https://www.darkreading.com/attacks-breaches/massive-android-ddos-botnet-derailed", "https://fight.mitre.org/data%20sources/FGDS5006", "https://fight.mitre.org/mitigations/FGM5007", "https://fight.mitre.org/mitigations/FGM5008", "https://fight.mitre.org/techniques/FGT1499.501" ], "status": "This is a theoretical behavior", "subtechnique-of": "FGT1499", "typecode": "fight_subtechnique_to_attack_technique" }, "related": [ { "dest-uuid": "4ccdd7b7-9def-5930-99ed-d397e1d5b4c5", "type": "mitigated-by" }, { "dest-uuid": "1a002036-92d8-5319-bfd7-248f2e6434f9", "type": "mitigated-by" }, { "dest-uuid": "f6a1601e-dab5-5382-88a5-c64c8d34570f", "type": "detected-by" }, { "dest-uuid": "73d8dd2f-14f5-5774-8b7a-ca9712f63b91", "type": "subtechnique-of" } ], "uuid": "e1f9e40f-2345-5140-bf1f-4d53e69451f8", "value": "Consume data allocation to deny or degrade service" }, { "description": "An adversary may trigger a fraud alert by sending fake registrations for a given UE.\r\n\r\nAn adversary might deny RAN access to a UE by triggering a fraud alert through attempting simultaneous registrations at geographically impossible locations. 
When the UE security profile allows, the adversary can illegitimately use a known Subscription Permanent Identifier (SUPI) or, if a valid Subscription Concealed Identifier (SUCI) is known, use a legitimate SUCI for false registrations.", "meta": { "architecture-segment": "RAN", "bluf": "An adversary may trigger a fraud alert by sending fake registrations for a given UE.", "criticalassets": [ { "Description": "Communications is denied", "Name": "Assured user communications" } ], "detections": [ { "detects": "Subscriber contacts service provider to determine why service is denied.", "fgdsid": "FGDS5011", "name": "Subscriber notify provider" } ], "external_id": "FGT1499.502", "kill_chain": [ "fight:Impact" ], "mitigations": [ { "fgmid": "FGM5093", "mitigates": "UDM/SIDF checks the freshness parameter of SUCI received from the same UE (having the same SUPI). If replayed by adversary within a short period of time, freshness test will fail.", "name": "SUCI freshness parameter" } ], "object-type": "technique", "platforms": "5G", "postconditions": [ { "Description": "Denial of service continues until service provider is convinced there is no fraud.", "Name": "Sustained denial of service" } ], "preconditions": [ { "Description": "There are several methods to achieve this by capturing over the air messages using a wireless sniffer.", "Name": "A valid SUPI or SUCI must be intercepted by attacker." } ], "procedureexamples": [ { "Description": "Adversary may capture a registration attempt for a given UE, then replay it right away to a gNB much further away – so that the network receives two registrations at about the same time e.g. from two regions far away: New York and Georgia. \nThe network will trigger a fraud alert. 
Thus, RAN access may be denied to that victim UE because of the attempted simultaneous registrations at geographically impossible locations.", "Name": "Adversary replays registration attempt for a victim UE to a gNB much further away (“geographically impossible”)." } ], "refs": [ "https://fight.mitre.org/data%20sources/FGDS5011", "https://fight.mitre.org/mitigations/FGM5093", "https://fight.mitre.org/techniques/FGT1499.502" ], "status": "This is a theoretical behavior", "subtechnique-of": "FGT1499", "typecode": "fight_subtechnique_to_attack_technique" }, "related": [ { "dest-uuid": "5eb89efa-6c06-510d-8925-36acf823336c", "type": "mitigated-by" }, { "dest-uuid": "d753b96b-6097-546e-bfc0-e64c588eec13", "type": "detected-by" }, { "dest-uuid": "73d8dd2f-14f5-5774-8b7a-ca9712f63b91", "type": "subtechnique-of" } ], "uuid": "bd995aff-6175-5cef-a78a-652632ab62f8", "value": "Trigger fraud alert to deny service" }, { "description": "An adversary may alter the subscriber profile to achieve fraud, via SBI (Service Based Interfaces) or OA&M interfaces.\r\n\r\nThe subscriber profile is a mostly static set of data relating to a device, such as: phone number, group membership, data access configuration, and others. The dynamic data is the serving AMF (which is associated with a very coarse geographical location). This profile resides in the UDM. If the UDM is compromised, it can make any change to the user profile. The AMF serving the UE can get a fresh copy of the subscriber profile. \r\n\r\nAnother type of profile is the “UE context”, and is also held at the UDM; it is a dynamic (valid for a session) set of data relating to the current state of the UE. The UE context can be modified in the UDM legitimately by certain NF such as AMF and SMF.\r\n\r\nAn adversary in the core network (e.g. 
in control of a core NF such as AMF, UDM or PCF) can retrieve subscriber profile from the repository UDM/UDR, and may be able to alter at least part of it, e.g., AMF can update the serving AMF entry. The UDM can naturally alter any portion of the profile.\r\n\r\nAn OA&M based attack (adversary has access to the provisioning interface) on the UDM/UDR would allow all changes to the UE profile (e.g., change from post-paid to pre-paid or vice-versa).", "meta": { "architecture-segment": "Control Plane, OA&M", "bluf": "An adversary may alter the subscriber profile to achieve fraud, via SBI (Service Based Interfaces) or OA&M interfaces.", "criticalassets": [ { "Description": "UE voice and data records accuracy", "Name": "UE call/data records" }, { "Description": "The UE static profile data", "Name": "UE static profile" } ], "detections": [ { "detects": "Subscriber contacts Customer service to complain (in some limited cases)", "fgdsid": "FGDS5011", "name": "Subscriber notify provider" } ], "external_id": "FGT5022", "kill_chain": [ "fight:Fraud" ], "mitigations": [ { "fgmid": "FGM5020", "mitigates": "Secure subscriber repositories", "name": "Secure subscriber repositories" } ], "object-type": "technique", "platforms": "5G Network", "procedureexamples": [ { "Description": "AMF/SMF can use Nudm_UECM_Update to modify UE context in the UDM. AMF or SMF can change some parameters in the UE context (which is like a subscriber profile, but valid only for a session; Clause 5.2.3.2.5 of [3]. The parameters are: PEI (Permanent Equipment Identifier), analyticsID (for NWDAF), UE capabilities, Intersystem continuity context, SMF FQDN", "Name": "AMF or SMF modifies UE context." }, { "Description": "Rogue AF/NEF via UDM can modify UE’s configuration for a given external service (e.g. pay for video for a game today). When the victim UE changes state from idle mode to connected mode, it will receive the modified services which may be inferior to the services originally provisioned. 
Example: NEF can use Nudm_ParameterProvision update service to update UE subscription data. Clause 5.6.2.2 of [4] & clauses 4.15.6.2, 4.15.6.3, 4.15.6.3a of [3].", "Name": "Rogue AF/NEF modifies UE’s configuration for a given external service." }, { "Description": "Compromised GUI or CLI based attack on subscriber database in UDR", "Name": "Compromised OA&M can modify subscriber profile data in UDR" } ], "refs": [ "[1] S.P. Rao, S. Holtmanns, T. Aura: “Threat modeling framework for mobile communication systems”, May 2020 - https://arxiv.org/abs/2005.05110v1", "[2] S. Holtmanns, I. Oliver and Y. Miche, “Mobile Subscriber Profile Data Privacy Breach via 4G Diameter Interconnection”, 2017. - https://www.riverpublishers.com/journal_read_html_article.php?j=JICTS/6/3/4", "[3] 3GPP TS 23.502, “Procedures for the 5G System (5GS); Stage 2 (Release 17)”, Technical Specification, v17.4.0, March 2022. section 4.11.1.2.2 - https://www.3gpp.org/DynaReport/23502.htm", "[4] 3GPP TS 29.503, “5G System; Unified Data Management Services; Stage 3” - https://www.3gpp.org/DynaReport/29503.htm", "https://fight.mitre.org/data%20sources/FGDS5011", "https://fight.mitre.org/mitigations/FGM5020", "https://fight.mitre.org/techniques/FGT5022" ], "status": "This is a theoretical behavior in context of 5G systems.", "typecode": "fight_technique" }, "related": [ { "dest-uuid": "87b2315f-db71-566b-878f-9e579fb242af", "type": "mitigated-by" }, { "dest-uuid": "d753b96b-6097-546e-bfc0-e64c588eec13", "type": "detected-by" } ], "uuid": "6e09e20a-1d87-5aed-95e4-bf7042bb29bd", "value": "Alter Subscriber Profile" }, { "description": "An adversary controlling a Network Function (NF) or slice can gain access to a different network slice data by interacting with other NFs. \r\n\r\nEvery network slice has an identifier, part of which is sensitive just like a UE permanent identifier. 
If this Slice Differentiator (SD) is discovered, then a malicious NF and/or malicious slice can use the guessed SD to gain unauthorized information or resource access to that victim slice. This is done by tricking the NRF to issue a token for a slice that the requestor NF is not authorized to access, then using that token to get information from the shared NF. It is assumed that the shared NF is serving both own slice and the victim slice.", "meta": { "architecture-segment": "Network Slice", "bluf": "An adversary controlling a Network Function (NF) or slice can gain access to a different network slice data by interacting with other NFs. ", "criticalassets": [ { "Description": "UE (served by that slice) related information. Slice specific configuration – e.g. what NFs are part of it and SLAs of the slice.", "Name": "Confidentiality of slice-specific resources" }, { "Description": "The functionality of any core NF that is shared between slices (AMF, SMF, PCF,.. )", "Name": "Core NFs" } ], "detections": [ { "detects": "Check logs of requests/responses at the shared NF. E.g., each entry should contain UE ID (SUPI), NF consumer that requested it, slice Ids of both.", "fgdsid": "DS0015", "name": "Application Log" } ], "external_id": "FGT5027", "kill_chain": [ "fight:Defense-Evasion", "fight:Collection" ], "mitigations": [ { "fgmid": "FGM5003", "mitigates": "The attack can be mitigated if the NRF performs additional checks. The NRF authorizes the NF service consumer to obtain tokens only for authorized slice(s). (3GPP SA3 investigating as of early 2022). 
A cross check with the TLS certificate of requester should be performed as well at the NRF.", "name": "Cross check between application layer and transport layer" }, { "fgmid": "M1020", "mitigates": "Inspect TLS layer encryption", "name": "SSL/TLS Inspection" } ], "object-type": "technique", "platforms": "5G network", "preconditions": [ { "Description": "See [FGT5028](/techniques/FGT5028)", "Name": "Slice identifier was discovered" }, { "Description": "This is common in practice", "Name": "Two slices share one common NF" }, { "Description": "This is implicit in the standards that do not mandate this check.", "Name": "NRF does not check requester slice identifier and the target (consumer) slice identifier." } ], "procedureexamples": [ { "Description": "A malicious NF and/or malicious slice can use the guessed identifier Slice Differentiator (SD) to gain unauthorized information or resource access to a different slice. The NF asks the NRF for an OAuth token for an NF in that other slice. The reason is the requested SD (actually, the entire NSSAI) is included in the OAuth token without verification whether requester is allowed access to it. The NRF issues that OAuth token because it is for a producer NF that serves both the requester’s slice and the targeted (victim) slice. \nThis seems to be a poor approach to access control- one that relies on knowing an identifier, and so access is given if that identifier—presumably kept secret—is found out. See section 3.1.3.1 of [1].", "Name": "Adversary NF in one slice uses guessed slice identifier of another slice to gain unauthorized access to resources in that slice." 
} ], "refs": [ "[1] AdaptiveMobile Security, \"A Slice in Time: Slicing Security in 5G Core Networks\", 17032021-v1.00 - https://info.adaptivemobile.com/network-slicing-security", "https://fight.mitre.org/data%20sources/DS0015", "https://fight.mitre.org/mitigations/FGM5003", "https://fight.mitre.org/mitigations/M1020", "https://fight.mitre.org/techniques/FGT5027" ], "status": "This is a theoretical behavior in context of 5G systems.", "typecode": "fight_technique" }, "related": [ { "dest-uuid": "c1144b6f-994d-5a18-9c38-f40e89a4d19f", "type": "mitigated-by" }, { "dest-uuid": "31f00f97-157f-529c-96aa-e94a74f3a271", "type": "mitigated-by" }, { "dest-uuid": "3c23d0f7-d55c-5891-90b9-c744e976f0ef", "type": "detected-by" } ], "uuid": "6fb09d9b-f462-5aff-857d-1ef31a4d4036", "value": "Spoof network slice identifier" }, { "description": "An adversary may guess the identifier of a different network slice, which allows for follow-on behaviors against that slice that require that identifier.\r\n\r\nThe NSSAI is a slice identifier. It contains two elements: a Slice Service Type (SST) (several 3GPP defined values) and a Slice Differentiator (SD), which should be unique within that type. Consumer NFs may need to access services of Producer NFs belonging to a different slice. Any “consumer NF” can ask the Network Repository Function (NRF) for an OAuth token towards this goal, but it must include the Slice identity-- which contains a SD – in the request.\r\n\r\nIn Release 16 or earlier, the SD was not mandatory and random. Hence “brute forcing” or \"enumeration\" can be used to guess the SD. 
Thus if the consumer NF is compromised and wants to discover other slice IDs, it can ask the NRF for OAuth tokens but with guessed slice identities, until a valid one is returned.", "meta": { "architecture-segment": "Network Slice", "bluf": "An adversary may guess the identifier of a different network slice, which allows for follow-on behaviors against that slice that require that identifier.", "criticalassets": [ { "Description": "Confidentiality of slice specific resources.", "Name": "Slice-specific resources" }, { "Description": "AMF and UDM have NSSAI information. AMF requests and UDM responds.", "Name": "AMF and UDM" } ], "detections": [ { "detects": "Logs at the NRF of failed NSSAI lookups. If a NF asks for NSSAIs that do not exist, then flag that or take action.\n\nAMF can ask the UDM about NSSAIs legitimately. Keep AMF and UDM logs of transactions involving asks about NSSAIs.", "fgdsid": "DS0015", "name": "Application Log" } ], "external_id": "FGT5028", "kill_chain": [ "fight:Discovery" ], "mitigations": [ { "fgmid": "FGM5499", "mitigates": "NRF protection against brute-force attacks. NRF should not respond to requests after a given number of failed NSSAI lookups (See detections).", "name": "Rate limiting by producer NF" } ], "object-type": "technique", "platforms": "5G", "postconditions": [ { "Description": "Now the adversary knows the SD of a given slice it is not authorized to contact.", "Name": "Unauthorized disclosure of SD/NSSAI" } ], "preconditions": [ { "Description": "For NF discovery service, clause 5.2.7.1 of [3] lists the following service consumers: AMF, SMF, PCF, NEF, NSSF, SMSF, AUSF, CHF, NRF, NWDAF, I-CSCF, SCSCF, IMS-AS, SCP, UDM, AF, DCCF, MBSF, 5G DDNMF, TSCTSF.", "Name": "Compromise of core consumer NF" } ], "procedureexamples": [ { "Description": "Any “consumer NF” can ask the NRF for information with a guessed slice identifier, until a non-error response is returned. 
The NRF services that are candidates for this operation are ([2]): discovery and Access token (Nnrf_NFDiscovery and Nnrf_AccessToken). For the Discovery service, in the GET NF instances, the parameters can be included “plmn-specific-snssai-list”, which contains the S-NSSAIs that are served by the NF supposedly being discovered. Then the 200OK result contains the NFProfile, which includes the S-NSSAIs. Section 3.1.3 of [1].", "Name": "An adversary in control of a network function asks the NRF for a token for a guessed SD until a legitimate response is received." } ], "refs": [ "[1] AdaptiveMobile Security, \"A Slice in Time: Slicing Security in 5G Core Networks\", 17032021-v1.00. - https://info.adaptivemobile.com/network-slicing-security", "[2] 3rd Generation Partnership Project (3GPP) TS 29.510, “Network function repository services; Stage 3”, v17.4.0, Dec 2021. - https://www.3gpp.org/DynaReport/29510.htm", "[3] 3GPP TS 23.502 “Procedures for the 5G System (5GS); Stage 2” - https://www.3gpp.org/DynaReport/23502.htm", "https://fight.mitre.org/data%20sources/DS0015", "https://fight.mitre.org/mitigations/FGM5499", "https://fight.mitre.org/techniques/FGT5028" ], "status": "This is a theoretical behavior in context of 5G systems.", "typecode": "fight_technique" }, "related": [ { "dest-uuid": "8a908176-33cc-5fbc-900d-f496f04c5344", "type": "mitigated-by" }, { "dest-uuid": "3c23d0f7-d55c-5891-90b9-c744e976f0ef", "type": "detected-by" } ], "uuid": "e337b468-e4b9-52d0-91d9-988f7ed2d446", "value": "Discover network slice identifier" }, { "description": "An adversary in a roaming partner operator may send altered service usage for a given UE to the home operator of that UE.\r\n\r\nService fraud involves bypassing controls to gain access to services or resources which the adversary is not entitled to or charged for. 
This applies to 3G, 4G and 5G.\r\nA dishonest roaming partner could falsify a UE service usage or route traffic through several partner networks inducing high termination fees to claim revenue in the form of service charges.", "meta": { "architecture-segment": "Roaming", "bluf": "An adversary in a roaming partner operator may send altered service usage for a given UE to the home operator of that UE. ", "criticalassets": [ { "Description": "Operator loses revenue.", "Name": "Operator revenue" } ], "detections": [ { "detects": "Usage data analysis via AI/ML", "fgdsid": "FGDS5006", "name": "UE data usage" }, { "detects": "Cross-check with subscriber services (if subscriber complains).", "fgdsid": "FGDS5011", "name": "Subscriber notify provider" } ], "external_id": "FGT5025", "kill_chain": [ "fight:Fraud" ], "mitigations": [ { "fgmid": "FGM5503", "mitigates": "Employ home-routing instead of local breakout for user traffic (but this means more delay and lower quality of service).", "name": "Increase control of home network for user plane" } ], "object-type": "technique", "platforms": "5G", "procedureexamples": [ { "Description": "Signaling fraud may be undertaken by a partner operator, via false charging over international signaling interconnection. Clause 5.3 of [1]. Reference [2] mentions service fraud.", "Name": "False charging" } ], "refs": [ "[1] European Union Agency for Cybersecurity (ENISA : “ENISA Threat Landscape for 5G Networks” Report, November 2019. - https://www.enisa.europa.eu/publications/enisa-threat-landscape-for-5g-networks", "[2] R. Pell, S. Moschoyiannis, E. Panaousis, R. 
Heartfield, “Towards dynamic threat modelling in 5G core networks based on MITRE ATT&CK”, October 2021 - https://arxiv.org/abs/2108.11206", "https://fight.mitre.org/data%20sources/FGDS5006", "https://fight.mitre.org/data%20sources/FGDS5011", "https://fight.mitre.org/mitigations/FGM5503", "https://fight.mitre.org/techniques/FGT5025" ], "status": "Observed in earlier 3GPP generations and expected in 5G.", "typecode": "fight_technique" }, "related": [ { "dest-uuid": "002cc4aa-4570-500f-bcca-55e38a713ab8", "type": "mitigated-by" }, { "dest-uuid": "f6a1601e-dab5-5382-88a5-c64c8d34570f", "type": "detected-by" }, { "dest-uuid": "d753b96b-6097-546e-bfc0-e64c588eec13", "type": "detected-by" } ], "uuid": "77711215-9211-570f-90bf-4e441126c231", "value": "Falsify interconnect invoice" }, { "description": "Adversary may clone a SIM card (namely the SUPI, credential stored therein) and use it fraudulently to obtain telecom service at the expense of the user of the device with that legitimate SIM card.\r\n\r\nNote 1: This threat is applicable to 3G, 4G and 5G. It may or may not be possible depending on how secure the SIM/USIM card is. Some manufacturers of lower tier USIMs may leave their devices vulnerable.\r\n\r\nNote 2: USIM card technology is independent of 3GPP generations. Releases 15, 16 brought improvements to the USIM technology. 
\r\n\r\nNote 3: If two devices (one legitimate, one cloned SIM) from two different locations attempt to connect to that home operator at the same time, both will be dropped as a precaution against the suspected SIM cloning.", "meta": { "architecture-segment": "UE", "bluf": "Adversary may clone a SIM card (namely the IMSI, credential stored therein) and use it fraudulently to obtain telecom service at the expense of the user of the device with that legitimate SIM card", "criticalassets": [ { "Description": "SUPI, master secret key K etc.", "Name": "Subscriber sensitive data" } ], "detections": [ { "detects": "Investigate unusual USIM card patterns.", "fgdsid": "FGDS5005", "name": "SIM card pattern" } ], "external_id": "FGT5026", "kill_chain": [ "fight:Fraud", "fight:Credential-Access" ], "mitigations": [ { "fgmid": "M1017", "mitigates": "M(V)NO procures USIM cards from reputable manufacturers, and oversees delivery process.", "name": "User Training" } ], "object-type": "technique", "platforms": "5G UE", "postconditions": [ { "Description": "With the cloned USIM card, adversary now has access to the victim’s permanent identifier (SUPI), master secret key K and operator key (OPc). Those can be used for unauthorized access to 5G network.", "Name": "Access to user credentials" } ], "preconditions": [ { "Description": "Adversary needs physical access to USIM card during manufacturing of USIMs or during transport to MNOs and the cloned USIM card needs to be activated by the MNO.", "Name": "Access to USIM card" } ], "procedureexamples": [ { "Description": "Adversary gets physical access to the victim USIM card, extracts the USIM card contents (SUPI, K and OPc) and then provisions the contents in an empty and writeable USIM. 
This can be done via SIM cloning software.", "Name": "Duplicate captured USIM card" } ], "refs": [ "[1] Martin Brisfors, Sebastian Forsmark, Elena Dubrova: “How Deep Learning Helps Compromising USIM” - https://dl.acm.org/doi/abs/10.1007/978-3-030-68487-7_9", "[2] Jinghao Zhao, Boyan Ding, Yunqi Guo, Zhaowei Tan, Songwu Lu, “SecureSIM: Rethinking Authentication and Access Control for SIM/eSIM” - https://dl.acm.org/doi/pdf/10.1145/3447993.3483254", "https://fight.mitre.org/data%20sources/FGDS5005", "https://fight.mitre.org/mitigations/M1017", "https://fight.mitre.org/techniques/FGT5026" ], "status": "Observed in earlier 3GPP generations and expected in 5G.", "typecode": "fight_technique" }, "related": [ { "dest-uuid": "aa26e841-b71e-59d1-840b-15d8fec5e032", "type": "mitigated-by" }, { "dest-uuid": "0821a970-9001-51cc-8568-1d0b35f7ec61", "type": "detected-by" } ], "uuid": "546fe007-3842-55ef-a805-98bcd7f3ad8d", "value": "SIM cloning" }, { "description": "An adversary with access to Non-Service Based Interfaces (Non-SBI) network nodes (including routers/switches/load balancers) may position themselves in order to support follow-on behaviors such as [Network Sniffing](/techniques/FGT1040) or [Transmitted Data Manipulation](/techniques/FGT1565.002).\r\n\r\n“Non-SBI” network interfaces are within the Radio Access Network (RAN) (e.g. Xn, F1, E1) and core (e.g. N4), and between the RAN and the 5G Core (e.g. N2, N3 interfaces). \r\n\r\nIf the network does not provide confidentiality or integrity protection for control plane and user plane packets on the non-SBI interfaces, then an AITM attack is possible. \r\n\r\nNote that the Non-Access Stratum (NAS) packets sent on the N2 interface from the UE to the core function AMF are already integrity/confidentiality protected. 
However, unlike radio communications, operator RAN to core communications are not always employing the confidentiality or integrity protection mandated by 3GPP standards.", "meta": { "architecture-segment": "Control Plane, User Plane", "bluf": "An adversary with access to Non-Service Based Interfaces (Non-SBI) network nodes (including routers/switches/load balancers) may position themselves in order to support follow-on behaviors such as [Network Sniffing](/techniques/FGT1040) or [Transmitted Data Manipulation](/techniques/FGT1565.002).", "criticalassets": [ { "Description": "UE user plane data integrity and confidentiality", "Name": "UE user plane data" }, { "Description": "UE signaling data integrity and confidentiality", "Name": "UE signaling data" } ], "detections": [ { "detects": "Check configuration changes in all switches/routers. Configuration audits by OSS/BSS", "fgdsid": "DS0015", "name": "Application Log" }, { "detects": "Inspect network traffic content and watch for unauthorized changes as the packets move through the routers/middle boxes", "fgdsid": "DS0029", "name": "Network Traffic" } ], "external_id": "FGT1557.503", "kill_chain": [ "fight:Collection", "fight:Credential-Access" ], "mitigations": [ { "fgmid": "FGM5024", "mitigates": "Use integrity (IPSec) on all non-SBI interfaces", "name": "Integrity protection of data communication" }, { "fgmid": "M1041", "mitigates": "Use encryption (IPSec) on all non-SBI interfaces", "name": "Encrypt Sensitive Information" } ], "object-type": "technique", "platforms": "5G", "postconditions": [ { "Description": "Both UE signaling and normal data communication with network will be impacted.", "Name": "Both CP and UP data are eavesdropped or modified" } ], "preconditions": [ { "Description": "Malware or wrong configuration in switches/routers between RAN and core, between gNBs, in gNB itself, in SMF or UPF.", "Name": "Compromised or misconfigured switches/routers or gNB" } ], "procedureexamples": [ { "Description": 
"Integrity or confidentiality protection can be disabled on N2 interface for Control Plane (CP), N3 interface for User Plane (UP) and Xn, F1 and E1 interfaces for CP and UP. Clauses 9.2, 9.3 and 9.4 of [2]", "Name": "Compromised or misconfigured switches or routers between RAN and core and between gNBs" }, { "Description": "Network does not provide protection on N2, N3, Xn, F1 and E1 interfaces, see clause D.2.2 of [1]", "Name": "Adversary configures the non-SBI interfaces to not use IPSec." }, { "Description": "Compromised or misconfigured Session Management Function (SMF) or User Plane Function (UPF) can cause data manipulation on N4 interface between them, which in turn can cause DoS attack by diverting user traffic away from the intended recipient. It can also cause charging errors. If weak encryption algorithm is used on the N4 interface, adversary can eavesdrop on sensitive subscriber data. Clause L.2.3 of [1]", "Name": "N4 Interface is compromised" } ], "refs": [ "[1] 3GPP TR 33.926 “Security Assurance Specification (SCAS threats and critical assets in 3GPP network product classes”. - https://www.3gpp.org/DynaReport/33926.htm", "[2] 3GPP TS 33.501 “Security architecture and procedures for 5G System”. 
- https://www.3gpp.org/DynaReport/33501.htm", "https://fight.mitre.org/data%20sources/DS0015", "https://fight.mitre.org/data%20sources/DS0029", "https://fight.mitre.org/mitigations/FGM5024", "https://fight.mitre.org/mitigations/M1041", "https://fight.mitre.org/techniques/FGT1557.503" ], "status": "This is a theoretical behavior in context of 5G systems.", "subtechnique-of": "FGT1557", "typecode": "fight_subtechnique_to_attack_technique" }, "related": [ { "dest-uuid": "cccb021c-dd96-5d72-904f-c55ad24598de", "type": "mitigated-by" }, { "dest-uuid": "71801a06-41bd-5336-a539-e8bea9d647f7", "type": "mitigated-by" }, { "dest-uuid": "3c23d0f7-d55c-5891-90b9-c744e976f0ef", "type": "detected-by" }, { "dest-uuid": "becdcf31-3d2a-53bb-8251-51e9da4a0df6", "type": "detected-by" }, { "dest-uuid": "5ecccab0-9d6d-504c-92c4-408091a3c114", "type": "subtechnique-of" } ], "uuid": "050010f3-0741-517b-a44b-e5c0384cd652", "value": "Non-SBI" }, { "description": "Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, and decision making.\n\nManipulation may be possible over a network connection or between system processes where there is an opportunity deploy a tool that will intercept and change information.\r\n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1565/002)", "meta": { "access-required": "user, N/A, N/A", "addendums": [ "#### Addendum Name: Fronthaul User Plane Data\r\n##### Architecture Segments: O-RAN\r\n Adversary manipulates User Plane data on Fronthaul interface between O-DU and O-RU to re-direct the data to a wrong destination or get discarded by the recipient due to incorrect message parameters.\r\n\r\nORAN Alliance has 
defined the open fronthaul interface which connects one O-DU to one or more O-RUs inside the gNB. The fronthaul interface makes it possible to distribute the physical layer functionalities between RU and DU, and to control RU operations from DU. ORAN Alliance has selected a specific configuration (split 7.2x) for splitting the physical layer among those proposed by 3GPP. The lower part of the physical layer (low PHY) resides in RU and performs Orthogonal Frequency Division Multiplexing (OFDM) phase compensation, inverse FFT and Cyclic Prefix (CP) insertion for frequency-to-time conversion in downlink, and FFT and CP removal in uplink. The physical layer in DU (high PHY) performs scrambling, modulation, layer mapping, and resource element mapping. Fronthaul consists of four types of interfaces: Control or C plane is used to carry control plane messages, User or U plane is used to carry user plane data, Synchronization or S plane is used to carry timing information and Management or M plane is used to carry management data.\r\n\r\nO-RAN fronthaul interface needs to implement strict performance requirements which includes very high throughput and very low latency. See clause 4.4 of [2]. Some security features may not be implemented by MNOs to meet those requirements and to reduce processing delay. Hence, AiTM attack on open fronthaul interface is possible which results in manipulation of U plane data. The adversary may manipulate RLC and MAC layers of the user plane data to cause DoS attack and/or session redirection attack (e.g. DNS redirection) on legitimate subscribers. Confidentiality and integrity protection requirements are not specified by ORAN alliance for control, user and synchronization (CUS) planes, and those are mandatory for M plane. 
See clause 6.1 of [2] and clause 5.4 of [3].\r\n\r\nNote: The user plane data in PDCP and above layers remains integrity protected on Fronthaul U plane and this data manipulation attack will not impact any of those data unless PDCP security is also broken by the adversary.\r\n\r\n", "#### Addendum Name: Layer 2 Redirection of DNS Requests\r\n##### Architecture Segments: Control Plane, User Plane, Roaming\r\n An adversary can manipulate encrypted traffic to achieve redirection of DNS requests sent by the victim UE to the network over the radio interface.\r\n\r\nUsing a fake gNB and fake UE device, the adversary can modify DNS requests the UE sends over the air, even though they are encrypted, if the adversary knows the correct DNS address and there is no integrity protection on user plane data[1]. User plane integrity protections prevent this attack on typical 5G RAN links, however these protections are optional. Alternatively, an adversary may have bid-down the UE as a precondition to achieve the effect.\r\n \r\n", "#### Addendum Name: Network Interfaces\r\n##### Architecture Segments: Control Plane, User Plane, Roaming\r\n Adversary with access to a non-Service Based Interface (non-SBI) node or an SBI Network Function (NF), or a function on the roaming/interconnect interfaces, may manipulate or spoof user plane and control plane traffic on that interface without integrity protection, towards a DOS or other attacks on the UE or a NF.\r\n\r\nThe following Network interfaces are in the scope of this document.\r\n\r\n1. “Non-SBI” (non-Service Based Interface) network interfaces are within 5G core (e.g. N4) and RAN (e.g. Xn, F1, E1), and between the RAN and the 5G Core (e.g. N2, N3 interfaces). \r\n\r\n2. SBI network interfaces are between core NFs within an operator network; they use REST APIs.\r\n\r\n3. 
Roaming and interconnect interfaces, including IPX, are between network operators (between SEPPs (N32), between UPFs (N9), or interworking functions like between AMF and MME (N26)).\r\n\r\nUnlike radio communications, within operator RAN and from RAN to core communications do not always employ integrity protection as per standards. If the gNB does not provide integrity protection for control plane (CP) packets sent on the N2/Xn-C/F1-C/E1 interfaces or does not provide user plane (UP) integrity protection for user plane packets sent on the N3/Xn-U/F1-U interfaces, or UPF does not provide integrity protection for user plane packets sent on the N9 interface, then data manipulation (alteration of messages, insertion/spoofing of messages, or replay of legitimate signaling messages) is possible. This may result in DOS. \r\n\r\nThe adversary with access to the SBI links, for example, with control over a middlebox (not including the Service Communication Proxy or SCP), may manipulate or inject spoofed signaling messages if TLS integrity is not enabled or is using a weak algorithm.\r\n \r\nIf an IPX disables JWS signature or uses a weak algorithm for JWS signature, an AiTM may manipulate data over the N32 interface while a UE is roaming.\r\n\r\nSimilarly, if the EPC interworking interface N26 for non-roaming is not integrity protected, all subscriber signaling data may be manipulated by adversary. Refer clause 4.3.1 of [3].\r\n\r\n", "#### Addendum Name: Radio Interface\r\n##### Architecture Segments: RAN\r\n Adversary with access to radio interface manipulates user and control plane traffic received on that interface without integrity protection, for example to redirect traffic, or obtain location information of the UE.\r\n\r\nIf the gNB does not provide integrity for control plane or user plane packets on radio interfaces, then data manipulation (alteration of data frame content, insertion/spoofing of messages, or replay of old messages) is possible. 
\r\n\r\n" ], "architecture-segment": "Control Plane, User Plane, Roaming", "bluf": "Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, and decision making.\n\nManipulation may be possible over a network connection or between system processes where there is an opportunity deploy a tool that will intercept and change information.", "criticalassets": [ { "Description": "Legitimate subscribers can be denied access or existing subscriber sessions can be terminated or directed to malicious server.", "Name": "Subscriber network access" }, { "Description": "Whoever controls the DNS Servers controls how and what end users connect to over the network, making DNS Servers a type of critical infrastructure.", "Name": "DNS Servers" }, { "Description": "Any of the subscriber user plane data sourced or destined to the UE", "Name": "UE data" }, { "Description": "Any of the signaling traffic sourced or destined to the UE", "Name": "UE signaling" }, { "Description": "Any of the subscriber data sent by or towards the UE", "Name": "UE user plane data" }, { "Description": "Any of the signaling traffic sent by or towards the UE", "Name": "UE signaling" } ], "detections": [ { "detects": "Monitor if security configurations in O-RU and O-DU are downgraded to weak or no security levels.", "fgdsid": "FGDS5022", "name": "Monitor security configurations" }, { "detects": "Data transmitted across a network (ex: Web, DNS, Mail, File, etc.), that is either summarized (ex: Netflow) and/or captured as raw data in an analyzable format (ex: PCAP)", "fgdsid": "DS0029", "name": "Network Traffic" }, { "detects": "Inspect network traffic and watch for unauthorized changes as the packets move through the 
interfaces.", "fgdsid": "DS0029", "name": "Network Traffic" }, { "detects": "Legitimate UEs notify their service provider about DoS attack and abnormal session terminations.", "fgdsid": "FGDS5011", "name": "Subscriber notify provider" }, { "detects": "Radio traffic content can be examined to detect unauthorized modification. Inspect radio traffic and watch for unauthorized changes as the packets move through the interfaces.", "fgdsid": "DS0029", "name": "Network Traffic" } ], "external_id": "FGT1565.002", "kill_chain": [ "fight:Impact", "fight:Collection" ], "mitigations": [ { "fgmid": "FGM5024", "mitigates": "Ensure fronthaul user plane data is protected with integrity protection. This has performance impact on devices which implement integrity protection.", "name": "Integrity protection of data communication" }, { "fgmid": "FGM5024", "mitigates": "Use strong data integrity protection algorithms", "name": "Integrity protection of data communication" }, { "fgmid": "M1020", "mitigates": "Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity.", "name": "SSL/TLS Inspection" }, { "fgmid": "FGM5024", "mitigates": "Use integrity (IPSec) on all non-SBI interfaces, TLS 1.3 on all SBI interfaces including roaming interfaces (e.g. 
N32).", "name": "Integrity protection of data communication" }, { "fgmid": "FGM5024", "mitigates": "Use integrity on radio interface for both control plane and user plane", "name": "Integrity protection of data communication" } ], "object-type": "technique", "platforms": "RAN, 5G, 5G network, 5G radio", "postconditions": [ { "Description": "Legitimate subscribers are denied access or existing sessions can be terminated.", "Name": "DoS Attack" }, { "Description": "Subscriber sessions are redirected to a malicious server.", "Name": "Session redirection" }, { "Description": "Adversary has redirected the end user to their own DNS system and can now conduct adversary-in-the-middle attacks.", "Name": "DNS control" }, { "Description": "Both UE signaling and user plane data communication with network will be impacted. This can cause DoS attack for legitimate subscribers.", "Name": "UE data manipulation" }, { "Description": "Both UE registration and other data communication with network will be impacted.", "Name": "Both Control Plane (CP) and User Plane (UP) data are modified by AitM attack" } ], "preconditions": [ { "Description": "Adversary must have physical access to open fronthaul network to collect data and then manipulate and replay the data.", "Name": "Adversary has access to open fronthaul network." }, { "Description": "Adversary must have deployed a fake gNB and a fake UE which modify the payload and then replays the message towards the gNB.", "Name": "Adversary in the Middle" }, { "Description": "See technique Weaken Integrity: Network Interfaces.", "Name": "Weakened or disabled integrity protection" }, { "Description": "gNB is compromised or incorrectly configured to disable integrity protection on control and user plane interfaces.", "Name": "Malware or incorrect configuration in gNB." } ], "procedureexamples": [ { "Description": "Adversary launches AiTM attack on open fronthaul U plane data traffic by using a simple sniffer and replay device. 
The fronthaul U plane data usually does not have integrity protection due to stringent performance requirements. Hence a data manipulation attack is possible by a simple device. DoS attack can be done by manipulating RLC header with bogus data and those messages will get discarded by the recipient. Session redirection attack can be launched by changing the destination MAC address in the MAC header which will re-direct the packets to an adversary-controlled server.\n\nThis attack can only manipulate user plane data below PDCP layer. Any user plane data in PDCP and above layers are not compromised by this attack. See clause 5.4.1.2, T-UPLANE-01 of [1], clause 6.1 of [2] and clause 5.4 of [3].", "Name": "Manipulate U plane data on open fronthaul interface." }, { "Description": "In this active attack named aLTEr, adversary exploits the fact that LTE user data is encrypted in counter mode (AES-CTR) but not integrity protected, which allows an adversary to modify the message payload. This is applicable in 5G when the user data integrity algorithm is set to NULL.", "Name": "Adversary employs the aLTEr procedure" }, { "Description": "If gNB is compromised or misconfigured, CP and UP data can be manipulated by adversary on N2, N3, F1, E1 and Xn interfaces. Clause D.2.2 of [1], 5.3.3 of [2]\n\nIf AMF or SMF is compromised or misconfigured, CP data can be manipulated by adversary on N2 and N4 interfaces. Clauses 5.5.2 & 9.9 of [2]\n\nIf UPF is compromised or misconfigured, UP data can be manipulated by adversary on N3 interface. Clause D.2.2 of [1], 9.3 of [2]", "Name": "Data manipulation on the non-SBI" }, { "Description": "If NF is compromised or misconfigured, CP data can be manipulated on SBI interface. Clause 13.1 of [2] (DoS attack) \n\nIf SCP is compromised or misconfigured, CP data can be manipulated on SBI. Clause 5.9.2.4 of [2] (DoS attack)\n\nAn access token may be manipulated to gain unauthorized access to another NF. 
See technique Unauthorized access to Network Exposure Function (NEF) via token fraud. \n\nA rogue or misconfigured AMF can obtain the temporary UE ID (5G-GUTI or 5G-S-TMSI) during UE registration and service request and later use the ID to spoof signaling messages to retrieve sensitive subscriber information. Clauses 4.2.2.2.2 & 4.2.3.2 of [4]. (Unauthorized access)\n\nNote: This attack is possible in both non-roaming and roaming scenarios.", "Name": "Data manipulation on the SBI" }, { "Description": "If SEPP or IPX component is compromised or misconfigured, CP data can be manipulated by adversary on N32 interface. Clauses 9.9, 13.1, 13.2 of [2]\n\nIf UPF is compromised or misconfigured, UP data can be manipulated by adversary on N9 interface. Clause 9.9 of [2]\n\nIf AMF or MME is compromised or misconfigured, CP data can be manipulated by adversary on N26 interface. Clause K.2.1 of [1], 8.4 of [2]", "Name": "Data manipulation on roaming/interconnect" }, { "Description": "[3] describes an attack on 4G but applicable to 5G where radio interface integrity is not applied, whereby an adversary changes the DNS request sent by the victim UE over the radio interface so as to redirect to its own DNS server. See technique DNS Manipulation.", "Name": "Altering DNS requests not integrity protected over the radio interface." }, { "Description": "Adversary replays NAS messages to check whether a UE is in the area. See technique Locate UE: NAS exploit", "Name": "Replay NAS messages to get UE location" }, { "Description": "RRC messages can be manipulated by AiTM to cause authentication of legitimate subscribers to fail. Also, AiTM can manipulate RRC or UP messages of an existing data session which can cause disruption or termination of session.", "Name": "DoS attack by data manipulation" } ], "refs": [ "[1] 3GPP TR 33.926 “Security Assurance Specification (SCAS threats and critical assets in 3GPP network product classes”. 
- https://www.3gpp.org/DynaReport/33926.htm", "[1] 3GPP TR33.926 “Security Assurance Specification (SCAS threats and critical assets in 3GPP network product classes.” - https://www.3gpp.org/DynaReport/33926.htm", "[1] D. Rupprecht, K. Kohls, T. Holtz, and C. Popper, “Breaking LTE on Layer Two” https://alter-attack.net - https://www.gsma.com/security/wp-content/uploads/2023/10/0008-breaking_lte_on_layer_two.pdf", "[1] O-RAN Threat Model 6.00 version - https://orandownloadsweb.azurewebsites.net/specifications", "[2] 3GPP TS 33.501 “Security architecture and procedures for 5G System”. - https://www.3gpp.org/DynaReport/33501.htm", "[2] 3GPP TS33.501 “Security architecture and procedures for 5G System.” - https://www.3gpp.org/DynaReport/33501.htm", "[2] O-RAN WG4 Control, User, and Synchronization Plane Specification 12.00 version - https://orandownloadsweb.azurewebsites.net/specifications", "[3] 3GPP TS 23.501 “System architecture for the 5G System (5GS ” - https://www.3gpp.org/DynaReport/23501.htm", "[3] D. Rupprecht, K. Kohls, T. Holtz, and C. Popper, “Breaking LTE on Layer two”, in Proc. IEEE Symposium on Security and Privacy (SP , 2019, pp. 1-16. 
- https://alter-attack.net/media/breaking_lte_on_layer_two.pdf", "[3] O-RAN WG4 Management Plane Specification 12.00 version - https://orandownloadsweb.azurewebsites.net/specifications", "[4] 3GPP TS 23.502 “Procedures for the 5G System (5GS ” - https://www.3gpp.org/DynaReport/23502.htm", "https://attack.mitre.org/techniques/T1565/002", "https://fight.mitre.org/data%20sources/DS0029", "https://fight.mitre.org/data%20sources/FGDS5011", "https://fight.mitre.org/data%20sources/FGDS5022", "https://fight.mitre.org/mitigations/FGM5024", "https://fight.mitre.org/mitigations/M1020", "https://fight.mitre.org/techniques/FGT1565.002" ], "status": "This is an observed behavior in Enterprise networks, and is theoretical in context of 5G systems.", "subtechnique-of": "FGT1565", "typecode": "attack_subtechnique_addendum" }, "related": [ { "dest-uuid": "d0613359-5781-4fd2-b5be-c269270be1f6", "type": "related-to" }, { "dest-uuid": "cccb021c-dd96-5d72-904f-c55ad24598de", "type": "mitigated-by" }, { "dest-uuid": "cccb021c-dd96-5d72-904f-c55ad24598de", "type": "mitigated-by" }, { "dest-uuid": "31f00f97-157f-529c-96aa-e94a74f3a271", "type": "mitigated-by" }, { "dest-uuid": "cccb021c-dd96-5d72-904f-c55ad24598de", "type": "mitigated-by" }, { "dest-uuid": "cccb021c-dd96-5d72-904f-c55ad24598de", "type": "mitigated-by" }, { "dest-uuid": "10ca0edd-033d-5bb2-a4f7-27fc5f5ca2f8", "type": "detected-by" }, { "dest-uuid": "becdcf31-3d2a-53bb-8251-51e9da4a0df6", "type": "detected-by" }, { "dest-uuid": "becdcf31-3d2a-53bb-8251-51e9da4a0df6", "type": "detected-by" }, { "dest-uuid": "d753b96b-6097-546e-bfc0-e64c588eec13", "type": "detected-by" }, { "dest-uuid": "becdcf31-3d2a-53bb-8251-51e9da4a0df6", "type": "detected-by" }, { "dest-uuid": "0fb994bc-3a42-5ce9-8605-ce5d4454034e", "type": "subtechnique-of" } ], "uuid": "86a7c7b0-39ac-5e29-9fbd-063f70fcc7fc", "value": "Transmitted Data Manipulation" }, { "description": "An adversary may obtain the UE location using radio access or core 
network.\r\n\r\nAdversary may employ various means to obtain UE location (coarse, fine) using radio access or core network. The UE consists of Mobile Equipment (ME), that is, the device, and the Universal Subscriber Identity Module (USIM) card.", "meta": { "architecture-segment": "RAN, Control Plane", "bluf": "An adversary may obtain the UE location using radio access or core network ", "criticalassets": [ { "Description": "UE/User geographical location, coarse or fine-grained", "Name": "UE location" } ], "detections": [], "external_id": "FGT5012", "kill_chain": [ "fight:Discovery", "fight:Collection" ], "mitigations": [], "object-type": "technique", "platforms": "5G Network", "procedureexamples": [ { "Description": "Adversary may use the radio access network to determine that a particular UE is in the area, or where exactly the UE is located", "Name": "Use radio access to locate UE" }, { "Description": "Adversary may use the core network signaling to trigger the procedure of locating a particular UE via RAN", "Name": "Use core network signaling to locate UE" } ], "refs": [ "[1] European Union Agency for Cybersecurity (ENISA : “ENISA Threat Landscape for 5G Networks” Report, December 2020. - https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks", "[2] S.P. Rao, S. Holtmanns, T. Aura: “Threat modeling framework for mobile communication systems”, May 2020 - https://arxiv.org/abs/2005.05110v1", "[3] S. Tomasin, Stefano & Centenaro, Marco & Seco-Granados, Gonzalo & Roth, Stefan & Sezgin, Aydin. (2021 . Location-Privacy Leakage and Integrated Solutions for 5G Cellular Networks and Beyond. Sensors. 21. 5176. 10.3390/s21155176. 
- https://www.researchgate.net/publication/353641837_Location-Privacy_Leakage_and_Integrated_Solutions_for_5G_Cellular_Networks_and_Beyond", "https://fight.mitre.org/techniques/FGT5012" ], "status": "Observed in earlier 3GPP generations and expected in 5G.", "typecode": "fight_technique" }, "uuid": "f940f548-256a-5559-83bc-7fea99d051bf", "value": "Locate UE" }, { "description": "An adversary may use a legitimate access token for a shared Network Function (NF) to get location info of a user of a different slice.\r\n\r\nAn adversary controlling a slice or a NF in a slice obtains an access token for a shared 5G core NF (e.g., AMF) and uses it to get location info for an SUPI of a user belonging to a different slice but still served by same NF.", "meta": { "access-required": "User/Admin of slice", "architecture-segment": "Network Slice, Control Plane", "bluf": "An adversary uses a legitimate access token for a shared Network Function (NF) to get location info of a user of a different slice. ", "criticalassets": [ { "Description": "UE/Subscriber geographical location, coarse or fine-grained", "Name": "UE location" } ], "detections": [ { "detects": "Regularly audit applications and interface messaging logs. Check logs of requests/responses at the shared NF. E.g., each entry should contain SUPI, NF consumer that requested it, slice IDs of both.", "fgdsid": "DS0015", "name": "Application Log" } ], "external_id": "FGT5012.005", "kill_chain": [ "fight:Discovery", "fight:Collection" ], "mitigations": [ { "fgmid": "FGM5012", "mitigates": "Cross check requested SUPI is served by (belongs to) the slice ID (NSSAI) of the consumer NF (and presented in the authorization Token). That is, this attack could be mitigated if the shared network function (NF service producer) checks the SUPI in a service request and the requesting NF service consumer are being served by the same slice. 
(3GPP SA3 is investigating if 3GPP specifications allow for such check)", "name": "Slice ID check" } ], "object-type": "technique", "platforms": "5G core", "postconditions": [ { "Description": "Target slice information is leaked, slice confidentiality is breached due to sharing the NF between slices.", "Name": "UE’s location is tracked by rogue NF" } ], "preconditions": [ { "Description": "Two slices share one common NF that is able to get UE location info. Adversary has control of one slice or at least a NF in that slice -- where said NF is allowed to talk to the AMF.\n\nThe following core NFs can legitimately ask for or obtain directly the location of a UE (some granularity): AMF, UDM, NEF, NWDAF, GMLC, LMF. The following core NFs can only get limited/coarse location: SMF, UPF, PCF.", "Name": "Access shared NF in a different slice" } ], "procedureexamples": [ { "Description": "Malicious NF of a compromised slice gets access token for a shared AMF, but then asks AMF for the location of a UE in the target slice. The AMF checks that the authorization (OAuth) token is ok, which it is, but does not check that the UE ID is served by target slice, while the requester NF is from compromised slice. Section 3.1.5 of [1].", "Name": "Malicious NF belonging to compromised Network Slice gets an access token for the target AMF, which serves both target slice and compromised slice." } ], "refs": [ "[1] AdaptiveMobile Security, \"A Slice in Time: Slicing Security in 5G Core Networks\", 17032021-v1.00, March 2021. 
- https://info.adaptivemobile.com/network-slicing-security", "https://fight.mitre.org/data%20sources/DS0015", "https://fight.mitre.org/mitigations/FGM5012", "https://fight.mitre.org/techniques/FGT5012.005" ], "status": "This is a theoretical behavior in context of 5G systems.", "subtechnique-of": "FGT5012", "typecode": "fight_subtechnique" }, "related": [ { "dest-uuid": "464d43cf-45ad-5f06-9619-b6648a37d239", "type": "mitigated-by" }, { "dest-uuid": "3c23d0f7-d55c-5891-90b9-c744e976f0ef", "type": "detected-by" }, { "dest-uuid": "f940f548-256a-5559-83bc-7fea99d051bf", "type": "subtechnique-of" } ], "uuid": "05e1f2ce-b171-541f-9dea-0356fa9eeb3b", "value": "Shared Network Function in slice" }, { "description": "An adversary in the 5G core who compromised a proxy or middlebox may position themselves between Network Functions (NFs) that are communicating via the Service Based Interfaces (SBI), in order to support follow-on behaviors such as [Network Sniffing](/techniques/FGT1040) or [Transmitted Data Manipulation](/techniques/FGT1565.002).\r\n\r\nSBI network interfaces are between core NFs within an operator network. An adversary may compromise a proxy on the SBI, such as the Service Communication Proxy (SCP), API proxy, or a load-balancer. 
Then an adversary may also exploit improper TLS configuration (including weaker cipher, profile) of the SBI connections, which may arise for example due to the use of TLS profiles forbidden in 3GPP TS 33.310 for NF mutual authentication and NF transport layer protection.", "meta": { "architecture-segment": "Control Plane", "bluf": "An adversary in the 5G core who has compromised a proxy or middlebox may position themselves between Network Functions (NFs) that are communicating via the Service Based Interfaces (SBI), in order to support follow-on behaviors such as [Network Sniffing](/techniques/FGT1040) or [Transmitted Data Manipulation](/techniques/FGT1565.002).", "criticalassets": [ { "Description": "There are many procedures that can be impacted if an adversary gets in the middle of a TLS connection between two network functions on the SBI.", "Name": "5G Core network services, including service discovery" }, { "Description": "Core functions handle UE signaling for the provisioning and configuration of services.", "Name": "Control plane (provisioning and configuration) data for UEs" } ], "detections": [], "external_id": "FGT1557.504", "kill_chain": [ "fight:Collection", "fight:Credential-Access" ], "mitigations": [ { "fgmid": "FGM5024", "mitigates": "Use TLS 1.3 or TLS 1.2 integrity protection with only strong cipher suites.", "name": "Integrity protection of data communication" }, { "fgmid": "FGM5095", "mitigates": "TLS certificate thorough checking. Ensure that all certificates received over a connection are valid for the current server endpoint, and abort the handshake if they are not. In some usages, it may be simplest to refuse any change of certificates during renegotiation.", "name": "TLS certificate check" }, { "fgmid": "M1041", "mitigates": "Use TLS 1.3 or TLS 1.2 encryption with only strong cipher suites.", "name": "Encrypt Sensitive Information" }, { "fgmid": "M1047", "mitigates": "Audit NF configuration for interfaces, e.g. 
if TLS is disabled or what version of TLS is being used.", "name": "Audit" } ], "object-type": "technique", "platforms": "5G Network", "procedureexamples": [ { "Description": "If a TLS client connects to a malicious server and presents a client credential, the server can then impersonate the client at any other server that accepts the same credential. Concretely, the malicious server performs an adversary-in-the-middle attack on three successive handshakes between the honest client and server, and succeeds in impersonating the client on the third handshake. See [5], clause 4.2.2.2 of [2].", "Name": "Triple Handshake" }, { "Description": "An adversary in control of SCP can eavesdrop or alter signaling data between any two core NFs.", "Name": "SCP as AITM" } ], "refs": [ "[1] European Union Agency for Cybersecurity (ENISA : “ENISA Threat Landscape for 5G Networks” Report, December 2020. - https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks", "[2] 3rd Generation Partnership Project (3GPP TS 33.117, “Catalogue of general security assurance requirements (Release 17 ”, v17.0.0, June 2021. - https://www.3gpp.org/DynaReport/33117.htm", "[3] 3GPP TS 33.310 “Network Domain Security (NDS ; Authentication Framework (AF ” - https://www.3gpp.org/DynaReport/33310.htm", "[4] G. Koien, \"On Threats to the 5G Service Based Architecture\", 2021. 
- https://www.researchgate.net/journal/Wireless-Personal-Communications-1572-834X/publication/349455036_On_Threats_to_the_5G_Service_Based_Architecture/links/6030a03a4585158939b7bcae/On-Threats-to-the-5G-Service-Based-Architecture.pdf", "[5] 3SHAKE: “Triple Handshakes Considered Harmful: Breaking and Fixing Authentication over TLS” - https://mitls.org/pages/attacks/3SHAKE", "https://fight.mitre.org/mitigations/FGM5024", "https://fight.mitre.org/mitigations/FGM5095", "https://fight.mitre.org/mitigations/M1041", "https://fight.mitre.org/mitigations/M1047", "https://fight.mitre.org/techniques/FGT1557.504" ], "status": "This is a theoretical behavior", "subtechnique-of": "FGT1557", "typecode": "fight_subtechnique_to_attack_technique" }, "related": [ { "dest-uuid": "cccb021c-dd96-5d72-904f-c55ad24598de", "type": "mitigated-by" }, { "dest-uuid": "a0a6a559-19a1-55fc-8718-a15728e46c34", "type": "mitigated-by" }, { "dest-uuid": "71801a06-41bd-5336-a539-e8bea9d647f7", "type": "mitigated-by" }, { "dest-uuid": "a30b7d01-b740-5538-b28d-d87befd5fd29", "type": "mitigated-by" }, { "dest-uuid": "5ecccab0-9d6d-504c-92c4-408091a3c114", "type": "subtechnique-of" } ], "uuid": "694a6379-8c2a-5a60-8239-4004509d2069", "value": "Service Based Interface" }, { "description": "An adversary controlling a gNB or control plane or user plane Network Function (NF) may manipulate signaling to result in DOS for one or more UEs. \r\n\r\nAdversary may use a false base station to deny service to a User Equipment (UE) by issuing registration reject messages or other such messages to deny radio access, or posing as a legitimate base station, but not relaying traffic to or from the intended recipient. 
Adversary may compromise a core NF and thus manipulate signaling for the UE registration or session management procedures, in order to deny service to that UE.", "meta": { "architecture-segment": "Control Plane, User Plane, RAN", "bluf": "An adversary controlling a gNB or control plane or user plane Network Function (NF) may manipulate signaling to result in DOS on one or more UEs", "criticalassets": [ { "Description": "Communications is denied to legitimate UEs", "Name": "Network services" } ], "detections": [ { "detects": "Subscriber notifies provider of no or degraded service", "fgdsid": "FGDS5011", "name": "Subscriber notify provider" } ], "external_id": "FGT1499.503", "kill_chain": [ "fight:Impact" ], "mitigations": [ { "fgmid": "FGM5023", "mitigates": "Periodically re-authenticate NFs in the network to assess whether they have been compromised. Remote attestation may also be employed", "name": "Periodic Authentication & Authorization of NFs" }, { "fgmid": "M1030", "mitigates": "Implement industry standard core and edge network function security protection", "name": "Network Segmentation" } ], "object-type": "technique", "platforms": "5G", "preconditions": [ { "Description": "Adversary needs access to a fake or compromised gNB or a compromised NF.", "Name": "Compromise gNB or NF" } ], "procedureexamples": [ { "Description": "Adversary with a fake UE can send a De-registration request to the victim UE's gNB with the victim’s 5G-GUTI. Or, adversary with a fake gNB can send Deregistration request to the victim UE.", "Name": "DOS via gNB control" }, { "Description": "Adversary with fake UE can try to register as the victim UE, and when the victim UE tries to RRC connect again, it will be rejected. See [2]", "Name": "DOS via impersonating UE" }, { "Description": "Adversary controlling Access and Mobility Management Function (AMF) can cause authentication to fail or deny SMS service by deactivating SMS for a given SUPI [1]. 
Control of AMF (with or without its Security Anchor Function (SEAF) functionality) can give an adversary the ability to manipulate the AKA procedure (e.g. change parameters exchanged) between the AMF and any other UE, so that (at the simplest) the UE fails authentication and cannot get services. \nAlternatively, rogue or misconfigured AMF modifies the registration accept message for legitimate subscribers to deny access to some or all services that are configured in their profile.", "Name": "DOS via AMF control" }, { "Description": "Adversary controlling Session Management Function (SMF) can release an existing PDU session or not create a new one; or send a N4 Session Release request to User Plane Function (UPF) currently serving the UE.", "Name": "DOS via SMF control" }, { "Description": "Adversary controlling UPF can send a report of PDU session inactivity, which results in de-activating the UE session. Or alter secondary authentication between DN AAA and SMF so it fails", "Name": "DOS via UPF control" }, { "Description": "Adversary controlling Authentication Server Function (AUSF) can produce incorrect AKA parameters or change data out of UDM.", "Name": "DOS via AUSF control" }, { "Description": "Adversary controlling Unified Data Management (UDM) can fail the SUPI de-concealing operation, so that the UE key will be different and Non-Access Stratum (NAS) Security Mode Command (SMC) will fail (e.g., responding to SUCI de-concealment with an incorrect SUPI). See clause E.2.2.1 of [3].", "Name": "DOS via UDM control" }, { "Description": "Adversary controlling Authentication Credential Repository and Processing Function (ARPF) can either (a) Alter the root key (K) or provide wrong root key for the UE; or (b) Generate wrong authentication vector (AV) during UE authentication procedure using EAP-AKA’ or 5G AKA.\nBoth will result in authentication failure for the UE. 
Section 6.1.3 of [4]", "Name": "DOS via ARPF control" }, { "Description": "Adversary controlling the Unified Data Repository (UDR) may give UDM incorrect security parameters, or remove UE authentication status.", "Name": "DOS via UDR control" }, { "Description": "Adversary controlling Policy and Charging Function (PCF) may return a very restrictive policy for that UE.", "Name": "DOS via PCF control" }, { "Description": "Adversary controlling the Network Slicing Selection Function (NSSF) and/or the Network Slicing Selection Authentication and Authorization Function (NSSAAF) may deny UE access to a slice by mishandling NSSAI (saying it's unavailable) or altering authentication params so that authentication procedure fails.", "Name": "DOS via NSSF and NSSAAF control" }, { "Description": "Adversary controlling Charging Function (CHF) may send a message to SMF to start PDU session release.", "Name": "DOS via CHF control" }, { "Description": "Adversary controlling SMS Function (SMSF) may achieve DOS only for SMS for a given UE; i.e. the device does not receive or send text messages.", "Name": "DOS via SMSF control" }, { "Description": "Adversary controlling 5G-Equipment Identity Register (5G EIR) can mark UE as stolen.", "Name": "DOS via 5G EIR control" }, { "Description": "Adversary controlling home network Security Edge Protection Proxy (SEPP) or visited SEPP can alter or discard registration request/response message and/or other signaling messages to deny access for a UE.", "Name": "DOS via Home or visited network SEPP" } ], "refs": [ "[1] European Union Agency for Cybersecurity (ENISA : “ENISA Threat Landscape for 5G Networks” Report, December 2020. - https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks", "[2] Hu, X. 
et al: “A Systematic Analysis Method for 5G Non-Access Stratum Signalling Security”, August 2019 - https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=8817957", "[3] 3rd Generation Partnership Project (3GPP) TR 33.926: “Security Assurance Specification (SCAS) threats and critical assets in 3GPP network product classes”, Technical Report, v17.3.0, December 2021. - https://www.3gpp.org/DynaReport/33926.htm", "[4] 3rd Generation Partnership Project (3GPP) TS 33.501: “Security architecture and procedures for 5G System”, Technical Specification, v17.6.0, June 2022 - https://www.3gpp.org/DynaReport/33501.htm", "https://fight.mitre.org/data%20sources/FGDS5011", "https://fight.mitre.org/mitigations/FGM5023", "https://fight.mitre.org/mitigations/M1030", "https://fight.mitre.org/techniques/FGT1499.503" ], "status": "This is a theoretical behavior", "subtechnique-of": "FGT1499", "typecode": "fight_subtechnique_to_attack_technique" }, "related": [ { "dest-uuid": "315f5d98-1aa8-5d25-9d57-4b6a0ea9958a", "type": "mitigated-by" }, { "dest-uuid": "9c376223-8d89-5179-8a56-51de20697bd2", "type": "mitigated-by" }, { "dest-uuid": "d753b96b-6097-546e-bfc0-e64c588eec13", "type": "detected-by" }, { "dest-uuid": "73d8dd2f-14f5-5774-8b7a-ca9712f63b91", "type": "subtechnique-of" } ], "uuid": "b7d97abb-011a-5c34-b1e6-fb52dad3c728", "value": "DOS a UE via gNB or NF signaling" }, { "description": "Adversary controlling a control plane network function (NF) may manipulate signaling to retrieve UE subscription information.\r\n\r\nThe AMF, SMF, NEF, SMSF and the UDM itself can use legitimate signaling to retrieve the subscription data of a given UE, assuming its SUPI is known. The subscription data is stored in the UDM or UDR. \r\n\r\nThe UE data in the UDM is referred to as the “Session Data Management Subscription data”, and it includes access and mobility subscription data, SMS subscription data, slice information (the UE’s NSSAIs), \"supported features\", serving PLMN ID. 
This threat consists of a compromised NF asking the UDM for the data for a given SUPI or GPSI.", "meta": { "access-required": "admin", "architecture-segment": "Control Plane", "bluf": "An adversary controlling a control plane network function may manipulate signaling to retrieve UE subscription information", "criticalassets": [ { "Description": "Subscriber data can be permanent (not updateable) or updateable (like the current serving PLMN, AMF etc)", "Name": "UDM and subscriber/UE data" } ], "detections": [ { "detects": "Monitor logs", "fgdsid": "DS0015", "name": "Application Log" } ], "external_id": "FGT5020", "kill_chain": [ "fight:Collection" ], "mitigations": [ { "fgmid": "FGM5033", "mitigates": "Standard 5G enterprise/core network security functionality\nE.g. Zero trust principles for OA&M.", "name": "Zero Trust" } ], "object-type": "technique", "platforms": "5G Core Network", "preconditions": [ { "Description": "Adversary must know the SUPI or GPSI of victim UE", "Name": "SUPI or GPSI" } ], "procedureexamples": [ { "Description": "An AMF can extract subscription data (including NSSAIs) for any given UE SUPI by asking the UDM (uses Nudm_SDM_Get service (SDM=SubscriberDataManagement)). The UDM does not check that the AMF is the one serving the UE, i.e. the AMF does not need to register itself first as serving the UE, via the Nudm_UECM_Registration Request. Table 5.2.3.1-1 of [1]", "Name": "AMF retrieves subscription data from UDM." }, { "Description": "A rogue AMF in visited PLMN can retrieve the UE’s sensitive information during 5GS to EPC roaming. AMF calls Nsmf_PDUSession_ContextRequest API to v/hSMF. SMF sends the UE SM context in response which can reveal the following UE information: SUPI, S-NSSAI, DNN, UE IP address etc. Clause 4.11.1.2.1 & Table 5.2.8.2.10-1 of [1]", "Name": "AMF in visited PLMN retrieves UE information during 5GS to EPC roaming." 
}, { "Description": "The SMF can send to UDM a Nudm-sdm message and retrieve “Session mgmt subscription data”, i.e. DNN configuration for all network slices.", "Name": "SMF retrieves subscription data from UDM" }, { "Description": "The UDM can legitimately get UE subscription data from UDR.", "Name": "UDM can look up any UE (in UDR if one is employed)." }, { "Description": "The SMSF can get the UE subscription data via Nudm_sdm API.", "Name": "SMSF retrieves UE subscription data from UDM" }, { "Description": "The NEF can get the UE subscription data via Nudm_sdm API.", "Name": "NEF retrieves some of the UE subscription data from UDM." } ], "refs": [ "[1] 3rd Generation Partnership Project (3GPP) 23.502 “Procedures for the 5G System (5GS)”, March 2022. - https://www.3gpp.org/DynaReport/23502.htm", "https://fight.mitre.org/data%20sources/DS0015", "https://fight.mitre.org/mitigations/FGM5033", "https://fight.mitre.org/techniques/FGT5020" ], "status": "This is a theoretical behavior in context of 5G systems.", "typecode": "fight_technique" }, "related": [ { "dest-uuid": "7d0e6026-b9d9-5aa3-84d5-b6e689615605", "type": "mitigated-by" }, { "dest-uuid": "3c23d0f7-d55c-5891-90b9-c744e976f0ef", "type": "detected-by" } ], "uuid": "27021503-2167-5be1-bb17-1c83a0f4dcc6", "value": "Retrieve UE subscription data" }, { "description": "An adversary controlling a control plane network function (NF) may manipulate signaling or parameters to achieve charging/billing fraud where the victim is the UE or the operator itself. 
\r\n\r\nThere are multiple procedures to support this adversarial behavior, and they depend on the NF that is compromised.", "meta": { "architecture-segment": "Control Plane", "bluf": "An adversary controlling a control plane network function may manipulate signaling or parameters to achieve charging/billing fraud where victim is UE or operator itself", "criticalassets": [ { "Description": "Communications is denied", "Name": "UE call/data records accuracy" } ], "detections": [ { "detects": "Management system (OSS/BSS) checks uniqueness of charging ID for all new PDU sessions in non-roaming scenario and existing PDU sessions in handover and roaming scenario", "fgdsid": "FGDS5003", "name": "Charging anomaly" } ], "external_id": "FGT5023", "kill_chain": [ "fight:Fraud" ], "mitigations": [ { "fgmid": "FGM5023", "mitigates": "Periodic authentication / authorization of NF consumer e.g. SMF/PCF/CHF/NEF/AF by NRF will help detect rogue NFs.", "name": "Periodic Authentication & Authorization of NFs" }, { "fgmid": "FGM5094", "mitigates": "Rigorous checks of unique mapping of charging ID to PDU session (applicable to the SMF case). Management system (OSS/BSS) can generate alert for possible intervention.", "name": "Allocate new 5G identifiers judiciously" } ], "object-type": "technique", "platforms": "5G", "procedureexamples": [ { "Description": "An adversary may control the SMF and assign the same SMF Charging Identifier to a device data flow as that of an existing victim device, to cause charging errors. Clause 5.1.4 & annex A.1 of [3].\n\nThe SMF can also pause charging for a given UE (even though not warranted), clause 4.4.4 of [4].\nThe SMF can also misreport 5G data used by a given UE.", "Name": "SMF control" }, { "Description": "An adversary with control over the PCF can change policy so that UE is allowed to consume a service it was not subscribed to - but it will still be traceable to that UE. 
Clause 4.3.2 of [5].", "Name": "PCF control" }, { "Description": "An adversary with control over the CHF can ignore when PCF tells it that the spending limit for this subscriber has been reached or can ignore the SMS records from the SMSF (SMSF uses POST to put in data), or can ignore the 5G data the SMF reports ([3])", "Name": "CHF control" }, { "Description": "Adversary on AF can attack a weak NEF. Or, the NEF can be compromised and conduct this attack without even an AF. \nAn AF can ask the NEF to change the “chargeable party” Clause 4.4.8 of [6], clause 4.4.4 of [7].\n\nThis is meant to support the AF being the chargeable party, but it’s imaginable how the AF can put a different AF as chargeable: it has to send the AF identifier, UE IP address, Sponsor ID, ASP ID, etc. even AppID.", "Name": "NEF control or Application Function (AF) control exploiting weak NEF" } ], "refs": [ "[1] 3rd Generation Partnership Project (3GPP) TR 33.926: “Security Assurance Specification (SCAS) threats and critical assets in 3GPP network product classes”, Technical Report, v17.3.0, December 2021 - https://www.3gpp.org/DynaReport/33926.htm", "[2] European Union Agency for Cybersecurity (ENISA): “ENISA Threat Landscape for 5G Networks” Report, December 2020. 
- https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks", "[3] 3GPP TS 32.255 “Telecommunication management; Charging management; 5G data connectivity domain charging; Stage 2” - https://www.3gpp.org/DynaReport/32255.htm", "[4] 3GPP TS 23.502 “Procedures for the 5G System (5GS)” - https://www.3gpp.org/DynaReport/23502.htm", "[5] 3GPP TS 23.503 “Policy and charging control framework for the 5G System (5GS); Stage 2” - https://www.3gpp.org/DynaReport/23503.htm", "[6] 3GPP TS 29.522 “5G System; Network Exposure Function Northbound APIs; Stage 3” - https://www.3gpp.org/DynaReport/29522.htm", "[7] 3GPP TS 29.122 “T8 reference point for Northbound APIs” - https://www.3gpp.org/DynaReport/29122.htm", "https://fight.mitre.org/data%20sources/FGDS5003", "https://fight.mitre.org/mitigations/FGM5023", "https://fight.mitre.org/mitigations/FGM5094", "https://fight.mitre.org/techniques/FGT5023" ], "status": "This is a theoretical behavior", "typecode": "fight_technique" }, "related": [ { "dest-uuid": "315f5d98-1aa8-5d25-9d57-4b6a0ea9958a", "type": "mitigated-by" }, { "dest-uuid": "ea7e5e52-dd1d-5756-8311-fe6705bdb083", "type": "mitigated-by" }, { "dest-uuid": "1725d4c2-fee4-55e5-a49b-12fce10c0a1c", "type": "detected-by" } ], "uuid": "afb4b3e2-3b27-558f-8b93-cc7d52847880", "value": "Charging fraud via NF control" }, { "description": "An adversary may get access to several SIM credentials either by physical access to SIM card inventory or by injecting malware on SIM vendor server. 
\r\n\r\nUnauthorized actors use various means to intercept/steal SIM data in transit from SIM card vendors towards the HSS or the UDR/UDM in the operator's network and by gaining physical access to the SIM card inventory in order to obtain customer credentials.", "meta": { "access-required": "physical or malware insertion", "architecture-segment": "UE", "bluf": "An adversary may get access to several SIM credentials either by physical access to SIM card inventory or by injecting malware on SIM vendor server. ", "criticalassets": [ { "Description": "Adversary is after getting the keys to decrypt cellular communications for those sets of SIMs whose credentials it captured.", "Name": "Privacy of subscriber data" } ], "detections": [], "external_id": "FGT1195.501", "kill_chain": [ "fight:Credential-Access", "fight:Initial-Access" ], "mitigations": [ { "fgmid": "FGM5024", "mitigates": "Protect the files where SIM data is stored by integrity protection.", "name": "Integrity protection of data communication" }, { "fgmid": "M1017", "mitigates": "Personnel security: Train personnel in SIM card OEMs to be wary of social engineering and other attempts of unauthorized parties to gain access to any relevant resource, and to report suspicious activities.", "name": "User Training" }, { "fgmid": "M1022", "mitigates": "Restrict access to files exchanged between SIM vendor and MNO.", "name": "Restrict File and Directory Permissions" }, { "fgmid": "M1030", "mitigates": "Physical and cyber security of IT systems, servers.", "name": "Network Segmentation" }, { "fgmid": "M1041", "mitigates": "Protect the files where SIM data is stored by encryption.", "name": "Encrypt Sensitive Information" } ], "object-type": "technique", "platforms": "5G", "postconditions": [ { "Description": "Subscriber’s sensitive signaling and user plane data are exposed to the adversary.", "Name": "Subscriber data leak" } ], "preconditions": [ { "Description": "Adversary needs to either implant malware in SIM 
vendor’s server or have physical access to the SIM card inventory.", "Name": "Implant malware or physical access" } ], "procedureexamples": [ { "Description": "An adversary may implant malware on a SIM vendor server or gain physical access to their SIM cards and thus obtain SIM credentials.", "Name": "Infiltrate SIM vendor’s network." } ], "refs": [ "[1] GSMA FS.28 “Security Guidelines for Exchange of UICC Credentials”, Version 1.0, November 2020. - https://www.gsma.com/security/resources/fs-28-security-guidelines-for-exchange-of-uicc-credentials/", "[2] Gemalto article on SIM credential threat: “GEMALTO PRESENTS THE FINDINGS OF ITS INVESTIGATIONS INTO THE ALLEGED HACKING OF SIM CARD ENCRYPTION KEYS BY BRITAIN'S GOVERNMENT COMMUNICATIONS HEADQUARTERS (GCHQ) AND THE U.S. NATIONAL SECURITY AGENCY (NSA)”. - https://www.thalesgroup.com/en/markets/digital-identity-and-security/press-release/gemalto-presents-the-findings-of-its-investigations-into-the-alleged-hacking-of-sim-card-encryption-keys", "[3] BBC article: “US and UK accused of hacking Sim card firm to steal codes”. - https://www.bbc.com/news/technology-31545050", "[4] Securitytoday.com article: “U.S. and Britain Work Together to Pull off SIM Card Heist”. 
- https://securitytoday.com/articles/2015/02/20/us-and-britain-work-together-to-pull-off-sim-card-heist.aspx?admgarea=ht.government", "https://fight.mitre.org/mitigations/FGM5024", "https://fight.mitre.org/mitigations/M1017", "https://fight.mitre.org/mitigations/M1022", "https://fight.mitre.org/mitigations/M1030", "https://fight.mitre.org/mitigations/M1041", "https://fight.mitre.org/techniques/FGT1195.501" ], "status": "Observed in earlier 3GPP generations and expected in 5G.", "subtechnique-of": "FGT1195", "typecode": "fight_subtechnique_to_attack_technique" }, "related": [ { "dest-uuid": "cccb021c-dd96-5d72-904f-c55ad24598de", "type": "mitigated-by" }, { "dest-uuid": "aa26e841-b71e-59d1-840b-15d8fec5e032", "type": "mitigated-by" }, { "dest-uuid": "98e2c930-af98-58ec-9c07-acea1cf2b6a2", "type": "mitigated-by" }, { "dest-uuid": "9c376223-8d89-5179-8a56-51de20697bd2", "type": "mitigated-by" }, { "dest-uuid": "71801a06-41bd-5336-a539-e8bea9d647f7", "type": "mitigated-by" }, { "dest-uuid": "6d098b34-48eb-5f31-88ac-0a1f8028541c", "type": "subtechnique-of" } ], "uuid": "c2153691-d8a1-5d60-a5dd-456337ca872a", "value": "SIM Credential Theft" }, { "description": "An adversary may compromise the operator's SMS Center (SMSC) to collect SMS messages to/from the UEs. \r\n\r\nThe SMSC is a server in 3G, 4G, and 5G networks, and it communicates in 5G with the SMS Function (SMSF) and IMS function IP-SM-GW, using MAP protocol.\r\n\r\nAn adversary can eavesdrop the SMS data to/from certain subscribers (identified by IMSI or MSISDN), by compromising the operator’s SMSC. 
Similar techniques can be applied to other operator functions such as IP-SM-GW or STF, SMSF, towards the same goal.", "meta": { "architecture-segment": "User Plane", "bluf": "An adversary may compromise the operator's SMS Center (SMSC) to collect SMS messages to/from the UEs.", "criticalassets": [ { "Description": "User data from SMS", "Name": "User data" } ], "detections": [], "external_id": "FGT5001", "kill_chain": [ "fight:Collection" ], "mitigations": [ { "fgmid": "M1049", "mitigates": "Check telecom servers for malware or use endpoint security solution. Implement the latest patches in Linux systems and use strong anti-virus software to detect malware.", "name": "Anti-virus & Anti-malware" } ], "object-type": "technique", "platforms": "5G Network", "preconditions": [ { "Description": "Adversary must first develop the malware to achieve the procedures herein.", "Name": "Malware developed" } ], "procedureexamples": [ { "Description": "A data miner program may be loaded by an installation script. The script targets and saves SMS messages (the contents, the IMSI and the source and destination phone number). This is highly targeted to given IMSI numbers (e.g., proponents of movements against the Chinese gov’t). (note: Call Data Records (CDRs) were also targeted for certain IMSIs, the info therein is called metadata, i.e. time, duration, phone numbers). [1], [2].", "Name": "Malware loaded into a Linux running SMSC server" } ], "refs": [ "[1] Dynamic Ciso.com “New Malware Discovered by FireEye APT41, Infects SMS Servers Within Telecoms”, Nov 1, 2019, retrieved March 4, 2022. - https://dynamicciso.com/new-malware-discovered-by-fireeye-apt41infects-sms-servers-within-telecoms", "[2] Leong, Raymond, Perez, Dan & Dean, Tyler, “MESSAGETAP: Who’s Reading Your Text Messages” FireEye. 31 Oct 2019. 
- https://www.mandiant.com/resources/messagetap-who-is-reading-your-text-messages", "https://fight.mitre.org/mitigations/M1049", "https://fight.mitre.org/techniques/FGT5001" ], "status": "Observed in earlier 3GPP generations and expected in 5G.", "typecode": "fight_technique" }, "related": [ { "dest-uuid": "b30b0bba-d220-5835-9ab8-5e0308f55979", "type": "mitigated-by" } ], "uuid": "13af63d4-19a4-5b48-939e-a65054abb690", "value": "Network-side SMS collection" }, { "description": "Adversary may compromise the 5G Charging Function (CHF) in order to steal sensitive subscriber call related data/CDRs.\r\n\r\nAdversary may compromise 5G CHF by either cloning a legitimate CHF or by implanting malware inside a legitimate 5G CHF in order to steal subscriber’s call and SMS related metadata. The information may be used to enable follow-on privacy attacks such as tracking internet usage and call/SMS activities of certain subscribers.\r\n\r\nIn earlier generations of 3GPP networks, CDRs are generated on switches, and then moved to billing servers. In 5G, Converged Charging System (CCS) is responsible for generating CDRs for subscribers based on their data usage. CHF is part of the CCS. CHF communicates to other core NFs via Service Based Interface (SBI). It receives data usage information from core NFs such as SMF. 
The CDRs are processed by charging data processing functions external to the 5G network – that is, by the Offline Charging System (OFCS) for postpaid customers and by the Online Charging System (OCS) for prepaid customers.", "meta": { "architecture-segment": "Control Plane", "bluf": "Adversary may compromise the 5G Charging Function (CHF) in order to steal sensitive subscriber call related data/CDRs.", "criticalassets": [ { "Description": "Confidentiality of sensitive subscriber data in the form of (calls/data/SMS).", "Name": "Subscriber data" } ], "detections": [ { "detects": "Log and raise alarms for any suspicious deployment activities in core: Update image, cloning an existing NF etc.", "fgdsid": "FGDS5012", "name": "SIEM" } ], "external_id": "FGT5017", "kill_chain": [ "fight:Collection", "fight:Discovery" ], "mitigations": [ { "fgmid": "FGM5089", "mitigates": "Verify image hash of every core NF by periodic checks", "name": "Verify image in deployment" } ], "object-type": "technique", "platforms": "5G", "postconditions": [ { "Description": "Exposure of subscriber sensitive information such as call/data/text metadata.", "Name": "Leakage of subscriber data" } ], "preconditions": [ { "Description": "Adversary either clones a legitimate CHF or implants malware in a legitimate CHF.", "Name": "Adversary compromises a legitimate CHF" } ], "procedureexamples": [ { "Description": "Adversary may use a compromised CHF to collect CDR’s belonging to a target subscriber, or a group of subscribers based on their SUPI or GPSI (phone number). The collected CDRs may be used to track internet usage and call/SMS activities of target subscriber(s). 
[3]", "Name": "Compromised CHF steals CDRs" } ], "refs": [ "[1] 3GPP TS 32.291 “Charging management; 5G system, charging service; Stage 3” - https://www.3gpp.org/DynaReport/32291.htm", "https://fight.mitre.org/data%20sources/FGDS5012", "https://fight.mitre.org/mitigations/FGM5089", "https://fight.mitre.org/techniques/FGT5017" ], "status": "This is a theoretical behavior in context of 5G systems.", "typecode": "fight_technique" }, "related": [ { "dest-uuid": "f5161722-ba76-5111-b4e1-5be22d958b75", "type": "mitigated-by" }, { "dest-uuid": "7a823dc9-a6c0-5d4f-95ca-b13ba57696df", "type": "detected-by" } ], "uuid": "51c9dce1-3901-5469-8840-ea8bc24e1703", "value": "Charging Data Record (CDR) collection" }, { "description": "An adversary may geolocate a UE using modified Non-Access Stratum (NAS) signaling. \r\n\r\nNAS is signaling that is exchanged for registration and authentication between the UE and the Access and Mobility Function (AMF), via the gNB as a pass-through. Adversary uses a fake gNB to intercept, modify and/or replay NAS messages to probe for UE presence in that cell, which leads to coarse location. The victim UE tries to connect to a nearby gNB, and the adversary lures UEs to connect to the fake gNB instead (e.g., by increasing the transmit power of the fake gNB).", "meta": { "access-required": "physical/gNB", "architecture-segment": "RAN, Control Plane", "bluf": "An adversary may geolocate a UE by modifying Non-Access Stratum (NAS) signaling.", "criticalassets": [ { "Description": "UE/Subscriber geographical location, coarse or fine-grained.", "Name": "UE location" } ], "detections": [ { "detects": "Operator standard means to detect presence of fake gNBs. gNB radio signals (sent to all UEs to enable them to select gNB and connect) are received and reported by UEs to the operator, who can then run cross checks with the signals that the UEs should have received if all gNBs nearby were legitimate. 
Clause 6.24 of [2].", "fgdsid": "FGDS5002", "name": "UE signal measurements" } ], "external_id": "FGT5012.006", "kill_chain": [ "fight:Discovery", "fight:Collection" ], "mitigations": [], "object-type": "technique", "platforms": "5G Network", "preconditions": [ { "Description": "Adversary must install a fake gNB and control what messages it sends to UEs.", "Name": "Control of fake gNB in the area where the victim UE may be located." }, { "Description": "Adversary must acquire a fake UE to achieve the NAS SMC attack.", "Name": "Control of fake UE in the NAS SMC attack." } ], "procedureexamples": [ { "Description": "Adversary eavesdrops one NAS message from the legitimate network (the Auth_Req (R, AUTN), or the NAS Security Mode Command (SMC)), then replays that NAS message whenever it wants to check whether the victim UE is nearby, since the type of error (or response, in the case of SMC) received from the responder indicates whether it's the victim UE or not. Thus, adversary can probe for UE’s presence in that cell, which leads to coarse location data. See [1].", "Name": "Replay of NAS message" } ], "refs": [ "[1] X. Hu et al. “A Systematic Analysis Method for 5G Non-Access Stratum Signalling Security”, IEEE Access, August 2019. - https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=8817957", "[2] 3rd Generation Partnership Project (3GPP) TR 33.809: “Study on 5G security enhancements against False Base Stations (FBS)”, Technical Report, v0.18.0, February 2022. 
- https://www.3gpp.org/DynaReport/33809.htm", "https://fight.mitre.org/data%20sources/FGDS5002", "https://fight.mitre.org/techniques/FGT5012.006" ], "status": "Observed in earlier 3GPP generations and expected in 5G.", "subtechnique-of": "FGT5012", "typecode": "fight_subtechnique" }, "related": [ { "dest-uuid": "fa9ee8fb-7f25-554c-9682-0e50e774812d", "type": "detected-by" }, { "dest-uuid": "f940f548-256a-5559-83bc-7fea99d051bf", "type": "subtechnique-of" } ], "uuid": "e1e65d1c-788e-587c-b4ba-6cf7a05cd067", "value": "NAS Exploit" }, { "description": "An adversary may compromise a component of gNodeB to affect radio network configuration.\r\n\r\nThe 3GPP standards assume that RAN functions are securely deployed, properly implemented, and do not contain components with malicious intent. If that assumption fails, malicious activity can take place.\r\n \r\nThe gNB is the termination point for encryption and integrity protection, if user plane traffic is sent in clear, it can potentially be exposed to an adversary controlling the gNodeB. \r\n\r\nO-RAN Architecture puts network intelligence and management capability in Service Management and Orchestration (SMO) framework, with Near-Real-Time Radio Intelligent Controller (Near-RT RIC) and Non-Real-Time RIC (Non-RT RIC) that can change the network behavior. It further allows xApps and rApps with standard interfaces to agents (if configured) outside the controlled network that can also read data and send configuration changes. A compromise of any of these components can potentially cause unintended changes to the network and expose user information.\r\n\r\n\r\nUnauthorized access to and manipulation of the gNB component can be carried out by a supply chain attack or as a result of malicious updates using operator’s management and deployment tools. 
3GPP does not dictate deployment models, so it is possible that improper security hardening and separation of networks between RAN VNF and Core VNF in the same Cloud or MEC may further allow lateral movement by an adversary if a gNodeB component is compromised.
"Description": "Configuration and data related to gNodeB", "Name": "RAN Service Management and Orchestration"
"[4] O-RAN.WG11.Threat-Model.O-R003-v06.00 - https://orandownloadsweb.azurewebsites.net/specifications", "[5] Federal Office of information Security, Study 5G RAN Risk Analysis - https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Studies/5G/5GRAN-Risk-Analysis.pdf?__blob=publicationFile&v=5", "https://fight.mitre.org/techniques/FGT5032.001" ], "status": "This is a theoretical behavior in context of 5G systems.", "subtechnique-of": "FGT5032", "typecode": "fight_subtechnique" }, "related": [ { "dest-uuid": "663f3425-dd8c-58aa-82d0-07389cf49175", "type": "subtechnique-of" } ], "uuid": "e7004e6c-b3cf-560a-8ec4-ccde661e34ba", "value": "RAN Intelligent Controller (RIC)" }, { "description": "An adversary may compromise an xApp to affect the radio network configuration.\r\n\r\nThe O-RAN architecture includes the RAN Intelligence Controllers (RIC), which consists of the Non-Real-Time RAN Intelligent Controller (Non-RT RIC) and the Near-Real-Time RAN Intelligent Controller (Near-RT RIC), to optimize radio resource management of gNB components. The Non-RT RIC is embedded in the Service Management and Orchestration (SMO) framework and hosts rApps to provide policy-based guidance, machine learning model management and enrichment information to the Near-RT RIC function for the purpose of RAN optimization. \r\n\r\nThe Near-RT RIC is a logical function that hosts xApps and enables near-real-time control and optimization of the functions and resources of gNB components [O-RAN Central Unit-Control Plane (O-CU-CP), O-RAN Central Unit-User Plane (O-CU-UP) and O-RAN Distributed Unit (O-DU)], steered via the policies and enrichment data provided from the Non-RT RIC. \r\n\r\nThe O-RAN platform can perform both non-real-time optimization and near-real-time optimization of O-RAN elements through the Non-RT RIC and Near-RT RIC. Non-real-time optimization may be used for higher-level optimization and is facilitated by the Non-RT RIC. 
Use cases such as policy-based guidance and AI/ML are examples of those appropriate for non-real-time optimization.
See clause 6.2.1 of [2].", "Name": "UE data" }
"Description": "Adversary affects the radio network configuration, accesses configuration data, and performs other unauthorized activities", "Name": "Affected Network Radio Configuration"
Version - https://orandownloadsweb.azurewebsites.net/specifications", "[3] Federal Office of information Security, Study 5G RAN Risk Analysis - https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Studies/5G/5GRAN-Risk-Analysis.pdf?__blob=publicationFile&v=5", "https://fight.mitre.org/data%20sources/DS0015", "https://fight.mitre.org/data%20sources/DS0022", "https://fight.mitre.org/data%20sources/DS0025", "https://fight.mitre.org/data%20sources/FGDS5015", "https://fight.mitre.org/mitigations/M1025", "https://fight.mitre.org/mitigations/M1033", "https://fight.mitre.org/mitigations/M1035", "https://fight.mitre.org/mitigations/M1043", "https://fight.mitre.org/mitigations/M1045", "https://fight.mitre.org/techniques/FGT5032.002" ], "status": "This is a theoretical behavior in context of 5G systems.", "subtechnique-of": "FGT5032", "typecode": "fight_subtechnique" }, "related": [ { "dest-uuid": "d77cd76e-6cf8-5345-ba70-cd17b9215573", "type": "mitigated-by" }, { "dest-uuid": "79119bb4-e146-5c99-ab3f-7ed4ed1e975a", "type": "mitigated-by" }, { "dest-uuid": "4d882eab-1588-508e-b3fc-f7221cad2db8", "type": "mitigated-by" }, { "dest-uuid": "ef3488c0-caca-5662-afbf-c906cbadb660", "type": "mitigated-by" }, { "dest-uuid": "b191eeac-862e-55c6-95f3-62e3257cdaf6", "type": "mitigated-by" }, { "dest-uuid": "3c23d0f7-d55c-5891-90b9-c744e976f0ef", "type": "detected-by" }, { "dest-uuid": "6151c447-21b5-5530-8760-375ac25fb3e8", "type": "detected-by" }, { "dest-uuid": "dc2f1c60-eb57-5350-bb83-fc41d4ec3255", "type": "detected-by" }, { "dest-uuid": "9325a5c1-d001-53cc-b556-749181f60f6a", "type": "detected-by" }, { "dest-uuid": "663f3425-dd8c-58aa-82d0-07389cf49175", "type": "subtechnique-of" } ], "uuid": "a7c41c90-2b84-5690-a75f-d59147880219", "value": "xApp" }, { "description": "An adversary may compromise an rApp to affect the radio network configuration.\r\n\r\nO-RAN architecture includes the RAN Intelligence Controllers (RICs), which consists of the Non-Real-Time RAN Intelligent 
rApps can provide better efficiency and optimization of the RAN and can access or produce various services and data, enabling achievement of use case objectives.
See clause 6.2.1 of [2].", "Name": "UE data" }
Limit Software Installations especially from 3rd party sources.", "name": "Limit Software Installation" }, { "fgmid": "M1035", "mitigates": "Limit access to rApp instance", "name": "Limit Access to Resource Over Network" }, { "fgmid": "M1043", "mitigates": "Use capabilities to prevent successful rApp credential access by adversaries.", "name": "Credential Access Protection" }, { "fgmid": "M1045", "mitigates": "Verify digital signature of rApp", "name": "Code Signing" }, { "fgmid": "M1025", "mitigates": "Enforce least privilege access for cloud components", "name": "Privileged Process Integrity" } ], "object-type": "technique", "platforms": "O-RAN", "postconditions": [ { "Description": "Adversary affects the radio network configuration, accesses configuration data, and performs other unauthorized activities", "Name": "Affected Network Radio Configuration" }, { "Description": "Adversary degrades network operation or in the worst case, causes network outage", "Name": "Network operations impacted" }, { "Description": "UE and subscriber’s sensitive data are revealed to adversary", "Name": "Sensitive UE data exposed to adversary" } ], "preconditions": [ { "Description": "Adversary has access to rApp (e.g., application package, credential)", "Name": "Adversary access to rApp" } ], "procedureexamples": [ { "Description": "Adversary compromising external supply chain or internal CI/CD pipeline to implement backdoor into rApp", "Name": "rApp access via backdoor" }, { "Description": "Adversary obtains rApp credentials through various means and compromises the rApp", "Name": "rApp access via stolen credentials" }, { "Description": "Adversary may compromise the infrastructure the O-RAN platform is deployed on and gain access to rApp", "Name": "rApp access via compromised 3rd party hosting infrastructure provider" } ], "refs": [ "[1] O-RAN WG11 Threat Model O-R003-v06.00 - https://orandownloadsweb.azurewebsites.net/specifications", "[2] O-RAN WG2 Non-RT RIC Architecture 3.00 
version - https://orandownloadsweb.azurewebsites.net/specifications", "[3] O-RAN WG2 Non-RT RIC Technical Report 1.01 version - https://orandownloadsweb.azurewebsites.net/specifications", "[4] Federal Office of information Security, Study 5G RAN Risk Analysis - https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Studies/5G/5GRAN-Risk-Analysis.pdf?__blob=publicationFile&v=5", "https://fight.mitre.org/data%20sources/DS0015", "https://fight.mitre.org/data%20sources/DS0022", "https://fight.mitre.org/data%20sources/DS0025", "https://fight.mitre.org/data%20sources/FGDS5015", "https://fight.mitre.org/mitigations/M1025", "https://fight.mitre.org/mitigations/M1033", "https://fight.mitre.org/mitigations/M1035", "https://fight.mitre.org/mitigations/M1043", "https://fight.mitre.org/mitigations/M1045", "https://fight.mitre.org/techniques/FGT5032.003" ], "status": "This is a theoretical behavior in context of 5G systems.", "subtechnique-of": "FGT5032", "typecode": "fight_subtechnique" }, "related": [ { "dest-uuid": "d77cd76e-6cf8-5345-ba70-cd17b9215573", "type": "mitigated-by" }, { "dest-uuid": "79119bb4-e146-5c99-ab3f-7ed4ed1e975a", "type": "mitigated-by" }, { "dest-uuid": "4d882eab-1588-508e-b3fc-f7221cad2db8", "type": "mitigated-by" }, { "dest-uuid": "ef3488c0-caca-5662-afbf-c906cbadb660", "type": "mitigated-by" }, { "dest-uuid": "b191eeac-862e-55c6-95f3-62e3257cdaf6", "type": "mitigated-by" }, { "dest-uuid": "3c23d0f7-d55c-5891-90b9-c744e976f0ef", "type": "detected-by" }, { "dest-uuid": "6151c447-21b5-5530-8760-375ac25fb3e8", "type": "detected-by" }, { "dest-uuid": "dc2f1c60-eb57-5350-bb83-fc41d4ec3255", "type": "detected-by" }, { "dest-uuid": "9325a5c1-d001-53cc-b556-749181f60f6a", "type": "detected-by" }, { "dest-uuid": "663f3425-dd8c-58aa-82d0-07389cf49175", "type": "subtechnique-of" } ], "uuid": "821bf2ff-d027-502a-966b-353d414a4b01", "value": "rApp" }, { "description": "An adversary in control of an Application Function (AF) or a rogue Network Function (NF) 
After acquiring the SUPI, an adversary can use it in other follow-on behaviors against that UE, such as obtaining location information or slice subscription data.
The NEF stores the UE data – including the SUPI – in the UDR and responds to API requests from various AFs. An adversary in control of an (external) AF uses a legitimate SBA API to retrieve the subscriber identifier (SUPI) of the victim UE from its phone number.
[1] 3rd Generation Partnership Project (3GPP) TS 23.502, “Procedures for the 5G System (5GS); Stage 2 (Release 17)”, v17.4.0, March 2022.
The target DNS server, operated by the adversary, records the query and extracts the encoded information. This data is then reconstructed according to the intended sequence derived from the named fields. This method allows for covert data movement, exploiting the DNS protocol as a channel for unauthorized data transmission.\r\n\r\n" ], "architecture-segment": "User Plane, Control Plane", "bluf": "Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems.", "criticalassets": [ { "Description": "Whoever controls the DNS servers controls how and what end users connect to over the network, making DNS servers a type of critical infrastructure.", "Name": "DNS Servers" } ], "detections": [ { "detects": "Data transmitted across a network (ex: Web, DNS, Mail, File, etc.), that is either summarized (ex: Netflow) and/or captured as raw data in an analyzable format (ex: PCAP)", "fgdsid": "DS0029", "name": "Network Traffic" } ], "external_id": "FGT1572", "kill_chain": [ "fight:Command-and-Control", "fight:Exfiltration", "fight:Initial-Access" ], "mitigations": [ { "fgmid": "FGM5024", "mitigates": "Use strong data integrity protection algorithms within 5G network such as airlink, backhaul and core network.", "name": "Integrity protection of data communication" }, { "fgmid": "M1031", "mitigates": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool and will likely be different across various malware families and versions. 
[2] Peng, C., Li, C., Tu, G., Lu, S., & Zhang, L. (2012). Mobile data charging: new attacks and countermeasures. Proceedings of the 2012 ACM conference on Computer and communications security.
"[3] Merve Sahin, Aurelien Francillon, Payas Gupta, and Mustaque Ahamad. 2017. \n“Sok: Fraud in telephony networks”. In 2017 IEEE European Symposium on Security\nand Privacy (EuroS&P). IEEE, p235–250 - https://ieeexplore.ieee.org/document/7961983", "[4] Kui Xu, Patrick Butler, Sudip Saha, Danfeng (Daphni) Yao in DNS CC Journal, “DNS for Massive-Scale Command and Control” - https://people.cs.vt.edu/~danfeng/papers/DNS-CC-JOURNAL.pdf"
"[1] European Union Agency for Cybersecurity (ENISA): “ENISA Threat Landscape for 5G Networks” Report, December 2020. - https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks", "[2] 3rd Generation Partnership Project (3GPP) TR 33.809: “Study on 5G security enhancements against False Base Stations (FBS)”, Technical Report, v0.18.0, February 2022.
- https://www.3gpp.org/DynaReport/33809.htm", "[3] Cablelabs article “False Base Station or IMSI Catcher: What You Need to Know” - https://www.cablelabs.com/blog/false-base-station-or-imsi-catcher-what-you-need-to-know", "[4] Open source O-RAN 5G CU/DU solution from Software Radio Systems (SRS) - https://github.com/srsran/srsRAN_Project", "[5] Open Air Interface project source code - https://gitlab.eurecom.fr/oai/openairinterface5g/", "https://fight.mitre.org/data%20sources/FGDS5002", "https://fight.mitre.org/mitigations/M1056", "https://fight.mitre.org/techniques/FGT1583.501" ], "status": "Observed in earlier 3GPP generations and expected in 5G.", "subtechnique-of": "FGT1583", "typecode": "fight_subtechnique_to_attack_technique" }, "related": [ { "dest-uuid": "7d8b78b4-09f2-516d-b81e-1b3dc8336d08", "type": "mitigated-by" }, { "dest-uuid": "fa9ee8fb-7f25-554c-9682-0e50e774812d", "type": "detected-by" }, { "dest-uuid": "0d34588f-990e-5b8a-800a-f5ab55389ddc", "type": "subtechnique-of" } ], "uuid": "98509c8f-fa9a-5306-90fe-eb2d2050f2b9", "value": "False Base Station or Access Point" }, { "description": "An adversary may compromise a network device’s integrity capability or configuration in order to exploit the non-integrity protected data communication.\r\n\r\nIntegrity can be used to protect transmitted data traffic against unauthorized changes. Algorithms for user data and signaling communication take a plaintext or encrypted message and compute, using a symmetric secret key, a keyed MIC (message integrity check) or MAC (Message Authentication Code). A recipient in possession of that symmetric integrity key can verify that the message was not modified in transit. 
\r\n\r\nAn adversary may alter network signaling or compromise an NF, proxy or gNB that controls the choice of integrity algorithm, so as to enable the weak or no integrity algorithm, thus allowing for manipulation or spoofing of user data or signaling (over the radio interface or within the core network, e.g. Non-SBI, or SBI, or roaming interfaces).", "meta": { "architecture-segment": "RAN, User Plane, Control Plane", "bluf": "An adversary may compromise a network device's integrity capability or configuration in order to exploit the non-integrity protected data communication", "criticalassets": [ { "Description": "Subscriber signaling and user plane data", "Name": "Subscriber data" } ], "detections": [ { "detects": "Data sent over the network or radio interface can be analyzed to check for the integrity algorithm.", "fgdsid": "DS0029", "name": "Network Traffic" } ], "external_id": "FGT5009", "kill_chain": [ "fight:Defense-Evasion" ], "mitigations": [ { "fgmid": "M1047", "mitigates": "Monitor periodically if integrity protection algorithm is enabled", "name": "Audit" } ], "object-type": "technique", "platforms": "5G", "postconditions": [ { "Description": "Subscriber data session does not get setup (DoS attack) or gets interrupted, spoofed or redirected during an active session.", "Name": "Subscriber data session impact" } ], "preconditions": [ { "Description": "Adversary gets hold of an end point such as gNB to manipulate signaling", "Name": "Adversary controlling end point" } ], "procedureexamples": [ { "Description": "An adversary may manipulate gNB signaling to enable NULL integrity over the radio interface (Uu)", "Name": "Weaken integrity over radio interface" }, { "Description": "An adversary may change network configuration so that IPSec is not enabled between gNB and UPF (N3) or between gNB and AMF (N2).", "Name": "Weaken integrity within the RAN to core connections" }, { "Description": "An adversary may change network configuration so that IPSec is not 
enabled between two gNBs (Xn).", "Name": "Weaken integrity within RAN" }, { "Description": "An adversary may disable TLS between two NFs or between one or more NFs and the Service Communication Proxy (SCP) if deployed by MNO.", "Name": "Weaken integrity within SBI" }, { "Description": "An adversary may disable or weaken integrity protection of the communications between SEPPs (N32 which uses JWS for example) or between visited PLMN UPF and home PLMN UPF (N9).\n\nAn adversary may weaken integrity protection on N26 interface between MME and AMF.", "Name": "Weaken integrity on the roaming/interconnect" } ], "refs": [ "[1] European Union Agency for Cybersecurity (ENISA): “ENISA Threat Landscape for 5G Networks” Report, December 2020. - https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks", "https://fight.mitre.org/data%20sources/DS0029", "https://fight.mitre.org/mitigations/M1047", "https://fight.mitre.org/techniques/FGT5009" ], "status": "This is a theoretical behavior", "typecode": "fight_technique" }, "related": [ { "dest-uuid": "a30b7d01-b740-5538-b28d-d87befd5fd29", "type": "mitigated-by" }, { "dest-uuid": "becdcf31-3d2a-53bb-8251-51e9da4a0df6", "type": "detected-by" } ], "uuid": "4d8acf53-2350-5390-af4d-7ba1f5f9dc13", "value": "Weaken Integrity" }, { "description": "Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.\r\n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1190)", "meta": { "access-required": "N/A", "addendums": [ "#### Addendum Name: Exploit Public-Facing Network Function\r\n##### Architecture Segments: Control Plane, User Plane\r\n An adversary may exploit weaknesses in Application Programming Interfaces (APIs) on Network Functions (NF) that are exposed to the public Internet, which exposes those functions to compromise of the NF, or disclosure of information. 
\r\n\r\nSome 5G functions such as the Network Exposure Function (NEF) have APIs that are public facing and are subject to potential exploit by adversaries similarly to public facing websites and services. The adversary could exploit a previously identified weakness in the API to gain initial access to the operator’s environment. The adversary may also obtain credentials through other techniques that allow the adversary to obtain unauthorized information from the exposed network function. See Exploit Semi-public Facing Application [FGT5029](/techniques/FGT5029) for API exposure to interworking networks.\r\n\r\nAn example of this is that access control of application functions (AF) by the NEF is done at the API level, which is not granular enough, i.e., it is not done at the Information Element (IE) level. An adversary may use a 3rd party AF to make requests for a service, e.g. location of a UE, beyond their authorization level since IEs are not explicitly required to be checked. 
\r\n\r\n" ], "architecture-segment": "Control Plane, User Plane", "bluf": "Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.", "criticalassets": [ { "Description": "The Network Exposure Function has the N33 interface exposed to an Application Function (AF) on the Internet (3rd party)", "Name": "NEF" } ], "detections": [], "external_id": "FGT1190", "kill_chain": [ "fight:Impact", "fight:Initial-Access", "fight:Collection" ], "mitigations": [ { "fgmid": "M1016", "mitigates": "Vulnerability scanning of public APIs", "name": "Vulnerability Scanning" }, { "fgmid": "M1050", "mitigates": "Use Web Application Firewall (WAF) to minimize potential exploit of vulnerabilities", "name": "Exploit Protection" } ], "object-type": "technique", "platforms": "5G", "preconditions": [ { "Description": "Adversary may need to identify vulnerabilities in the API to obtain initial-access, unauthorized information, or perform a denial of service", "Name": "API vulnerability" }, { "Description": "Adversary may need to obtain credentials to collect unauthorized information", "Name": "API credentials" } ], "procedureexamples": [ { "Description": "Adversary uses an insecure API to take over the edge NF, then can use legitimate signaling to obtain sensitive UE or network data.", "Name": "Sensitive data exposure" }, { "Description": "Adversary may bypass standard AF API access control mechanism by using crafted IEs to access sensitive data such as location of a UE through NEF.", "Name": "Exploit vulnerable API" } ], "refs": [ "[1] European Union Agency for Cybersecurity (ENISA): “ENISA Threat Landscape for 5G Networks” Report, December 2020. - https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks", "[2] R. Pell, S. Moschoyiannis, E. Panaousis, R. 
Heartfield, “Towards dynamic threat modelling in 5G core networks based on MITRE ATT&CK”, October 2021 - https://arxiv.org/abs/2108.11206", "[3] TOP 7 REST API Security Threats, blog January 2019 - https://blog.restcase.com/top-7-rest-api-security-threats/", "[4] 3GPP TS 29.522: “Network Exposure Function Northbound APIs; Stage 3” - https://www.3gpp.org/DynaReport/29522.htm", "[5] “System architecture for the 5G System (5GS),” TS 23.501, 3GPP, Sec. 4.2.3 - https://www.3gpp.org/DynaReport/23501.htm", "https://attack.mitre.org/techniques/T1190", "https://fight.mitre.org/mitigations/M1016", "https://fight.mitre.org/mitigations/M1050", "https://fight.mitre.org/techniques/FGT1190" ], "status": "This is an observed behavior in Enterprise networks, and is theoretical in context of 5G systems.", "typecode": "attack_technique_addendum" }, "related": [ { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "type": "related-to" }, { "dest-uuid": "182337e0-b8d6-55da-9e9b-141029f9eb9b", "type": "mitigated-by" }, { "dest-uuid": "3338eab7-16f1-5ba8-8e82-5faf0ed9b31a", "type": "mitigated-by" } ], "uuid": "3ba77568-0469-540a-bce9-8cde815d5d86", "value": "Exploit Public-Facing Application" }, { "description": "Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users.\n\nOn Android versions prior to 7, apps can abuse Device Administrator access to reset the device lock passcode, preventing the user from unlocking the device.\r\n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1642)", "meta": { "architecture-segment": "5G", "bluf": "Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users.\n\nOn Android versions prior to 7, apps can abuse Device Administrator access to reset the device lock passcode, preventing the user from unlocking the device.", "detections": [], "external_id": "FGT1642", 
"kill_chain": [ "fight:Impact" ], "mitigations": [], "object-type": "technique", "platforms": "5G", "refs": [ "https://attack.mitre.org/techniques/T1642", "https://fight.mitre.org/techniques/FGT1642" ], "status": "This is an observed behavior in Enterprise networks.", "typecode": "attack_technique_with_fight_subs" }, "related": [ { "dest-uuid": "eb6cf439-1bcb-4d10-bc68-1eed844ed7b3", "type": "related-to" } ], "uuid": "58e62481-da83-5ee9-9286-69822d1c153e", "value": "Endpoint Denial of Service" }, { "description": "Adversaries may buy and/or steal capabilities that can be used during targeting.\r\n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1588)", "meta": { "access-required": "N/A, N/A", "addendums": [ "#### Addendum Name: Silent paging tool\r\n##### Architecture Segments: RAN\r\n An adversary may buy or steal a silent SMS tool in order to send SMSes to nearby phones in a target area.\r\n\r\nA silent SMS is described in the specification GSM 03.40 as a Short Message of type 0, which indicates that the UE must acknowledge receipt of the short message but may discard its contents.\r\n\r\nA simple mobile phone running a program to send silent SMSes is such an SMS tool. What is needed is cellular connectivity, and the phone number of the victim. \r\n\r\n", "#### Addendum Name: IMSI Catcher\r\n##### Architecture Segments: RAN\r\n An adversary may buy or steal an International Mobile Subscriber Identity (IMSI) catcher to capture IMSI data from nearby UEs in a target area.\r\n\r\nIMSI catchers are very similar to fake base stations but may not have the full capabilities of the base station. The term IMSI Catcher has traditionally been associated with UE identity discovery or location identification. 
Adversary may buy an IMSI Catcher from legitimate vendors selling products.\r\n\r\n" ], "architecture-segment": "RAN", "bluf": "Adversaries may buy and/or steal capabilities that can be used during targeting.", "detections": [], "external_id": "FGT1588", "kill_chain": [ "fight:Resource-Development" ], "mitigations": [ { "fgmid": "M1056", "mitigates": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of the mobile network operator.", "name": "Pre-compromise" } ], "object-type": "technique", "platforms": "RAN, RAN", "refs": [ "[1] Adrian Dabrowski, Nicola Pianta, Thomas Klepp, Martin Mulazzani, and Edgar Weippl. “IMSI-catch me if you can: IMSI-catcher-catchers”. Proceedings of the 30th annual computer security applications Conference, pages 246–255, 2014. - https://its-wiki.no/images/f/fb/Dabrowski_ISMI_Catch_me_Catchers.pdf", "[1] SMS Deliverer, “PING/Silent SMS”. - https://www.smsdeliverer.com/onlinehelp/interface/pingsms/", "[2] Information Security Newspaper, “How to hack and track anybody’s phone location via silent SMS messages”. - https://www.securitynewspaper.com/2023/06/20/how-to-hack-track-anybodys-phone-location-via-silent-sms-messages/", "[2] Ravishankar Borgaonkar, Altaf Shaik, “5G IMSI Catchers Mirage”, Blackhat USA Conference 2021. - https://blackhat.com/us-21/briefings/schedule/#g-imsi-catchers-mirage-23538", "[3] “HOW COPS CAN SECRETLY TRACK YOUR PHONE”, The Intercept, online article, July 31, 2021. Accessed 6/22/2022. - https://theintercept.com/2020/07/31/protests-surveillance-stingrays-dirtboxes-phone-tracking/", "[4] A Knight, Brier & Thorn, “Hacking GSM: Building a Rogue Base Station to Hack Cellular Devices,” Online Article. Accessed 6/22/2022. 
- https://www.brierandthorn.com/post/hacking-gsm-building-a-rogue-base-station-to-hack-cellular-devices", "https://attack.mitre.org/techniques/T1588", "https://fight.mitre.org/mitigations/M1056", "https://fight.mitre.org/techniques/FGT1588" ], "status": "This is an observed behavior in Enterprise networks, and is theoretical in context of 5G systems.", "typecode": "attack_technique_addendum" }, "related": [ { "dest-uuid": "ce0687a0-e692-4b77-964a-0784a8e54ff1", "type": "related-to" }, { "dest-uuid": "7d8b78b4-09f2-516d-b81e-1b3dc8336d08", "type": "mitigated-by" } ], "uuid": "2e25feaa-6036-5833-ae25-2c5687ef3041", "value": "Obtain Capabilities" }, { "description": "An adversary can purchase, rent, or download software to acquire a programmable User Equipment (UE) device, in order to pave the way to other follow-on behaviors against the Radio-Access Network (RAN) such as denial of service.\r\n\r\nFake UEs are used in many adversarial behaviors against the mobile network.", "meta": { "architecture-segment": "UE", "bluf": "An adversary can purchase, rent, or download software to acquire a programmable User Equipment (UE) device, in order to pave the way to other follow-on behaviors against the Radio-Access Network (RAN) such as denial of service", "detections": [], "external_id": "FGT1583.502", "kill_chain": [ "fight:Resource-Development" ], "mitigations": [], "object-type": "technique", "platforms": "5G radio", "procedureexamples": [ { "Description": "Adversary uses Software-Defined-Radio (SDR) running OAI-5G (“OpenAirInterface”) modified software", "Name": "Fake UE build" }, { "Description": "In [1], it is mentioned that the adversary must “forge a malicious UE”, which is then used to replay messages from the malicious (adversary controlled) gNB to the legitimate gNB", "Name": "Fake UE acquisition" } ], "refs": [ "[1] Hu, X. 
et al: “A Systematic Analysis Method for 5G Non-Access Stratum Signalling Security”, August 2019 - https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=8817957", "[2] Ericsson: “Detecting false base stations in mobile networks” - https://www.ericsson.com/en/blog/2018/6/detecting-false-base-stations-in-mobile-networks", "https://fight.mitre.org/techniques/FGT1583.502" ], "status": "This is a theoretical behavior", "subtechnique-of": "FGT1583", "typecode": "fight_subtechnique_to_attack_technique" }, "related": [ { "dest-uuid": "0d34588f-990e-5b8a-800a-f5ab55389ddc", "type": "subtechnique-of" } ], "uuid": "6cdb08b8-d8f0-565c-a310-24b5733b338f", "value": "Programable UE devices" }, { "description": "An adversary may obtain software to configure a false base station (gNB or gNB emulator) or WiFi access point in order to enable other Radio Access Network (RAN) follow-on behaviors against UEs such as adversary in the middle or denial of service.\r\n\r\nAn adversary enables the programmability of a false base station, for example its broadcast configuration is adjustable so that it can broadcast the local PLMN Identifier, a particular cell ID, etc. In addition, the transmit power of the base station \r\nis adjustable so that it will be higher than the legitimate base stations nearby, so as to succeed in luring UEs to connect to it.", "meta": { "architecture-segment": "RAN", "bluf": "An adversary may obtain software to configure a fake base station (gNB or gNB emulator) or WiFi access point in order to enable other Radio Access Network (RAN) follow-on behaviors against UEs such as adversary in the middle or denial of service.", "detections": [ { "detects": "UE measurements of received power levels from all base stations nearby, and their identifiers. 
Refer to clause 6.24 of [2].", "fgdsid": "FGDS5002", "name": "UE signal measurements" } ], "external_id": "FGT1608.501", "kill_chain": [ "fight:Resource-Development" ], "mitigations": [], "object-type": "technique", "platforms": "5G radio", "procedureexamples": [ { "Description": "Adversary obtains software capability such as: modified custom code, scripts, configuration parameters.", "Name": "Obtain capability for configuration of gNB, gNB emulator, or WiFi access point." }, { "Description": "Adversary installs an illegitimate complete gNB and configures the power so as to appear strongest to a given UE in a particular location, see [2].", "Name": "Configure false gNB to appear strongest" } ], "refs": [ "[1] European Union Agency for Cybersecurity (ENISA): “ENISA Threat Landscape for 5G Networks” Report, December 2020. - https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks", "[2] 3rd Generation Partnership Project (3GPP) TR 33.809: “Study on 5G security enhancements against False Base Stations (FBS)”, Technical Report, v0.18.0, February 2022. - https://www.3gpp.org/DynaReport/33809.htm", "https://fight.mitre.org/data%20sources/FGDS5002", "https://fight.mitre.org/techniques/FGT1608.501" ], "status": "This is a theoretical behavior", "subtechnique-of": "FGT1608", "typecode": "fight_subtechnique_to_attack_technique" }, "related": [ { "dest-uuid": "fa9ee8fb-7f25-554c-9682-0e50e774812d", "type": "detected-by" }, { "dest-uuid": "4f4a0c73-63a5-578b-9814-06a211a42afd", "type": "subtechnique-of" } ], "uuid": "68dc47f0-fd8a-5b9e-82c4-f728f425bcc1", "value": "Configurability of Fake Base Station or Access Point" }, { "description": "Adversaries may exhaust common resources of a slice to cause denial of service (service degradation) to all other slices that use the same common resources. \r\n\r\n5G network slices may be built using same NFVI resources or may be sharing a common Core or RAN function. 
A network slice may have dedicated AMF, SMF and UPF but NEF, NRF, UDM are usually shared for a deployment. Adversary’s slice A may target a slice B by exhausting resources common to slice A and B such as NEF.\r\n\r\nIt is possible for adversary’s slice to oversubscribe a resource (NF or NFVI Resource) to an extent where other slices cannot get their messages and process executed in due time. This results in UEs or some network functions experiencing denial of service within target slices.", "meta": { "access-required": "User/NPE/Administrative access", "architecture-segment": "Network Slice", "bluf": "Adversaries may exhaust common resources of a slice to cause denial of service (service degradation) to all other slices that use the same common resources. ", "criticalassets": [ { "Description": "NFVI network and compute resources", "Name": "NFVI" }, { "Description": "5G Core, RAN and Non-SBI functions, virtual resources supporting VNF", "Name": "VNFs" } ], "detections": [ { "detects": "Monitor systems performance and alert on quota exceptions on hosts, applications and networks", "fgdsid": "DS0013", "name": "Sensor Health" }, { "detects": "Auditing logs for security, authentication and authorization activity, host access, hosts, virtualization orchestrator and managers can reveal behavioral anomalies", "fgdsid": "FGDS5012", "name": "SIEM" }, { "detects": "Automated user and resource policy compliance checks and instrumentation to alert on violation attempts", "fgdsid": "FGDS5023", "name": "Audit policy violation" } ], "external_id": "FGT1498.502", "kill_chain": [ "fight:Impact" ], "mitigations": [ { "fgmid": "FGM5005", "mitigates": "Hardware, network, and point of presence can be separated to provide additional isolation", "name": "Physical and environmental protection" }, { "fgmid": "M1030", "mitigates": "Implementing segmentation policy at granular level, network and compute resources can prevent some co-residency threats when mapped to SLAs, Users, and Resource 
policies.", "name": "Network Segmentation" }, { "fgmid": "FGM5518", "mitigates": "Create and enforce resource policy; policy can include SLA, quotas, QOS etc.", "name": "Resource Policy enforcement" } ], "object-type": "technique", "platforms": "Slice, CSP", "refs": [ "[1] ETSI NFV SEC026 Isolation and trust domain specification, section 4.2.3, Accessed 6/27/2022 - https://docbox.etsi.org/ISG/NFV/Open/Drafts/SEC026_Isolation_and_trust_domain", "[2] GSMA Official Document NG.126 - Cloud Infrastructure Reference Model_NG.126-v1.0-2, Accessed 6/27/2022 - https://www.gsma.com/newsroom/wp-content/uploads//NG.126-v1.0-2.pdf", "[3] R. Pell, S. Moschoyiannis, E. Panaousis, R. Heartfield, “Towards dynamic threat modelling in 5G core networks based on MITRE ATT&CK”,  October 2021 - https://arxiv.org/abs/2108.11206", "[4] NGMN: \n5G Security Recommendation Package #2 Network Slicing, Accessed 6/27/2022 - https://www.ngmn.org/publications/5g-security-recommendations-package-2-network-slicing.html", "https://fight.mitre.org/data%20sources/DS0013", "https://fight.mitre.org/data%20sources/FGDS5012", "https://fight.mitre.org/data%20sources/FGDS5023", "https://fight.mitre.org/mitigations/FGM5005", "https://fight.mitre.org/mitigations/FGM5518", "https://fight.mitre.org/mitigations/M1030", "https://fight.mitre.org/techniques/FGT1498.502" ], "status": "This is a theoretical behavior in context of 5G systems.", "subtechnique-of": "FGT1498", "typecode": "fight_subtechnique_to_attack_technique" }, "related": [ { "dest-uuid": "a22ac7a1-fb1e-57f9-988c-8205b22cc619", "type": "mitigated-by" }, { "dest-uuid": "9c376223-8d89-5179-8a56-51de20697bd2", "type": "mitigated-by" }, { "dest-uuid": "862ae052-4fdb-5c58-8b5a-7925b4442500", "type": "mitigated-by" }, { "dest-uuid": "5cbb4ceb-09b7-569d-b397-30ce5f6b99cb", "type": "detected-by" }, { "dest-uuid": "7a823dc9-a6c0-5d4f-95ca-b13ba57696df", "type": "detected-by" }, { "dest-uuid": "98132164-af5d-57b9-9319-5ee110bcc541", "type": "detected-by" }, { 
"dest-uuid": "8583ca5f-ce71-5341-abda-f2b110994b7a", "type": "subtechnique-of" } ], "uuid": "f2f31e4d-69eb-52f7-b649-f140d4607865", "value": "Shared slice common control network function resource exhaustion" }, { "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.\r\n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1048/003)", "meta": { "access-required": "N/A", "addendums": [ "#### Addendum Name: DNS Queries\r\n##### Architecture Segments: Control Plane, Roaming\r\n Adversaries may steal data by exfiltrating from an MNO by sending it over allowed DNS queries to DNS servers outside the MNO. The data may be sent to an alternate network location from that used for command and control.\r\nAdversaries may opt to obfuscate this data within the constraints of DNS record types. The adversary may also use custom or publicly available encoding/compression algorithms (such as base64) as well as embedding data within protocol headers and fields.\r\n\r\n" ], "architecture-segment": "Control Plane, Roaming", "bluf": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.", "criticalassets": [ { "Description": "The configuration of DNS Resolvers is important to ensure ability to monitor DNS queries for adversary behavior.", "Name": "DNS Resolvers" } ], "detections": [ { "detects": "Collect and analyze DNS lookup logs for unusual patterns and destinations", "fgdsid": "DS0015", "name": "Application Log" }, { "detects": "Analyze network destinations for DNS traffic for unusual destinations and volumes.", "fgdsid": "DS0029", "name": "Network Traffic" } ], "external_id": "FGT1048.003", "kill_chain": [ "fight:Exfiltration" ], "mitigations": [ { "fgmid": "M1037", "mitigates": "Filter public network lookups to limit exfiltration 
destinations. Potential use of protective DNS services.", "name": "Filter Network Traffic" } ], "object-type": "technique", "platforms": "NF, SEPP", "preconditions": [ { "Description": "Operator environment must permit DNS queries either directly or recursively for domains the operator doesn’t directly control.", "Name": "External DNS Resolution" } ], "refs": [ "[1] “Bhadra framework”: S.P. Rao, S. Holtmanns, T. Aura, “Threat modeling framework for mobile communication systems,” Retrieved April 28, 2022 - https://arxiv.org/pdf/2005.05110.pdf", "https://attack.mitre.org/techniques/T1048/003", "https://fight.mitre.org/data%20sources/DS0015", "https://fight.mitre.org/data%20sources/DS0029", "https://fight.mitre.org/mitigations/M1037", "https://fight.mitre.org/techniques/FGT1048.003" ], "status": "This is an observed behavior in Enterprise networks, and is theoretical in context of 5G systems.", "subtechnique-of": "FGT1048", "typecode": "attack_subtechnique_addendum" }, "related": [ { "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", "type": "related-to" }, { "dest-uuid": "ed391833-59f3-5049-9017-66427a8d8a17", "type": "mitigated-by" }, { "dest-uuid": "3c23d0f7-d55c-5891-90b9-c744e976f0ef", "type": "detected-by" }, { "dest-uuid": "becdcf31-3d2a-53bb-8251-51e9da4a0df6", "type": "detected-by" }, { "dest-uuid": "c6b2b946-0822-5890-9092-c08dcc7f3487", "type": "subtechnique-of" } ], "uuid": "38a0f42d-caf7-50cc-b32f-7513019a8491", "value": "Exfiltration Over Unencrypted Non-C2 Protocol" }, { "description": "Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel.\r\n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1048)", "meta": { "access-required": "NF Service Account credentials", "addendums": [ "#### Addendum Name: Control plane signaling exfiltration\r\n##### Architecture Segments: Control Plane, Roaming\r\n An adversary may use Control Plane 
signaling between operator-internal Network Functions and externally-facing NFs or proxies to exfiltrate data to external endpoints.\r\n\r\nThe operator network uses edge functions that communicate to external parties: The Network Exposure Function (NEF) communicates with external Application Functions (AF), and the Security Edge Protection Proxy (SEPP) communicates with nodes on the IP Interchange (roaming/interconnect fabric). This channel can be used by an adversary to exfiltrate data originating at a compromised NF inside the operator network and ending up at the external node (AF, IPX node). For example, HTTP/2 optional parameters may be used to communicate between a core NF and an external server via NEF or SEPP.\r\n\r\n" ], "architecture-segment": "Control Plane, Roaming", "bluf": "Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel.", "criticalassets": [ { "Description": "Sensitive information in subscriber signaling data", "Name": "Subscriber signaling data" }, { "Description": "Core NF identifiers (e.g. IP address, FQDN) such as AMF, SMF, UDM etc.", "Name": "Operator resource identifiers" } ], "detections": [ { "detects": "Monitor and analyze traffic patterns and packet inspection over the SBI, especially to/from external functions.", "fgdsid": "DS0029", "name": "Network Traffic" } ], "external_id": "FGT1048", "kill_chain": [ "fight:Exfiltration", "fight:Command-and-Control" ], "mitigations": [ { "fgmid": "M1037", "mitigates": "Filter and inspect network traffic coming out of SEPP and NEF", "name": "Filter Network Traffic" } ], "object-type": "technique", "platforms": "5G Network", "procedureexamples": [ { "Description": "HTTP/2 optional parameters may be used to communicate between a core NF and an external server (AF, IPX node) via NEF or SEPP.", "Name": "HTTP/2 optional parameters" } ], "refs": [ "[1] R. Pell, S. Moschoyiannis, E. Panaousis, R. 
Heartfield, “Towards dynamic threat modelling in 5G core networks based on MITRE ATT&CK”, October 2021 - https://arxiv.org/abs/2108.11206", "https://attack.mitre.org/techniques/T1048", "https://fight.mitre.org/data%20sources/DS0029", "https://fight.mitre.org/mitigations/M1037", "https://fight.mitre.org/techniques/FGT1048" ], "status": "This is an observed behavior in Enterprise networks, and is theoretical in context of 5G systems.", "typecode": "attack_technique_addendum" }, "related": [ { "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", "type": "related-to" }, { "dest-uuid": "ed391833-59f3-5049-9017-66427a8d8a17", "type": "mitigated-by" }, { "dest-uuid": "becdcf31-3d2a-53bb-8251-51e9da4a0df6", "type": "detected-by" } ], "uuid": "c6b2b946-0822-5890-9092-c08dcc7f3487", "value": "Exfiltration Over Alternative Protocol" }, { "description": "Adversaries may buy, lease, or rent infrastructure that can be used during targeting.\r\n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1583)", "meta": { "addendums": [ "#### Addendum Name: Access to Cloud Infra or MEC\r\n##### Architecture Segments: OA&M, MEC\r\n An adversary may purchase access to cloud infrastructure or Multi-access Edge Computing (MEC) resources that will also be hosting the operator’s infrastructure.\r\n\r\nMobile Network Operators are looking to commercial cloud and MEC providers to deploy 5G Core and RAN functions. Similar resources may also be utilized to offer compute services for time sensitive enterprise/user applications. Adversaries may attempt to target victims by creating co-residency in cloud or MEC resources for bridging network, or lateral movements by using software and configuration vulnerabilities. 
These are sometimes referred to as colocation attacks.\r\n\r\n\r\n" ], "architecture-segment": "OA&M, MEC", "bluf": "Adversaries may buy, lease, or rent infrastructure that can be used during targeting.", "detections": [], "external_id": "FGT1583", "kill_chain": [ "fight:Resource-Development" ], "mitigations": [ { "fgmid": "FGM5504", "mitigates": "Cloud compute, cloud storage and any serverless activity should be isolated from other tenants", "name": "Resource Isolation in virtualization environment" }, { "fgmid": "FGM5505", "mitigates": "Hardware mediated execution environment", "name": "Hardware mediated execution environment" }, { "fgmid": "M1030", "mitigates": "Network isolation. Deployment architecture should consider physical and virtual isolation from other tenants", "name": "Network Segmentation" }, { "fgmid": "M1041", "mitigates": "Any traffic going from a security zone to another security zone must be protected with encryption. Key based user and resource authentication and authorization should be used", "name": "Encrypt Sensitive Information" } ], "object-type": "technique", "platforms": "5G Network", "procedureexamples": [ { "Description": "[2] is a university research showing how an attacker can locate an entity’s systems in the cloud and work to instantiate profiling and other malicious hosts on the same physical platform.", "Name": "Locate cloud resources of target" } ], "refs": [ "[1] S. Sahoo, S. K. Mishra, B. Sahoo & A. K. Turuk, “Co-resident Attack in Cloud Computing: An Overview”, Encyclopedia of Big Data Technologies, March 2018 - https://link.springer.com/content/pdf/10.1007%2F978-3-319-63962-8_322-1.pdf", "[2] T. Ristenpart, E. Tromer, H. Shacham, S. 
Savage, “Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds”, In CCS '09: Proceedings of the 16th ACM conference on Computer and communications security, November 2009 Pages 199–212 - https://dl.acm.org/doi/10.1145/1653662.1653687", "https://attack.mitre.org/techniques/T1583", "https://fight.mitre.org/mitigations/FGM5504", "https://fight.mitre.org/mitigations/FGM5505", "https://fight.mitre.org/mitigations/M1030", "https://fight.mitre.org/mitigations/M1041", "https://fight.mitre.org/techniques/FGT1583" ], "status": "This is an observed behavior in Enterprise networks, and is theoretical in context of 5G systems.", "typecode": "attack_technique_addendum" }, "related": [ { "dest-uuid": "0458aab9-ad42-4eac-9e22-706a95bafee2", "type": "related-to" }, { "dest-uuid": "22b865fb-9dda-5314-b8a9-81b5436c44a6", "type": "mitigated-by" }, { "dest-uuid": "f3a29b91-8b44-53ed-8fe3-1c417f3ff8b9", "type": "mitigated-by" }, { "dest-uuid": "9c376223-8d89-5179-8a56-51de20697bd2", "type": "mitigated-by" }, { "dest-uuid": "71801a06-41bd-5336-a539-e8bea9d647f7", "type": "mitigated-by" } ], "uuid": "0d34588f-990e-5b8a-800a-f5ab55389ddc", "value": "Acquire Infrastructure" }, { "description": "An adversary may alter network signaling so as to use weakened or no encryption algorithm on the Non-SBI (Service Based Interface), SBI and Roaming interfaces, thus allowing for eavesdropping of user data or signaling. \r\n\r\nThe following Network interfaces are in the scope of this document.\r\n\r\n1. “Non-SBI” network interfaces are within 5G core network and the Radio Access Network (RAN), and between the RAN and the 5G Core (e.g. N2, N3, N4, Xn). \r\n\r\n2. SBI network interfaces are between core Network Functions (NFs) within an operator network; they use REST APIs.\r\n\r\n3. 
Roaming and interconnect interfaces, including IPX, are between network operators (between Security Edge Protection Proxies (SEPPs) (N32), or other interworking functions like Access and Mobility Management (AMF/MME) (N26) and between User Plane Functions (UPFs) owned by different network operators (N9)).\r\n\r\nAn adversary with control over gNB, AMF, UPF or SMF may disable IPSec on non-SBI interfaces (Xn, N2, N3, N4). IPSec is expected to be used to protect all non-SBI links, however, unlike radio communications, operator RAN to core communications are not mandated to actually run encryption protection. \r\n\r\nAn adversary with access to the SBI links, with control over one or more core network functions (NFs) or a middlebox (including the Service Communication Proxy (SCP) if deployed), may disable use of TLS or use older TLS version such as v1.1. TLS is required by 3GPP standards to be used to protect all SBI links within the operator core network. \r\n\r\nAn adversary with control over roaming nodes or interfaces- namely SEPP or IPX network-- may disable or cause to use a weak encryption algorithm for TLS or JWE encryption on the N32 interface. 
An adversary with control over visited network UPF may disable IPSec on the N9 interface or a compromised MME or AMF may disable IPSec on N26 interface.", "meta": { "access-required": "None", "architecture-segment": "Control Plane, User Plane", "bluf": "An adversary may alter network signaling so as to use weakened or no encryption algorithm on the Non-SBI (Service Based Interface), SBI and Roaming interfaces, thus allowing for eavesdropping of user data or signaling.", "criticalassets": [ { "Description": "Any of the subscriber data sourced or destined to the UE", "Name": "UE data" }, { "Description": "Any of the signaling traffic between UE and network", "Name": "UE signaling" } ], "detections": [ { "detects": "Check configuration changes in gNB and all core NFs; Configuration audits by OSS/BSS.", "fgdsid": "DS0015", "name": "Application Log" }, { "detects": "Inspect network traffic and watch for unauthorized changes", "fgdsid": "DS0029", "name": "Network Traffic" } ], "external_id": "FGT1600.502", "kill_chain": [ "fight:Defense-Evasion" ], "mitigations": [ { "fgmid": "M1018", "mitigates": "Network element security safeguards for gNB and all core NFs", "name": "User Account Management" }, { "fgmid": "M1031", "mitigates": "Implement network intrusion prevention methods", "name": "Network Intrusion Prevention" }, { "fgmid": "M1041", "mitigates": "Ensure strong encryption is used in all non-SBI, SBI and roaming/interconnect interfaces. 
That is, TLS (not version 1.1) should be used in all SBI, N32-c and N32-f ; in addition, PRINS should be used on N32-f when TLS is not used.", "name": "Encrypt Sensitive Information" }, { "fgmid": "M1043", "mitigates": "Implement credential access protection methods", "name": "Credential Access Protection" }, { "fgmid": "M1046", "mitigates": "Network element security safeguards for gNB and all core NFs", "name": "Boot Integrity" }, { "fgmid": "M1051", "mitigates": "Network element security safeguards for gNB and all core NFs", "name": "Update Software" } ], "object-type": "technique", "platforms": "5G", "postconditions": [ { "Description": "Control Plane: All UE signaling data may be revealed if IPSec and TLS are disabled.\n\nUser Plane: Subscriber (user plane) data may be revealed if IPSec is disabled. \n\nUE CP & UP data can be sniffed, see FGT1040 – Network Sniffing", "Name": "UE data unprotected on network interfaces" } ], "preconditions": [ { "Description": "Adversary must have access to the network components to cause the attacks", "Name": "Rogue or misconfigured AMF/MME, SMF, gNB or UPF, or SEPP or any other core NF" } ], "procedureexamples": [ { "Description": "A rogue or misconfigured gNB can disable IPSec encryption or use a weak IPSec encryption algorithm on backhaul interfaces such as N2, N3 and Xn. This can be used to launch other attacks. Clause D.2.2 of [1], clause 5.3.2 of [2].", "Name": "Compromised or misconfigured gNB" }, { "Description": "A rogue or misconfigured AMF can disable IPSec encryption or use a weak IPSec encryption algorithm on N2 and N26 interfaces. This can be used to launch other attacks. Clause K.2.1 of [1], clause 5.5.1 of [2].", "Name": "Compromised or misconfigured AMF" }, { "Description": "A rogue or misconfigured UPF can disable IPSec encryption or use a weak IPSec encryption algorithm on N3, N4 and N9 interfaces. This can be used to launch other attacks. 
Clause L.2.1 of [1], clauses 9.3 and 9.9 of [2].", "Name": "Compromised or misconfigured UPF" }, { "Description": "A rogue or misconfigured SMF can disable IPSec encryption or use a weak IPSec encryption algorithm on N4 interface. This can be used to launch other attacks. Clause 9.9 of [2]", "Name": "Compromised or misconfigured SMF" }, { "Description": "A rogue or misconfigured NF can disable the TLS encryption or use a weak TLS encryption algorithm to another NF including the SCP. Then it can launch other attacks to gain unauthorized access to network services. Clause 13.1 of [2]\n\nIf SCP is rogue or misconfigured, it can force TLS connections to all NFs to be unencrypted or use weak encryptions for all. Clause 5.9.2.4 of [2].", "Name": "Compromised or misconfigured NF" }, { "Description": "A rogue or misconfigured SEPP can disable TLS encryption or use a weak TLS encryption algorithm on N32-c interface or N32-f interface or both.\n\nA rogue or misconfigured SEPP can disable JWE encryption or use a weak encryption algorithm when the PRINS algorithm is used on N32-f. Then it can launch other attacks. Clauses 9.9, 13.1 and 13.2 of [2].", "Name": "Compromised or misconfigured SEPP or IPX component" }, { "Description": "A rogue or misconfigured AMF/MME can disable IPSec encryption or use a weak IPSec encryption algorithm on N26 interface. Then it can launch other attacks. Clause K.2.1 of [1], 8.4 of [2].", "Name": "Compromised or misconfigured MME/AMF" } ], "refs": [ "[1] 3GPP TR 33.926 “Security Assurance Specification (SCAS threats and critical assets in 3GPP network product classes”. - https://www.3gpp.org/DynaReport/33926.htm", "[2] 3GPP TS 33.501 “Security architecture and procedures for 5G System”. 
- https://www.3gpp.org/DynaReport/33501.htm", "https://fight.mitre.org/data%20sources/DS0015", "https://fight.mitre.org/data%20sources/DS0029", "https://fight.mitre.org/mitigations/M1018", "https://fight.mitre.org/mitigations/M1031", "https://fight.mitre.org/mitigations/M1041", "https://fight.mitre.org/mitigations/M1043", "https://fight.mitre.org/mitigations/M1046", "https://fight.mitre.org/mitigations/M1051", "https://fight.mitre.org/techniques/FGT1600.502" ], "status": "This is a theoretical behavior in context of 5G systems.", "subtechnique-of": "FGT1600", "typecode": "fight_subtechnique_to_attack_technique" }, "related": [ { "dest-uuid": "686a3700-8ee3-52d3-954f-d2ec4abf14aa", "type": "mitigated-by" }, { "dest-uuid": "519ee587-bcda-5021-997d-9fc257c4720a", "type": "mitigated-by" }, { "dest-uuid": "71801a06-41bd-5336-a539-e8bea9d647f7", "type": "mitigated-by" }, { "dest-uuid": "4d882eab-1588-508e-b3fc-f7221cad2db8", "type": "mitigated-by" }, { "dest-uuid": "3ea67e5f-f46e-5b5d-a987-0008b66fddfc", "type": "mitigated-by" }, { "dest-uuid": "f54f2c17-0cf6-536a-b52e-a886652815d6", "type": "mitigated-by" }, { "dest-uuid": "3c23d0f7-d55c-5891-90b9-c744e976f0ef", "type": "detected-by" }, { "dest-uuid": "becdcf31-3d2a-53bb-8251-51e9da4a0df6", "type": "detected-by" }, { "dest-uuid": "bb3c722d-a179-5bb9-bb66-0298fa30876d", "type": "subtechnique-of" } ], "uuid": "8f866b4a-0347-509a-9f10-78af24f4ae8a", "value": "Network Interfaces" }, { "description": "Adversaries may manipulate service or service delivery mechanisms prior to or while used by a mobile network operator (MNO) for the purpose of data or system compromise.\r\n\r\nThe adversary may use the compromised service as a means to apply additional techniques against interfaces exposed to the service provider such as the NEF. When the service provider hosts or provides core network functions, the adversary may attempt to compromise the 5G core components in the service provider environment, e.g. 
MEC hosted NFs (clause 5.13 of [1]), or through the service provider environment, attempt compromise of other core NFs not hosted in the MEC. \r\n\r\nWhen service providers are used for providing service to customers, the adversary may be in a position to compromise information about the subscriber. \r\n\r\nThe adversary, as an example, may also compromise software and/or hardware used by the service provider, such as opensource, as a technique to gain initial access or achieve other tactics within the service provider to provide a position for initial access to the MNO’s network. Open source software may be an attractive target for supply chain attacks, as detection, reporting, and patch availability timelines can provide a greater window of opportunity for vulnerabilities to be exploited.", "meta": { "access-required": "N/A", "architecture-segment": "RAN, Virtualization, OA&M", "bluf": "Adversaries may manipulate service or service delivery mechanisms prior to or while used by a mobile network operator (MNO) for the purpose of data or system compromise.", "criticalassets": [ { "Description": "Network Exposure Function is a likely target for adversaries in a MEC environment.", "Name": "NEF" }, { "Description": "Distributed deployment models may require third party transport service", "Name": "Transport network" }, { "Description": "Distributed deployment models may require third party MEC service", "Name": "MEC" }, { "Description": "RAN as a Service or Shared RAN", "Name": "RAN" }, { "Description": "Mobile Virtual Network Operators may completely rely on third-party provided services for their subscribers", "Name": "MVNO Core and RAN infrastructure" } ], "detections": [], "external_id": "FGT1195.502", "kill_chain": [ "fight:Initial-Access" ], "mitigations": [ { "fgmid": "M0817", "mitigates": "5G Operators should evaluate suppliers of services for their technical and administrative controls to ensure that they meet minimum standards for assured services. 
These evaluations may include SW, HW supply chain, personnel and process used for service creation.", "name": "Supply chain management" }, { "fgmid": "FGM5519", "mitigates": "5G operators should integrate performance and change management from their suppliers into their own OA&M tools to have complete visibility into service", "name": "Integrate Performance and Change Management" } ], "object-type": "technique", "platforms": "5G", "procedureexamples": [ { "Description": "Hardware used in service may be compromised in its build and delivery supply chain", "Name": "HW supply chain" }, { "Description": "Software used in service may be compromised in its build and delivery supply chain", "Name": "SW supply chain" }, { "Description": "OA&M tools in service have greater access to network elements; compromise of such tools provides the adversary access to the network providing the service", "Name": "OA&M tools" }, { "Description": "Service provider management may have nefarious intent for data collection or providing assistance to other nefarious actors", "Name": "Malicious Service provider" } ], "refs": [ "[1] 3GPP TS 23.501 “System architecture for the 5G System (5GS); Stage 2 (Release 17)” - https://www.3gpp.org/DynaReport/23501.htm", "[2] 3GPP TS 23.558: “Architecture for enabling Edge Applications” - https://www.3gpp.org/DynaReport/23558.htm", "[3] 3GPP TS 23.548: “5G System Enhancements for Edge Computing; Stage 2” - https://www.3gpp.org/DynaReport/23548.htm", "[4] ETSI, White Paper No. 
28, “MEC in 5G networks” - https://www.etsi.org/images/files/ETSIWhitePapers/etsi_wp28_mec_in_5G_FINAL.pdf", "https://fight.mitre.org/mitigations/FGM5519", "https://fight.mitre.org/mitigations/M0817", "https://fight.mitre.org/techniques/FGT1195.502" ], "status": "This is a theoretical behavior in context of 5G systems.", "subtechnique-of": "FGT1195", "typecode": "fight_subtechnique_to_attack_technique" }, "related": [ { "dest-uuid": "7d8ed7d5-df88-584a-93b7-7fa6d691418c", "type": "mitigated-by" }, { "dest-uuid": "008f43dc-d9df-5a55-ad70-8cd9fa35bc9b", "type": "mitigated-by" }, { "dest-uuid": "6d098b34-48eb-5f31-88ac-0a1f8028541c", "type": "subtechnique-of" } ], "uuid": "24e1a9d7-75fb-58e1-b9c9-560a91d17886", "value": "Compromise Service Supply Chain" }, { "description": "An adversary may intercept unencrypted radio transmissions of a UE’s SUCI to identify the IMSI/SUPI of the UE. \r\n\r\nAdversary can retrieve the IMSI/SUPI of UE if SUCI is sent unencrypted over the air. The adversary can launch other attacks on the subscriber with the IMSI/SUPI. \r\n\r\nWhen 5G UE is connected to 4G base station (eNB) in non-stand alone (NSA) mode, adversary uses an airlink signal analyzer to retrieve UE's permanent identity (IMSI/SUPI). All threats present in 4G network including IMSI/SUPI catching can materialize when UE is connected to network via 4G eNB.\r\n\r\nBackground information: The UE’s permanent identity, SUPI (SUbscriber Permanent Identifier), includes a home network identifier and a user-specific identifier, and is never sent unencrypted over the radio interface. Instead, a SUCI (SUbscriber Concealed Identifier) is sent when the UE goes through initial registration to the serving network procedures; this de-concealment operation can only be done by the UE’s home network. However, SUCI can be sent unencrypted over the air by UE in any of the following scenarios: \r\n\r\n1. When UE makes an emergency call and it does not have a 5G-GUTI\r\n \r\n2. 
If the home PLMN has configured \"NULL” SUCI-protection algorithm to be used\r\n\r\n3. If the home PLMN has not provisioned the public key needed to generate a SUCI \r\nRefer clause 6.12.2 of [1].\r\n\r\nNSA mode uses 4G core, and it uses two types of base stations: 4G & 5G for network access. Depending on the coverage area and network load, MNO chooses whether to connect the UE to the 5G base station (gNB) or to 4G base station (eNB). eNB typically covers a much larger area than gNB.", "meta": { "architecture-segment": "RAN", "bluf": "An adversary may intercept unencrypted radio transmissions of a UE's SUCI to identify the IMSI/SUPI of the UE.", "criticalassets": [ { "Description": "UE’s identity is obtained for subsequent attacks.", "Name": "UE privacy" } ], "detections": [ { "detects": "Monitor gNB and core network logs when:\n\n\nNull scheme is used for SUCI protection\n\n\nHome PLMN does not configure public key for SUCI protection", "fgdsid": "FGDS5017", "name": "Monitor null scheme usage" }, { "detects": "Monitor Provisioning logs for changes in Home network public key configuration, PLMN ID etc.", "fgdsid": "FGDS5018", "name": "Monitor provisioning logs" }, { "detects": "Monitor Operations logs for:\n\n\nUE makes an emergency call\n\n\nIn NSA mode, when 5G UE is ordered to connect to network via eNB", "fgdsid": "FGDS5019", "name": "Monitor operations logs" } ], "external_id": "FGT5019.004", "kill_chain": [ "fight:Discovery", "fight:Collection" ], "mitigations": [ { "fgmid": "M1041", "mitigates": "Always configure home PLMN public key in the UE. 
Do not use NULL scheme for SUCI encryption both in network configuration and in UE configuration.", "name": "Encrypt Sensitive Information" }, { "fgmid": "FGM5514", "mitigates": "Minimize the number of connections to eNB when using NSA mode, use eNB only when 5G coverage is not available or 5G network is overloaded.", "name": "Minimize eNB connections" } ], "object-type": "technique", "platforms": "5G", "postconditions": [ { "Description": "When UE identity is obtained, it allows the attacker to launch other attacks such as geolocation tracking, degradation of service, loss of traffic confidentiality, or physical attack.", "Name": "Target association" } ], "preconditions": [ { "Description": "Adversary requires sufficient signal to capture and decode all airlink messages (with low interference and high SNR).", "Name": "Ability to receive SUCI over the air" }, { "Description": "In NSA mode, 5G UE is directed to connect to eNB due to lack of 5G coverage in the area or network load situations.", "Name": "5G UE is directed to connect to 4G base station in NSA mode" } ], "procedureexamples": [ { "Description": "Adversary reads the SUCI from airlink messages using signal analyzer when it is sent in clear mode and extracts the IMSI/SUPI.\n\nThis is possible in the following scenarios:\n\n\nWhen UE makes an emergency call and it does not have a 5G-GUTI.\n\n\nIf the home PLMN has configured \"NULL” SUCI-protection algorithm to be used.\n\nIf the home PLMN has not provisioned the public key needed to generate a SUCI. 
\n\n\nUE is moved from a gNB to an eNB in NSA mode.", "Name": "Intercept IMSI/SUPI over the radio interface" } ], "refs": [ "[1] 3GPP TS 33.501 \" Security architecture and procedures for 5G system” - https://www.3gpp.org/DynaReport/33501.htm", "https://fight.mitre.org/data%20sources/FGDS5017", "https://fight.mitre.org/data%20sources/FGDS5018", "https://fight.mitre.org/data%20sources/FGDS5019", "https://fight.mitre.org/mitigations/FGM5514", "https://fight.mitre.org/mitigations/M1041", "https://fight.mitre.org/techniques/FGT5019.004" ], "status": "This is a theoretical behavior", "subtechnique-of": "FGT5019", "typecode": "fight_subtechnique" }, "related": [ { "dest-uuid": "71801a06-41bd-5336-a539-e8bea9d647f7", "type": "mitigated-by" }, { "dest-uuid": "91e3d6a4-6ced-5f66-8c05-65e2f4c6602d", "type": "mitigated-by" }, { "dest-uuid": "83cbc882-1b4a-5dd1-ae14-f49c7bb44eb9", "type": "detected-by" }, { "dest-uuid": "2e2e96ee-57ab-594a-b4b4-ac98bc0255a7", "type": "detected-by" }, { "dest-uuid": "57ca692f-8e22-5cc4-999c-391c2ad149f0", "type": "detected-by" }, { "dest-uuid": "0eaef533-4472-5d77-a665-3a40de657c70", "type": "subtechnique-of" } ], "uuid": "0fb6c06a-2c2e-5d38-85c3-bf0646f73e7d", "value": "Intercept unencrypted SUPI" }, { "description": "Adversary sends specifically crafted messages from an interconnect/interworking partner against roaming interface to gain access to the service function, e.g., SEPP, or to obtain information from the interworking facing service function.\r\nA semi-public application or service is one that is only reachable by an adversary over an interworking network that is typically only exposed to mobile network operators (MNO), internetwork packet exchange providers (IPX), Value Added Services (VAS) providers. An adversary that has previously compromised, through other techniques, another service on the interworking network may be in a position to use this technique against an operator’s interworking facing service interfaces. 
The adversary does not necessarily need to compromise a roaming partner but needs to be on a network which can reach the target interface.\r\n\r\nThe technique uses specifically formatted signaling messages to cause unexpected behavior that the adversary has previously determined to permit gaining access to the roaming interface system or network functions reachable via SEPP (N32), PCF (N24), HSS+UDM (N10, N8, S6a) or N3IWF interfaces. The specially crafted messages may also permit the collection of information about the targeted operator and its users. The adversary may target the SEPP itself or place specially crafted messages within legitimately authenticated messages that the SEPP passes to NFs that can result in compromise of the NF or information collection. N9 interfaces and non-3GPP interfaces exposed to interworking partners may also be targeted by adversaries. The technique [FGT1190](/techniques/FGT1190) covers internet facing service interfaces.", "meta": { "access-required": "N/A", "architecture-segment": "Roaming", "bluf": "Adversary sends specifically crafted messages from an interconnect/interworking partner against roaming interface to gain access to the service function, e.g. SEPP, or cause a denial of service (DoS).", "criticalassets": [ { "Description": "The Security Edge Protection Proxy (SEPP) is the primary target for this technique and represents a key interface point between the operator and other service providers, via N32, for roaming.", "Name": "SEPP" }, { "Description": "The User Plane Function (UPF) in the home provider network exposes the N9 interface to other providers and can be targeted using this technique. 
If the Home Public Land Mobile Network (HPLMN) UPF is compromised, sensitive data may be sniffed or potentially dropped.", "Name": "UPF" }, { "Description": "The home Policy Control Function (h-PCF) is exposed to the visited PCF (v-PCF) via N24 in a home routed roaming scenario.", "Name": "PCF" }, { "Description": "The HPLMN Unified Data Management (UDM) function is exposed via N10 to the Visited PLMN (VPLMN) Session Management Function + Packet Data Network Gateway Control (SMF+PGW-C) for local breakout roaming architecture. The VPLMN Access and Mobility Management Function (AMF) can also reach the Home Subscriber Server UDM (HSS+UDM) via N8. The VPLMN Mobility Management Entity (MME) can reach the HSS+UDM via S6a as well.", "Name": "HSS+UDM" }, { "Description": "The Non-3GPP Interworking Function (N3IWF) is exposed via the Y2 and NWu.", "Name": "N3IWF" } ], "detections": [ { "detects": "Monitor application logs for evidence of unexpected access requests or potential pattern of errors logged that might indicate attempts to create unexpected behavior", "fgdsid": "DS0015", "name": "Application Log" }, { "detects": "Monitor login session logs for evidence an adversary has created accounts or setup access after compromise of the service via specially formed packets on the service API", "fgdsid": "DS0028", "name": "Logon Session" }, { "detects": "Observe unusual traffic to the SEPP and any evidence of unusual source or destinations from the SEPP that might indicate a source of specially formed packets.", "fgdsid": "DS0029", "name": "Network Traffic" } ], "external_id": "FGT5029", "kill_chain": [ "fight:Initial-Access", "fight:Collection" ], "mitigations": [ { "fgmid": "FGM5010", "mitigates": "Redeploy SEPP regularly to prevent dwell time aka use non-persistence", "name": "Non-Persistent Services" }, { "fgmid": "M1050", "mitigates": "Use of a Web Application Firewall may only allow properly formatted service communication.", "name": "Exploit Protection" }, { "fgmid": 
"M1051", "mitigates": "Aggressive patching may reduce window of vulnerability if a known vulnerability", "name": "Update Software" } ], "object-type": "technique", "platforms": "SEPP, UPF", "preconditions": [ { "Description": "Adversary must have identified a vulnerability susceptible to the specially crafted message that results in an ability to use additional techniques.", "Name": "Vulnerability Identified" } ], "refs": [ "[1] “5G Security Assurance Specification (SCAS for the Security Edge Protection Proxy (SEPP network product class,“ TS 33.517 ver. 17.0.0, 3rd Generation Partnership Project (3GPP , Sec. 4.2.3.3-4.4, Jun. 2021 - https://www.3gpp.org/DynaReport/33517.htm", "[2] R. Pell, S. Moschoyiannis, E. Panaousis, R. Heartfield, “Towards dynamic threat modelling in 5G core networks based on MITRE ATT&CK”, October 2021 - https://arxiv.org/abs/2108.11206", "[3] “Security Edge Protection Proxy (SEPP ,” Broadforward, Amersfoort, Netherlands, Accessed: May 17, 2022 - https://www.broadforward.com/security-edge-protection-proxy/", "[4] “Security Assurance Specification (SCAS threats and critical assets in 3GPP network product classes,“ TR 33.926, 3GPP, Sec. 5.3.7.2. - https://www.3gpp.org/DynaReport/33926.htm", "[5] “System architecture for the 5G System (5GS ,”TS 23.501, 3GPP, Sec. 
4.2.8.2, 4.3.1, 4.3.2 - https://www.3gpp.org/DynaReport/23501.htm", "https://fight.mitre.org/data%20sources/DS0015", "https://fight.mitre.org/data%20sources/DS0028", "https://fight.mitre.org/data%20sources/DS0029", "https://fight.mitre.org/mitigations/FGM5010", "https://fight.mitre.org/mitigations/M1050", "https://fight.mitre.org/mitigations/M1051", "https://fight.mitre.org/techniques/FGT5029" ], "status": "This is a theoretical behavior in context of 5G systems.", "typecode": "fight_technique" }, "related": [ { "dest-uuid": "79bf7c2f-c083-52b6-b18d-c2eea6dfceb2", "type": "mitigated-by" }, { "dest-uuid": "3338eab7-16f1-5ba8-8e82-5faf0ed9b31a", "type": "mitigated-by" }, { "dest-uuid": "f54f2c17-0cf6-536a-b52e-a886652815d6", "type": "mitigated-by" }, { "dest-uuid": "3c23d0f7-d55c-5891-90b9-c744e976f0ef", "type": "detected-by" }, { "dest-uuid": "859ecf98-b107-5a3a-886e-dfb46999fe09", "type": "detected-by" }, { "dest-uuid": "becdcf31-3d2a-53bb-8251-51e9da4a0df6", "type": "detected-by" } ], "uuid": "bd424f22-d5f4-53ee-b713-08cf49540c40", "value": "Exploit Semi-public Facing Application" }, { "description": "An adversary may send specially crafted data to the UE over-the-air via the radio interface to execute malicious code. An adversary with a position to send data to the UE, such as control of an IMS service or the UPF may send data to the UE that can, using a previously identified vulnerability, cause adversary execution on the UE.\r\n\r\nThe adversary may identify a vulnerability in the radio interface through fuzzing techniques against the baseband and supporting chips used in the UE. Vulnerabilities that could enable an adversary to execute code include heap corruptions and use-after-frees[1]. Additionally, vulnerabilities such as buffer overflow vulnerabilities are often found due to insecure coding practices. 
Although fuzzing has been demonstrated to be a viable approach to identify vulnerabilities, vulnerabilities may be discovered by adversaries through additional techniques including physical examination/tampering and binary executable analysis.", "meta": { "access-required": "N/A", "architecture-segment": "UE", "bluf": "An adversary may send specially crafted data to the UE over-the-air via the radio interface to execute malicious code.", "detections": [], "external_id": "FGT1203.501", "kill_chain": [ "fight:Execution" ], "mitigations": [], "object-type": "technique", "platforms": "5G", "preconditions": [ { "Description": "Adversary must have identified a vulnerability in the target UE baseband or supporting chips to enable OTA exploitation.", "Name": "Identified vulnerability on baseband or supporting chips" } ], "procedureexamples": [ { "Description": "Proof of Concept demonstration of technique exploiting modem vulnerability from IMS service over an adversary controlled 5G core and base station.", "Name": "Adversary controlled IMS" } ], "refs": [ "[1] M.Grassi & X. Chen, “Over The Air Baseband Exploit: Gaining Remote Code Execution on 5G Smartphones,” retrieved May 16, 2023 - https://dl.acm.org/doi/abs/10.1145/3395351.3399360", "https://fight.mitre.org/techniques/FGT1203.501" ], "status": "This is a 5G-relevant behavior that has been demonstrated in a successful proof of concept", "subtechnique-of": "FGT1203", "typecode": "fight_subtechnique_to_attack_technique" }, "related": [ { "dest-uuid": "5e3ef71b-8af6-575f-88dc-b6823fabf786", "type": "subtechnique-of" } ], "uuid": "8ce24d56-2bc0-5b3c-8b70-5752336fee3c", "value": "Over-the-Air Input" }, { "description": "An adversary may send specially crafted data to the UE's application processor's interface to the baseband API to execute malicious code. 
The adversary with a position on the UE to communicate to the baseband API can execute malicious code on the baseband processing system.\r\n\r\nThe adversary may identify a vulnerability in the baseband API through fuzzing techniques[1]. Vulnerabilities that could enable an adversary to execute code include memory boundary violations, including buffer overflows that affect the stack and the heap on the baseband. Vulnerabilities such as buffer overflow vulnerabilities are often found due to insecure coding practices. Although fuzzing has been demonstrated to be a viable approach to identify vulnerabilities, vulnerabilities may be discovered by adversaries through additional techniques including physical examination/tampering and binary executable analysis.", "meta": { "access-required": "Privileged", "architecture-segment": "UE", "bluf": "An adversary may send specially crafted data to the UE's application processor's interface to the baseband API to execute malicious code.", "detections": [], "external_id": "FGT1203.502", "kill_chain": [ "fight:Execution" ], "mitigations": [], "object-type": "technique", "platforms": "5G, 4G, 3G", "preconditions": [ { "Description": "Exploitation requires the ability to communicate with the baseband API.", "Name": "Baseband API Access" } ], "refs": [ "[1] Imtiaz Karim, Fabrizio Cicala, Syed Rafiul Hussain, Omar Chowdhury, and Elisa Bertino. 2020. ATFuzzer: Dynamic Analysis Framework of AT Interface for Android Smartphones. 
Digital Threats 1, 4, Article 23 (December 2020 - https://dl.acm.org/doi/10.1145/3416125", "https://fight.mitre.org/techniques/FGT1203.502" ], "status": "This is a theoretical behavior in context of 5G systems.", "subtechnique-of": "FGT1203", "typecode": "fight_subtechnique_to_attack_technique" }, "related": [ { "dest-uuid": "5e3ef71b-8af6-575f-88dc-b6823fabf786", "type": "subtechnique-of" } ], "uuid": "b1625d6d-dc1e-5bb6-a9b3-9d5a7c474b24", "value": "Baseband API" }, { "description": "Adversaries may develop exploits that can be used during targeting.\r\n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1587/004)", "meta": { "access-required": "N/A", "addendums": [ "#### Addendum Name: Baseband Exploits\r\n##### Architecture Segments: UE\r\n An adversary may develop exploits that target the UE to execute malicious code. The adversary may identify a vulnerability in the UE modem and exploit this to execute malicious code. The adversary may need specific knowledge of the modems, e.g.[T1592.001]( https://attack.mitre.org/techniques/T1592/001/), used in specific UEs and exploits might be viable for specific models of UEs or the class of UE utilizing a specific version of firmware, e.g. [T1592.003]( https://attack.mitre.org/techniques/T1592/003/). Vulnerabilities may be discovered in multiple ways and exploiting the vulnerability may require previous use of techniques to obtain an operator RAN position or deploy a false base station, such as in [FGT1583.501]( https://fight.mitre.org/techniques/FGT1583.501), to which the UE would connect. 
\r\n" ], "architecture-segment": "UE", "bluf": "Adversaries may develop exploits that can be used during targeting.", "detections": [ { "detects": "Use of stack canaries by the firmware author can be used to detect manipulation of stack return addresses (e.g. by a stack overflow such as the one in the procedure example); a canary mismatch is only observable if the resulting abort or crash on the baseband is logged and reported.", "fgdsid": "DS0008", "name": "Kernel" } ], "external_id": "FGT1587.004", "kill_chain": [ "fight:Resource-Development" ], "mitigations": [], "object-type": "technique", "platforms": "UE Baseband", "preconditions": [ { "Description": "Adversary may need to deploy their own base station (and possibly core network) in a lab environment for exploit development and testing.", "Name": "Lab test environment" } ], "procedureexamples": [ { "Description": "Researchers [1] analyzed firmware for vulnerabilities and identified a stack overflow vulnerability in an XML parser inside the baseband that parses IMS messages.", "Name": "Stack Overflow" } ], "refs": [ "[1] M. Grassi and X. Chen, “Over The Air Baseband Exploit: Gaining Remote Code Execution on 5G Smartphones,” Retrieved May 16, 2023 - https://keenlab.tencent.com/zh/whitepapers/us-21-Over-The-Air-Baseband-Exploit-Gaining-Remote-Code-Execution-on-5G-Smartphones-wp.pdf", "[2] I. Karim, F. Cicala, et al., “ATFuzzer: Dynamic Analysis Framework of AT Interface for Android Smartphones,” Retrieved May 16, 2023 - https://dl.acm.org/doi/pdf/10.1145/3416125", "https://attack.mitre.org/techniques/T1587/004", "https://fight.mitre.org/data%20sources/DS0008", "https://fight.mitre.org/techniques/FGT1587.004" ], "status": "This is an observed behavior in Enterprise networks, and has been demonstrated in a proof of concept against a 5G UE baseband (see procedure example, reference [1]).", "subtechnique-of": "FGT1587", "typecode": "attack_subtechnique_addendum" }, "related": [ { "dest-uuid": "bbc3cba7-84ae-410d-b18b-16750731dfa2", "type": "related-to" }, { "dest-uuid": "2ba57b64-315a-54e9-a654-7780d104d173", "type": "detected-by" }, { "dest-uuid": "3c50055f-d371-54f1-b729-2109c06914fb", "type": "subtechnique-of" } ], "uuid": 
"a5795746-77d6-5569-896a-b5a64745b1a0", "value": "Exploits" }, { "description": "An adversary may create an operator network to facilitate applying techniques to a victim UE.\r\n\r\nAn adversary may create a fully functional operator network such as a 5G core and false base station to exploit the user and/or UE. Creation of a false base station may not be sufficient in a 5G network to further the adversary’s objectives due to security improvements from earlier generations. The availability of open 5G core and RAN software and services make this viable for an adversary. The adversary, controlling the 5G network the UE attaches, via additional techniques, such as [FGT1583.501](https://fight.mitre.org/techniques/FGT1583.501/), may redirect the UE or use [FGT1562.501](https://fight.mitre.org/techniques/FGT1562.501) to perform a downgrade attack to weaken end-to-end security. Techniques such as [FGT5009]( https://fight.mitre.org/techniques/FGT5009/) may also be utilized by the adversary to evade defenses.", "meta": { "access-required": "N/A", "architecture-segment": "RAN, Control Plane, User Plane", "bluf": "An adversary may create an operator network to facilitate applying techniques to a victim UE.", "detections": [], "external_id": "FGT1587.501", "kill_chain": [ "fight:Resource-Development" ], "mitigations": [ { "fgmid": "M1056", "mitigates": "The development aspect is not visible to the UE or Operator and is therefore not easily or possible to mitigate.", "name": "Pre-compromise" } ], "object-type": "technique", "platforms": "5G", "refs": [ "[1] M.Grassi and X. Chen, “Over The Air Baseband Exploit: Gaining Remote Code Execution on 5G Smartphones”, Retrieved May 16, 2023. 
- https://keenlab.tencent.com/zh/whitepapers/us-21-Over-The-Air-Baseband-Exploit-Gaining-Remote-Code-Execution-on-5G-Smartphones-wp.pdf", "https://fight.mitre.org/mitigations/M1056", "https://fight.mitre.org/techniques/FGT1587.501" ], "status": "This a 5G relevant behavior that has been demonstrated in a successful proof of concept", "subtechnique-of": "FGT1587", "typecode": "fight_subtechnique_to_attack_technique" }, "related": [ { "dest-uuid": "7d8b78b4-09f2-516d-b81e-1b3dc8336d08", "type": "mitigated-by" }, { "dest-uuid": "3c50055f-d371-54f1-b729-2109c06914fb", "type": "subtechnique-of" } ], "uuid": "6c6aaa20-ac32-52e3-9849-c97e292cf9e0", "value": "Operator Network" }, { "description": "An adversary obtains use of network or signaling infrastructure in order to apply techniques against 5G networks.\r\n\r\nAn adversary may attempt to legitimately or illegitimately acquire network or signaling, e.g. SS7, infrastructure capabilities that are able to communicate with other operator environments. Unlike [T1650 – Acquire Access](https://attack.mitre.org/techniques/T1650), the adversary is not acquiring access through an underground market and the adversary may be part of a legitimate organization that has obtained access. The adversary, working within the legitimate organization, may then use that legitimately obtained access in unauthorized ways. The adversary may also be acquiring infrastructure access through coercion or subterfuge from a legitimate operator or service provider. 
The adversary may use this network infrastructure, however obtained, as a position to apply additional follow-on behaviors.", "meta": { "access-required": "N/A", "architecture-segment": "Control Plane", "bluf": "An adversary obtains use of network or signaling infrastructure, legitimately or illegitimately, in order to apply techniques against 5G networks.", "detections": [ { "detects": "Logs from firewalls may be useful for detecting adversary activities through signaling or via other network access protocols protected by firewalls. Where the access was legitimately obtained, firewall logs will show authorized sessions; baseline each partner's normal traffic volume, message types and targeted subscribers so that misuse of legitimate access stands out.", "fgdsid": "DS0018", "name": "Firewall" } ], "external_id": "FGT1583.508", "kill_chain": [ "fight:Resource-Development" ], "mitigations": [ { "fgmid": "M1037", "mitigates": "Use of firewall capabilities may allow filtering for a number of different paths, protocols, and networks. Firewall capability may permit restrictions on SS7, SMS, IP, Diameter and other protocols.", "name": "Filter Network Traffic" } ], "object-type": "technique", "platforms": "5G", "refs": [ "[1] “NSO offered ‘bags of cash’ for access to U.S. cell networks, whistleblower claims,” Washington Post. Accessed: Apr. 11, 2023. [Online]. - https://www.washingtonpost.com/technology/2022/02/01/nso-pegasus-bags-of-cash-fbi/", "[2] “NSO Group's Recent Difficulties Could Shape the Future of the Spyware Industry,” Infosecurity Magazine, Accessed: Sep. 
11, 2011.online] - https://www.infosecurity-magazine.com/news-features/nso-groups-difficulties-spyware/", "https://attack.mitre.org/techniques/T1650", "https://fight.mitre.org/data%20sources/DS0018", "https://fight.mitre.org/mitigations/M1037", "https://fight.mitre.org/techniques/FGT1583.508" ], "status": "This is a theoretical behavior in context of 5G systems.", "subtechnique-of": "FGT1583", "typecode": "fight_subtechnique_to_attack_technique" }, "related": [ { "dest-uuid": "d21bb61f-08ad-4dc1-b001-81ca6cb79954", "type": "related-to" }, { "dest-uuid": "ed391833-59f3-5049-9017-66427a8d8a17", "type": "mitigated-by" }, { "dest-uuid": "1ede7e7c-4b97-5bad-b45f-559cdc364c62", "type": "detected-by" }, { "dest-uuid": "0d34588f-990e-5b8a-800a-f5ab55389ddc", "type": "subtechnique-of" } ], "uuid": "0a3439d9-ff83-51cb-9661-65c311c87723", "value": "Network Access" }, { "description": "An adversary may send crafted GTP-U packets to the UPF/PGW in order to establish an illicit session with a target UE.\r\n\r\nAdversary may send an encapsulated GTP-U packet to UPF/PGW from the internet with destination IP of inner IP the same as UE’s private IP address and source IP of inner IP as its own IP or a server IP on the internet which is controlled by the adversary. UPF/PGW forwards the GTP-U packet to gNB/eNB. gNB/eNB decapsulates the GTP-U header and forwards the inner packet to the victim UE. UE responds to the message. The response message is received either by the adversary or by an adversary controlled malicious server on the internet. Thus, adversary establishes a two-way communication to the victim UE. 
Once the session is established, adversary can launch further attacks such as inserting malware, execute Remote Procedure Call (RPC) etc.", "meta": { "architecture-segment": "RAN, User Plane, UE", "bluf": "An adversary may send crafted GTP-U packets to the UPF/PGW in order to establish an illicit session with a target UE.", "criticalassets": [ { "Description": "UE’s privacy is violated by the data session established by adversary.", "Name": "UE security is impacted" } ], "detections": [ { "detects": "Monitor incoming packets on N6/SGi interface for any unauthorized data sessions.", "fgdsid": "DS0029", "name": "Network Traffic" }, { "detects": "Examine all IP packets received from the internet at UPF/PGW with encapsulated GTP-U payload.", "fgdsid": "FGDS5016", "name": "Payload checking" } ], "external_id": "FGT1572.501", "kill_chain": [ "fight:Initial-Access" ], "mitigations": [ { "fgmid": "FGM5498", "mitigates": "GTP firewall can be used to prevent GTP-U based frauds. GTP in GTP Identification can be used to prevent GTP reflection attacks. [2]", "name": "Limit incoming signaling and user plane traffic" }, { "fgmid": "M1031", "mitigates": "Network Intrusion Prevention.", "name": "Network Intrusion Prevention" }, { "fgmid": "M1041", "mitigates": "Use IPSec tunnel between gNB and UPF to prevent Adversary on the side (AoTS) attacks.", "name": "Encrypt Sensitive Information" } ], "object-type": "technique", "platforms": "5G", "postconditions": [ { "Description": "UE is subject to further attacks such as malware insertion, RPC execution etc.", "Name": "UE security is compromised" } ], "preconditions": [ { "Description": "Adversary figures out UE’s private IP address by using open-source IP address scanning tools such as Shodan and they also figure out the TEID being used by the network. 
[See FGT5031 Discover TEID]\n\nNote: For LTE, the adversary needs to know TEIDs of two GTP tunnels: TEIDs on S5 and S1-U interfaces.", "Name": "Adversary has knowledge of UE IP address and TEID" } ], "procedureexamples": [ { "Description": "Adversary may send encapsulated GTP-U packet to UPF/PGW from the internet with destination IP of inner IP the same as UE’s private IP address and source IP of inner IP as its own IP or a server IP on the internet which is controlled by the adversary. UPF/PGW forwards the GTP-U packet to gNB/eNB. gNB/eNB decapsulates the GTP-U header and forwards the inner packet to the victim UE. UE responds to the message. The response message is received either by the adversary or by an adversary controlled malicious server on the internet. Thus, adversary establishes a two-way communication to the victim UE. [1]\n\nAdversary may launch further attacks on victim UE such as inserting malware, execute Remote Procedure Call (RPC) etc.\n\nNote: For LTE, two GTP tunnels are used in the user plane. The first GTP tunnel is between PGW and SGW-U on S5 interface and the second GTP tunnel is between SGW-U and eNB on S1-U interface. Hence, the adversary needs to know the TEID of both GTP tunnels to launch this attack.", "Name": "Two way session is established between victim UE and adversary" } ], "refs": [ "[1] Trend Micro article: “Outside Looking In: How a Packet Reflection Vulnerability Could Allow Attackers to Infiltrate Internal 5G Networks” - https://www.trendmicro.com/vinfo/us/security/news/internet-of-things/plague-private-5g-networks", "[2] A10 Networks article: “GTP FIREWALL IN 4G AND 5G MOBILE NETWORKS STRONG PROTECTION FOR ALL GTP INTERFACES”. 
- https://www.a10networks.com/wp-content/uploads/A10-SB-19202-EN.pdf", "https://fight.mitre.org/data%20sources/DS0029", "https://fight.mitre.org/data%20sources/FGDS5016", "https://fight.mitre.org/mitigations/FGM5498", "https://fight.mitre.org/mitigations/M1031", "https://fight.mitre.org/mitigations/M1041", "https://fight.mitre.org/techniques/FGT1572.501" ], "status": "This is a theoretical behavior", "subtechnique-of": "FGT1572", "typecode": "fight_subtechnique_to_attack_technique" }, "related": [ { "dest-uuid": "d5c6ff64-176e-5935-9d33-7d7b78fd2b14", "type": "mitigated-by" }, { "dest-uuid": "519ee587-bcda-5021-997d-9fc257c4720a", "type": "mitigated-by" }, { "dest-uuid": "71801a06-41bd-5336-a539-e8bea9d647f7", "type": "mitigated-by" }, { "dest-uuid": "becdcf31-3d2a-53bb-8251-51e9da4a0df6", "type": "detected-by" }, { "dest-uuid": "d1c31410-6e09-5596-a3f4-845be02da979", "type": "detected-by" }, { "dest-uuid": "d1feaf56-ae8c-5726-b17b-0149ce7a91f7", "type": "subtechnique-of" } ], "uuid": "1bb0f047-9620-5b17-9600-67fde122add6", "value": "UE Access via GTP-U" }, { "description": "An adversary may discover a valid GTP-U TEID in order to apply additional techniques.\r\n\r\nThe GPRS Tunneling Protocol - User plane (GTP-U) is a protocol in both 4G and 5G that tunnels user data packets between the radio network (gNB/eNB) and the User Plane Function (UPF) in 5G, Serving Gateway (SGW) in 4G. In 4G, there is another GTP-U tunnel between SGW and Packet Data Network (PDN) Gateway (PGW). The GTP-U protocol header has a Tunnel Endpoint ID (TEID). Each UE is assigned a unique TEID for the GTP-U tunnel and it is used to carry data from multiple QoS flows. In order to apply additional techniques like hijacking the tunnel, the adversary needs to discover a valid TEID.\r\n\r\nAdversary may try to guess the TEID by sending a large number of encapsulated GTP-U packets to the UPF/PGW from the internet with different TEIDs, until a valid one is found. 
UPF/PGW forwards those packets to the UE through GTP-U tunnels. Following GTP-U tunnels are used: In 5G, N3 GTP-U tunnel between UPF and gNB, in 4G, S1-U GTP-U tunnel between SGW and eNB and S5 GTP-U tunnel between SGW and PGW. When target IP address and TEID match, the adversary may receive a response indicating success. Some core networks show affinity to certain ranges of TEIDs under certain conditions, making brute forcing easier. Once TEID is known, further attacks can be launched to slow down or crash the targeted UE.", "meta": { "architecture-segment": "User Plane", "bluf": "An adversary may discover a valid GTP-U TEID in order to apply additional techniques.", "criticalassets": [ { "Description": "UE’s sensitive data such as its private IP address and GTP-U tunnel id (TEID) are revealed to adversary.", "Name": "UE privacy" } ], "detections": [ { "detects": "Monitor incoming packets on N6 and SGi interfaces for any unauthorized data sessions.", "fgdsid": "DS0029", "name": "Network Traffic" }, { "detects": "Inspect the payloads of all incoming packets to filter encapsulated GTP-U on internet facing interface of UPF and PGW.", "fgdsid": "FGDS5016", "name": "Payload checking" } ], "external_id": "FGT5031", "kill_chain": [ "fight:Discovery" ], "mitigations": [ { "fgmid": "M1031", "mitigates": "Network Intrusion Prevention.", "name": "Network Intrusion Prevention" }, { "fgmid": "M1041", "mitigates": "Use IPSec between gNB and UPF, eNB and SGW, SGW and PGW. 
Use strong encryption algorithms to prevent eavesdropping on subscriber payload data including their private IP addresses.", "name": "Encrypt Sensitive Information" }, { "fgmid": "FGM5507", "mitigates": "Randomize TEID allocations.", "name": "TEID allocation" }, { "fgmid": "FGM5508", "mitigates": "Refresh TEIDs frequently to make discovery of TEID to UE IP address mapping harder.", "name": "Refresh TEIDs" } ], "object-type": "technique", "platforms": "5G", "preconditions": [ { "Description": "Retrieve the target UE’s private IP address using open-source search engines e.g. shodan.", "Name": "Obtain victim UE’s private IP address" } ], "procedureexamples": [ { "Description": "Adversary sends large number of encapsulated GTP-U packets with different TEIDs to a particular UE whose IP address is known to the adversary. Encapsulated GTP-U packets are sent from the internet to UPF/PGW and UPF/PGW forwards those packets to the UE via gNB/eNB. If response is received for a GTP-U packet, UE’s TEID will be known to the adversary. [1]\n\nFor example, adversary may launch further attacks such as GTP-U tunnel hijack and DoS to the target UE.\n\nIn 5G, the TEID of N3 GTP-U tunnel needs to be discovered by the adversary. 
In 4G, the adversary needs to discover TEID of S1-U GTP-U tunnel and S5 GTP tunnel.", "Name": "Send large number of GTP-U packets via UPF/PGW/SGW to the target UE" } ], "refs": [ "[1] TrendMicro publication: “A Deep Dive into the Packet Reflection Vulnerability Allowing Attackers to Plague Private 5G Networks - Security News.” - https://www.trendmicro.com/vinfo/us/security/news/internet-of-things/plague-private-5g-networks", "https://fight.mitre.org/data%20sources/DS0029", "https://fight.mitre.org/data%20sources/FGDS5016", "https://fight.mitre.org/mitigations/FGM5507", "https://fight.mitre.org/mitigations/FGM5508", "https://fight.mitre.org/mitigations/M1031", "https://fight.mitre.org/mitigations/M1041", "https://fight.mitre.org/techniques/FGT5031" ], "status": "This a 5G relevant behavior that has been demonstrated in a successful proof of concept", "typecode": "fight_technique" }, "related": [ { "dest-uuid": "519ee587-bcda-5021-997d-9fc257c4720a", "type": "mitigated-by" }, { "dest-uuid": "71801a06-41bd-5336-a539-e8bea9d647f7", "type": "mitigated-by" }, { "dest-uuid": "3ccf3180-9e3b-56e1-b135-aa7815d11d2f", "type": "mitigated-by" }, { "dest-uuid": "77b802ef-08b6-5cfa-bc8e-408493d6d502", "type": "mitigated-by" }, { "dest-uuid": "becdcf31-3d2a-53bb-8251-51e9da4a0df6", "type": "detected-by" }, { "dest-uuid": "d1c31410-6e09-5596-a3f4-845be02da979", "type": "detected-by" } ], "uuid": "a7d496b8-5fa7-5009-afdf-95f2e5ff0b82", "value": "Discover TEID" }, { "description": "An adversary controlled UE may be used to send crafted NAS messages to AMF to crash or slow down the AMF.\r\n\r\nAMF processes registration request messages from UE and it works with other NFs in the core to respond to those messages. By sending crafted NAS messages from UE, an adversary may force 5G core AMF or other Control Plane functions to go into undefined states, and might result in DoS. UEs use NAS connection (via N1 interface) to the core AMF function. 
A specially crafted message can be used to cause coding or parsing error which can potentially crash the AMF. Existing UEs and new UEs may not be able to get service from the 5G network.", "meta": { "architecture-segment": "Control Plane", "bluf": "An adversary controlled UE may be used to send crafted NAS messages to AMF to crash or slow down the AMF.", "criticalassets": [ { "Description": "5G core network functions can be slowed down or crashed which causes temporary network outage for UEs and gNBs.", "Name": "Core network functions" } ], "detections": [ { "detects": "Examine all header fields of control plane messages received in the uplink direction from UE to the core.\nThis can be done either by logging all messages received by the NF or by using a proxy or firewall at the core network entry point.", "fgdsid": "DS0029", "name": "Network Traffic" }, { "detects": "Test all software patches for each core NF.", "fgdsid": "FGDS5015", "name": "Image verification" } ], "external_id": "FGT1498.503", "kill_chain": [ "fight:Impact" ], "mitigations": [ { "fgmid": "FGM5511", "mitigates": "Check for NAS message with incorrect or very large length, examine all header fields. Improve message parsing mechanism by discarding messages with improper header lengths.", "name": "Verify NAS messages from UE" }, { "fgmid": "FGM5512", "mitigates": "Use high availability feature for all core network functions.", "name": "Use high availability" } ], "object-type": "technique", "platforms": "5G", "postconditions": [ { "Description": "Some 5G core network services will be unavailable causing temporary network outage.", "Name": "Network services unavailable" } ], "preconditions": [ { "Description": "A compromised COTS UE or a UE with open-source code running in an SDR can be used to run malicious application code. 
This can be used to generate the specially crafted NAS message to be sent towards AMF.", "Name": "Compromise a UE or a purpose built UE" } ], "procedureexamples": [ { "Description": "Adversary controlled UE sends a crafted NAS message towards AMF with the length field increased to a very large value. If AMF does not do proper header parameters check including length check, it can cause buffer overflow in the AMF which can force AMF to go to an undefined state or crash. This will cause Denial of Service for existing and future UEs. [1,2,3]", "Name": "AMF is targeted from UE using malformed NAS message" } ], "refs": [ "[1] Github post: “[NAS] fix the security issue (ZDI-CAN-14043 ” - https://github.com/open5gs/open5gs/commit/00c96a3f0ffd12c4330bee9a3f9596f8e4b86b6f", "[2] CVE-2021-44081: “A buffer overflow vulnerability exists in the AMF of open5gs 2.1.4. When the length of MSIN in Supi exceeds 24 characters, it leads to AMF denial of service.” - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44081", "[3] CVE-2022-43677: “A crafted malformed NGAP message can crash AMF and NGAP decoder”. 
- https://github.com/free5gc/free5gc/issues/402", "https://fight.mitre.org/data%20sources/DS0029", "https://fight.mitre.org/data%20sources/FGDS5015", "https://fight.mitre.org/mitigations/FGM5511", "https://fight.mitre.org/mitigations/FGM5512", "https://fight.mitre.org/techniques/FGT1498.503" ], "status": "This a 5G relevant behavior that has been demonstrated in a successful proof of concept", "subtechnique-of": "FGT1498", "typecode": "fight_subtechnique_to_attack_technique" }, "related": [ { "dest-uuid": "3ba69d47-68a4-50dc-b186-1f95d00879e0", "type": "mitigated-by" }, { "dest-uuid": "6ec79399-e952-5232-a6f3-9570dd2b328e", "type": "mitigated-by" }, { "dest-uuid": "becdcf31-3d2a-53bb-8251-51e9da4a0df6", "type": "detected-by" }, { "dest-uuid": "9325a5c1-d001-53cc-b556-749181f60f6a", "type": "detected-by" }, { "dest-uuid": "8583ca5f-ce71-5341-abda-f2b110994b7a", "type": "subtechnique-of" } ], "uuid": "8bb2a143-8c23-5de4-8c85-4b8df958ddc3", "value": "UE DoS to AMF" }, { "description": "An adversary-controlled UE may be used to send a GTP-U packet to UPF/PGW with a malicious payload in order to evade UPF/PGW routing controls to establish communications with a core NF.\r\n\r\nThe UPF/PGW is the core network function supporting the user plane. It tunnels user data packets from the radio access networks (gNB/eNB) towards data networks (such as the Internet). Other core network functions (NFs) - such as the Session Management Function (SMF) - support the control plane. In this threat, a user plane packet crosses over to the control plane. \r\n\r\nThe UPF/PGW normally processes GTP-U packets to and from the radio access network (gNB/eNB). A GTP-U packet, after the header is stripped, should contain a regular user data IP packet, with the source IP address of the UE, and the destination an external IP address (Internet). However, in this case, it contains a control packet addressed to a core network function for instance the SMF. 
The UPF/PGW should then drop this packet, but in some implementations it was found that the UPF/PGW may instead route it as indicated.\r\n\r\nThus, if UPF/PGW does not do proper parameter checks, it may route the packet to an improper destination such as a core network function in the control plane e.g. SMF, it can cause the NF to go to an undefined state and the NF may crash.", "meta": { "architecture-segment": "User Plane", "bluf": "An adversary-controlled UE may be used to send a GTP-U packet to UPF/PGW with a malicious payload in order to evade UPF/PGW routing controls to establish communications with a core NF.", "criticalassets": [ { "Description": "Core NF is illegitimately accessed from the UE via user plane function UPF/PGW.", "Name": "Core network functions accessed from the user plane" } ], "detections": [ { "detects": "Examine all header fields and encapsulated payload of user plane packets received in the uplink direction from UE.", "fgdsid": "DS0029", "name": "Network Traffic" } ], "external_id": "FGT1599.505", "kill_chain": [ "fight:Defense-Evasion" ], "mitigations": [ { "fgmid": "FGM5510", "mitigates": "Do not allow any packets received from UE which has destination address set to a core NF’s IP address.", "name": "Filter packets to core NF sent by UE" } ], "object-type": "technique", "platforms": "5G", "postconditions": [ { "Description": "Core network function is DoS’ed from the user plane.", "Name": "Core network functions impacted" } ], "preconditions": [ { "Description": "A COTS UE or SDR UE can be used to prepare specially crafted GTP-U packets to be sent to towards UPF/PGW.", "Name": "Compromise a UE" } ], "procedureexamples": [ { "Description": "This is a UP to CP cross-over or network boundary bridging attack. A specially crafted GTP-U packet containing a control plane packet is sent by the adversary controlled UE to the UPF/PGW, e.g. a tunneled GTP-U packet can be sent to trick the UPF/PGW. 
The payload packet contains the NF IP address as the destination IP.\n\n\nWithout proper parameter validation, UPF/PGW may send the GTP-U payload to the destination address in the control plane which can be SMF. The message can cause the SMF to go to an undefined state and it may crash the SMF.", "Name": "Core NF is attacked from UE using tunneled GTP-U packets via UPF/PGW" } ], "refs": [ "https://fight.mitre.org/data%20sources/DS0029", "https://fight.mitre.org/mitigations/FGM5510", "https://fight.mitre.org/techniques/FGT1599.505" ], "status": "This is a theoretical behavior", "subtechnique-of": "FGT1599", "typecode": "fight_subtechnique_to_attack_technique" }, "related": [ { "dest-uuid": "cb938ec5-708c-5292-acaa-41f8d3c33fbb", "type": "mitigated-by" }, { "dest-uuid": "becdcf31-3d2a-53bb-8251-51e9da4a0df6", "type": "detected-by" }, { "dest-uuid": "45468bb6-5eb7-5f36-922a-5ee8f3da68d0", "type": "subtechnique-of" } ], "uuid": "c7b888fb-5cff-5e2f-bb9a-1812b325f935", "value": "GTP-U Abuse" }, { "description": "An adversary may send an unsolicited SS7/Diameter message to the core network of a UE that will cause the core network to provide IMSI/SUPI of the UE.\r\n\r\nAn operator’s network consists of a 5G Core and also auxiliary systems such as the IP Multimedia System (IMS). The IMS is used to provide voice and SMS services; this is accomplished via traditional protocols SS7 and Diameter between the IMS and 5G core functions. This subtechnique covers the abuse of such legitimate signaling to obtain the permanent identifier of a UE. Once the IMSI/SUPI is obtained, adversary may launch further attacks such as retrieving location of the UE, network slice and data network that are being used by the UE etc.\r\n \r\nBackground info:\r\n5G SA core has interfaces to IMS core to support voice and SMS services. Diameter/SS7 attacks. 
In signaling plane, voice service uses Diameter based Rx interface between PCF and P-CSCF in IMS, Diameter based Sh interface between HSS/UDM and TAS in IMS, Diameter based Cx interface between HSS/UDM and I/S-CSCF. It also uses SIP/SDP based Gm interface between UPF and P-CSCF in the user plane. SMS over NAS service uses SS7 (MAP) based interface and S6c Diameter based interface from UDM to SMSC. It also uses MAP and SGd (Diameter) interfaces from SMSF to SMSC.", "meta": { "access-required": "N/A", "architecture-segment": "Control Plane", "bluf": "An adversary may send an unsolicited SS7/Diameter message to the core network of a UE that will cause the core network to provide IMSI/SUPI of the UE.", "criticalassets": [ { "Description": "Subscriber’s identity is revealed to the adversary.", "Name": "UE’s privacy is compromised" } ], "detections": [ { "detects": "Monitor all communications over Diameter and SS7/MAP based interfaces to/from core network.", "fgdsid": "DS0029", "name": "Network Traffic" } ], "external_id": "FGT5019.005", "kill_chain": [ "fight:Discovery", "fight:Collection" ], "mitigations": [ { "fgmid": "FGM5004", "mitigates": "Use SMS router or firewall", "name": "Correctly configure SMS firewall" }, { "fgmid": "FGM5513", "mitigates": "Use Diameter End-to-end Signaling Security (DESS). 
Section 6.5.3 of [4].", "name": "Use DESS security" } ], "object-type": "technique", "platforms": "5G Network", "postconditions": [ { "Description": "If IMSI/SUPI is obtained, many other subsequent attacks are possible such as retrieving subscriber location, network slice, data network of the UE.", "Name": "IMSI/SUPI is available to the adversary" } ], "preconditions": [ { "Description": "Adversary collects victim UE’s phone number from subscriber’s physical address using internet based services such as numlooker.com.", "Name": "MSISDN or phone number of victim UE is known to adversary" } ], "procedureexamples": [ { "Description": "Diameter protocol:\nAdversary sets up a fake SMSC and then sends a specially crafted Send-Routing-Info-for-SM-Request (SRR) with victim UE’s MSISDN to HSS/UDM. If SMS router/firewall is not set up or if it is set up incorrectly, HSS/UDM will return the IMSI/SUPI of the UE and the identity of the AMF/MME currently serving the UE in the Send-Routing-Info-for-SM-Answer (SRA) response message.\n\nSS7 protocol:\nAdversary sets up a fake SMSC and then sends a specially crafted MAP SendRoutingInfoForSM (SRI-SM) request with victim UE’s MSISDN to HSS/UDM. If SMS router/firewall is not set up or if it is set up incorrectly, HSS/UDM will return the IMSI/SUPI of the UE and the identity of the AMF/MME currently serving the UE in the SRI-SM response. [1, 2]", "Name": "UE’s IMSI/SUPI is retrieved using SRR message" }, { "Description": "Diameter protocol: Adversary sets up an application server and sends a specially crafted User Data Request (UDR) message with victim UE’s MSISDN to HSS/UDM. If HSS/UDM is not configured properly, HSS/UDM will return the IMSI/SUPI of the UE in User Data Answer (UDA) response message. [2]", "Name": "UE’s IMSI/SUPI is retrieved using Diameter UDR message" } ], "refs": [ "[1] International Conference on Cyber Conflict 2016: “We know where you are”. 
- https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7529440", "[2] Positive Technologies article: “Next Generation Networks, Next Level Cyber Security Problems” - https://www.ptsecurity.com/upload/iblock/a8e/diameter_research.pdf", "[3] Broadforward’s SS7/MAP Firewall - https://www.broadforward.com/ss7-firewall-ss7fw/", "[4] GSMA IR.88 “EPS Roaming Guidelines”. - https://www.gsma.com/newsroom/wp-content/uploads/IR.88-v22.0.pdf", "https://fight.mitre.org/data%20sources/DS0029", "https://fight.mitre.org/mitigations/FGM5004", "https://fight.mitre.org/mitigations/FGM5513", "https://fight.mitre.org/techniques/FGT5019.005" ], "status": "Observed in earlier 3GPP generations and expected in 5G.", "subtechnique-of": "FGT5019", "typecode": "fight_subtechnique" }, "related": [ { "dest-uuid": "b6db0fd1-7f3d-5873-bce6-6a2c56b2af9c", "type": "mitigated-by" }, { "dest-uuid": "4b4e1865-22c1-5a4e-a816-5285c94a126b", "type": "mitigated-by" }, { "dest-uuid": "becdcf31-3d2a-53bb-8251-51e9da4a0df6", "type": "detected-by" }, { "dest-uuid": "0eaef533-4472-5d77-a665-3a40de657c70", "type": "subtechnique-of" } ], "uuid": "b703c8f8-28b1-5fb3-8cbd-a1b154fddc68", "value": "Diameter signaling" }, { "description": "Malicious xApps may gain unauthorized access to near-RT RIC and E2 nodes, in order to affect Radio Access Network (RAN) behavior. \r\n\r\nxApps are application software that may be developed by third party vendors. They reside in the Near Real Time (near-RT) RAN Intelligent Controller (RIC) after onboarding is done by ORAN orchestration system. Near-RT RICs control and optimize RAN functions for events ranging from 10 ms to 1 sec. xApps manage Radio Resource Management (RRM) functions of RAN via E2 interface. The following components are controlled by xApps by using APIs: E2 nodes such as O-DU, O-RU, O-CU-CP and O-CU-UP. 
Near-RT RIC and xApps are managed by non-RT RIC via A1 interface for RAN optimizations and by SMO via O1 interface for lifecycle management.\r\n\r\nDuring onboarding of xApps, malware may be installed by the adversary in xApps which can gain unauthorized access to near-RT RIC by exploiting weak or misconfigured authentication mechanism in near-RT RIC. A malicious xApp image may be crafted by the adversary and then installed in near-RT RIC during onboarding. A legitimate xApp may be cloned in near-RT RIC by an insider adversary.\r\n\r\nOnce installed in near-RT RIC, the rogue xApp may indirectly access E2 nodes via APIs by penetrating traffic separating firewalls within ORAN. The rogue xApp may change behavior of near-RT RIC which will impact RAN functions such as coverage, network slicing, QoS etc.", "meta": { "architecture-segment": "O-RAN, RAN", "bluf": "Malicious xApps may gain unauthorized access to near-RT RIC and E2 nodes, in order to affect Radio Access Network (ran) behavior.", "criticalassets": [ { "Description": "Adversary may impact normal RAN functions.", "Name": "Near-RT RIC function: RAN optimization" }, { "Description": "Adversary may disrupt RAN operations by changing UE’s slice priority and QoS parameters which results in denying new connections or dropping existing connections.", "Name": "RAN configuration data" }, { "Description": "UE data includes UE’s coarse location, temporary identifier and correlation of UE temporary identifier to other service related data e.g. DNN, NSSAI etc. See clause 6.2.1 of [2].", "Name": "UE data" }, { "Description": "Adversary has read/write access to database containing sensitive network data such as QoS policies and slice priority.", "Name": "Sensitive network data" } ], "detections": [ { "detects": "Monitor access token usage by xApps.", "fgdsid": "DS0006", "name": "Web Credential" }, { "detects": "Perform real-time audits and post-processing of logs.\nDetect which parts of the RAN is accessed by each xApp e.g. 
O-DU, O-CU-CP, O-CU-UP, O-RU etc.", "fgdsid": "DS0010", "name": "Cloud Storage" }, { "detects": "Monitor logs for authentication/authorization of xApps to near-RT RIC and E2 nodes, logs for each transaction done by xApps to E2 nodes. Audit logs and telemetry data for unauthorized activities.", "fgdsid": "DS0025", "name": "Cloud Service" }, { "detects": "Verify and refresh frequently digital signatures used for authenticating xApps by near-RT RIC and E2 nodes.", "fgdsid": "DS0037", "name": "Certificate" }, { "detects": "Verify xApp image hash", "fgdsid": "FGDS5015", "name": "Image verification" }, { "detects": "Monitor all xApps onboarding processes. Use host scanning tools to detect malware insertions.", "fgdsid": "FGDS5021", "name": "Monitor 3rd party application onboarding" } ], "external_id": "FGT5034", "kill_chain": [ "fight:Initial-Access", "fight:Lateral-Movement" ], "mitigations": [ { "fgmid": "FGM5091", "mitigates": "Use strong authentication and authorization for 3rd party xApps during onboarding and use strong mutual authentication between xApps and near-RT RIC and between xApp and E2 nodes.", "name": "Mutual authentication" }, { "fgmid": "M1030", "mitigates": "Restrict SW paths for some network components using standard protocols such as SSL, REST/HTTPS etc.", "name": "Network Segmentation" }, { "fgmid": "M1033", "mitigates": "Use only trusted supply chain, rigorous scanning of software images. 
Limit Software Installations especially from 3rd party sources.", "name": "Limit Software Installation" }, { "fgmid": "M1043", "mitigates": "Credential Access Protection - Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.", "name": "Credential Access Protection" }, { "fgmid": "M1045", "mitigates": "Verify digital signature of xApp", "name": "Code Signing" }, { "fgmid": "FGM5516", "mitigates": "Make the tokens short lived to prevent replay of token attacks (AiTM).", "name": "Make xApp sessions short lived" } ], "object-type": "technique", "platforms": "O-RAN", "postconditions": [ { "Description": "Adversary degrades network operation or in the worst case causes temporary network outage.", "Name": "Network operations impacted" }, { "Description": "Operator’s network policies are known to the adversary.", "Name": "Sensitive network data exposed to adversary" }, { "Description": "UE and subscriber’s sensitive data is revealed to the adversary.", "Name": "Sensitive UE data exposed to adversary" } ], "preconditions": [ { "Description": "Adversary installs rogue xApp in near-RT RIC via malware during onboarding and it finds out weak authentication mechanism in near-RT RIC to gain entry in the O-RAN systems.\n\nA legitimate xApp may be cloned by adversary to launch further attacks.", "Name": "Adversary has access to near-RT RIC during onboarding or via insider attack" } ], "procedureexamples": [ { "Description": "Adversary may exploit weakly configured authentication mechanism in near-RT RIC and E2 nodes for the xApps and may gain unauthorized access to near-RT RIC and thus affect E2 nodes.\n\nAdversary may access E2 nodes such as O-DU, O-RU, O-CU-CP and O-CU-UP via E2 interface by using E2 related APIs. Clause 5.4.1.4 of [1], clause 7.3 of [2] and [3].", "Name": "Malicious xApp gets access to near-RT RIC and E2 nodes." 
}, { "Description": "Rogue xApp may change behavior of near-RT RIC by intercepting or modifying A1 messages to/from non-RT RIC or O1 messages to/from SMO. Some examples of attacks are:\n\nDoS attack on network and UEs by changing slice priority and QoS parameters, steal network and UE information and track UE’s location.", "Name": "Rogue xApp changes behavior of ORAN system" }, { "Description": "When a new xApp is deployed, it is authenticated by near-RT RIC. If authentication is successful, near-RT RIC provides an ID to the xApp and it creates a Managed Object Instance (MOI) for the xApp. MOI is used by SMO to manage xApps. \n\nAiTM attack may be launched by adversary by monitoring and replaying a stolen token or MOI of a legitimate xApp. This may change behavior of near-RT RIC and impact RAN functions such as coverage, network slicing and QoS. Clause 9.4.1 of [2].", "Name": "xApps stolen token/MOI" } ], "refs": [ "[1] O-RAN Security Threat Model 6.00 version - https://orandownloadsweb.azurewebsites.net/specifications", "[2] O-RAN WG3 Near-RT RIC Architecture 4.00 version - https://orandownloadsweb.azurewebsites.net/specifications", "[3] Ericsson white paper: “Security considerations of Open RAN”. 
- https://www.ericsson.com/en/security/security-considerations-of-open-ran", "https://fight.mitre.org/data%20sources/DS0006", "https://fight.mitre.org/data%20sources/DS0010", "https://fight.mitre.org/data%20sources/DS0025", "https://fight.mitre.org/data%20sources/DS0037", "https://fight.mitre.org/data%20sources/FGDS5015", "https://fight.mitre.org/data%20sources/FGDS5021", "https://fight.mitre.org/mitigations/FGM5091", "https://fight.mitre.org/mitigations/FGM5516", "https://fight.mitre.org/mitigations/M1030", "https://fight.mitre.org/mitigations/M1033", "https://fight.mitre.org/mitigations/M1043", "https://fight.mitre.org/mitigations/M1045", "https://fight.mitre.org/techniques/FGT5034" ], "status": "This is a theoretical behavior", "typecode": "fight_technique" }, "related": [ { "dest-uuid": "fcdd534a-5b3d-5d5c-a394-c25bba4c3eda", "type": "mitigated-by" }, { "dest-uuid": "9c376223-8d89-5179-8a56-51de20697bd2", "type": "mitigated-by" }, { "dest-uuid": "d77cd76e-6cf8-5345-ba70-cd17b9215573", "type": "mitigated-by" }, { "dest-uuid": "4d882eab-1588-508e-b3fc-f7221cad2db8", "type": "mitigated-by" }, { "dest-uuid": "ef3488c0-caca-5662-afbf-c906cbadb660", "type": "mitigated-by" }, { "dest-uuid": "c356214c-fc72-5b71-b434-15459f40251f", "type": "mitigated-by" }, { "dest-uuid": "b8d58dd3-11e0-5118-b64e-7ae822cbf2cf", "type": "detected-by" }, { "dest-uuid": "161ce32c-ba13-5a01-b587-4d09ce59bf99", "type": "detected-by" }, { "dest-uuid": "dc2f1c60-eb57-5350-bb83-fc41d4ec3255", "type": "detected-by" }, { "dest-uuid": "49b5f184-6fbb-5082-ac82-eaef61937c12", "type": "detected-by" }, { "dest-uuid": "9325a5c1-d001-53cc-b556-749181f60f6a", "type": "detected-by" }, { "dest-uuid": "29b8c27c-eacf-526c-afbc-09e413e0c7c1", "type": "detected-by" } ], "uuid": "b106e8ff-3bd2-5295-bbce-e8cecf59aa15", "value": "Radio control manipulation via rogue xApps" }, { "description": "Adversary may jam to impact IAB or mIAB (gNB) node's communications to impact the UEs and downstream IAB node’s ability 
to connect to the network.\r\n\r\nIf the wireless backhaul connection of one or more Integrated Access and Backhaul (IAB) nodes, mobile IAB (mIAB) nodes or gNBs is jammed in a tactical or mobile network deployment, the network connectivity will be disrupted. This will cause a temporary DoS for some users until an alternate connection is available.\r\n\r\nMobile IAB nodes are small cell base stations which are typically deployed on a vehicle placed in strategic areas. For example, an mIAB node can be deployed near a stadium for a game event. The backhaul traffic from the mIAB node is carried over the air to the next hop base station. The next hop gNB can be another IAB node or a fixed base station (aka donor IAB) which has a wired connection to the 5G core network.\r\n\r\nAn IAB node may use the same or different RF frequency bands for the backhaul traffic to the upstream IAB node and for providing network access to the UEs connected to itself. If the same frequency band is used for backhaul and access, it is known as in-band deployment, and if different frequency bands are used for backhaul and access, it is known as out-of-band deployment. The adversary may choose to jam both frequency bands in the case of an out-of-band deployment to disrupt both backhaul and access communications.\r\n\r\nThe adversary may impact communications of the target IAB node, the IAB nodes that are downstream from the target IAB node and all UEs that are connected to the target IAB node and all UEs that are connected to downstream IAB nodes. 
[2]", "meta": { "architecture-segment": "O-RAN, RAN", "bluf": "Adversary may jam to impact IAB or mIAB (gNB) node's communications to impact the UEs and downstream IAB node's ability to connect to network.", "criticalassets": [ { "Description": "5G RAN services are disrupted during jamming attack.", "Name": "Network operations disrupted" } ], "detections": [ { "detects": "Monitor gNB logs for abnormal service outage.", "fgdsid": "FGDS5020", "name": "Monitor unplanned service outage" } ], "external_id": "FGT5024", "kill_chain": [ "fight:Impact" ], "mitigations": [ { "fgmid": "FGM5515", "mitigates": "Move the mIAB node to another location to avoid jamming and establish a new connection to the next hop base station.", "name": "Move mIAB node" } ], "object-type": "technique", "platforms": "5G", "postconditions": [ { "Description": "Legitimate subscribers are not able to connect to 5G network.", "Name": "Network operations are impacted" } ], "preconditions": [ { "Description": "Adversary must be positioned in the same area as the victim IAB node with a wireless sniffer device and a jamming device equipped with sufficient transmit power.", "Name": "Adversary in the same vicinity as victim IAB node" }, { "Description": "Adversary impacts all communications associated to the victim IAB node i.e. both access and backhaul.", "Name": "Adversary jams all communications of the victim IAB node" } ], "procedureexamples": [ { "Description": "Adversary monitors transmissions on the IAB node backhaul and access links with a wireless sniffer device. Then it starts transmitting bogus RF signal with enough transmit power to jam the backhaul and access link communications. This will disrupt connectivity to the network of the victim IAB node, all IAB nodes that are downstream from victim IAB node, all UEs which are connected to the victim IAB node and all UEs which are connected to downstream IAB nodes.", "Name": "IAB or mIAB node is jammed by adversary." 
} ], "refs": [ "[1] 5G Americas White Paper: “Innovations in 5G Backhaul Technologies; IAB, HFC & FIBER”, June 2020. - https://www.5gamericas.org/wp-content/uploads/2020/06/Innovations-in-5G-Backhaul-Technologies-WP-PDF.pdf", "[2] 3GPP TS 38.401: “NG-RAN; Architecture description”. - https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=3219", "https://fight.mitre.org/data%20sources/FGDS5020", "https://fight.mitre.org/mitigations/FGM5515", "https://fight.mitre.org/techniques/FGT5024" ], "status": "This is a theoretical behavior", "typecode": "fight_technique" }, "related": [ { "dest-uuid": "a577fa35-33d5-5de9-863c-c06e92f35bef", "type": "mitigated-by" }, { "dest-uuid": "81069d9a-ad01-507c-851c-c0e3d8b28c03", "type": "detected-by" } ], "uuid": "9ab2ef09-66e5-5f94-9e95-0a46be5d2642", "value": "IAB Denial of Service" }, { "description": "Adversaries may build capabilities that can be used during targeting.\r\n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1587)", "meta": { "access-required": "N/A, N/A", "addendums": [ "#### Addendum Name: IMSI Catcher\r\n##### Architecture Segments: RAN, UE\r\n An adversary may build an International Mobile Subscriber Identity (IMSI) catcher to capture IMSI numbers from nearby UEs in a target area.\r\n\r\nIMSI catchers are very similar to fake base stations but may not have full capabilities of the base station. The IMSI Catcher term has been traditionally associated with UE identity discovery or location identification. Adversary may build one with open-source code and generic radio transceivers. 
Open-source code for software defined radio, or RAN test equipment, or simulators can also be modified to create an IMSI catcher.\r\n\r\n", "#### Addendum Name: Silent paging tool\r\n##### Architecture Segments: RAN, UE\r\n An adversary may build or develop a silent SMS tool in order to send SMSs to nearby phones in a target area.\r\n\r\nA silent SMS is described in the specification GSM 03.40 as a Short Message of type 0, which indicates that the UE must acknowledge receipt of the short message but may discard its contents.\r\n\r\nIt is possible to build/develop an application to send silent SMS messages, which can run on a regular phone (UE) that can register to a local network. That application can be used to send a silent SMS to a target UE using the phone number (MSISDN).\r\n\r\n" ], "architecture-segment": "RAN, UE", "bluf": "Adversaries may build capabilities that can be used during targeting.", "detections": [], "external_id": "FGT1587", "kill_chain": [ "fight:Resource-Development" ], "mitigations": [ { "fgmid": "M1056", "mitigates": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of the mobile network operator.", "name": "Pre-compromise" } ], "object-type": "technique", "platforms": "RAN, RAN", "refs": [ "[1] Adrian Dabrowski, Nicola Pianta, Thomas Klepp, Martin Mulazzani, and Edgar Weippl. “IMSI-catch me if you can: IMSI-catcher-catchers”. In Proceedings of the 30th annual computer security applications Conference, pages 246–255, 2014. - https://its-wiki.no/images/f/fb/Dabrowski_ISMI_Catch_me_Catchers.pdf", "[1] Information Security Newspaper, “How to hack and track anybody’s phone location via silent SMS messages”. - https://www.securitynewspaper.com/2023/06/20/how-to-hack-track-anybodys-phone-location-via-silent-sms-messages/", "[2] Ravishankar Borgaonkar, Altaf Shaik, “5G IMSI Catchers Mirage”, Blackhat USA Conference 2021. 
- https://blackhat.com/us-21/briefings/schedule/#g-imsi-catchers-mirage-23538", "[2] Silent-sms-ping github repository - https://github.com/MatejKovacic/silent-sms-ping", "[3] “HOW COPS CAN SECRETLY TRACK YOUR PHONE”, The Intercept online article, July 31, 2021. Accessed 6/22/2022. - https://theintercept.com/2020/07/31/protests-surveillance-stingrays-dirtboxes-phone-tracking/", "[4] A Knight, Brier & Thorn, “Hacking GSM: Building a Rogue Base Station to Hack Cellular Devices”, Online Article. Accessed 6/22/2022. - https://www.brierandthorn.com/post/hacking-gsm-building-a-rogue-base-station-to-hack-cellular-devices", "https://attack.mitre.org/techniques/T1587", "https://fight.mitre.org/mitigations/M1056", "https://fight.mitre.org/techniques/FGT1587" ], "status": "This is an observed behavior in Enterprise networks, and is theoretical in context of 5G systems.", "typecode": "attack_technique_addendum" }, "related": [ { "dest-uuid": "edadea33-549c-4ed1-9783-8f5a5853cbdf", "type": "related-to" }, { "dest-uuid": "7d8b78b4-09f2-516d-b81e-1b3dc8336d08", "type": "mitigated-by" } ], "uuid": "3c50055f-d371-54f1-b729-2109c06914fb", "value": "Develop Capabilities" }, { "description": "Adversaries may upload, install, or otherwise set up capabilities that can be used during targeting.\r\n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1608)", "meta": { "addendums": [ "#### Addendum Name: Rogue Operator Network\r\n##### Architecture Segments: Control Plane, RAN\r\n An adversary may install or set up a customized core mobile network in a target environment to enable follow-on behaviors.\r\n\r\nAn adversary may install, or otherwise set up a 5G core network capability that can be used during targeting. To support their operations, an adversary will likely obtain this capability (e.g. from open source software), and then proceed to stage it on a server (COTS) under their control. 
For a complete mobile network set-up, a radio access network (e.g. fake base station) would also be used, connected to this core network.\r\n\r\n\r\n" ], "architecture-segment": "Control Plane, RAN", "bluf": "Adversaries may upload, install, or otherwise set up capabilities that can be used during targeting.", "detections": [], "external_id": "FGT1608", "kill_chain": [ "fight:Resource-Development" ], "mitigations": [], "object-type": "technique", "platforms": "5G Core", "refs": [ "[1] M.Grassi & X. Chen, “Over The Air Baseband Exploit: Gaining Remote Code Execution on 5G Smartphones,” retrieved May 16, 2023 - https://dl.acm.org/doi/abs/10.1145/3395351.3399360", "https://attack.mitre.org/techniques/T1608", "https://fight.mitre.org/techniques/FGT1608" ], "status": "This is an observed behavior in Enterprise networks, and is theoretical in context of 5G systems.", "typecode": "attack_technique_addendum" }, "related": [ { "dest-uuid": "84771bc3-f6a0-403e-b144-01af70e5fda0", "type": "related-to" } ], "uuid": "4f4a0c73-63a5-578b-9814-06a211a42afd", "value": "Stage Capabilities" }, { "description": "An adversary may operationalize a customized mobile network in a target environment to enable other follow-on behaviors against UEs.\r\n\r\nAn adversary enables the programmability of a rogue mobile network, in order to be able to connect a victim UE to a hostile/fake operator network. This is software that can run on a single piece of hardware. To configure it, the configuration files would need to be updated: configure PLMN identifiers, radio frequency spectrum, IP addresses for core components. Configuration for connecting to one or more radio access nodes (e.g. 
base station) may also be done.\r\n\r\nThis technique is to be used in conjunction with the equivalent technique for fake base station FGT1608.501.", "meta": { "architecture-segment": "Control Plane", "bluf": "An adversary may operationalize a customized mobile network in a target environment to enable other follow-on behaviors against UEs.", "criticalassets": [ { "Description": "UEs that are lured to connect to a fake network may lose functionality. The registration signaling will likely fail in the end.", "Name": "UE functionality" } ], "detections": [], "external_id": "FGT1608.502", "kill_chain": [ "fight:Resource-Development" ], "mitigations": [], "object-type": "technique", "platforms": "5G Core", "procedureexamples": [ { "Description": "Adversary obtains software capability such as: open source software (e.g Open5GS, free5GC) to set up a rogue operator network, with sufficient capability to achieve follow-on behavior.", "Name": "Obtain capability for configuration of a rogue mobile network core" } ], "refs": [ "[1] M.Grassi & X. Chen, “Over The Air Baseband Exploit: Gaining Remote\nCode Execution on 5G Smartphones,” retrieved May 16, 2023 - https://dl.acm.org/doi/abs/10.1145/3395351.3399360", "https://fight.mitre.org/techniques/FGT1608.502" ], "status": "This is a theoretical behavior", "subtechnique-of": "FGT1608", "typecode": "fight_subtechnique_to_attack_technique" }, "related": [ { "dest-uuid": "4f4a0c73-63a5-578b-9814-06a211a42afd", "type": "subtechnique-of" } ], "uuid": "0a9677fd-2bae-55c9-bb13-eb6e356d3271", "value": "Configure Operator Core Network" }, { "description": "Adversary sends a spoofed or silent SMS to trigger paging of UE, to retrieve the subscriber profile identifier. \r\n\r\nA UE has a permanent identifier (IMSI or SUPI), but also a temporary one (“Temporary Mobile Subscriber Identity”) assigned by the network (TMSI, with their version for 4G and 5G). 
Adversaries can take advantage of cellular networks where the IMSI is used when computing how to page a UE, rather than TMSI, or when the TMSI is used but not changed frequently. This is a choice of the mobile network operator. \r\n\r\n\r\nAn adversary can send silent SMS messages to that target phone number, and watch the paging messages that the base station in that area sends in response (assumes the target UE is in inactive mode and is located in the area of a base station where the adversary has installed a radio interface sniffer). From the sniffed paging messages, an adversary learns the “paging occasion” for that UE. From the paging occasion, several bits (7) of the IMSI can be deduced. The rest of the IMSI (24 bits) can be tried out by brute force by sending many paging messages (e.g. via a fake base station) corresponding to the IMSIs being tried out, and if one gets a response that is valid, it means that the guess is correct. \r\n\r\n\r\nSeveral UEs may end up sharing the same paging occasion. With knowledge of the victim’s phone number, an adversary can cause the victim UE to be paged in a certain fashion (e.g. by sending a given number of silent SMS messages and watching for a similar number of paging messages), and thereby determine the paging occasion for that UE. If the UE is not located in that cell area, then no such paging messages will be noticed. An adversary needs to install sniffers in all of the cell areas of interest, i.e. where they desire to determine the presence or absence of a target UE at a given time, and/or to determine the UE identifiers (IMSI or SUPI or TMSI).\r\n\r\n\r\nBackground information: the IMSI in the US is ~49 bits, but the IMSI’s leading 18 bits (i.e., the mobile country code and the mobile network code) can be obtained from the phone number using paid, Internet-based home location register lookup services. 
The “paging occasion” – the precise time/frequency slot when the paging indication is sent – is calculated in a known way based on a UE identifier, either IMSI or TMSI.", "meta": { "access-required": "N/A", "architecture-segment": "RAN", "bluf": "Adversary sends a spoofed or silent SMS to trigger paging of UE, to retrieve the subscriber profile identifier.", "criticalassets": [ { "Description": "", "Name": "UE identifier" } ], "detections": [ { "detects": "Run at the UE side a tool to detect silent SMS messages (can be OS monitoring app as in [4])", "fgdsid": "FGDS5102", "name": "Silent SMS detector" } ], "external_id": "FGT5019.006", "kill_chain": [ "fight:Collection", "fight:Discovery" ], "mitigations": [ { "fgmid": "FGM5004", "mitigates": "The operator may run a network side SMS firewall that permits legitimate silent SMSs (e.g. from law enforcement) but blocks the ones from suspicious sources", "name": "Correctly configure SMS firewall" }, { "fgmid": "FGM5102", "mitigates": "Run at the UE side a tool to detect and not respond to multiple silent SMS messages received in a short time (can be OS monitoring app as in [2])", "name": "Silent SMS blocker " } ], "object-type": "technique", "platforms": "5G Network", "preconditions": [ { "Description": "Adversary deployed a sniffer in the coverage area where the target UE may be located", "Name": "Radio interface sniffer" } ], "procedureexamples": [ { "Description": "By sending several (about 8) silent SMS messages to a UE (or making 8 silent calls) and watching the responses on the radio interface, if the UE is present, the paging occasion of the UE can be determined [1].", "Name": "Paging occasion guessing" }, { "Description": "If the operator uses IMSI to page UEs, then if some bits of the IMSI are already guessed (e.g. via a location/paging occasion guessing discovery technique), it is possible to infer the actual IMSI. 
The adversary sends multiple silent SMS messages corresponding to guessed IMSIs, and watches the radio interface for responses. [1]", "Name": "IMSI-cracking" } ], "refs": [ "[1] S.R. Hussain et al., “Privacy Attacks to the 4G and 5G Cellular Paging Protocols Using Side Channel Information” - https://homepage.divms.uiowa.edu/~comarhaider/publications/LTE-torpedo-NDSS19.pdf", "[2] H. Wen et al., “Thwarting Smartphone SMS Attacks at the\nRadio Interface Layer”. Retrieved Sept 14, 2023. - https://www.ndss-symposium.org/ndss-paper/thwarting-smartphone-sms-attacks-at-the-radio-interface-layer/", "https://fight.mitre.org/data%20sources/FGDS5102", "https://fight.mitre.org/mitigations/FGM5004", "https://fight.mitre.org/mitigations/FGM5102", "https://fight.mitre.org/techniques/FGT5019.006" ], "status": "Observed in earlier 3GPP generations and expected in 5G.", "subtechnique-of": "FGT5019", "typecode": "fight_subtechnique" }, "related": [ { "dest-uuid": "b6db0fd1-7f3d-5873-bce6-6a2c56b2af9c", "type": "mitigated-by" }, { "dest-uuid": "036a0bde-15dd-5661-aaa2-2c03488d9198", "type": "mitigated-by" }, { "dest-uuid": "1e78650b-fab0-508c-b55e-a5c69be5b3df", "type": "detected-by" }, { "dest-uuid": "0eaef533-4472-5d77-a665-3a40de657c70", "type": "subtechnique-of" } ], "uuid": "1f38842c-f33b-559a-b8d1-a122444b3a7e", "value": "Silent SMS" }, { "description": "Adversary sends spoofed or silent paging messages to a UE and deduces the UE's location from the responses of that UE.\r\n\r\nAdversary broadcasts a spoofed paging message from a false base station or manipulates a legitimate one using a software-defined-radio tool; alternatively, the adversary uses a silent SMS message tool to cause the legitimate base station to send a paging message. These paging messages can be heard by all UEs in the area. The paging message broadcast time/frequency is calculated by the base station based on the temporary identifier 5G-GUTI or 4G-GUTI of the target UE, or the IMSI. 
It is assumed that the adversary can guess the UE's GUTI (see technique FGT5012.006).\r\n\r\nAn adversary sends multiple paging messages and then sniffs the radio interface looking for UEs’ responses to paging messages. Paging is successful if the target UE responds. If such a set of multiple paging responses corresponding to the paging calculated from the one given GUTI is noticed, then it can be concluded that the target UE is present in the cell area. This leads to discovery of the coarse location of a UE. As a side benefit, a valid GUTI (or several GUTIs) is also now discovered. \r\n\r\nBackground info: Silent SMS messages are a type of SMS that is used legitimately by mobile operators and governments to track a smartphone subscriber’s geographical location.", "meta": { "architecture-segment": "RAN", "bluf": "Adversary sends spoofed or silent paging messages to a UE and deduces the UE's location from the responses of that UE", "criticalassets": [ { "Description": "UE's rough location is known to the adversary, which can be used for further attacks such as bidding down, IMSI cracking and physical attack.", "Name": "UE location" } ], "detections": [ { "detects": "UE measurements of received power levels from all base stations nearby, and their identifiers. Clause 6.24 of [2].", "fgdsid": "FGDS5002", "name": "UE signal measurements" }, { "detects": "Run at the UE side a tool to detect silent SMS messages (can be OS monitoring app as in [4])", "fgdsid": "FGDS5102", "name": "Silent SMS detector" } ], "external_id": "FGT5012.007", "kill_chain": [ "fight:Collection", "fight:Discovery" ], "mitigations": [ { "fgmid": "FGM5004", "mitigates": "The operator may run a network-side SMS firewall that permits legitimate silent SMSs (e.g. 
from law enforcement) but blocks the ones from suspicious sources", "name": "Correctly configure SMS firewall" }, { "fgmid": "FGM5102", "mitigates": "Run at the UE side a tool to detect and not respond to multiple silent SMS messages received in a short time (can be OS monitoring app as in [4])", "name": "Silent SMS blocker " } ], "object-type": "technique", "platforms": "5G", "postconditions": [ { "Description": "Adversary knows the cellular base station area where the UE is located. Further attacks are possible such as eavesdropping on target UE’s communication to network if UE coarse location is known to adversary.", "Name": "UE coarse location is known to adversary" } ], "preconditions": [ { "Description": "Adversary gets hold of a false base station which is capable of sending fraudulent paging messages.", "Name": "Obtain a false base station to send fake broadcast messages, or a SDR tool to manipulate legitimate signaling on the radio interface" }, { "Description": "Adversary develops or obtains a tool to send silent SMS (e.g. mobile phone with special application running)", "Name": "Obtain a silent SMS tool" } ], "procedureexamples": [ { "Description": "Adversary sends fake paging message with UEs temporary identifier from a false base station. Sigover attack method is used to overshadow the paging message from legitimate base station. If the victim UE is in the area, it responds with a service request message. UE’s presence in the cell area is then known to the adversary [1].", "Name": "Send fake paging message to target UE" }, { "Description": "Adversary sends a series of silent SMS messages or makes a series of silent calls to a target UE, that would cause the base station to send a series of corresponding paging messages. The adversary then monitors the paging channel to watch for these set of multiple paging messages, and thus determines the paging slots (“paging occasion”) assigned to the target UE. 
In addition, if the target UE responds, the adversary concludes the target is in the area of that base station. If not, the target is not there [3]", "Name": "Send silent SMS to target UE" }, { "Description": "Adversary sends multiple silent SMS to the UE, and then watches the paging channel. If multiple instances of the same GUTI are seen, or if a given Paging Frame Index (PFI, determined by the IMSI) seems to be “busy”, then the adversary can conclude that the target UE is in that cell area (coarse location retrieval) [3]", "Name": "Watch for same paging occasion to be used by base station" } ], "refs": [ "[1] Chuan Yu et al, “Improving 4G/5G air interface security: A survey of existing attacks on different LTE layers”, ACM digital library - https://dl.acm.org/doi/abs/10.1016/j.comnet.2021.108532", "[2] 3GPP TR 33.809 “Study on 5G security enhancements against False Base Stations (FBS)”, Technical Report, v0.18.0, February 2022. - https://www.3gpp.org/DynaReport/33809.htm", "[3] S.R. Hussain et.al., “Privacy Attacks to the 4G and 5G Cellular Paging Protocols Using Side Channel Information”. Retrieved Sept 11, 2023 - https://homepage.divms.uiowa.edu/~comarhaider/publications/LTE-torpedo-NDSS19.pdf", "[4] H. Wen et al., “Thwarting Smartphone SMS Attacks at the\nRadio Interface Layer”. Retrieved Sept 14, 2023. 
- https://www.ndss-symposium.org/ndss-paper/thwarting-smartphone-sms-attacks-at-the-radio-interface-layer/", "https://fight.mitre.org/data%20sources/FGDS5002", "https://fight.mitre.org/data%20sources/FGDS5102", "https://fight.mitre.org/mitigations/FGM5004", "https://fight.mitre.org/mitigations/FGM5102", "https://fight.mitre.org/techniques/FGT5012.007" ], "status": "Observed in earlier 3GPP generations and expected in 5G.", "subtechnique-of": "FGT5012", "typecode": "fight_subtechnique" }, "related": [ { "dest-uuid": "b6db0fd1-7f3d-5873-bce6-6a2c56b2af9c", "type": "mitigated-by" }, { "dest-uuid": "036a0bde-15dd-5661-aaa2-2c03488d9198", "type": "mitigated-by" }, { "dest-uuid": "fa9ee8fb-7f25-554c-9682-0e50e774812d", "type": "detected-by" }, { "dest-uuid": "1e78650b-fab0-508c-b55e-a5c69be5b3df", "type": "detected-by" }, { "dest-uuid": "f940f548-256a-5559-83bc-7fea99d051bf", "type": "subtechnique-of" } ], "uuid": "9493634f-2d0d-5f25-9c3e-be342453bd6d", "value": "Silent or spoofed paging" }, { "description": "Adversary may gain unauthorized access to machine learning model or database and alters the data to disrupt service or change the behavior of network elements. \r\n\r\nCurrently ORAN implementation specifies RAN Intelligent Controller (RIC) and associated xApps/rApps as part of the RAN system for machine learning and optimization. Machine learning models may also exist in Service Management and Orchestration (SMO) to optimize network design, deployment and operation. A nefarious change on ML models or data can cause drastic behavior change of O-RAN components including network outage. Altering a machine learning model (System manipulation and compromise of ML data confidentiality and privacy), adversary can change O-RAN behavior.", "meta": { "architecture-segment": "RAN, Virtualization", "bluf": "Adversary may gain unauthorized access to machine learning model or database and alters the data to disrupt service or change the behavior of network elements. 
", "criticalassets": [ { "Description": "Configuration and session data for RAN as well as ML applications.", "Name": "Configuration and session data" }, { "Description": "ML models and algorithms itself can be a lucrative asset to acquire in addition to understanding the behavior of the models fo0r an adversary.", "Name": "Algorithm" } ], "detections": [ { "detects": "Application logs can provide information about change, read, update, and delete(CRUD) activity.", "fgdsid": "DS0015", "name": "Application Log" }, { "detects": "Access and authorization logs can reveal abnormal logging activity that precedes action taken on the system", "fgdsid": "DS0028", "name": "Logon Session" } ], "external_id": "FGT5037", "kill_chain": [ "fight:Impact" ], "mitigations": [ { "fgmid": "M1018", "mitigates": "Manage the creation, modification, use, and permissions associated to user accounts.", "name": "User Account Management" }, { "fgmid": "M1026", "mitigates": "Strict access control to infrastructure and application supporting AI/ML operations", "name": "Privileged Account Management" }, { "fgmid": "M1041", "mitigates": "Model and data should be encrypted in the system", "name": "Encrypt Sensitive Information" }, { "fgmid": "M1047", "mitigates": "Monitoring of access logs, sensor data and changes proposed by algorithms and Human experts", "name": "Audit" }, { "fgmid": "M1009", "mitigates": "APIs in the system should use secure access and data transport using TLS 1.3 or latest.", "name": "Encrypt Network Traffic" } ], "object-type": "technique", "platforms": "ORAN, OA&M", "refs": [ "[1] O-RAN Security Threat Modeling and Remediation Analysis 6.0 \nO-RAN.WG11.Threat-Model.O-R003-v06.00, T-ML-02 - https://orandownloadsweb.azurewebsites.net/specifications", "[2] Adversarial Machine Learning: Well-known techniques - https://viso.ai/deep-learning/adversarial-machine-learning/", "[3] OWASP Machine Learning Security Top Ten - 
https://owasp.org/www-project-machine-learning-security-top-10/docs/ML03_2023-Model_Inversion_Attack.html", "https://fight.mitre.org/data%20sources/DS0015", "https://fight.mitre.org/data%20sources/DS0028", "https://fight.mitre.org/mitigations/M1009", "https://fight.mitre.org/mitigations/M1018", "https://fight.mitre.org/mitigations/M1026", "https://fight.mitre.org/mitigations/M1041", "https://fight.mitre.org/mitigations/M1047", "https://fight.mitre.org/techniques/FGT5037" ], "status": "This is a theoretical behavior", "typecode": "fight_technique" }, "related": [ { "dest-uuid": "686a3700-8ee3-52d3-954f-d2ec4abf14aa", "type": "mitigated-by" }, { "dest-uuid": "177506f3-cd8d-5035-b807-6528e3a75c5f", "type": "mitigated-by" }, { "dest-uuid": "71801a06-41bd-5336-a539-e8bea9d647f7", "type": "mitigated-by" }, { "dest-uuid": "a30b7d01-b740-5538-b28d-d87befd5fd29", "type": "mitigated-by" }, { "dest-uuid": "1399a928-070b-55cf-856a-b2adb9005ccd", "type": "mitigated-by" }, { "dest-uuid": "3c23d0f7-d55c-5891-90b9-c744e976f0ef", "type": "detected-by" }, { "dest-uuid": "859ecf98-b107-5a3a-886e-dfb46999fe09", "type": "detected-by" } ], "uuid": "5bfb7a9c-d38d-530b-abf6-d6b9ac6cf065", "value": "Alter ML Model" }, { "description": "Adversary may use AI/ML training data and prediction poisoning techniques to manipulate the outcomes of a machine learning model for malicious purposes, to disrupt service or change the behavior of network elements. \r\n\r\nIn the context of AI/ML security threats, adversaries can employ various techniques to compromise machine learning models at different stages. During training, they can engage in data poisoning by injecting manipulated data (Data Injection), mislabeling data points (Label Poisoning), or maliciously augmenting data with adversarial samples (Data Augmentation Poisoning). 
Adversaries can also manipulate the model itself during training, introducing hidden backdoor patterns (Backdoor Attacks) or deducing sensitive information by observing model outputs (Model Inversion Attacks). In the inference phase, they can create adversarial examples to trick the model (Adversarial Examples) or subtly change data distributions over time to cause incorrect predictions (Concept Drift). Additionally, adversaries can engage in data pollution by manipulating live input data (Data Poisoning in Live Systems) or compromise model integrity by stealing and manipulating training data (Data Theft). Lastly, they can attempt to determine training data membership via Membership Inference Attacks by querying the model with tailored inputs. \r\n\r\nThe ORAN implementation outlines the inclusion of a RAN Intelligent Controller (RIC) and its associated xApps/rApps within the RAN system, which are designed for machine learning and optimization purposes. Machine learning models might also be present within the Service Management and Orchestration (SMO) framework to enhance network design, deployment, and operation. However, any malicious alterations made to these ML models, or their associated data could lead to unintended consequences, such as disruptions in the desired operational state of network components, traffic management issues, and potentially even network outages.", "meta": { "architecture-segment": "RAN, Virtualization, O-RAN", "bluf": "Adversary may use AI/ML training data and prediction poisoning techniques to manipulate the outcomes of a machine learning model for malicious purposes, to disrupt service or change the behavior of network elements. 
", "criticalassets": [ { "Description": "Configuration and session data for RAN as well as ML applications.", "Name": "Configuration and session data" }, { "Description": "ML models and algorithms itself can be a lucrative asset to acquire in addition to understanding the behavior of the models fo0r an adversary.", "Name": "Algorithm" } ], "detections": [ { "detects": "Application logs can provide information about change, read, update, and delete(CRUD) activity.", "fgdsid": "DS0015", "name": "Application Log" }, { "detects": "Access and authorization logs can reveal abnormal logging activity that precedes action taken on the system", "fgdsid": "DS0028", "name": "Logon Session" } ], "external_id": "FGT5036", "kill_chain": [ "fight:Impact" ], "mitigations": [ { "fgmid": "M1018", "mitigates": "Manage the creation, modification, use, and permissions associated to user accounts.", "name": "User Account Management" }, { "fgmid": "M1026", "mitigates": "Strict access control to infrastructure and application supporting AI/ML operations", "name": "Privileged Account Management" }, { "fgmid": "M1041", "mitigates": "Model and data should be encrypted in the system", "name": "Encrypt Sensitive Information" }, { "fgmid": "M1047", "mitigates": "Monitoring of access logs, sensor data and changes proposed by algorithms and Human experts", "name": "Audit" }, { "fgmid": "M1009", "mitigates": "APIs in the system should use secure access and data transport using TLS 1.3 or latest.", "name": "Encrypt Network Traffic" } ], "object-type": "technique", "platforms": "ORAN, OA&M", "refs": [ "[1] O-RAN Security Threat Modeling and Remediation Analysis 6.0,  \nO-RAN.WG11.Threat-Model.O-R003-v06.00, T-ML-02 - https://orandownloadsweb.azurewebsites.net/specifications", "[2] Adversarial Machine Learning: Well-known techniques - https://viso.ai/deep-learning/adversarial-machine-learning/", "[3] OWASP Machine Learning Security Top Ten - 
https://owasp.org/www-project-machine-learning-security-top-10/docs/ML03_2023-Model_Inversion_Attack.html", "https://fight.mitre.org/data%20sources/DS0015", "https://fight.mitre.org/data%20sources/DS0028", "https://fight.mitre.org/mitigations/M1009", "https://fight.mitre.org/mitigations/M1018", "https://fight.mitre.org/mitigations/M1026", "https://fight.mitre.org/mitigations/M1041", "https://fight.mitre.org/mitigations/M1047", "https://fight.mitre.org/techniques/FGT5036" ], "status": "This is a theoretical behavior", "typecode": "fight_technique" }, "related": [ { "dest-uuid": "686a3700-8ee3-52d3-954f-d2ec4abf14aa", "type": "mitigated-by" }, { "dest-uuid": "177506f3-cd8d-5035-b807-6528e3a75c5f", "type": "mitigated-by" }, { "dest-uuid": "71801a06-41bd-5336-a539-e8bea9d647f7", "type": "mitigated-by" }, { "dest-uuid": "a30b7d01-b740-5538-b28d-d87befd5fd29", "type": "mitigated-by" }, { "dest-uuid": "1399a928-070b-55cf-856a-b2adb9005ccd", "type": "mitigated-by" }, { "dest-uuid": "3c23d0f7-d55c-5891-90b9-c744e976f0ef", "type": "detected-by" }, { "dest-uuid": "859ecf98-b107-5a3a-886e-dfb46999fe09", "type": "detected-by" } ], "uuid": "f5d98e66-88a1-5187-b3f8-dfb943016b07", "value": "AI/ML training data and prediction poisoning" }, { "description": "Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise.\r\n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1195/002)", "meta": { "addendums": [ "#### Addendum Name: Compromise software Supply Chain\r\n##### Architecture Segments: Control Plane, RAN, Virtualization, OA&M, O-RAN\r\n Adversaries may manipulate software products or product delivery mechanisms prior to deployment in an MNO’s production environment for the purpose of data or system compromise.\r\n\r\nSoftware supply chain compromise can occur through various means, such as tampering with the source code of the application, manipulating 
the software's update and distribution process, or substituting legitimate compiled releases with altered versions.\r\n\r\n5G deployments are expected to embrace diverse deployment models, encompassing vendor-supplied VNF/CNFs, open-source software, dedicated physical appliances from suppliers, and white-label hardware. This diversity introduces multiple potential points of vulnerability before the software is employed in 5G communication services. An adversary could exploit the supply chain of management and monitoring tools, network functions, or infrastructure software, including operating systems, orchestration systems, and element managers. The same software deployment model is used in O-RAN systems, hence all vulnerabilities described in this addendum apply to O-RAN networks as well.\r\n\r\n" ], "architecture-segment": "Control Plane, RAN, Virtualization, OA&M, O-RAN", "bluf": "Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise.", "criticalassets": [ { "Description": "Network functions are a prime target to impact 5G communication services", "Name": "CORE, RAN VNFs" }, { "Description": "OSS tools have privileged access and broad reachability and may be used to change configuration of the network by adversary.", "Name": "OSS Tools" }, { "Description": "Security tools have privileged access and broad reachability and may be used to evade defenses and allow for lateral movements by the adversary", "Name": "Security tools" }, { "Description": "CI/CD tools may be used for inserting malware or poisoned images as well as change the network elements deployed and their behavior.", "Name": "CI/CD Tools" } ], "detections": [ { "detects": "Use verification of distributed binaries through hash checking or other integrity checking mechanisms. 
Scan downloads for malicious signatures and attempt to test software and updates prior to deployment while taking note of potential suspicious activity.", "fgdsid": "DS0022", "name": "File" } ], "external_id": "FGT1195.002", "kill_chain": [ "fight:Initial-Access" ], "mitigations": [ { "fgmid": "M1016", "mitigates": "Vulnerability Scanning of software before it is brought into MNO environment as well as regular scans to detect abnormal behavior", "name": "Vulnerability Scanning" }, { "fgmid": "M1045", "mitigates": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", "name": "Code Signing" }, { "fgmid": "M1051", "mitigates": "Update Software regularly", "name": "Update Software" }, { "fgmid": "FGM5517", "mitigates": "Enforce policy to use signed Software Bill of Materials (SBOMs) and software.", "name": "Use obfuscation at application layer" }, { "fgmid": "M0817", "mitigates": "Implement a supply chain management program, including policies and procedures to ensure all devices and components originate from a trusted supplier and are tested to verify their integrity. 5G Operators should evaluate suppliers of services for their technical and administrative controls to ensure that they meet minimum standards for assured services. These evaluations may include SW, HD supply chain, personnel and process used for service creation.", "name": "Supply chain management" } ], "object-type": "technique", "platforms": "Infrastructure, 5G, CI/CD, OA&M Tools, VNFs", "refs": [ "[1] ETSI NFV SEC001, “Network Functions Virtualization (NFV); NFV Security; Problem Statement”, Jan. 
2014, section 6.9 - https://www.etsi.org/deliver/etsi_gs/nfv-sec/001_099/001/01.01.01_60/gs_nfv-sec001v010101p.pdf", "[2] The Untold Story of the Boldest Supply-Chain Hack Ever - https://www.wired.com/story/the-untold-story-of-solarwinds-the-boldest-supply-chain-hack-ever/", "https://attack.mitre.org/techniques/T1195/002", "https://fight.mitre.org/data%20sources/DS0022", "https://fight.mitre.org/mitigations/FGM5517", "https://fight.mitre.org/mitigations/M0817", "https://fight.mitre.org/mitigations/M1016", "https://fight.mitre.org/mitigations/M1045", "https://fight.mitre.org/mitigations/M1051", "https://fight.mitre.org/techniques/FGT1195.002" ], "status": "This is an observed behavior in Enterprise networks, and is theoretical in context of 5G systems.", "subtechnique-of": "FGT1195", "typecode": "attack_subtechnique_addendum" }, "related": [ { "dest-uuid": "bd369cd9-abb8-41ce-b5bb-fff23ee86c00", "type": "related-to" }, { "dest-uuid": "182337e0-b8d6-55da-9e9b-141029f9eb9b", "type": "mitigated-by" }, { "dest-uuid": "ef3488c0-caca-5662-afbf-c906cbadb660", "type": "mitigated-by" }, { "dest-uuid": "f54f2c17-0cf6-536a-b52e-a886652815d6", "type": "mitigated-by" }, { "dest-uuid": "aff10ded-e6c1-5ee9-aa82-1eb71c8b2709", "type": "mitigated-by" }, { "dest-uuid": "7d8ed7d5-df88-584a-93b7-7fa6d691418c", "type": "mitigated-by" }, { "dest-uuid": "6151c447-21b5-5530-8760-375ac25fb3e8", "type": "detected-by" }, { "dest-uuid": "6d098b34-48eb-5f31-88ac-0a1f8028541c", "type": "subtechnique-of" } ], "uuid": "98bb572f-6298-5c69-b2ee-13d74dead58f", "value": "Compromise Software Supply Chain" }, { "description": "Adversaries may manipulate hardware components in products prior to receipt by a final consumer for the purpose of data or system compromise.\r\n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1195/003)", "meta": { "addendums": [ "#### Addendum Name: Compromise Hardware Supply Chain\r\n##### Architecture Segments: Control 
Plane, RAN, Virtualization, OA&M, O-RAN\r\n Adversaries may manipulate hardware components or products prior to deployment in an MNO’s production environment for the purpose of data or system compromise.\r\n\r\nThrough alterations to hardware or firmware within the supply chain, malicious actors can implant a concealed entry point into consumer networks. This clandestine access can prove challenging to identify, affording the adversary substantial control over the system. Hardware backdoors have the potential to be introduced into a wide array of devices, including servers, workstations, network infrastructure components, and peripherals.\r\n\r\n5G multiplicity of deployment options introduces numerous potential points of vulnerability, all before the hardware even integrates into 5G communication services. Within this complex landscape, adversaries possess the opportunity to exploit various aspects of the supply chain, such as compromising management and monitoring tools, tampering with firmware within components, or clandestinely introducing additional chips into server and network hardware. Furthermore, the prospect of counterfeit hardware infiltrating the legitimate supply chain accentuates the vulnerability landscape. Counterfeit hardware may lack rigorous security considerations and thorough testing, making it a potential Achilles' heel within the supply chain. 
The same hardware or firmware deployment model is used in O-RAN systems, hence all vulnerabilities described in this addendum apply to O-RAN networks as well.\r\n\r\n" ], "architecture-segment": "Control Plane, RAN, Virtualization, OA&M, O-RAN", "bluf": "Adversaries may manipulate hardware components in products prior to receipt by a final consumer for the purpose of data or system compromise.", "criticalassets": [ { "Description": "Network functions are a prime target to impact 5G communication services", "Name": "CORE, RAN VNFs" }, { "Description": "OSS tools have privileged access and broad reachability and may be used to change configuration of the network by adversary.", "Name": "OSS Tools" }, { "Description": "Security tools have privileged access and broad reachability and may be used to evade defenses and allow for lateral movements by the adversary", "Name": "Security tools" }, { "Description": "CI/CD tools may be used for inserting malware or poisoned images as well as change the network elements deployed and their behavior.", "Name": "CI/CD Tools" } ], "detections": [ { "detects": "Perform physical inspection of hardware to look for potential tampering. Perform integrity checking on pre-OS boot mechanisms that can be manipulated for malicious purposes and compare against known good baseline behavior.\n\nSome manufacturers are now adding seals to their component hardware packaging. This may provide some indication if Hardware was tampered with after leaving the manufacturing facility.", "fgdsid": "DS0013", "name": "Sensor Health" }, { "detects": "Use verification of distributed binaries through hash checking or other integrity checking mechanisms. 
Scan downloads for malicious signatures and attempt to test software and updates prior to deployment while taking note of potential suspicious activity.", "fgdsid": "DS0022", "name": "File" } ], "external_id": "FGT1195.003", "kill_chain": [ "fight:Initial-Access" ], "mitigations": [ { "fgmid": "M1016", "mitigates": "Vulnerability Scanning of software before it is brought into MNO environment as well as regular scans to detect abnormal behavior", "name": "Vulnerability Scanning" }, { "fgmid": "M1051", "mitigates": "Update Software regularly", "name": "Update Software" } ], "object-type": "technique", "platforms": "Infrastructure, 5G, CI/CD & OA&M Tools, VNFs", "procedureexamples": [ { "Description": "In virtual network functions, the provisioning, configuration, testing, and debugging processes involve software interfaces, often remote, with distinct security implications compared to traditional physical interfaces, emphasizing the need for mitigations and protections in situations where debug and test interfaces in NFV devices are enabled in the field.\n\nETSI NFV SEC001, “Network Functions Virtualization (NFV); NFV Security; Problem Statement”, Jan. 2014, section 6.9", "Name": "Back-Doors via Virtualized Test & Monitoring Functions" } ], "refs": [ "[1] ETSI NFV SEC001, “Network Functions Virtualization (NFV); NFV Security; Problem Statement”, Jan. 
2014, section 6.9 - https://www.etsi.org/deliver/etsi_gs/nfv-sec/001_099/001/01.01.01_60/gs_nfv-sec001v010101p.pdf", "[2] The Untold Story of the Boldest Supply-Chain Hack Ever - https://www.wired.com/story/the-untold-story-of-solarwinds-the-boldest-supply-chain-hack-ever/", "[3] Trusted Platform Module (TPM Summary - https://trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-Summary_04292008.pdf", "https://attack.mitre.org/techniques/T1195/003", "https://fight.mitre.org/data%20sources/DS0013", "https://fight.mitre.org/data%20sources/DS0022", "https://fight.mitre.org/mitigations/M1016", "https://fight.mitre.org/mitigations/M1051", "https://fight.mitre.org/techniques/FGT1195.003" ], "status": "This is an observed behavior in Enterprise networks, and is theoretical in context of 5G systems.", "subtechnique-of": "FGT1195", "typecode": "attack_subtechnique_addendum" }, "related": [ { "dest-uuid": "39131305-9282-45e4-ac3b-591d2d4fc3ef", "type": "related-to" }, { "dest-uuid": "182337e0-b8d6-55da-9e9b-141029f9eb9b", "type": "mitigated-by" }, { "dest-uuid": "f54f2c17-0cf6-536a-b52e-a886652815d6", "type": "mitigated-by" }, { "dest-uuid": "5cbb4ceb-09b7-569d-b397-30ce5f6b99cb", "type": "detected-by" }, { "dest-uuid": "6151c447-21b5-5530-8760-375ac25fb3e8", "type": "detected-by" }, { "dest-uuid": "6d098b34-48eb-5f31-88ac-0a1f8028541c", "type": "subtechnique-of" } ], "uuid": "c412d167-075e-5ecf-84f5-624c4b44b253", "value": "Compromise Hardware Supply Chain" }, { "description": "Adversaries may introduce computer accessories, networking hardware, or other computing devices into a system or network that can be used as a vector to gain access.\r\n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1200)", "meta": { "addendums": [ "#### Addendum Name: Unauthorized device on O-RAN fronthaul infrastructure\r\n##### Architecture Segments: RAN, O-RAN\r\n An adversary may attach a device to an O-RAN fronthaul 
infrastructure in order to disrupt its traffic.\r\n\r\nIn an O-RAN architecture, the baseband unit (BBU) is divided into two components: the distributed unit (DU) and the centralized unit (CU). The front haul interface plays a crucial role in connecting the DU and the Remote Radio Unit (RU or RRU) within the network, ensuring efficient communication. \r\n\r\nTo transport the CPRI (Common Public Radio Interface) traffic from the RU to the DU, an Ethernet-based bridged network is employed. This involves utilizing various Ethernet protocols such as IEEE 802.3 for general Ethernet connectivity, IEEE 802.1 for bridging and VLAN tagging, and IEEE 802.1CM for time-sensitive networking in industrial automation. The Ethernet-based fronthaul interface establishes a high-capacity and low-latency connection between the DU and the RU, facilitating the efficient transmission of digital baseband data, synchronization signals, control signals, and management information. Usually, RUs and Ethernet Switches are placed near the antenna units, which are unmanned facilities and can be physically breached due to detection and response time delays by personnel. \r\n\r\nUnauthorized devices on this infrastructure can pose significant risks to the O-RAN network. Such devices can be used towards a Denial-of-Service (DoS) attack by sending malicious or bogus messages, disrupting network operations. 
Additionally, they may attempt to eavesdrop on critical Control (C-Plane), User (U-Plane), Synchronization (S-Plane), or Management (M-Plane) traffic, compromising the confidentiality of the network.\r\n\r\n\r\n" ], "architecture-segment": "RAN, O-RAN", "bluf": "Adversaries may introduce computer accessories, networking hardware, or other computing devices into a system or network that can be used as a vector to gain access.", "criticalassets": [ { "Description": "RRU, DU, CU may be exposed to front haul design vulnerability or compromise.", "Name": "RAN network elements" }, { "Description": "Control plane and user plane data communication between DU and RRU as well as UE.", "Name": "CP/UP Data" } ], "detections": [ { "detects": "Monitor network traffic between hosts", "fgdsid": "DS0029", "name": "Network Traffic" }, { "detects": "Monitoring ability to detect new ports, devices on the network", "fgdsid": "DS0039", "name": "Asset" } ], "external_id": "FGT1200", "kill_chain": [ "fight:Impact" ], "mitigations": [ { "fgmid": "M1026", "mitigates": "Implement strong access control for all types of interfaces on originating switch and any intermediary devices on the fronthaul.", "name": "Privileged Account Management" }, { "fgmid": "M1030", "mitigates": "Implement network segmentation.", "name": "Network Segmentation" }, { "fgmid": "M1047", "mitigates": "Perform hardware and software installation audits of all O-RAN open fronthaul components.", "name": "Audit" } ], "object-type": "technique", "platforms": "O-RAN", "procedureexamples": [ { "Description": "Addition of unauthorized hardware in the O-RAN fronthaul infrastructure may leak data to the adversary as the fronthaul interfaces normally are not confidentiality and integrity protected. 
[ATT&CK T1200]", "Name": "Adding hardware to insecure open switch ports" }, { "Description": "A compromised access via remote login or physical access to communication, technician interface can yield to creating span ports and tunneling traffic to network sniffer.", "Name": "Privileged access to a router or switch" } ], "refs": [ "[1] O-RAN WG11 Threat Model 6.00 version, “ORAN Threat Model” - https://orandownloadsweb.azurewebsites.net/specifications", "[2] NTIA Open RAN Security Report May 2023 - https://ntia.gov/sites/default/files/publications/open_ran_security_report_full_report_0.pdf", "https://attack.mitre.org/techniques/T1200", "https://fight.mitre.org/data%20sources/DS0029", "https://fight.mitre.org/data%20sources/DS0039", "https://fight.mitre.org/mitigations/M1026", "https://fight.mitre.org/mitigations/M1030", "https://fight.mitre.org/mitigations/M1047", "https://fight.mitre.org/techniques/FGT1200" ], "status": "This is an observed behavior in Enterprise networks, and is theoretical in context of 5G systems.", "typecode": "attack_technique_addendum" }, "related": [ { "dest-uuid": "d40239b3-05ff-46d8-9bdd-b46d13463ef9", "type": "related-to" }, { "dest-uuid": "177506f3-cd8d-5035-b807-6528e3a75c5f", "type": "mitigated-by" }, { "dest-uuid": "9c376223-8d89-5179-8a56-51de20697bd2", "type": "mitigated-by" }, { "dest-uuid": "a30b7d01-b740-5538-b28d-d87befd5fd29", "type": "mitigated-by" }, { "dest-uuid": "becdcf31-3d2a-53bb-8251-51e9da4a0df6", "type": "detected-by" }, { "dest-uuid": "74329f64-d1b9-5cc2-95a6-f924acadba2b", "type": "detected-by" } ], "uuid": "69f88409-9eb0-522a-be97-8fd230c68ab5", "value": "Hardware Additions" }, { "description": "Adversaries may buy, steal, or download software tools that can be used during targeting.\r\n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1588/002)", "meta": { "addendums": [ "#### Addendum Name: Tools\r\n##### Architecture Segments: RAN, O-RAN\r\n An adversary may 
obtain tooling needed to target victim UEs for attack.\r\n\r\nAdversary needs to obtain tools (HW/SW) to carry out planned attacks against victim UEs. This may include buying stingrays or buying radio cards, laptops and integrating into a working base station. Adversary may need specific tools such as Sim Cloning, network traffic analyzer, certificates, or code needed to be executed on a compromised 5G Network Function to achieve its goals. \r\n\r\nIn some cases, an adversary may purchase from a third party specific software to do development and integration work to provide specific attack capabilities. \r\n\r\n\r\n\r\n\r\n" ], "architecture-segment": "RAN, O-RAN", "bluf": "Adversaries may buy, steal, or download software tools that can be used during targeting.", "criticalassets": [ { "Description": "Radio communication service between UE and base station.", "Name": "RAN Service" }, { "Description": "UE and subscriber identity as well as communication.", "Name": "UE identity, and communication" } ], "detections": [], "external_id": "FGT1588.002", "kill_chain": [ "fight:Resource-Development" ], "mitigations": [ { "fgmid": "M1056", "mitigates": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.", "name": "Pre-compromise" } ], "object-type": "technique", "platforms": "5G", "procedureexamples": [ { "Description": "There are many tools developed to test 5G systems; the same tools can be used for adversarial objectives on a system.", "Name": "Use of Open-source software & Testing tools" } ], "refs": [ "[1] Open Source tools - https://github.com/ravens/awesome-telco", "[2] Building a Cellphone IMSI Catcher (Stingray) - https://www.hackers-arise.com/post/software-defined-radio-part-6-building-a-imsi-catcher-stingray", "https://attack.mitre.org/techniques/T1588/002", "https://fight.mitre.org/mitigations/M1056", "https://fight.mitre.org/techniques/FGT1588.002" ], 
"status": "This is an observed behavior in Enterprise networks, and is theoretical in context of 5G systems.", "subtechnique-of": "FGT1588", "typecode": "attack_subtechnique_addendum" }, "related": [ { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "related-to" }, { "dest-uuid": "7d8b78b4-09f2-516d-b81e-1b3dc8336d08", "type": "mitigated-by" }, { "dest-uuid": "2e25feaa-6036-5833-ae25-2c5687ef3041", "type": "subtechnique-of" } ], "uuid": "27c6473f-503d-5380-8105-46b493ea9786", "value": "Tool" }, { "description": "An adversary may obtain radio network function needed to attack target victim UEs.\r\n\r\nAdversary provides an alternate radio access network (gNB or open-RAN gNB components such as Distributed Unit (DU) or Centralized Unit (CU)) to target victim UEs without victim (user or UE) discovering that they are not attached to a legitimate MNO network. This can be achieved by the adversary obtaining false base station network functionality and any connections to core network functions required to carry out their mission. 
Opensource radio and base station software combined with radio cards can be easily obtained to create a base station to launch attacks against network or UE.", "meta": { "architecture-segment": "RAN, O-RAN", "bluf": "An adversary may obtain radio network function needed to attack target victim UEs.", "criticalassets": [ { "Description": "Radio Communication service between UE and basestation.", "Name": "RAN Service" }, { "Description": "UE and Subscriber identity as well as communication, cellular devices and user data.", "Name": "UE identity, and communication" } ], "detections": [], "external_id": "FGT1588.501", "kill_chain": [ "fight:Resource-Development" ], "mitigations": [ { "fgmid": "M1056", "mitigates": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.", "name": "Pre-compromise" } ], "object-type": "technique", "platforms": "5G", "procedureexamples": [ { "Description": "Many software defined source code are available that can be used to build a base station with radio transceiver hardware on Linux and or windows PC. 
There are also opensource 5G core software available on opensource project websites.", "Name": "Use of opensource SW" }, { "Description": "With the proliferation of private 5G deployments, almost anyone can now purchase software for the RAN components such as gNB, DU, CU.", "Name": "Purchase of Commercial equipment" } ], "refs": [ "[1] Open Source RAN project - https://www.srslte.com", "[2] Over The Air Baseband Exploit: Gaining Remote Code Execution on 5G Smartphones - https://keenlab.tencent.com/zh/whitepapers/us-21-Over-The-Air-Baseband-Exploit-Gaining-Remote-Code-Execution-on-5G-Smartphones-wp.pdf", "[3] Open5GS - https://open5gs.org", "[4] Over The Air Baseband Exploit: Gaining Remote Code Execution on 5G Smartphones - https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Over-The-Air-Baseband-Exploit-Gaining-Remote-Code-Execution-On-5G-Smartphones.pdf", "[5] Open Source tools - https://github.com/ravens/awesome-telco", "[6] Building a Cellphone IMSI Catcher (Stingray - https://www.hackers-arise.com/post/software-defined-radio-part-6-building-a-imsi-catcher-stingray", "[7] 5G NR equipment suppliers - https://www.rfwireless-world.com/Vendors/5G-NR-Network-Equipment-Manufacturers.html", "https://fight.mitre.org/mitigations/M1056", "https://fight.mitre.org/techniques/FGT1588.501" ], "status": "This is a theoretical behavior", "subtechnique-of": "FGT1588", "typecode": "fight_subtechnique_to_attack_technique" }, "related": [ { "dest-uuid": "7d8b78b4-09f2-516d-b81e-1b3dc8336d08", "type": "mitigated-by" }, { "dest-uuid": "2e25feaa-6036-5833-ae25-2c5687ef3041", "type": "subtechnique-of" } ], "uuid": "2c489bc7-ef36-5b43-b353-79c11b82f42a", "value": "Radio Network Functions" }, { "description": "Adversary controlled fake base station transmits crafted broadcast messages to prevent legitimate UEs to connect to network.\r\n\r\nLTE sub-frames are sent by adversary from a false base station which mimics legitimate eNB. 
It sends fake System Information Block Type 1 (SIB1) messages which are aligned in time-frequency domain with the messages sent by the legitimate eNB, but with stronger transmit power. The adversary does not send synchronization signals (PSS, SSS) for this attack which makes it harder to detect. This is known as sigover attack. [1]\r\n\r\nAdversary may transmit crafted broadcast messages by manipulating cell barring in Master Information Block (MIB) and access barring feature in SIB1 broadcast messages, UE will stop camping on to legitimate network for 300 seconds and it gets a DoS attack. The same attacks are possible in 5G network as MIB and SIB1 messages in 5G are similar to 4G and those are not integrity protected in 5G.", "meta": { "architecture-segment": "RAN", "bluf": "Adversary controlled fake base station transmits crafted broadcast messages to prevent legitimate UEs to connect to network.", "criticalassets": [ { "Description": "Legitimate UEs do not get network access in the area where false base station is deployed.", "Name": "5G network access" } ], "detections": [ { "detects": "UE measurements of received power levels from all base stations nearby, and their identifiers. Clause 6.24 of [3].", "fgdsid": "FGDS5002", "name": "UE signal measurements" } ], "external_id": "FGT1642.501", "kill_chain": [ "fight:Impact" ], "mitigations": [ { "fgmid": "FGM5024", "mitigates": "Use integrity protection for all broadcast messages sent by gNB. 
This will have performance impact on the network and UE due to additional processing of integrity protection algorithm.", "name": "Integrity protection of data communication" } ], "object-type": "technique", "platforms": "5G", "postconditions": [ { "Description": "No UE in the area where false base station is present can get connection to the network.", "Name": "Network access denied" } ], "preconditions": [ { "Description": "Adversary gets hold of a false base station which is capable of broadcasting fraudulent messages.", "Name": "Obtain a false base station to send fake broadcast messages" }, { "Description": "False base station must be deployed in the area where target UEs are located.", "Name": "Adversary must be in the same vicinity of target UEs" } ], "procedureexamples": [ { "Description": "Adversary broadcasts fake MIB and SIB1 messages with cell barring and access barring features turned on. cellbarred field in the MIB can be set to “barred”, cellReservedForOperatorUse and cellReservedforOtherUse fields can be set to “true” in the SIB1. All UEs in the area which are camped on to the false base station will not connect to legitimate base stations for 300 seconds. [1, 4], clauses 6.2.2 & 6.3.2 of [2].\n\nThe same attack is possible in 5G as MIB and SIB1 messages are sent without integrity protection and the format of the messages are similar to 4G.\n\nNote: This attack is not persistent as the UE’s will try to connect the legitimate network after about 300 seconds.", "Name": "Send cell barring and access barring information to target UEs" } ], "refs": [ "[1] ACM article, : “Improving 4G/5G air interface security: A survey of existing attacks on different LTE layers”. - https://dl.acm.org/doi/abs/10.1016/j.comnet.2021.108532", "[2] 3GPP TS 38.331: “Radio Resource Control (RRC ; Protocol specification” Release 16. 
- https://www.3gpp.org/DynaReport/38331.htm", "[3] 3GPP TR 33.809: - https://www.3gpp.org/DynaReport/33809.htm", "[4] Ericsson paper, Jingya Li et al: “An Overview of 5G System Accessibility Differentiation and Control”. - https://arxiv.org/ftp/arxiv/papers/2012/2012.05520.pdf", "https://fight.mitre.org/data%20sources/FGDS5002", "https://fight.mitre.org/mitigations/FGM5024", "https://fight.mitre.org/techniques/FGT1642.501" ], "status": "This is a theoretical behavior", "subtechnique-of": "FGT1642", "typecode": "fight_subtechnique_to_attack_technique" }, "related": [ { "dest-uuid": "cccb021c-dd96-5d72-904f-c55ad24598de", "type": "mitigated-by" }, { "dest-uuid": "fa9ee8fb-7f25-554c-9682-0e50e774812d", "type": "detected-by" }, { "dest-uuid": "58e62481-da83-5ee9-9286-69822d1c153e", "type": "subtechnique-of" } ], "uuid": "8d6964fb-fab4-525a-93ce-f5a1d436d8eb", "value": "Transmit Spoofed Broadcast Message" }, { "description": "An adversary may move targeted data and remain undetected during the exfiltration process by using DNS requests. \r\n\r\nAn adversary may be able to move data by simply encoding data as a hostname query and by placing the data in the names section of a DNS lookup. The receiving DNS server, controlled by the adversary, logs the query and decodes the data, reassembles in the planned sequence from the named field. The reply to the query may or may not sent. If the query is sent, it may be ignored by the compromised host.\r\n\r\nThe data may be of the following categories:\r\nC2 data – This involves remote command and control information like system change, routing information change, etc.\r\nUser/System data – This involves information such as identifiers, files, credentials, etc.", "meta": { "access-required": "user", "architecture-segment": "User Plane, Control Plane", "bluf": "An adversary may move targeted data and remain undetected during the exfiltration process by using DNS requests. 
", "criticalassets": [ { "Description": "Whoever controls the DNS servers controls how and what end users connect to over the network, making DNS servers a type of critical infrastructure.", "Name": "DNS Servers" } ], "detections": [ { "detects": "Monitor executed commands and arguments that may steal data by exfiltrating it over an existing command and control channel.", "fgdsid": "DS0017", "name": "Command" }, { "detects": "Data transmitted across a network (ex: Web, DNS, Mail, File, etc.), that is either summarized (ex: Netflow) and/or captured as raw data in an analyzable format (ex: PCAP).", "fgdsid": "DS0029", "name": "Network Traffic" } ], "external_id": "FGT1048.501", "kill_chain": [ "fight:Command-and-Control", "fight:Exfiltration" ], "mitigations": [ { "fgmid": "FGM5024", "mitigates": "Use strong data integrity protection algorithms within 5G network such as airlink, backhaul and core network.", "name": "Integrity protection of data communication" }, { "fgmid": "M1031", "mitigates": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool and will likely be different across various malware families and versions. Adversaries will likely change tool command and control signatures over time or construct protocols in such a way to avoid detection by common defensive tools. 
\nScan all external traffic header fields to detect any suspicious protocol or port number use.", "name": "Network Intrusion Prevention" } ], "object-type": "technique", "platforms": "5G", "postconditions": [ { "Description": "Attacker can route command and control traffic through DNS to control botnets or other entities.", "Name": "Command and Control Network" }, { "Description": "Attacker has a route to exfiltrate stolen data disguised as DNS packets.", "Name": "Exfiltration Route" }, { "Description": "This involves information such as identifiers, files, user credentials, etc.", "Name": "User/System data" } ], "preconditions": [ { "Description": "There must not be an endpoint detection and response capability to validate whether host/network function/UE is communicating with a malicious DNS server or a valid one.", "Name": "Unauthenticated DNS Services" } ], "procedureexamples": [ { "Description": "Operators do not strictly enforce flow monitoring for free DNS service via the standard five-tuple flow ID (src IP, dest IP, src port, dest port, protocol). Instead, they use only the destination port (or plus protocol ID), thus exposing a vulnerability.\nAdversary may setup fake DNS server to receive exfiltered data.\nAdversarial activity could be a person who has remote access or a worm collecting and transmitting protected information. [2]", "Name": "Free DNS loophole" } ], "refs": [ "[1] “Bhadhra Framework”: S.P. Rao, S. Holtmanns, T. Aura, “Threat modeling framework for mobile communication systems” - https://arxiv.org/pdf/2005.05110.pdf", "[2] Peng, C., Li, C., Tu, G., Lu, S., & Zhang, L. (2012 . Mobile data charging: new attacks and countermeasures. Proceedings of the 2012 ACM conference on Computer and communications security. - https://dl.acm.org/doi/pdf/10.1145/2382196.2382220", "[3] Merve Sahin, Aurelien Francillon, Payas Gupta, and Mustaque Ahamad. 2017. \n“Sok: Fraud in telephony networks”. 
In 2017 IEEE European Symposium on Security\nand Privacy (EuroS&P . IEEE, p235–250 - https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7961983&tag=1", "[4] Kui Xu, Patrick Butler, Sudip Saha, Danfeng (Daphni Yao in DNS CC Journal, “DNS for Massive-Scale Command and Control” - https://people.cs.vt.edu/~danfeng/papers/DNS-CC-JOURNAL.pdf", "https://fight.mitre.org/data%20sources/DS0017", "https://fight.mitre.org/data%20sources/DS0029", "https://fight.mitre.org/mitigations/FGM5024", "https://fight.mitre.org/mitigations/M1031", "https://fight.mitre.org/techniques/FGT1048.501" ], "status": "This is a theoretical behavior in context of 5G systems.", "subtechnique-of": "FGT1048", "typecode": "fight_subtechnique_to_attack_technique" }, "related": [ { "dest-uuid": "cccb021c-dd96-5d72-904f-c55ad24598de", "type": "mitigated-by" }, { "dest-uuid": "519ee587-bcda-5021-997d-9fc257c4720a", "type": "mitigated-by" }, { "dest-uuid": "b4de23d7-4248-56f9-9468-6d1217a5f7ff", "type": "detected-by" }, { "dest-uuid": "becdcf31-3d2a-53bb-8251-51e9da4a0df6", "type": "detected-by" }, { "dest-uuid": "c6b2b946-0822-5890-9092-c08dcc7f3487", "type": "subtechnique-of" } ], "uuid": "4041250a-4a28-5877-9817-e4846ec78c5e", "value": "Covert Exfiltration of Data Via DNS Request" }, { "description": "Adversaries may breach or otherwise leverage organizations who have access to intended victims.\r\n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1199)", "meta": { "architecture-segment": "5G", "bluf": "Adversaries may breach or otherwise leverage organizations who have access to intended victims.", "detections": [], "external_id": "FGT1199", "kill_chain": [ "fight:Initial-Access", "fight:Impact" ], "mitigations": [], "object-type": "technique", "platforms": "5G", "refs": [ "https://attack.mitre.org/techniques/T1199", "https://fight.mitre.org/techniques/FGT1199" ], "status": "This is an observed behavior in Enterprise networks.", "typecode": 
"attack_technique_with_fight_subs" }, "related": [ { "dest-uuid": "9fa07bef-9c81-421e-a8e5-ad4366c5a925", "type": "related-to" } ], "uuid": "f1d89d8c-28cb-5e96-a689-bbff038fe2ee", "value": "Trusted Relationship" }, { "description": "Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.\r\n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1562)", "meta": { "architecture-segment": "5G", "bluf": "Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.", "detections": [], "external_id": "FGT1562", "kill_chain": [ "fight:Defense-Evasion" ], "mitigations": [], "object-type": "technique", "platforms": "5G", "refs": [ "https://attack.mitre.org/techniques/T1562", "https://fight.mitre.org/techniques/FGT1562" ], "status": "This is an observed behavior in Enterprise networks.", "typecode": "attack_technique_with_fight_subs" }, "related": [ { "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", "type": "related-to" } ], "uuid": "f504e92d-9f52-56b8-8fe1-aad7285cd440", "value": "Impair Defenses" }, { "description": "Adversaries may gather information about the victim's hosts that can be used during targeting.\r\n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1592)", "meta": { "architecture-segment": "5G", "bluf": "Adversaries may gather information about the victim's hosts that can be used during targeting.", "detections": [], "external_id": "FGT1592", "kill_chain": [ "fight:Reconnaissance" ], "mitigations": [], "object-type": "technique", "platforms": "5G", "refs": [ "https://attack.mitre.org/techniques/T1592", "https://fight.mitre.org/techniques/FGT1592" ], "status": "This is an observed behavior in Enterprise networks.", "typecode": "attack_technique_with_fight_subs" }, "related": [ { "dest-uuid": 
"09312b1a-c3c6-4b45-9844-3ccc78e5d82f", "type": "related-to" } ], "uuid": "d4895d7d-51ee-5222-b969-133109f5c6ed", "value": "Gather Victim Host Information" }, { "description": "Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.\r\n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1078)", "meta": { "architecture-segment": "5G", "bluf": "Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.", "detections": [], "external_id": "FGT1078", "kill_chain": [ "fight:Persistence", "fight:Defense-Evasion", "fight:Privilege-Escalation", "fight:Initial-Access" ], "mitigations": [], "object-type": "technique", "platforms": "5G", "refs": [ "https://attack.mitre.org/techniques/T1078", "https://fight.mitre.org/techniques/FGT1078" ], "status": "This is an observed behavior in Enterprise networks.", "typecode": "attack_technique_with_subs_with_addendums" }, "related": [ { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "type": "related-to" } ], "uuid": "885cc34d-43de-5539-82f0-8b7d98b8e4a1", "value": "Valid Accounts" }, { "description": "Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system.\r\n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1542)", "meta": { "architecture-segment": "5G", "bluf": "Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system.", "detections": [], "external_id": "FGT1542", "kill_chain": [ "fight:Persistence", "fight:Defense-Evasion" ], "mitigations": [], "object-type": "technique", "platforms": "5G", "refs": [ "https://attack.mitre.org/techniques/T1542", "https://fight.mitre.org/techniques/FGT1542" ], "status": "This is an observed behavior in Enterprise 
networks.", "typecode": "attack_technique_with_fight_subs" }, "related": [ { "dest-uuid": "7f0ca133-88c4-40c6-a62f-b3083a7fbc2e", "type": "related-to" } ], "uuid": "5efe3c21-5ced-5489-a076-3b2f0515164f", "value": "Pre-OS Boot" }, { "description": "Adversaries may compromise a network device’s encryption capability in order to bypass encryption that would otherwise protect data communications.\r\n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1600)", "meta": { "architecture-segment": "5G", "bluf": "Adversaries may compromise a network device’s encryption capability in order to bypass encryption that would otherwise protect data communications.", "detections": [], "external_id": "FGT1600", "kill_chain": [ "fight:Defense-Evasion" ], "mitigations": [], "object-type": "technique", "platforms": "5G", "refs": [ "https://attack.mitre.org/techniques/T1600", "https://fight.mitre.org/techniques/FGT1600" ], "status": "This is an observed behavior in Enterprise networks.", "typecode": "attack_technique_with_fight_subs" }, "related": [ { "dest-uuid": "1f9012ef-1e10-4e48-915e-e03563435fe8", "type": "related-to" } ], "uuid": "bb3c722d-a179-5bb9-bb66-0298fa30876d", "value": "Weaken Encryption" }, { "description": "Adversaries may abuse a container administration service to execute commands within a container.\r\n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1609)", "meta": { "architecture-segment": "5G", "bluf": "Adversaries may abuse a container administration service to execute commands within a container.", "detections": [], "external_id": "FGT1609", "kill_chain": [ "fight:Credential-Access", "fight:Discovery" ], "mitigations": [], "object-type": "technique", "platforms": "5G", "refs": [ "https://attack.mitre.org/techniques/T1609", "https://fight.mitre.org/techniques/FGT1609" ], "status": "This is an observed behavior in Enterprise networks.", "typecode": 
"attack_technique_with_fight_subs" }, "related": [ { "dest-uuid": "7b50a1d3-4ca7-45d1-989d-a6503f04bfe1", "type": "related-to" } ], "uuid": "2e0867ae-af8b-5750-bccd-b2c00d4586d6", "value": "Container Administration Command" }, { "description": "Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.\r\n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1020)", "meta": { "architecture-segment": "5G", "bluf": "Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.", "detections": [], "external_id": "FGT1020", "kill_chain": [ "fight:Discovery", "fight:Exfiltration" ], "mitigations": [], "object-type": "technique", "platforms": "5G", "refs": [ "https://attack.mitre.org/techniques/T1020", "https://fight.mitre.org/techniques/FGT1020" ], "status": "This is an observed behavior in Enterprise networks.", "typecode": "attack_technique_with_subs_with_addendums" }, "related": [ { "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", "type": "related-to" } ], "uuid": "734aef71-1f6a-508c-94ed-8583c7d6b685", "value": "Automated Exfiltration" }, { "description": "Adversaries may search for common password storage locations to obtain user credentials.\r\n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1555)", "meta": { "architecture-segment": "5G", "bluf": "Adversaries may search for common password storage locations to obtain user credentials.", "detections": [], "external_id": "FGT1555", "kill_chain": [ "fight:Credential-Access" ], "mitigations": [], "object-type": "technique", "platforms": "5G", "refs": [ "https://attack.mitre.org/techniques/T1555", "https://fight.mitre.org/techniques/FGT1555" ], "status": "This is an observed behavior in Enterprise networks.", "typecode": 
"attack_technique_with_fight_subs" }, "related": [ { "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", "type": "related-to" } ], "uuid": "e60d9edc-1991-55e6-bd53-fad92e88de9e", "value": "Credentials from Password Stores" }, { "description": "Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users.\r\n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1498)", "meta": { "architecture-segment": "5G", "bluf": "Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users.", "detections": [], "external_id": "FGT1498", "kill_chain": [ "fight:Impact" ], "mitigations": [], "object-type": "technique", "platforms": "5G", "refs": [ "https://attack.mitre.org/techniques/T1498", "https://fight.mitre.org/techniques/FGT1498" ], "status": "This is an observed behavior in Enterprise networks.", "typecode": "attack_technique_with_fight_subs" }, "related": [ { "dest-uuid": "d74c4a7e-ffbf-432f-9365-7ebf1f787cab", "type": "related-to" } ], "uuid": "8583ca5f-ce71-5341-abda-f2b110994b7a", "value": "Network Denial of Service" }, { "description": "Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040), [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002), or replay attacks ([Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212)).\r\n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1557)", "meta": { "architecture-segment": "5G", "bluf": "Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as 
[Network Sniffing](https://attack.mitre.org/techniques/T1040), [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002), or replay attacks ([Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212)).", "detections": [], "external_id": "FGT1557", "kill_chain": [ "fight:Collection", "fight:Credential-Access" ], "mitigations": [], "object-type": "technique", "platforms": "5G", "refs": [ "https://attack.mitre.org/techniques/T1040", "https://fight.mitre.org/techniques/FGT1557" ], "status": "This is an observed behavior in Enterprise networks.", "typecode": "attack_technique_with_fight_subs" }, "related": [ { "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", "type": "related-to" } ], "uuid": "5ecccab0-9d6d-504c-92c4-408091a3c114", "value": "Adversary-in-the-Middle" }, { "description": "Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data.\r\n[To read more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1565)", "meta": { "architecture-segment": "5G", "bluf": "Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data.", "detections": [], "external_id": "FGT1565", "kill_chain": [ "fight:Impact", "fight:Collection" ], "mitigations": [], "object-type": "technique", "platforms": "5G", "refs": [ "https://attack.mitre.org/techniques/T1565", "https://fight.mitre.org/techniques/FGT1565" ], "status": "This is an observed behavior in Enterprise networks.", "typecode": "attack_technique_with_subs_with_addendums" }, "related": [ { "dest-uuid": "ac9e6b22-11bf-45d7-9181-c1cb08360931", "type": "related-to" } ], "uuid": "0fb994bc-3a42-5ce9-8605-ce5d4454034e", "value": "Data Manipulation" }, { "description": "Adversaries may exploit software vulnerabilities in client applications to execute code.\r\n[To read 
more, please see the MITRE ATT&CK page for this technique](https://attack.mitre.org/techniques/T1203)", "meta": { "architecture-segment": "5G", "bluf": "Adversaries may exploit software vulnerabilities in client applications to execute code.", "detections": [], "external_id": "FGT1203", "kill_chain": [ "fight:Execution" ], "mitigations": [], "object-type": "technique", "platforms": "5G", "refs": [ "https://attack.mitre.org/techniques/T1203", "https://fight.mitre.org/techniques/FGT1203" ], "status": "This is an observed behavior in Enterprise networks.", "typecode": "attack_technique_with_fight_subs" }, "related": [ { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "type": "related-to" } ], "uuid": "5e3ef71b-8af6-575f-88dc-b6823fabf786", "value": "Exploitation for Client Execution" } ], "version": 1 }