One night I was browsing one of the darkweb forums when I came across this image. An actor was selling his SS7 vulnerability for $5,000.
In this blog post, we will technically analyze step-by-step how a cyber actor found the SS7 (Signaling System No.7) vulnerabilities, how they presented them and how they tried to sell them.
• First of all, I would like to give some brief information about SS7.
📡 What is SS7?
SS7 is a global signaling protocol used to establish calls, send messages and share roaming information between telephone networks. But weaknesses in the SS7 infrastructure have been the target of attackers for years.
Example attack vectors:
• SMS and call forwarding
• Location monitoring
• Authentication circumvention
I'll tell you how I analyzed it, through my meeting with the threat actor and the dialogues that took place between us while I posed as a buyer.

In the first stage, since he had left a Tox address as his contact, I created a new Tox account and named it after a famous ransomware group.

First of all, we don't forget to adopt a friendly and unregulated hacker attitude xd
Then I immediately asked him if he was selling the SS7 vulnerability, and he confirmed it. Since I couldn't ask him directly about the vulnerability, I first waited for him to tell me how I could know whether it was a scam or not.
And his response was one that had to show respect to the customer: “Well... I can provide you some proofs”
Since he didn't know whether I was a serious buyer, he wanted to use escrow to avoid wasting time: “And actually it is mandatory to use escrow, so we both make sure that we will neither lose time nor money 😁”
Then I said I would use the escrow system, but first I asked if there was any evidence he could show me.

And he said yes, he would send me proof from a device he had used a few days ago.



And he sent these images, and then he said “btw, you still need to turn this into a working RCE (Remote Code Execution exploit).”
He said that this was the only catch, but that he could pull the whole database of the web application and also get the credentials for the Asterisk PBX.
He noted that the device was quite old, so he could get a working shell without any problems.

And this is how he showed me the data he leaked.

Since he had sent an image of a website analyzed with Wappalyzer, I asked him whether the target was a web application, to get more detailed information.
And yes, he said that the device runs a web server, and that's where he discovered the vulnerability.
He added that the device has other services related to SS7 activity, that he had used a tool to intercept some SS7 traffic, and told me to wait a minute and he would show me.
And in order not to waste time, he wanted to check whether I really had the money, so he asked for a photo proving I had 5 thousand dollars. Blaming the slowness of Tox, I prepared an image in 2 minutes.

Then he sent me these images and he said, “Here is the Nmap scan for the device, you can see that the SIP service port 5060 is open.”

In the second image he said he had used ngrep to show the network traffic: there is not much traffic but the target is active, so you can verify our SS7 operation from there, he said.
And that's it. Now let's move on to the fun part, which is to analyze and summarize what the actor is trying to say.
🛰️🌐 Analysis and Summary

၊၊||၊၊၊| TARGET RESEARCH
The actor first finds devices with open SIP (Session Initiation Protocol) ports using Shodan, Fofa or similar scan engines. These are usually on port 5060.
Tools used:
• Shodan (open device search)
• nmap (port scan)
• sngrep (SIP traffic monitoring)
၊၊||၊၊၊| DEVICE SCAN
The actor uses nmap to determine which ports of the target system are open and which services are running.
nmap -sV target-ip
With this command, he checks whether services such as SIP, Apache and SSH are exposed.
၊၊||၊၊၊| VULNERABILITY DISCOVERY
Web applications on the target system (e.g. PHP-based applications running on Apache) are scanned.
The software versions in use are identified with browser plug-ins such as Wappalyzer.
Known vulnerabilities (CVEs) or unknown ones, so-called 0days, are then searched for.
Here we saw Apache and PHP running on CentOS on the screens shown by the actor.
၊၊||၊၊၊| WHAT KIND OF A THREAT
The actor states that he does not provide full RCE (remote code execution), meaning that a non-technical buyer cannot use it on their own.
An advanced ransomware team, hacker group or APT group would develop a working exploit from the vulnerabilities and data provided.
They then attack by connecting to the SS7 protocol without authorization.
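From a defender's side, the useful question about the DEVICE SCAN step above is what the nmap result actually shows: SIP on 5060 is VoIP signalling, not SS7. The script below is an added example (not the actor's or the author's code) that parses nmap's greppable (-oG) output and triages it; the scan text is a constructed sample modelled on the screenshots, and the SIGTRAN ports (M3UA 2905, SUA 14001 over SCTP) are the IANA-registered ones, added here as background.

```python
import re
from collections import namedtuple
# Constructed sample of `nmap -sV -oG -` output (not real scan data), modelled on the services in the actor's screenshots.
SAMPLE_GREPPABLE = (
    "Host: 203.0.113.10 ()\tStatus: Up\n"
    "Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4 (protocol 2.0)/, "
    "80/open/tcp//http//Apache httpd 2.4.6 ((CentOS) PHP\\/5.4.16)/, "
    "5060/open/udp//sip//Asterisk PBX/\tIgnored State: closed (997)\n"
)

# SIP is VoIP signalling over IP. SS7 over IP (SIGTRAN) uses SCTP adaptation layers: M3UA on 2905, SUA on 14001.
SIP_PORTS = {5060, 5061}
SIGTRAN_PORTS = {2905: "M3UA", 14001: "SUA"}
WEB_PORTS = {80, 443, 8080, 8443}

# One -oG port entry: port/state/proto/owner/service/rpc/version/  ("/" inside version is escaped as "\/").
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/[^/]*/((?:\\.|[^/])*)/")
OpenPort = namedtuple("OpenPort", "port proto service version")

def parse_greppable(text):
    """Return the open ports listed in nmap greppable (-oG) output."""
    ports = []
    for field in (f for line in text.splitlines() for f in line.split("\t")):
        if field.startswith("Ports: "):
            for port, state, proto, service, version in PORT_RE.findall(field):
                if state == "open":
                    ports.append(OpenPort(int(port), proto, service, version.replace("\\/", "/")))
    return ports

def classify(ports):
    """Bucket open ports: VoIP signalling (SIP), SS7 signalling (SIGTRAN), or admin surface (web/SSH)."""
    buckets = {"sip": [], "sigtran": [], "admin": []}
    for p in ports:
        if p.port in SIP_PORTS or p.service == "sip":
            buckets["sip"].append(p)
        elif p.proto == "sctp" and p.port in SIGTRAN_PORTS:
            buckets["sigtran"].append(p)
        elif p.port in WEB_PORTS or p.service in ("http", "https", "ssh"):
            buckets["admin"].append(p)
    return buckets

def verdict(buckets):
    """Plain-language triage: what is exposed, and is any of it actually SS7?"""
    if buckets["sigtran"]:
        return "SS7-over-IP (SIGTRAN) exposed: " + ", ".join(f"{p.port}/sctp" for p in buckets["sigtran"])
    if buckets["sip"]:
        admin = " plus admin services" if buckets["admin"] else ""
        return f"SIP/VoIP PBX exposed{admin}; no SS7 signalling observed"
    return "no signalling services exposed"

if __name__ == "__main__":
    print(verdict(classify(parse_greppable(SAMPLE_GREPPABLE))))
```

On the constructed sample this reports a SIP PBX with a web and SSH management surface and no SS7 signalling, which is the gap between what the seller called an "SS7 vulnerability" and what the scan shows.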
🤔💭 The End
And that's it. SS7 was a fun topic to write about, and I found it strange that the actor described the use of the SS7 vulnerability so simply. What are your views? If you want to discuss, contact me on my social media. Thanks for reading.

