5G core GTP-U user-plane injection → subscriber MITM
An attacker on a transit network between mobile-core hops (or with a compromised UPF). GTP-U packets are typically unfiltered between PEs, so the attacker can inject packets into subscriber bearers — credential capture, free-of-charge tunnels, downstream attacks.
§ Context
Assumed environment: the target operates a 5GC / 4G EPC with insufficient GTP-U filtering between user-plane functions and the transport network. The attacker has an internal foothold on transit infrastructure.
§ Steps
- 01 Foothold on transit / shared infra (Initial Access, T1078: Valid Accounts)
- 02 Capture app-layer creds / tokens (Credential Access, T1539: Steal Web Session Cookie)
- 03 MITM subscriber data session (Credential Access, T1557: Adversary-in-the-Middle)
- 04 Identify GTP-U traffic between UPFs (Credential Access, T1040: Network Sniffing)
- 05 Spoof GTP-U packet into target bearer (Lateral Movement, 5G-GTP-U: GTP-U User-Plane Spoof)
§ References
- T1078: Valid Accounts
- T1539: Steal Web Session Cookie
- T1557: Adversary-in-the-Middle
- T1040: Network Sniffing
§ Frequently asked
- What is the "5G core GTP-U user-plane injection → subscriber MITM" attack path?
- An attacker on a transit network between mobile-core hops (or with a compromised UPF). GTP-U packets are typically unfiltered between PEs, so the attacker can inject packets into subscriber bearers — credential capture, free-of-charge tunnels, downstream attacks. It chains 5 steps drawn from real-world offensive-security techniques.
- What starting position does this attack require?
- The first step is Foothold on transit / shared infra (T1078), an initial-access primitive. Assumed environment: the target operates a 5GC / 4G EPC with insufficient GTP-U filtering between user-plane functions and the transport network.
- What is the final impact of this kill-chain?
- The final step lands on Spoof GTP-U packet into target bearer (5G-GTP-U), which falls under Lateral Movement. From here, an operator typically pivots into post-exploitation or maintains persistence.
- How can defenders detect or prevent this attack?
- Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References"; every technique page lists defensive controls, detection telemetry, and known threat-actor usage.
§ Related dossiers
- Mifare Classic crack → cloned hotel key (2 shared techniques)
  Many hotel / corporate door systems still use Mifare Classic. Capture nonces during normal use, recover the Crypto-1 key with mfoc / mfcuk, write to a 'magic UID' card — full access to the property.
- BGP prefix hijack → traffic interception (2 shared techniques)
  From a compliant origin AS, announce a more-specific or origin-spoofed prefix belonging to the victim. Internet routing converges on the attacker AS; traffic for that prefix flows through the attacker for inspection / DoS.
- MITM HL7 v2 → tamper lab orders / results (2 shared techniques)
  HL7 v2 over MLLP is plaintext and pipe-delimited. From the same VLAN as the lab analyser ↔ EHR link, MITM and rewrite OBX result segments — this changes the patient's documented test result.
- FIDO2 caBLE hybrid → phone authenticator hijack (2 shared techniques)
  The attacker's phishing site shows the legitimate FIDO2 QR. The victim scans it with their phone authenticator. The link completes the WebAuthn ceremony in the attacker's browser — they're now signed in as the victim.
- F5 BIG-IP iControl auth bypass (CVE-2022-1388) → root on LB (2 shared techniques)
  Connection-header smuggling bypasses iControl REST auth; command-injection RCE follows as root. Load balancers see all traffic — recover TLS keys, session cookies, internal SSO config.
- Citrix Bleed → steal authenticated session → MFA bypass (2 shared techniques)
  Send a long Host header to a vulnerable NetScaler — the memory disclosure leaks an authenticated session token already past MFA. Replay the token to log into the corporate VPN.