The rise of the mobile botnet in the 5G era
Real Conversations podcast | S5 E15 | August 10, 2023
Kevin McNamee heads up Nokia's Threat Intelligence Lab. This lab analyzes hundreds of thousands of malware samples each day to create the detection rules that power Nokia’s network-based end-to-end security solutions.
Kevin McNamee, founder of Nokia’s Threat Intelligence Lab, discusses the rise of the mobile botnet and why 5G is fundamentally more secure.
Below is a transcript of this podcast. Some parts have been edited for clarity.
Michael Hainsworth: Kevin McNamee is the founder of Nokia’s Threat Intelligence Lab. And in the 2023 report, he focuses on distributed denial of service attacks from botnets, how consumer malware like banking trojans and adware are spreading like wildfire, and the role the mobile network under 5G has in expanding that threat surface – and exponentially increasing security over 4G. McNamee has seen these threats evolve over the last decade.
Kevin McNamee: For most of those 10 years, the data has come from our NetGuard Endpoint Security product. That's a malware detection system that we deploy in carrier networks, and we receive aggregated feedback from those deployments that enables us to determine the malware state in consumer endpoint devices. This year, however, we've added some additional sources of information. We've included information from our Deepfield Defender DDoS product. We've also included information from our threat intelligence people and our security operations center, which basically gets data from our CSPs; it's a synopsis of customer data from around the world, certainly anonymized and aggregated from those customers.
MH: And what would you say the key findings are from this year's threat intelligence report?
KM: About 60% of the actual malware activity that we observe in the network is due to IoT botnets, and IoT botnets can be used for several things, but most of this activity is the botnets building themselves. These things can automatically expand themselves to literally millions of devices. We've also learned from our CSP customers, from a survey we did, that they’re getting very concerned these days about breaches, and that’s something that they’re worried about. On the malware side, ad click bots, banking Trojans and crypto miners are sort of the main malware we’re seeing out there in the field. And then finally, I think in terms of DDoS attacks, most DDoS attacks are leveraging IoT botnets, and those botnets are of quite large scale. And so the people that are operating these DDoS attacks are certainly in the business of building and creating botnets and then using them against their adversaries.
MH: Everybody has some responsibility to secure an IoT device, the vendor who created it, the enterprise that deployed it, the network provider whose infrastructure on which it lives. How do we establish who's responsible for what?
KM: Well, I think the responsibility goes across the board. For the people who are building and manufacturing these devices, it's very important that they build them securely from the get-go. That means that they should make sure that the operating systems and software that they're using to put them together have been updated, don't have any vulnerabilities, and most importantly can be updated in place on-site, because for any of these software systems that are used to build these devices, new vulnerabilities are discovered over time. And you have to be able to update that software in place. If the software is not updated to solve these security vulnerabilities, what it means is these devices, if they're visible to the internet, can be compromised very quickly and become part of a botnet.
The people who are deploying the devices also bear some responsibility. As I mentioned before, first of all, if the manufacturer is providing updates, it's very important that they apply them. If the manufacturer's going to all that trouble, you might as well make sure the devices are secure.
The second thing is from our findings, these devices tend to be compromised when they're visible to the internet. That's what these botnets do. They're going around and looking through the network looking for vulnerable devices. If you can make the devices a little bit less visible, then it really helps a lot. And this can be done by putting them behind firewalls, by using network address translation, and other things like that. So, between the manufacturers and the operators, there’s a lot of shared responsibility.
MH: And I imagine the network operator who's hosting all of these devices, they have a responsibility as well once the manufacturer has closed the loophole on a bug or a glitch and someone else has managed to update it to ensure that it's functional. If in fact those two things haven't been done, you sort of have this third layer of protection.
KM: Yes, that's a very good point. I mentioned device visibility as being one of the things that can make it more vulnerable. The network operators certainly are able to provide that protection. They can put these devices, as I said, behind firewalls, and they can use network address translation. There's no point having a device visible on the internet if it doesn't have to be. And the network operators can certainly play a role in that.
MH: How is the network operator itself providing security under 5G?
KM: 5G is fairly new and it does provide a lot more security than the previous generations of mobile networks, particularly in the mobile core. In the mobile core in 5G, all the control plane traffic is protected through encryption, mutual authentication and data integrity. This is something that wasn't available in the previous generations. The core itself is much more secure. Also, the connection between service providers: service providers have to communicate to provide roaming services, and this, again, has also got additional security with 5G.
The big thing that we have to be concerned about with 5G, however, is the fact that the attack surface has been opened up somewhat. And this is not due to the network architecture or anything like that. It's simply due to the fact that with 5G, you've got a lot more bandwidth. There's a lot more bandwidth to use in, for example, DDoS attacks. You're moving some of the services out to the edge of the network, and that means you're putting sort of multi-vendor applications out there in the radio access network, and these applications are usually used to being secured in data centers behind firewalls. The security operations people and the service providers have to learn how they can secure these out in the field. And I think the final thing is with 5G, the number of IoT type of devices, the number of these small devices that might not be as secure as you'd want them to be, is going to be on the network. So those are the three things I think the service providers have to look out for when they're securing their 5G networks.
MH: One 5G feature that we really didn't leverage in the past is network slicing.
KM: Yes, that's a great point. Network slicing basically allows the service provider to segment their network into different logical networks that are used for different applications. And it means you can put those applications that require more security in a specific network slice where you can apply additional security measures. An example would be, a bank might want to connect their ATM machines through a specific secured slice, and that would mean that the security operations people can pay much more attention to ensuring that's secure. I mean, first of all, the major thing is that it means other people can't access that network traffic, and that in itself is a large security feature. So slicing is definitely one of the advantages of 5G.
MH: You mentioned a bank might use 5G, a factory floor might use 5G slicing as well, all sorts of different campus-oriented uses for network slicing within that 5G world. But let's come back to the banking example you gave because you had mentioned earlier that one of the findings that you had in this particular report was that banking Trojans have almost doubled in the last year. I suppose we need to step back and talk about what a banking Trojan is. I know what a Trojan is, but I guess this is hackers going after my financial information specifically.
KM: That’s exactly what it is. This comes as malware that you would install either on your laptop or even your mobile phone.
MH: So, like a game you want to play, or an app for graphic design or something?
KM: Yes, exactly. You go out to an app store, download this “free game”, and you install it on your phone, and it's got malware embedded in it. And what the malware does is it sits, it lurks in the background waiting for you to do some electronic banking. When you do that, there are several different flavors of it, but one of the main ones is when you connect to your bank's website, it will jump in as a man in the middle, and it will monitor the communication between you and the bank's website. And what it will do with that is it will basically enable it to get your user ID, your password, that one-time security code that the bank might send you. All of that becomes available to it because it's actually sitting between you and the bank. It then takes that information, it sends it off in real time to the person that's operating the banking Trojan, the cybercriminal, and then they can use that information to go in and drain your bank account very quickly. So that's what the banking Trojan is.
Now, because it wants to understand the communication between you and your bank, oftentimes this malware is specific to a specific bank in a specific area. So, there's a whole variety of different types of malware focused on different banks in different national languages, etc. It's quite widespread. We've noticed the trend; it has been increasing over the past three or four years, and it's also moved from the laptop to the mobile phone as its main platform for operating. And the reason is it goes to the place that you're doing your banking from, and it can be quite dangerous because you can lose money very quickly.
MH: Like everything else, the hackers are going to where the people are. And if we've moved from laptop-based computing to smartphone-based computing, I suppose it makes a lot of sense. I'm a Mac guy, I'm an iPhone guy. I thought I was sort of immune to the kinds of malware attacks that we're seeing. Can you give me a sense as to where these are taking place? I imagine this is Android primarily, and what percentage of us walking around, because almost all of us have one of these little glowing rectangles, what percentage of us are walking around with malware on our phones?
KM: It’s typically about 0.1%. At any time, 0.1% of smartphones will have malware on them. Doesn't sound like a lot, but it's 1 in 1,000, and you wouldn't want to be the 1 in 1,000 whose device has been hacked. And so, it's not like it's affecting half the people, but over time everybody eventually hits the problem.
Now you mentioned iPhone and Android. The main way that you're going to get malware on your smartphone is by downloading a ‘Trojanized’ app. And the iPhone is a bit more secure because the Apple Store is very secure. You can only download apps from the Apple Store. You can't download them from anything else, and they check for malware. In the Android space, there's a thing called sideloading that you can activate, which means you can basically download an app from anywhere. This means that the Android becomes a bigger target because it's easier to get the ‘Trojanized’ applications installed on an Android. I would recommend if you're using an Android based phone, take some additional steps. There's Google Play Protect, which is an excellent mechanism to use. You can get antivirus for your Android. And the key thing is only to download apps from app stores that you trust. Don't turn on sideloading, or install an unapproved app from an unapproved developer, unless you really, really have to.
MH: Crypto mining is a huge opportunity to infect someone's phone. I assumed you needed a high-end PC with a massive graphical processing unit to do crypto mining, but people are now doing this on their phones?
KM: Yes, it's sort of amazing when you think about it because you normally, as you said, you associate crypto mining with these huge servers with GPUs and all sorts of stuff like that. There's a lot of computation that goes into crypto mining. What they've done on the mobile side is instead of using one giant server, they use literally thousands of small phones to accomplish the same thing. So crypto mining in the mobile space is actually botnets of thousands, maybe even hundreds of thousands of phones working together in the background to solve those crypto problems and then report in and get paid in Bitcoin. So they use botnets to do it, and they use thousands and thousands of phones.
MH: You write that CSPs are struggling to keep up with the latest threats, and that more than a third of respondents experienced at least eight breaches in the last 12 months. How do we level up CSP protection?
KM: This is something the CSPs are worried about. They see this as a major issue. There have been a number that have got hit with sort of ransomware-style attacks, some to their actual core network, others to the data systems that are behind that network. They're very concerned and they have been taking action to do that. We've noticed a big trend recently that endpoint detection and response, which is usually deployed on people's laptops and on servers, is now being applied to the network infrastructure within these networks. And Nokia has stepped up to the plate. We've just developed our own EDR, endpoint detection and response, product to do that.
But for the CSPs, both mobile and fixed broadband, the key thing they must do is first be very actively monitoring their network for any of this type of activity. You have to make sure you see it when it's about to happen. Using threat intelligence to help you do that is a big step that you can take. The threat intelligence tells you where the bad sites are, and what the bad IP addresses are. It gives you that extra information you need to monitor the situation.
The other thing is automated response. The ability to react quickly and solve problems before they do significant damage is also a key part in this situation. And of course, if you're worried about ransomware attacks, you've got to have a good disaster recovery plan just in case it happens.
MH: What role is artificial intelligence playing in the automated response in the threat intelligence component to this?
KM: Oh, it's huge. I mean, everybody knows that AI is just something that's sort of hit a new level in the past couple of years. And it's being applied to basically recognizing anomalies in people and network behavior. So, AI, machine learning can learn what's normal in the network. And when something slightly changes that and makes it a little bit more unusual, it is able now to recognize that, and then that's fed into the automated response.
MH: Something as simple as, Michael has a habit of logging in from Toronto, Canada, so why is he logging in right now from London, England? That is suspicious. We need to flag that and keep an eye on that. And it's the sort of thing where in the olden days, you would have to have a physical person sitting in front of a dashboard on a screen to recognize that red flag. But now there are so many red flags coming in simultaneously that you need to hand that over to a machine learning algorithm.
KM: Yes, that's exactly it. The security operator is no longer capable of analyzing all the information. There's so much information coming in from all the systems in your network, from your firewalls, from your switches and routers, that you really need some sort of AI to be able to handle that diverse data and put it together, join the dots and discover when something unusual occurs.
MH: Despite the increased attack surface, 5G networks have more ring fences around the individual elements of the network, and we're using AI to help thwart attacks. Are you confident that 5G is more secure than 4G?
KM: Yes, certainly. They've made a lot of progress, as I said, particularly securing the core, securing the communication between service providers, and then the whole concept of network slicing really adds to what you can do in terms of security. It’s not sort of just, okay, so it's more secure, let's walk away. As I mentioned, the increased attack surface does mean that you have to pay more attention because of the increase in bandwidth and the huge number of devices that are going to be available, and the different types of communication. Whether that communication is just in the RAN itself or in the mobile edge cloud, you have to build to react fast. And so, there's no room to be complacent, certainly.
MH: For a telecom executive listening to this conversation, what do you want the key takeaway to be?
KM: Make sure your security operations people are monitoring the network 24/7, gathering that data to see what's up. Use threat intelligence to enhance the security operations process. Make sure you've got good sources of threat intel and that it's applied properly, so it can be acted upon. An automated response is key, particularly with the new high-speed 5G networks and all the additional devices. Last, but certainly not least, you've got to look at your disaster recovery plan to make sure that in the event that you do get a ransomware attack, or your network's hit, you can recover relatively quickly without any real impact on your customers.