Mobile Threat Intelligence Framework (MoTIF) Principles.

Authors and/or Contributors

Monitor Radio Interface

The adversaries may monitor radio interface traffic to passively collect information about the radio network configuration or about subscribers in close vicinity of the adversary. (1), (2), (3), (4).

Internal MISP references

UUID ef315196-4c0f-50d5-85b7-eb5fe3757ba3 which can be used as unique global reference for Monitor Radio Interface in MISP communities and other software using the MISP galaxy

External references
  • page 14 of
  • (1) Borgaonkar, R. & Shaik, A. (2015). LTE and IMSI Catcher Myths. Black Hat USA 2015 (2) Electronic Frontier Foundation. (2019). Gotta Catch 'Em All: Understanding How IMSI-Catchers Exploit Cell Networks. (3) Kumar, P. (2021). Murat: Multi-RAT False Base Station Detector (Section IIB) (4) Rupprecht, D. (2018). On Security Research Towards Future Mobile Network Generations. (Section III D)
Associated metadata
Metadata key Value
external_id MOT3001
kill_chain ['Techniques:Reconnaissance']

Broadcast Channel

In mobile networks the adversary needs to obtain information about the cell configuration parameters that will be used to prepare for the next phase of an attack that is utilizing the radio interface. Examples of such configuration parameters are the physical cell ID (PCI), neighbouring cells, frequencies used, and Tracking Area Codes (TAC). (1), (2), (3), (4)

Internal MISP references

UUID 7dcf1eaa-a0c6-51c8-8e5f-dfd2e033cd50 which can be used as unique global reference for Broadcast Channel in MISP communities and other software using the MISP galaxy

External references
  • page 15 of
  • (1) Li, Z. et al. (2017). FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild. (2) Borgaonkar, R. & Shaik, A. (2015). LTE and IMSI Catcher Myths. Black Hat USA 2015 (3) Electronic Frontier Foundation. (2019). Gotta Catch 'Em All: Understanding How IMSI-Catchers Exploit Cell Networks. (4) Quintin, C. (2020). Detecting Fake 4G Base Stations in Real Time. Black Hat USA 2020.
Associated metadata
Metadata key Value
external_id MOT3001.301
kill_chain ['Techniques:Reconnaissance']

Gather Victim Identity Information

Adversaries may gather information about the victim's identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, etc.) as well as sensitive details such as credentials. In mobile networks, the adversary wants to obtain information about subscriber and phone identities to conduct more targeted attacks. Subscriber identity can be, for example, MSISDN, IMSI, GUTI, TMSI.

Internal MISP references

UUID c2993424-1861-5fab-8bd8-4b3f19082e42 which can be used as unique global reference for Gather Victim Identity Information in MISP communities and other software using the MISP galaxy

External references
  • page 16 of
  • (1) The Register. (2017). After years of warnings, mobile network hackers exploit SS7 flaws to drain bank accounts
  • ATT&CK Enterprise: Gather Victim Identity Information (T1589)
Associated metadata
Metadata key Value
external_id MOT1589
kill_chain ['Techniques:Reconnaissance']

Phone and Subscription Information

In mobile networks, targeted attacks towards subscribers have to be done using the subscriber identity. Obtaining the identity would allow the attacker to gather more information or initiate more targeted attacks. The adversary gathers phone or subscription related information about subscriber(s). Examples are phone number (MSISDN), IMSI (International Mobile Subscriber Identity), home mobile network operator, S@T browser availability on the UICC, IMEI (International Mobile Equipment Identity). The data might be acquired through interconnection, social engineering, social media or otherwise. (1)

Internal MISP references

UUID 6a035f24-73f0-5244-bc30-eb8cf5275ef7 which can be used as unique global reference for Phone and Subscription Information in MISP communities and other software using the MISP galaxy

External references
  • page 17 of
  • (1) The Register. (2017). After years of warnings, mobile network hackers exploit SS7 flaws to drain bank accounts
  • ATT&CK Enterprise: Gather Employee Names (T1589.003),
Associated metadata
Metadata key Value
external_id MOT1589.301
kill_chain ['Techniques:Reconnaissance']

Network Service Scanning

An adversary may discover operator network related information (identifiers). Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port and/or vulnerability scans using tools that are brought onto a system. In mobile networks, the adversary wants to obtain information about subscribers, signalling addresses, and the services supported at a certain server. The scan may take place from the Internet, the interconnection network or the radio network. Automated mass scanning events often take place.

Internal MISP references

UUID 19d9aa24-5b2d-5cd9-bf61-4a50ccabafed which can be used as unique global reference for Network Service Scanning in MISP communities and other software using the MISP galaxy

External references
  • page 17 of
  • (1) GSMA PRD IR.70 - SMS SS7 Fraud (Public)
  • ATT&CK Enterprise: Network Service Discovery (T1046), FiGHT: Network Service Scanning (FGT1046). NOTE: These two MITRE techniques are actually the same; however, due to an error the FiGHT technique was renamed.

Associated metadata
Metadata key Value
external_id MOT1046
kill_chain ['Techniques:Discovery']

Scan Signalling Addresses

By sending signalling messages to the network, the adversary tries to check whether mobile network nodes leak node or network related information, or bypasses defences ((1) (2) below). Using this sub-technique as a preparatory step, the adversary can then tune their further attack steps to send specific attack messages based on this scan. Examples are SS7 scans to evaluate whether a Global Title is in use or not. The adversary may also probe which PLMN-ID values are accepted by the HPLMN in a Diameter Authentication Information Request (AIR).

Internal MISP references

UUID 827add59-8d04-57e3-b72a-22484d8ea618 which can be used as unique global reference for Scan Signalling Addresses in MISP communities and other software using the MISP galaxy

External references
  • page 18 of
  • (1) Enea. (2017). Designated Attacker - Evolving SS7 Attack Tools (2) Enea. (2018). Diameter Signalling Security - Protecting 4G Networks
  • ATT&CK Enterprise: IP Block Scanning (T1595.001)
Associated metadata
Metadata key Value
external_id MOT1046.301
kill_chain ['Techniques:Discovery']

Search Closed Sources

Adversaries may search and gather information about victims from closed sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime black markets. Adversaries may search and collect information about the mobile network operator from closed or semi-closed sources. Typical examples are GSMA IR.21, IR.85, FS.30 or T-ISAC, information from insiders or partners. The information acquisition might be done legally or illegally.

Internal MISP references

UUID 0c536c66-1918-59f9-9f51-c1460c69c917 which can be used as unique global reference for Search Closed Sources in MISP communities and other software using the MISP galaxy

External references
  • page 19 of
  • (1) The Intercept. (2014). Operation AURORAGOLD: How the NSA Hacks Cellphone Networks Worldwide. (2)
  • ATT&CK Enterprise: Search Closed Sources (T1597)
Associated metadata
Metadata key Value
external_id MOT1597
kill_chain ['Techniques:Reconnaissance']

Mobile Network Operator Sources

The adversary may gather information about the mobile network operator to be used in initial access or for preparation of the attack. This can be network architecture, protocols, ports, Global Titles, roaming partners, suppliers. The adversary may search in closed sources like GSMA roaming database RAEX IR.21 (1), IMEI database (2) or IR.85.

Internal MISP references

UUID 82018f31-afeb-5452-918e-f47e1379d717 which can be used as unique global reference for Mobile Network Operator Sources in MISP communities and other software using the MISP galaxy

External references
  • page 20 of
  • (1) The Intercept. (2014). Operation AURORAGOLD: How the NSA Hacks Cellphone Networks Worldwide. (2)
Associated metadata
Metadata key Value
external_id MOT1597.301
kill_chain ['Techniques:Reconnaissance']

Acquire Infrastructure

Adversaries may buy, lease, or rent infrastructure that can be used during targeting. For example, commercial service providers exist that offer access to signalling infrastructure or sell False Base Station solutions. Use of these infrastructure solutions allows an adversary to stage, launch, and execute operations. Solutions may help adversary operations blend in with traffic that is seen as normal.

Internal MISP references

UUID 653c42ec-68ae-5372-a2d8-65353df704cf which can be used as unique global reference for Acquire Infrastructure in MISP communities and other software using the MISP galaxy

External references
  • page 20 of
  • (1) TBIJ. (2020) Spy companies using Channel Islands to track phones around the world.
  • ATT&CK Enterprise: Acquire Infrastructure (T1583)
Associated metadata
Metadata key Value
external_id MOT1583
kill_chain ['Techniques:Resource-Development']

Core Signalling Infrastructure Access

Adversaries may buy, lease, or rent SS7, Diameter, GTP-C signalling infrastructure access or services that can be used during targeting (1), (2), (3). Targeted attacks to mobile network operators may use ‘surveillance as a service’ specialists to achieve their goals (2). Their attacks often blend in with normal traffic coming from partners of the victim mobile network operator and make attribution difficult. Fraudsters and spammers may use specific partner gateways or access to messaging servers for their purposes.

Internal MISP references

UUID a7a503d3-cfcb-52f0-b76b-ce5d1604efb6 which can be used as unique global reference for Core Signalling Infrastructure Access in MISP communities and other software using the MISP galaxy

External references
  • page 21 of
  • (1) TBIJ. (2020) Spy companies using Channel Islands to track phones around the world. (2) CitizenLab. (2020). Running in Circles Uncovering the Clients of Cyberespionage Firm Circles. (3) TBIJ. (2021). Swiss tech company boss accused of selling mobile network access for spying. (4) Enea (2021) 5G Network Slicing Security in 5G Core Networks (5) Mobileum (2023) OAuth2.0 Security and Protocol Exploit Analysis in 5G Ecosystem
Associated metadata
Metadata key Value
external_id MOT1583.301
kill_chain ['Techniques:Resource-Development']

Radio Interface Access

Adversaries may buy, lease, or obtain physical access to a mobile operator network base station or use their own rogue cellular base station (Stingray) for launching an attack (2) (3). The adversary could set up a rogue cellular base station infrastructure and then use it to eavesdrop on or manipulate cellular device communication. A compromised cellular femtocell could be used to carry out this technique (1).

Internal MISP references

UUID f165ba28-bf24-5151-ac17-ae9ffa96f124 which can be used as unique global reference for Radio Interface Access in MISP communities and other software using the MISP galaxy

External references
  • page 22 of
  • (1) DePerry, D. & Ritter T. (2013). I Can Hear You Now - Traffic Interception and Remote Mobile Phone Cloning with a Compromised CDMA Femtocell. Black Hat USA 2013 (2) Wired (2016). Here's How Much a StingRay Cell Phone Surveillance Tool Costs (3) Wholesale imsi catcher 4g For Online Communication
Associated metadata
Metadata key Value
external_id MOT1583.302
kill_chain ['Techniques:Resource-Development']

Develop Capabilities

Adversaries may build capabilities that can be used during targeting. Rather than purchasing, freely downloading, or stealing capabilities, adversaries may develop their own capabilities in-house. This is the process of identifying development requirements and building solutions such as malware, exploits, and self-signed certificates. Adversaries may develop capabilities to support their operations throughout numerous phases of the adversary lifecycle. In mobile networks, the adversary may develop false base stations (1), mobile exploits, core signalling exploitation tools (2), SIM card exploits, radio exploitation tools and other tools to initiate attacks.

Internal MISP references

UUID eb832cc6-e988-52f8-9a22-391ed593dfe1 which can be used as unique global reference for Develop Capabilities in MISP communities and other software using the MISP galaxy

External references
  • page 23 of
  • (1) Motherboard. (2018). Here's How Easy It Is to Make Your Own IMSI-Catcher (2) Lighthouse Reports. (2022). Revealing Europe's NSO.
  • ATT&CK Enterprise: Develop Capabilities (T1587).
Associated metadata
Metadata key Value
external_id MOT1587
kill_chain ['Techniques:Resource-Development']

Mobile Network Tool

The adversary develops special tools for mobile networks that carry out and deliver mobile network targeted exploits. (1) (2)

Internal MISP references

UUID 61b1a6a4-2140-5479-9ac0-386d4e91839f which can be used as unique global reference for Mobile Network Tool in MISP communities and other software using the MISP galaxy

External references
  • page 24 of
  • (1) Motherboard. (2018). Here's How Easy It Is to Make Your Own IMSI-Catcher (2) Lighthouse Reports. (2022). Revealing Europe's NSO. (3) Mobileum. (2023) OAuth2.0 Security and Protocol Exploit Analysis in 5G Ecosystem
  • N/A
Associated metadata
Metadata key Value
external_id MOT1587.301
kill_chain ['Techniques:Resource-Development']

Exploit Interconnection Link

The adversary may get access to the target network via the interconnection interface.

Internal MISP references

UUID 48318fd2-a653-581e-8c13-7f3846dfbb8f which can be used as unique global reference for Exploit Interconnection Link in MISP communities and other software using the MISP galaxy

External references
  • page 24 of
  • (1) P1 Security. (2021). All authentication vectors are not made equal.
Associated metadata
Metadata key Value
external_id MOT3002
kill_chain ['Techniques:Initial-Access']

International Direct Signalling Link

The adversary may get access to the target network via a direct signalling link connected to the international exchange.

Internal MISP references

UUID b4dfe23b-1e4e-5979-b4e4-9b3dcecfddb2 which can be used as unique global reference for International Direct Signalling Link in MISP communities and other software using the MISP galaxy

External references
  • page 25 of
  • (1) Enea. (2022). HiddenArt - A Russian-linked SS7 Threat Actor (2) P1 Security. (2021). All authentication vectors are not made equal.
Associated metadata
Metadata key Value
external_id MOT3002.301
kill_chain ['Techniques:Initial-Access']

National Direct Signalling Link

The adversary may get access to the target network via a direct signalling link connected to the national exchange.

Internal MISP references

UUID 43af1748-6207-54d4-a402-a4371fcdd5cd which can be used as unique global reference for National Direct Signalling Link in MISP communities and other software using the MISP galaxy

External references
  • page 25 of
  • (1) P1 Security. (2014). SS7map: mapping vulnerability of the international mobile roaming infrastructure
Associated metadata
Metadata key Value
external_id MOT3002.302
kill_chain ['Techniques:Initial-Access']

Exploit via Core Signalling Interface

The adversary may access the target network by exploiting signalling (i.e. control plane) protocols.

Internal MISP references

UUID acd147cf-5a45-5bbf-b74d-7a59175b4c64 which can be used as unique global reference for Exploit via Core Signalling Interface in MISP communities and other software using the MISP galaxy

External references
  • page 26 of
  • (1) P1 Security. (2021). All authentication vectors are not made equal.
Associated metadata
Metadata key Value
external_id MOT3003
kill_chain ['Techniques:Initial-Access']

SS7 Protocol

The adversary may access the target network by using the SS7 protocol.

Internal MISP references

UUID 139f89a6-7727-5e80-a3a5-c33ba1e66775 which can be used as unique global reference for SS7 Protocol in MISP communities and other software using the MISP galaxy

External references
  • page 27 of
  • (1) The Washington Post. (2014). For sale: Systems that can secretly track where cellphone users go around the globe. (2) Lighthouse Reports. (2022). Revealing Europe's NSO. (3) Mc Daid, C. (2020) Watching the Watchers - How Surveillance Companies track you using Mobile Networks. #rC3 2020.
Associated metadata
Metadata key Value
external_id MOT3003.301
kill_chain ['Techniques:Initial-Access']

Diameter Protocol

The adversary may access the target network by using the Diameter protocol.

Internal MISP references

UUID 0bae4fc7-da2e-5b93-91aa-9a3a975db351 which can be used as unique global reference for Diameter Protocol in MISP communities and other software using the MISP galaxy

External references
  • page 27 of
  • (1) P1 Security. (2021). All authentication vectors are not made equal. (2) Mc Daid, C. (2020) Watching the Watchers - How Surveillance Companies track you using Mobile Networks. #rC3 2020.
Associated metadata
Metadata key Value
external_id MOT3003.302
kill_chain ['Techniques:Initial-Access']

HTTPS/2 Protocol

The adversary may access the target network by using the HTTPS/2 protocol.

Internal MISP references

UUID 2c5d4f4f-7bf8-5b99-b9d9-4b3509ed468f which can be used as unique global reference for HTTPS/2 Protocol in MISP communities and other software using the MISP galaxy

External references
  • page 28 of
  • (1) Mc Daid, C. (2020) Watching the Watchers - How Surveillance Companies track you using Mobile Networks. #rC3 2020.
Associated metadata
Metadata key Value
external_id MOT3003.303
kill_chain ['Techniques:Initial-Access']

Trusted Relationship

Adversaries may breach or otherwise leverage organizations that have access to intended victims. Access through a trusted third-party relationship exploits an existing connection that may not be protected or that requires more complicated defence mechanisms to detect and prevent unauthorized access to a network. (1) (2)

Internal MISP references

UUID 231c6854-14a3-5b1c-974b-2f33107274de which can be used as unique global reference for Trusted Relationship in MISP communities and other software using the MISP galaxy

External references
  • page 28 of
  • (1) The Washington Post. (2014). For sale: Systems that can secretly track where cellphone users go around the globe. (2) Lighthouse Reports. (2022). Revealing Europe's NSO
  • ATT&CK Enterprise: Trusted Relationship (T1199)
Associated metadata
Metadata key Value
external_id MOT1199
kill_chain ['Techniques:Initial-Access']

Exploit Interconnection Agreements

The technique can be conducted by a malicious partner or by adversaries with access to interconnection networks or a roaming partner’s mobile network. The adversary can remotely conduct the attacks by launching signalling messages, e.g. related to location tracking, communication interception, or subscriber identity retrieval. (1), (2), (3)

Internal MISP references

UUID cb5103d5-5852-5184-8dbf-3f40f5ec0b9f which can be used as unique global reference for Exploit Interconnection Agreements in MISP communities and other software using the MISP galaxy

External references
  • page 29 of
  • (1) P1 Security (2021). All authentication vectors are not made equal. (2) The Washington Post. (2014). For sale: Systems that can secretly track where cellphone users go around the globe. (3) Lighthouse Reports. (2022). Revealing Europe's NSO (4) Enea. (2022). HiddenArt - A Russian-linked SS7 Threat Actor
Associated metadata
Metadata key Value
external_id MOT1199.301
kill_chain ['Techniques:Initial-Access']

Exploit via Radio Interface

Adversaries may use the radio access network to initiate attacks towards the UE or the mobile network. (1) (2) (3) The adversary may leverage vulnerabilities in the protocols that make up the signalling procedures in a radio network, for example network information (SIB1) messages, the RRC protocol, or NAS protocols, to initiate attacks towards the UE or the mobile network.

Internal MISP references

UUID 71f277f6-ded8-5a7e-84d3-fee99280bc66 which can be used as unique global reference for Exploit via Radio Interface in MISP communities and other software using the MISP galaxy

External references
  • page 30 of
  • (1) Borgaonkar, R. & Shaik, A. (2015). LTE and IMSI Catcher Myths. Black Hat USA 2015 (2) Electronic Frontier Foundation. (2019). Gotta Catch 'Em All: Understanding How IMSI-Catchers Exploit Cell Networks. (3) Quintin, C. (2020). Detecting Fake 4G Base Stations in Real Time. Black Hat USA 2020.
  • ATT&CK Mobile: Exploit via Radio Interfaces (T1477). Note: Deprecated
Associated metadata
Metadata key Value
external_id MOT3006
kill_chain ['Techniques:Initial-Access', 'Techniques:Discovery']

AS Signalling

Adversaries may modify or trigger control plane procedures on the radio interface control plane using Access Stratum (AS) signalling that occurs between the UE and the base station.

Internal MISP references

UUID fc78b217-a914-52fe-a139-3bcdc9a07f5c which can be used as unique global reference for AS Signalling in MISP communities and other software using the MISP galaxy

External references
  • page 31 of
  • (1) Electronic Frontier Foundation. (2019). Gotta Catch 'Em All: Understanding How IMSI-Catchers Exploit Cell Networks
Associated metadata
Metadata key Value
external_id MOT1477.301
kill_chain ['Techniques:Initial-Access']

NAS Signalling

Adversaries may modify or trigger Non-Access-Stratum (NAS) signalling related procedures that are generated from a false base station infrastructure. The adversary may impersonate core network elements (such as the MME) towards the UE, or the UE towards the core network elements.

Internal MISP references

UUID fd65d912-3ab1-5543-b488-9d328d56c2e5 which can be used as unique global reference for NAS Signalling in MISP communities and other software using the MISP galaxy

External references
  • page 32 of
  • (1) CableLabs: (2019). False Base Station or IMSI Catcher: What You Need to Know. (2) Electronic Frontier Foundation. (2019). Gotta Catch 'Em All: Understanding How IMSI-Catchers Exploit Cell Networks
Associated metadata
Metadata key Value
external_id MOT1477.302
kill_chain ['Techniques:Initial-Access', 'Techniques:Discovery']

Radio Broadcast Channel (SIB1)

The adversary leverages the radio broadcast System Information Block 1 (SIB1) messages to advertise a new cell configuration to the target UEs, which in turn forces the UE to initiate different procedures, for example cell re-selection or Tracking Area Update. (1), (2), (3)

Internal MISP references

UUID ce4ae0c9-9d83-5285-8b3f-40475aff0d19 which can be used as unique global reference for Radio Broadcast Channel (SIB1) in MISP communities and other software using the MISP galaxy

External references
  • page 32 of
  • (1) Aftenposten (2015). New report: Clear signs of mobile surveillance in Oslo, despite denial from Police Security Service. (2) CableLabs: (2019). False Base Station or IMSI Catcher: What You Need to Know. (3) Quintin, C. (2020). Detecting Fake 4G Base Stations in Real Time. Black Hat USA 2020.
Associated metadata
Metadata key Value
external_id MOT1477.303
kill_chain ['Techniques:Initial-Access']

Identify Subscriber

An adversary may obtain a subscriber's permanent or temporary identifier via various means. An adversary may obtain the subscriber identifier by using HLR Lookup, or by monitoring the radio interface. An adversary may obtain identifying information from 5G UEs only after the UE has been bid down (downgraded) to a lower security protocol, e.g. 4G, since in 4G and 3G it is possible for the network to ask the UE to send its IMSI (International Mobile Subscriber Identity) in the clear over the radio interface. The 5G UE sends an encrypted permanent identifier (called the Subscriber Concealed Identifier (SUCI)) over the radio interface as part of the initial registration to the 5G network. Some non-UE specific information is part of the Subscriber Permanent Identifier or SUPI and is not encrypted (e.g., home network name).

Internal MISP references

UUID 79253aa8-a5a9-5bda-bd8a-062b1eece315 which can be used as unique global reference for Identify Subscriber in MISP communities and other software using the MISP galaxy

External references
  • page 33 of
  • (1) Enea. (2016). Tracking the Trackers: Advanced Rogue Systems Exploiting the SS7 Network
  • Subscriber Profile Identifier Discovery: Intercept bid-down SUPI | MITRE FiGHT™ *

* = This is the same Technique as MITRE FiGHT, however a different name is used; MITRE FiGHT may potentially update in the future.

Associated metadata
Metadata key Value
external_id MOT5019
kill_chain ['Techniques:Discovery', 'Techniques:Collection']

Trigger Subscriber Terminated Activity

The adversary can trigger mobile terminating activity, such as making calls to the subscriber’s profile (1), sending silent SMS (2), or triggering notifications from instant messengers (1), to trigger paging of the subscriber. The technique can be made more stealthy by using silent phone calls or silent SMSs (2) (3). The adversary can monitor the paging activity in the radio network and correlate the paging with the triggered activity in order to identify the target subscriber identifier.

Internal MISP references

UUID aa7dc324-0f5d-5ce8-b0d2-1d872f180693 which can be used as unique global reference for Trigger Subscriber Terminated Activity in MISP communities and other software using the MISP galaxy

External references
  • page 34 of
  • (1) Shaik, A. et al. (2016). Practical Attacks Against Privacy and Availability in 4G/LTE Mobile Communication Systems. (2) Nohl, K. & Munaut, S. (2010) GSM Sniffing. 27th CCC. (3) Hussain, S. et al. (2019) Privacy Attacks to the 4G and 5G Cellular Paging Protocols Using Side Channel Information.
  • N/A
Associated metadata
Metadata key Value
external_id MOT5019.301
kill_chain ['Techniques:Discovery']

Retrieve Subscriber Identity Information

The adversary can retrieve subscriber information such as the IMSI, MSISDN, SUPI, SUCI, etc.

Internal MISP references

UUID ca405a15-74d0-575e-9774-253d40c74e53 which can be used as unique global reference for Retrieve Subscriber Identity Information in MISP communities and other software using the MISP galaxy

External references
  • page 35 of
  • (1) Enea. (2016). Tracking the Trackers: Advanced Rogue Systems Exploiting the SS7 Network
  • N/A
Associated metadata
Metadata key Value
external_id MOT5019.302
kill_chain ['Techniques:Discovery', 'Techniques:Collection']

Retrieve Subscriber Network Information

The adversary can retrieve subscriber network information such as the current serving network element(s).

Internal MISP references

UUID 2ac5c163-9e09-5d4a-bf32-bad2ad3e2882 which can be used as unique global reference for Retrieve Subscriber Network Information in MISP communities and other software using the MISP galaxy

External references
  • page 35 of
  • (1) Enea. (2016). Tracking the Trackers: Advanced Rogue Systems Exploiting the SS7 Network
  • N/A
Associated metadata
Metadata key Value
external_id MOT5019.303
kill_chain ['Techniques:Discovery', 'Techniques:Collection']


Masquerading

Adversaries may attempt to manipulate parameters in the control signalling to make them appear legitimate or benign to mobile subscribers, end nodes and/or security tools. Masquerading occurs when the parameter value is manipulated or abused for the sake of evading defences, or convincing the target to believe it is communicating with a spoofed entity. A typical masquerading operation is manipulation of the source node address.

Internal MISP references

UUID 9518c6e3-152f-5e9c-9321-acce8347a19d which can be used as unique global reference for Masquerading in MISP communities and other software using the MISP galaxy

External references
  • page 36 of
  • (1) P1 Security. (2021). All authentication vectors are not made equal. (2) Aftenposten (2015). New report: Clear signs of mobile surveillance in Oslo, despite denial from Police Security Service.
  • ATT&CK Enterprise: Masquerading (T1036),
Associated metadata
Metadata key Value
external_id MOT1036
kill_chain ['Techniques:Defence-Evasion']

Originating Entity Spoofing

The adversary may attempt to manipulate the originating address information, such as Global Title Address, Diameter Host or Realm information, for the sake of evading defences. The adversary may also set the cell ID configured on the false base station to a known cell ID in the network to evade detection.

Internal MISP references

UUID 87cce0fb-1e5a-5b8b-aae5-58fcd4b3186a which can be used as unique global reference for Originating Entity Spoofing in MISP communities and other software using the MISP galaxy

External references
  • page 37 of
  • (1) P1 Security. (2021). All authentication vectors are not made equal. (2) Aftenposten (2015). New report: Clear signs of mobile surveillance in Oslo, despite denial from Police Security Service. (3) Enea. (2022). HiddenArt - A Russian-linked SS7 Threat Actor
Associated metadata
Metadata key Value
external_id MOT1036.301
kill_chain ['Techniques:Defence-Evasion']

Disguise Signalling Messages

The adversary can disguise its signalling messages in order to avoid detection and blocking of its attacks. Examples include using unexpected addresses, unexpected message format or unexpected message encoding.

Internal MISP references

UUID 7258f576-72e9-5f27-ad69-f84e24a0eb18 which can be used as unique global reference for Disguise Signalling Messages in MISP communities and other software using the MISP galaxy

External references
  • page 37 of
  • (1) Symsoft & P1 Security. (2018). SS7 and Diameter: Exploit Delivery over signalling protocols. (2) Mc Daid, C. (2019). Simjacker – the next frontier in mobile espionage. VB2019
Associated metadata
Metadata key Value
external_id MOT3005
kill_chain ['Techniques:Defence-Evasion']

Unexpected Encoding

The adversary may use an unexpected encoding of the signalling message in order to bypass detection and any defences which may be in place.

Internal MISP references

UUID d6e3a64e-518d-59df-89d1-522ebc81c49d which can be used as unique global reference for Unexpected Encoding in MISP communities and other software using the MISP galaxy

External references
  • page 38 of
  • (1) Puzankov, K. (2019) Hidden Agendas: bypassing GSMA recommendations on SS7 networks. HITB AMS SecConf May 2019
Associated metadata
Metadata key Value
external_id MOT3005.301
kill_chain ['Techniques:Defence-Evasion']

Access Subscriber Data

The adversary can collect several types of user-specific data. Such data include, for instance, subscriber identities, subscribed services, subscriber location or status.

Internal MISP references

UUID c1a47611-44fc-5e82-a05e-4958366ba9e3 which can be used as unique global reference for Access Subscriber Data in MISP communities and other software using the MISP galaxy

External references
  • page 38 of
  • (1) P1 Security. (2021). All authentication vectors are not made equal. (2) Mc Daid, C. (2019). Simjacker – the next frontier in mobile espionage. VB2019
Associated metadata
Metadata key Value
external_id MOT3004
kill_chain ['Techniques:Credential-Access', 'Techniques:Collection']

Subscriber Authentication Data

The adversary may acquire subscriber authentication information from mobile network registers, such as HLR/HSS/AuC or MSC/VLR, SGSN, MME. For example, the adversary may query subscriber keys, authentication vectors etc. and use this information to tailor further phases of the attack.

Internal MISP references

UUID 8161ff0c-485f-5941-854f-e0bd1d1f9b99 which can be used as unique global reference for Subscriber Authentication Data in MISP communities and other software using the MISP galaxy

External references
  • page 39 of
  • (1) P1 Security. (2021). All authentication vectors are not made equal.
Associated metadata
Metadata key Value
external_id MOT3004.301
kill_chain ['Techniques:Credential-Access', 'Techniques:Collection']

Network Sniffing

Adversaries may sniff network traffic to capture information about an environment, including authentication material, base station configuration and user plane traffic passed over the network.

Internal MISP references

UUID d5712f47-879c-531e-96f7-c46aa1fd591c which can be used as unique global reference for Network Sniffing in MISP communities and other software using the MISP galaxy

External references
  • page 40 of
  • (1) Kotuliak, M. et al. (2022) LTrack: Stealthy Tracking of Mobile Phones in LTE
  • Network Sniffing, Technique T1040 - Enterprise | MITRE ATT&CK®
  • Network Sniffing | MITRE FiGHT™ (FGT1040)
Associated metadata
Metadata key Value
external_id MOT1040
kill_chain ['Techniques:Collection']

Radio Interface

An adversary may eavesdrop on unencrypted or encrypted traffic to capture information to and from a UE. An adversary may employ a back-to-back false base station to eavesdrop on the communication and relay it between the intended recipient and the intended source over the radio interface. The adversary may also passively sniff the radio traffic and capture specific traffic that can then be analyzed, if possible. (1) When operating a false base station, the adversary needs to obtain information about the cell configuration parameters that will be used to prepare for the next phase of an attack that utilizes the radio interface. Examples of such configuration are the Physical Cell ID (PCI), neighbouring cells, frequencies used, and Location Area Codes/Tracking Area Codes (LAC/TAC). (2) The adversary may use methods of capturing control plane or user plane traffic on the radio interface.

Internal MISP references

UUID c0ec2969-4985-57e1-a11d-1e5c157cef3e which can be used as unique global reference for Radio Interface in MISP communities and other software using the MISP galaxy

External references
  • page 41 of
  • (1) Borgaonkar, R. & Shaik, A. (2015). LTE and IMSI Catcher Myths. Black Hat USA 2015 (2) Li, Z. et al. (2017). FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild. (3) P1 Security. (2021). All authentication vectors are not made equal.
  • Network Sniffing: Radio interface | MITRE FiGHT™ (FGT1040.501)
Associated metadata
Metadata key Value
external_id MOT1040.501
kill_chain ['Techniques:Collection']

Locate Subscriber

An adversary may obtain the UE location using the radio access or core network. The adversary may employ various means to obtain the UE location (coarse or fine) using the radio access or core network.

Internal MISP references

UUID d14aa06e-105d-5fd8-a521-040564fdb756 which can be used as unique global reference for Locate Subscriber in MISP communities and other software using the MISP galaxy

External references
  • page 41 of
  • (1) Enea. (2022). HiddenArt - A Russian-linked SS7 Threat Actor (2) Mc Daid, C. (2019). Simjacker – the next frontier in mobile espionage. VB2019 (3) The Washington Post. (2014). For sale: Systems that can secretly track where cellphone users go around the globe
  • Location Tracking, Technique T1430 - Mobile | MITRE ATT&CK®
  • Locate UE | MITRE FiGHT™ (FGT5012)
Associated metadata
Metadata key Value
external_id MOT5012
kill_chain ['Techniques:Collection']

Core Network Function Signalling

An adversary in the core network exploits signalling protocols to obtain the location of the UE. User location tracking is part of normal cellular operation. Adversaries with access to the core network or a core network function (NF) can misuse signalling protocols (e.g., SS7, GTP and Diameter or the SBI API calls), or exploit vulnerabilities in the signalling plane, in order to obtain location information for a given UE.

Internal MISP references

UUID 6e07b027-229c-5581-b079-633bc8f73a8c which can be used as unique global reference for Core Network Function Signalling in MISP communities and other software using the MISP galaxy

External references
  • page 42 of
  • (1) Enea. (2022). HiddenArt - A Russian-linked SS7 Threat Actor. (2) Mc Daid, C. (2020) Watching the Watchers - How Surveillance Companies track you using Mobile Networks. #rC3 2020.
  • Locate UE: Core Network Function Signaling | MITRE FiGHT™
Associated metadata
Metadata key Value
external_id MOT5012.501
kill_chain ['Techniques:Collection']

Search Open Websites/Domains

Adversaries may search freely available websites and/or domains for information about victims that can be used during targeting. Information about victims may be available on various online sites, such as social media, news sites, or those hosting information about business operations such as hiring or requested/rewarded contracts. (1)(2)(3) Adversaries may gather subscription or residence related information about subscriber(s). Examples are phone number (MSISDN), home address, and home mobile network operator. Adversaries may gather information about the mobile network operator to be used in initial access or for preparation of the attack. This can be network architecture, protocols, ports, Global Titles, roaming partners, or suppliers. (4)

Internal MISP references

UUID 3cbac245-ee47-5892-b031-0618fff739b4 which can be used as unique global reference for Search Open Websites/Domains in MISP communities and other software using the MISP galaxy

External references
  • page 43 of
  • (1) Cyware Hacker News. (2019). How Hackers Exploit Social Media To Break Into Your Company. (2) Security Trails. (2019). Exploring Google Hacking Techniques. (3) Offensive Security. (n.d.). Google Hacking Database. Retrieved October 23, 2020. (4) Holtmanns, S. (2018). Secure Interworking Between Networks in 5G Service Based Architecture. ETSI Security Week 2018.
  • Search Open Websites/Domains, Technique T1593 - Enterprise | MITRE ATT&CK®
  • GSMA Non-public materials
Associated metadata
Metadata key Value
external_id MOT1593
kill_chain ['Techniques:Reconnaissance']

Social Media

Adversaries may search social media for information about victims that can be used during targeting. Social media sites may contain various information about a victim organization, such as business announcements as well as information about the roles, locations, and interests of staff. Adversaries may search different social media sites depending on what information they seek to gather. Threat actors may passively harvest data from these sites, as well as use the information gathered to create fake profiles/groups to elicit victims into revealing specific information (i.e. Spearphishing Service). (1) Information from these sources may reveal opportunities for other forms of reconnaissance, establishing operational resources, and/or initial access. Social media sites may contain information about subscriber phone numbers, addresses etc., which can be used e.g. when installing false base stations in close vicinity of the victim. (2)

Internal MISP references

UUID 8463c2cd-cc58-5537-a083-62a80671e1f4 which can be used as unique global reference for Social Media in MISP communities and other software using the MISP galaxy

External references
  • page 44 of
  • (1) Cyware Hacker News. (2019). How Hackers Exploit Social Media To Break Into Your Company. (2) Equifax UK. (2022). The risks of sharing your location on social media.
  • Search Open Websites/Domains: Social Media, Sub-technique T1593.001 - Enterprise | MITRE ATT&CK®
Associated metadata
Metadata key Value
external_id MOT1593.001
kill_chain ['Techniques:Reconnaissance']


Adversary-in-the-Middle

Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as Network Sniffing (1) (2). Adversaries may leverage the AiTM position to attempt to monitor traffic.

Internal MISP references

UUID 2c7b4a8d-ce6f-5244-ac52-871b0eb5136f which can be used as unique global reference for Adversary-in-the-Middle in MISP communities and other software using the MISP galaxy

External references
  • page 44 of
  • (1) Electronic Frontier Foundation. (2019). Gotta Catch 'Em All: Understanding How IMSI-Catchers Exploit Cell Networks (2) P1 Security. (2021). All authentication vectors are not made equal.
  • Adversary-in-the-Middle, Technique T1557 - Enterprise | MITRE ATT&CK®
  • Adversary-in-the-Middle | MITRE FiGHT™ (FGT1557)
Associated metadata
Metadata key Value
external_id MOT1557
kill_chain ['Techniques:Persistence']

Radio Interface Authentication Relay

An adversary positions itself on the radio interface to capture information to and from the UE. The adversary can deploy a false base station as a back-to-back base station and UE combination to impersonate the UE towards the real eNB or core network element (such as the MME), and to impersonate the base station or core network element towards the target UE (1) (2).

Internal MISP references

UUID b3278450-e723-54ad-85fa-4e97868c3a1c which can be used as unique global reference for Radio Interface Authentication Relay in MISP communities and other software using the MISP galaxy

External references
  • page 45 of
  • (1) Electronic Frontier Foundation. (2019). Gotta Catch 'Em All: Understanding How IMSI-Catchers Exploit Cell Networks (2) P1 Security. (2021). All authentication vectors are not made equal.
  • Adversary-in-the-Middle: Radio interface | MITRE FiGHT™
Associated metadata
Metadata key Value
external_id MOT1557.301
kill_chain ['Techniques:Persistence']

Supply Chain Compromise

Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise can take place at any stage of the supply chain including:

  • Manipulation of development tools
  • Manipulation of a development environment
  • Manipulation of source code repositories (public or private)
  • Manipulation of source code in open-source dependencies
  • Manipulation of software update/distribution mechanisms
  • Compromised/infected system images (multiple cases of removable media infected at the factory) (1) (2)
  • Replacement of legitimate software with modified versions
  • Sales of modified/counterfeit products to legitimate distributors
  • Shipment interdiction

While supply chain compromise can impact any component of hardware or software, adversaries looking to gain execution have often focused on malicious additions to legitimate software in software distribution or update channels.

Internal MISP references

UUID 4131a562-0ac0-5985-af11-b14cd4c4fe57 which can be used as unique global reference for Supply Chain Compromise in MISP communities and other software using the MISP galaxy

External references
  • page 46 of
  • (1) The Register. (2023). Millions of mobile phones come pre-infected with Malware (2) Schneider Electric. (2018). Security Notification – USB Removable Media Provided With Conext Combox and Conext Battery Monitor.
  • Supply Chain Compromise, Technique T1195 - Enterprise | MITRE
Associated metadata
Metadata key Value
external_id MOT1195
kill_chain ['Techniques:Initial-Access']

Compromise Software Supply Chain

Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.

Internal MISP references

UUID 52769709-9c9f-5cf7-8a50-3d5422b0fc03 which can be used as unique global reference for Compromise Software Supply Chain in MISP communities and other software using the MISP galaxy

External references
  • page 47 of
  • (1) The Register (2023). Millions of mobile phones come pre-infected with Malware
  • Supply Chain Compromise: Compromise Software Supply Chain, Sub-technique T1195.002 - Enterprise | MITRE ATT&CK®
Associated metadata
Metadata key Value
external_id MOT1195.002
kill_chain ['Techniques:Initial-Access']

Network Function Service Discovery

An adversary may query the Network Repository Function (NRF) to discover restricted Network Function (NF) services to further target that NF.

Internal MISP references

UUID 6beb2c07-a10e-566a-b2d4-fe08ad6b7ab8 which can be used as unique global reference for Network Function Service Discovery in MISP communities and other software using the MISP galaxy

External references
  • page 47 of
  • (1) R. Pell, S. Moschoyiannis, E. Panaousis, R. Heartfield. (2021). Towards dynamic threat modelling in 5G core networks based on MITRE ATT&CK. (2) Mobileum (2023) OAuth2.0 Security and Protocol Exploit Analysis in 5G Ecosystem
  • Network Function Service Discovery | MITRE FiGHT™ (FGT5003)
Associated metadata
Metadata key Value
external_id MOT5003
kill_chain ['Techniques:Discovery']

Exploitation for Credential Access

Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code.

Internal MISP references

UUID 8d9a29cc-d66c-5cc6-9500-4426765d6b7e which can be used as unique global reference for Exploitation for Credential Access in MISP communities and other software using the MISP galaxy

External references
  • page 48 of
  • (1) Mobileum (2023) OAuth2.0 Security and Protocol Exploit Analysis in 5G Ecosystem
  • Exploitation for Credential Access, Technique T1212 - Enterprise |
Associated metadata
Metadata key Value
external_id MOT1212
kill_chain ['Techniques:Credential-Access']

Data Manipulation

Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data.

Internal MISP references

UUID ed3417df-6918-545f-8986-e967e1924b7f which can be used as unique global reference for Data Manipulation in MISP communities and other software using the MISP galaxy

External references
  • page 49 of
  • (1) The Register. (2017). After years of warnings, mobile network hackers exploit SS7 flaws to drain bank accounts (2) Mobileum (2023) OAuth2.0 Security and Protocol Exploit Analysis in 5G Ecosystem
  • Data Manipulation, Technique T1565 - Enterprise | MITRE ATT&CK®
  • Data Manipulation | MITRE FiGHT™ (FGT1565)
Associated metadata
Metadata key Value
external_id MOT1565
kill_chain ['Techniques:Impact']

Stored Data Manipulation

Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.

Internal MISP references

UUID e63a74cc-381c-51c4-870c-94c5a70ea851 which can be used as unique global reference for Stored Data Manipulation in MISP communities and other software using the MISP galaxy

External references
  • page 49 of
  • (1) Mobileum (2023) OAuth2.0 Security and Protocol Exploit Analysis in 5G Ecosystem
  • Data Manipulation: Stored Data Manipulation, Sub-technique T1565.001 - Enterprise | MITRE ATT&CK®
Associated metadata
Metadata key Value
external_id MOT1565.001
kill_chain ['Techniques:Impact']