Unorthodox Command-and-Control Channels: What they are and how they work (CRESTCon)
Unorthodox Command-and-Control Channels: What they are and how they work. Tabraiz Malik, PwC UK Cyber Security. Building a secure digital society. www.pwc.com
Introduction. Tabraiz Malik • PwC, Cyber Security • Works in the Ethical Hacking team (we are hiring!) • Previously worked at Rolls-Royce in the HPC team PwC │ 2
Why this talk? • Raising awareness of unusual C2 communications • Emphasising the need to identify future threats before they are used against you • Strengths and limitations of current defensive techniques
What is a C2 channel? • The channel through which attackers send commands to, and receive output from, victim machines • Remote channels (figure: Attacker communicating with Victim over such a channel)
Timeline of Malware (figure, 1999 to 2019; the families and channels it labels, in no particular order): PrettyPark, SANNY, DarkBot, MULTIGRAIN, Hammertoss, SamSam, Instegogram, WannaCry, ROKRAT, RogueRobin, China Chopper, Fbot, VPNFilter, and an unnamed group using Instagram and a Firefox extension. Channels shown include IRC, HTTP, DNS, Twitter, Instagram, RDP, Tor and Tor proxies, web shells on infected web servers, Google Drive and blockchain DNS.
Evolution of detection capabilities
• Intrusion Detection Systems (IDS) and Deep Packet Inspection (DPI)
• YARA rules
• Heuristic detection using language modelling and network artefact analysis. Example n-grams of the string "Hello my name is CRESTCon":
  1-gram: "Hello", "my", "name", "is", "CRESTCon"
  2-gram: "Hello my", "my name", "name is", "is CRESTCon"
  3-gram: "Hello my name", "my name is", "name is CRESTCon"
• Behavioural analysis and anomaly-based detection
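The n-gram idea above applied to network artefacts, as an added example that is not part of the talk: word n-grams reproduce the table, and character n-grams of hostnames are scored against a small benign model. The benign host list is constructed for the example; a real model would be built from weeks of proxy or DNS logs.

```python
"""Added example: word/character n-gram extraction and a rarity score.

Not code from the talk. The benign host list below is constructed.
"""
from collections import Counter
from typing import List


def word_ngrams(text: str, n: int) -> List[str]:
    """Return the n-word shingles of `text`, in order (the table uses n = 1..3)."""
    words = text.split()
    return [" ".join(words[i:i + n]) for i in range(len(words) - n + 1)]


def char_ngrams(s: str, n: int) -> List[str]:
    """Return the overlapping character n-grams of `s`."""
    return [s[i:i + n] for i in range(len(s) - n + 1)]


def build_model(corpus: List[str], n: int = 3) -> Counter:
    """Count character n-grams over known-benign strings (hostnames here)."""
    model: Counter = Counter()
    for s in corpus:
        model.update(char_ngrams(s.lower(), n))
    return model


def rarity_score(model: Counter, s: str, n: int = 3) -> float:
    """Fraction of the n-grams of `s` that the benign model has never seen.

    0.0 means every n-gram was seen; values near 1.0 are typical of
    algorithmically generated labels. Scores for very short strings are noisy.
    """
    grams = char_ngrams(s.lower(), n)
    if not grams:
        return 0.0
    unseen = sum(1 for g in grams if model[g] == 0)
    return unseen / len(grams)


# Constructed benign corpus (assumption: these are what this estate normally talks to).
BENIGN_HOSTS = [
    "www.example.com", "mail.example.com", "api.github.com",
    "files.slack.com", "cdn.jsdelivr.net", "login.microsoftonline.com",
]
MODEL = build_model(BENIGN_HOSTS)


def flag_hosts(hosts: List[str], threshold: float = 0.3) -> List[str]:
    """Return the hosts whose rarity score exceeds `threshold`."""
    return [h for h in hosts if rarity_score(MODEL, h) > threshold]


if __name__ == "__main__":
    for n in (1, 2, 3):
        print(n, word_ngrams("Hello my name is CRESTCon", n))
    print(flag_hosts(["www.example.com", "xk7q2zv9.example.com"]))
```

The threshold is the weak point: a legitimate CDN or cloud label that the model has not seen will score as high as a generated one, so this belongs in a scoring pipeline alongside the behavioural signals later in the talk, not as a standalone block rule.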
Case studies: 1 HTTP, 2 DNS, 3 Steganography, 4 Social media, 5 X.509. "More and more threat actors are using CDN to send payloads past network security appliances" – PwC Threat Intelligence
Hammertoss (2015)
1) Dynamically generates a Twitter handle for each day
2) The malware operator publishes a tweet to that account's timeline
3) The malware inspects the tweet for a URL and a hashtag
4) Visits the target URL and downloads all content, including image files
5) Commands are hidden in the images (steganography)
6) Executes the commands and uploads the output to a cloud storage service
Image and further reading on Hammertoss: https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf
Hammertoss (2015). Challenges to SOC analysts: • Analysts require more than just the binary to carry out a comprehensive analysis • A valid Twitter handle is required • Access to the malicious tweet(s) is needed to decrypt the content
Instegogram (2016) • Steganography can hide messages in text, images or video • The attack infrastructure combines steganography and social media. Image: International Journal on Computer Science and Engineering Vol.1 (3), 2009, 137-141
Instegogram (2016)
1) Embed commands into images
2) Upload the images to an Instagram account
3) The implant decodes the image
4) Executes the command
5) Embeds the output in an image and posts it to the Instagram account
Read more on Instegogram: https://www.endgame.com/blog/technical-blog/instegogram-leveraging-instagram-c2-image-steganography
Images: https://www.youtube.com/watch?v=ICN7rTmQdR4
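Both chains above (Hammertoss and Instegogram) reduce to the same two mechanics: the implant learns where to look, then pulls a payload out of an image. The block below is an added example, not the malware's or the talk's code. It parses an operator tweet into URL, offset and key fragment using the hashtag layout the FireEye report describes (leading digits are an offset, the remaining characters extend the key), and does a least-significant-bit round trip over a constructed byte array standing in for decoded pixel samples. The URL in the sample tweet is a placeholder; real PNG decoding and the Hammertoss "append after the image data" variant are out of scope.

```python
"""Added example (not the talk's or the malware's code): Hammertoss-style tweet
parsing plus LSB steganography embed/extract over a constructed pixel buffer.
"""
import re
import struct
from typing import Optional, Tuple

# Hashtag layout from the FireEye report: digits = offset, rest = key fragment.
_TWEET_RE = re.compile(r"(https?://\S+).*?#(\d+)(\w+)")


def parse_tweet(text: str) -> Optional[Tuple[str, int, str]]:
    """Return (url, offset, key_fragment) from an operator tweet, or None."""
    m = _TWEET_RE.search(text)
    if not m:
        return None
    return m.group(1), int(m.group(2)), m.group(3)


def embed_lsb(cover: bytes, payload: bytes) -> bytes:
    """Write `payload` into the least-significant bit of each cover byte.

    A 4-byte big-endian length prefix tells the extractor where to stop.
    One payload bit per cover byte, so capacity is len(cover) // 8 - 4 bytes.
    """
    data = struct.pack(">I", len(payload)) + payload
    if len(data) * 8 > len(cover):
        raise ValueError("cover too small for payload")
    out = bytearray(cover)
    for i, byte in enumerate(data):
        for bit in range(8):
            idx = i * 8 + bit
            out[idx] = (out[idx] & 0xFE) | ((byte >> (7 - bit)) & 1)
    return bytes(out)


def _read_bytes(stego: bytes, start: int, count: int) -> bytes:
    """Reassemble `count` bytes from the LSBs beginning at cover index `start`."""
    vals = bytearray()
    for i in range(count):
        byte = 0
        for bit in range(8):
            byte = (byte << 1) | (stego[start + i * 8 + bit] & 1)
        vals.append(byte)
    return bytes(vals)


def extract_lsb(stego: bytes) -> bytes:
    """Inverse of embed_lsb; raises ValueError when the length prefix is implausible."""
    (length,) = struct.unpack(">I", _read_bytes(stego, 0, 4))
    if 32 + length * 8 > len(stego):
        raise ValueError("length prefix exceeds cover capacity: not a payload")
    return _read_bytes(stego, 32, length)


def constructed_cover(size: int = 4096) -> bytes:
    """Deterministic stand-in for an image's pixel samples (constructed, not a real image)."""
    return bytes((i * 37) % 256 for i in range(size))


if __name__ == "__main__":
    print(parse_tweet("new pic https://example.invalid/p/1.png #101docto"))
    stego = embed_lsb(constructed_cover(), b"whoami && hostname")
    print(extract_lsb(stego))
```

This is why the SOC challenge on the Hammertoss slide is real: without the tweet (offset, key fragment) and the exact image, a binary on its own tells the analyst nothing about what was tasked. Note also that LSB embedding changes at most one bit per sample, so file size and visual appearance are unchanged; detection has to be statistical or behavioural rather than signature based.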
x.509 (2018). Figure: a certificate's extension fields (keyUsage=, extendedKeyUsage=, subjectKeyIdentifier=) used as the carrier.
x.509 (2018) • Misusing the TLS handshake • Bypassing detection methods that fail to inspect the certificates which underpin TLS. Figure: transferring a malicious executable (Mimikatz) in an X.509 certificate. Read more on x.509 as a C2: https://www.fidelissecurity.com/threatgeek/threat-intelligence/x509-vulnerabilities. Image: https://www.fidelissecurity.com/threatgeek/2018/02/exposing-x509-vulnerabilities
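What "failing to inspect the certificate" costs, shown as an added example that is neither Fidelis's nor the talk's code: a private-arc extension carrying an arbitrary blob is DER-encoded next to ordinary keyUsage and extendedKeyUsage extensions, parsed back with a minimal DER reader, and run through the check a TLS-inspecting sensor could apply (unknown extension OID, or an oversized value). The OID 1.3.6.1.4.1.99999.1 and the 768-byte chunk are constructed; a real transfer would slice a binary across many certificates and handshakes.

```python
"""Added example (not Fidelis's or the talk's code): covert channel in an X.509
extension with a minimal DER codec and a detection check. OID and payload constructed.
"""
from typing import List, Tuple

# Extension OIDs a sensor expects in ordinary leaf certificates (RFC 5280).
KNOWN_EXTENSIONS = {
    "2.5.29.14": "subjectKeyIdentifier", "2.5.29.15": "keyUsage",
    "2.5.29.17": "subjectAltName", "2.5.29.19": "basicConstraints",
    "2.5.29.35": "authorityKeyIdentifier", "2.5.29.37": "extendedKeyUsage",
    "1.3.6.1.5.5.7.1.1": "authorityInfoAccess",
}


def der_len(n: int) -> bytes:
    """DER length: short form below 0x80, otherwise 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def _base128(v: int) -> bytes:
    """Base-128 with continuation bits, as used for OID arcs."""
    chunks = [v & 0x7F]
    v >>= 7
    while v:
        chunks.append((v & 0x7F) | 0x80)
        v >>= 7
    return bytes(reversed(chunks))


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = _base128(40 * arcs[0] + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])
    return der_tlv(0x06, body)


def decode_oid(body: bytes) -> str:
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs += [value // 40, value % 40] if not arcs else [value]
            value = 0
    return ".".join(map(str, arcs))


def encode_extension(oid: str, value: bytes, critical: bool = False) -> bytes:
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }"""
    body = encode_oid(oid) + (b"\x01\x01\xff" if critical else b"") + der_tlv(0x04, value)
    return der_tlv(0x30, body)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_extensions(der: bytes) -> List[Tuple[str, bool, bytes]]:
    """Parse SEQUENCE OF Extension into (oid, critical, value) tuples."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    out, pos = [], 0
    while pos < len(seq):
        _, ext, pos = _read_tlv(seq, pos)
        _, oid_body, p = _read_tlv(ext, 0)
        tag, val, p = _read_tlv(ext, p)
        critical = False
        if tag == 0x01:                     # optional BOOLEAN before the OCTET STRING
            critical = val == b"\xff"
            tag, val, p = _read_tlv(ext, p)
        out.append((decode_oid(oid_body), critical, val))
    return out


def suspicious_extensions(exts, max_value_len: int = 512) -> List[str]:
    """Flag unknown OIDs and oversized values; both are rare in legitimate leaf certs."""
    reasons = []
    for oid, _, val in exts:
        if oid not in KNOWN_EXTENSIONS:
            reasons.append(f"{oid}: unknown extension carrying {len(val)} bytes")
        elif len(val) > max_value_len:
            reasons.append(f"{oid} ({KNOWN_EXTENSIONS[oid]}): {len(val)} bytes exceeds {max_value_len}")
    return reasons


CHUNK = bytes(range(256)) * 3   # constructed stand-in for one 768-byte slice of a binary


def build_extensions() -> bytes:
    """Two ordinary extensions plus the covert one, as a certificate's extensions SEQUENCE."""
    return der_tlv(0x30, b"".join([
        encode_extension("2.5.29.15", b"\x03\x02\x05\xa0", critical=True),
        encode_extension("2.5.29.37", bytes.fromhex("300a06082b06010505070301")),
        encode_extension("1.3.6.1.4.1.99999.1", CHUNK),   # private-arc OID, constructed
    ]))


if __name__ == "__main__":
    for r in suspicious_extensions(parse_extensions(build_extensions())):
        print(r)
```

The check is only as good as the vantage point: a sensor that records SNI and JA3 but never parses the Certificate message sees nothing here, and an attacker who prefers a known OID (say a bloated subjectAltName) moves the signal from "unknown OID" to "unusual size", which is why both tests are kept.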
Novel C2 Channels • My contributions to this research subject • A threat-intelligence-driven approach • Exploring technologies that have become more prevalent in the corporate environment
GitHub. Why GitHub? • 28 million users • 57 million repositories. C2 PoC • GitHub API • Repository used as the C2 channel (public/private) • Activation message: a specific string in a Git commit • Communications: Git comments
Slack. Why Slack? • Instant messaging • 10+ million daily active users • 85,000 paying customers. C2 PoC • Slack API • Slack channel used as the C2 (public/private) • Activation message: a specific string published to the channel • Communications: messages published to the channel • Human-like conversation simulated through Slack bots
Slack (PoC screenshot)
JSFiddle. Why JSFiddle? • Anonymous sharing • Permanent fiddles • Widely used in the development community. C2 PoC • Public anonymous fiddle • Queries the most recent fiddle version • Activation message: not used • Communication: fiddle updated with commands/output
Cryptocurrency and Blockchain. Why Blockchain? • Huge interest in the application of blockchain. Why Cryptocurrencies? • 32 million Bitcoin wallets • 7.1 million active Bitcoin users. C2 PoC • PwCoin • Valid addresses are accepted on the PwCoin network • Activation message: not used • Communication: transactions issued with encoded content
Bitcoin and Blockchain (PoC screenshot)
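The GitHub, Slack, JSFiddle and PwCoin PoCs share one pattern: the implant polls a platform it is allowed to reach, waits for an activation string (where one is used), then treats later content as commands and posts output back through the same platform. The block below is an added example of that framing, not the talk's PoC code, run against an in-memory channel that stands in for a comment thread, a Slack channel, a fiddle's history or a chain of transactions. The activation string, shared key, `ref:` prefix and command handlers are constructed; the talk does not publish its own values. It adds two things a practitioner would want that the slides do not mention: an HMAC tag so that anyone else posting to the shared channel cannot task the implant, and a sequence number so that replayed messages are ignored.

```python
"""Added example (not the talk's PoC code): shared-platform C2 message framing
with an in-memory channel. Activation string, key, prefix and handlers constructed.
"""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

ACTIVATION = "build 4821 passed, merging"   # assumed activation string
KEY = b"example-shared-secret"              # assumed operator/implant shared key
MARK = "ref:"                               # framed commands pose as a reference link
TAG_LEN = 8


@dataclass
class Channel:
    """In-memory stand-in for a GitHub comment thread, Slack channel or fiddle history."""
    messages: List[dict] = field(default_factory=list)

    def post(self, author: str, text: str) -> None:
        self.messages.append({"seq": len(self.messages), "author": author, "text": text})

    def since(self, seq: int) -> List[dict]:
        return [m for m in self.messages if m["seq"] > seq]


def frame(key: bytes, counter: int, command: str) -> str:
    """Operator side: counter + command, HMAC-tagged, base64, hidden behind MARK."""
    body = json.dumps({"n": counter, "cmd": command}).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return MARK + base64.urlsafe_b64encode(body + tag).decode().rstrip("=")


def unframe(key: bytes, text: str) -> Optional[dict]:
    """Implant side: return {'n': .., 'cmd': ..} only if the tag verifies, else None."""
    if not text.startswith(MARK):
        return None
    raw = text[len(MARK):]
    try:
        blob = base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4))
    except ValueError:                      # binascii.Error is a ValueError
        return None
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        msg = json.loads(body)
    except ValueError:
        return None
    return msg if isinstance(msg, dict) and "n" in msg and "cmd" in msg else None


class Implant:
    """Polls the channel; ignores everything until ACTIVATION, then runs tagged commands."""

    def __init__(self, channel: Channel, key: bytes, handlers: Dict[str, Callable[[], str]]):
        self.channel, self.key, self.handlers = channel, key, handlers
        self.cursor, self.active, self.last_n = -1, False, 0

    def poll(self) -> List[str]:
        outputs = []
        for m in self.channel.since(self.cursor):
            self.cursor = m["seq"]
            if not self.active:
                self.active = ACTIVATION in m["text"]
                continue
            msg = unframe(self.key, m["text"])
            if msg is None or msg["n"] <= self.last_n:
                continue                    # chatter, forged, or replayed
            self.last_n = msg["n"]
            handler = self.handlers.get(msg["cmd"])
            out = handler() if handler else f"unknown command {msg['cmd']}"
            outputs.append(out)
            self.channel.post("ci-bot", frame(self.key, msg["n"], "out:" + out))
        return outputs


# Constructed handlers; a real implant would run the command and capture its output.
HANDLERS: Dict[str, Callable[[], str]] = {
    "whoami": lambda: "svc-build",
    "hostname": lambda: "build-01",
}

if __name__ == "__main__":
    ch = Channel()
    imp = Implant(ch, KEY, HANDLERS)
    ch.post("dev", "LGTM, rebased onto main")
    ch.post("dev", ACTIVATION)
    ch.post("dev", frame(KEY, 1, "whoami"))
    print(imp.poll(), [m["text"] for m in ch.messages if m["author"] == "ci-bot"])
```

Seen from the defender's side, every message here is legitimate API traffic to a sanctioned SaaS platform over TLS, which is the point of the PoCs: the only observable differences are the polling cadence and the fact that a build account is posting base64 blobs into a thread, both of which are things to hunt for.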
Countermeasures (1). Basic and brittle solutions: • Domain whitelisting • Blocking non-approved Slack subdomains (workspaces) • Egress filtering and firewall exceptions
Countermeasures (2). Complex and current solutions: • A live system composed of layer 4 metrics associated with timestamps and connection frequencies to determine malicious traffic • Fingerprinting TLS metadata and network flow analysis • LogicHub – triage, respond and hunt • Palo Alto Magnifier • Software-defined firewalls for malicious traffic detection
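The first bullet (layer 4 metrics, timestamps and connection frequencies) in runnable form, as an added example that is not the talk's or any vendor's code. It groups flow records by (source, destination, port), computes the coefficient of variation of the inter-arrival times and of the byte counts, and reports tuples that connect often at a near-constant interval. The flow lines are constructed and the "epoch_seconds src dst dport bytes" layout is an assumption; the destinations are documentation addresses.

```python
"""Added example (not the talk's or a vendor's code): beacon detection from
per-flow timestamps and sizes. The flow log is constructed; the field layout
"epoch_seconds src dst dport bytes" is assumed.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

Flow = Tuple[int, str, str, int, int]

# Constructed: one host beaconing every ~60 s to 203.0.113.5:443 with near-constant
# sizes, interleaved with irregular browsing to 198.51.100.7 and two SSH sessions.
FLOW_LOG = """\
1549792800 10.0.0.4 203.0.113.5 443 612
1549792805 10.0.0.4 198.51.100.7 443 14890
1549792812 10.0.0.4 198.51.100.7 443 2210
1549792860 10.0.0.4 203.0.113.5 443 612
1549792895 10.0.0.4 198.51.100.7 443 51200
1549792896 10.0.0.4 198.51.100.7 443 880
1549792921 10.0.0.4 203.0.113.5 443 620
1549792980 10.0.0.4 203.0.113.5 443 612
1549793040 10.0.0.4 198.51.100.7 443 7300
1549793041 10.0.0.4 203.0.113.5 443 608
1549793100 10.0.0.4 203.0.113.5 443 612
1549793159 10.0.0.4 203.0.113.5 443 612
1549793200 10.0.0.4 198.51.100.7 443 3120
1549793220 10.0.0.4 203.0.113.5 443 616
1549793281 10.0.0.4 203.0.113.5 443 612
1549793340 10.0.0.4 203.0.113.5 443 612
1549793400 10.0.0.4 198.51.100.9 22 2048
1549793500 10.0.0.4 198.51.100.9 22 4096
"""


def parse_flows(text: str) -> List[Flow]:
    """Parse whitespace-separated flow lines; blank lines are skipped."""
    rows: List[Flow] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        rows.append((int(ts), src, dst, int(dport), int(nbytes)))
    return rows


def _cv(values: List[float]) -> float:
    """Coefficient of variation (population stdev / mean); 0 for a constant series."""
    m = mean(values)
    return pstdev(values) / m if m else float("inf")


def beacon_candidates(flows: List[Flow], min_conn: int = 5, max_gap_cv: float = 0.2):
    """Return (src, dst, dport, mean_gap, gap_cv, size_cv) for regular talkers.

    A tuple qualifies when it has at least `min_conn` flows and the spread of
    its inter-arrival times is small relative to their mean. Size regularity
    is reported for triage but not thresholded here.
    """
    by_tuple: Dict[Tuple[str, str, int], List[Tuple[int, int]]] = defaultdict(list)
    for ts, src, dst, dport, nbytes in flows:
        by_tuple[(src, dst, dport)].append((ts, nbytes))
    out = []
    for key, rows in by_tuple.items():
        if len(rows) < min_conn:
            continue
        rows.sort()
        gaps = [b[0] - a[0] for a, b in zip(rows, rows[1:])]
        gap_cv = _cv(gaps)
        if gap_cv <= max_gap_cv:
            out.append((*key, mean(gaps), gap_cv, _cv([r[1] for r in rows])))
    return sorted(out, key=lambda r: r[4])


if __name__ == "__main__":
    for row in beacon_candidates(parse_flows(FLOW_LOG)):
        print(row)
```

The caveat is the one the slide's own wording ("live system") implies: an implant that sleeps with random jitter pushes the gap CV above any fixed threshold, so this should run continuously over long windows and be combined with the destination's reputation and the TLS fingerprint rather than used as a one-shot rule.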
Future work • Fine-tuning human interaction within C2 channels • Building non-standard detection models using new machine-learning and data-science techniques • Alternative platforms such as Jira and Slido
Key takeaways • Heightened awareness of seemingly benign technologies • Re-assess risk appetite based on an enterprise-wide software inventory • Automated security solutions are often not enough • Complement core defences with more advanced detection systems • Penetration testers can begin to explore similar technologies deployed within organisations
Thoughts, questions, feedback: @wilbourneuk tabraiz.malik@pwc.com. © 2019 PricewaterhouseCoopers LLP. All rights reserved.
References
Reaves, J. (2018). "Covert channel by abusing x509 extensions". http://vixra.org/pdf/1801.0016v1.pdf. Accessed 26/07/2018.
FireEye. (2015). "Hammertoss: Stealthy Tactics Define a Russian Cyber Threat Group". https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf. Accessed 22/08/2018.
Steganography image. https://media.wired.com/photos/594db1717c1bde11fe06f341/master/w_799,c_limit/hidden_data-01.png. Accessed 24/08/2018.
Grant, D. (2016). "Instegogram: Leveraging Instagram for C2 Via Image Steganography". https://www.endgame.com/blog/technical-blog/instegogram-leveraging-instagram-c2-image-steganography. Accessed 28/08/2018.
Deep Secure. (2018). "Stegware Threat Removal for Web Gateways". https://www.deep-secure.com/uploads/files/deep_secure/resources/18/Deep_Secure_Solution_Brief_Stegware_Threat_Removal_for_Web_Gateways.pdf. Accessed 02/11/2018.
Berg, G., Davidson, I., Duan, M., Paul, G. (2003). "Searching For Hidden Messages: Automatic Detection of Steganography". https://www.aaai.org/Papers/IAAI/2003/IAAI03-007.pdf. Accessed 15/10/2018.
Sheridan, S., Keane, A. (2017). "Improving Stealthiness of DNS-based Covert Communication". https://pdfs.semanticscholar.org/e7bd/7b29b5357e7c9ffe43ff85aad1788e88c983.pdf. Accessed 18/10/2018.
Booth, J. (2018). "Heuristic DNS detections in Azure Security Center". https://azure.microsoft.com/en-us/blog/heuristic-dns-detections-in-azure-security-center/. Accessed 28/10/2018.
GB Hackers. (2018). "Domain Fronting: A New Technique For Hiding Malware Command and Control (C2) Traffic within a Content Delivery Network". https://i0.wp.com/gbhackers.com/wp-content/uploads/2017/07/api.jpg?resize=904%2C420&ssl=1. Accessed 17/02/2019.
Puodzius, C. (2017). "DownAndExec: Banking malware utilizes CDNs in Brazil". https://www.welivesecurity.com/2017/09/13/downandexec-banking-malware-cdns-brazil. Accessed 10/01/2019.
LogicHub. (2018). https://www.logichub.com/company/news/logichub-accelerates-security-operations-rsa-archer-suite-support. Accessed 12/02/2019.
Google. (2017). "Malware Beaconing Detection Methods". https://patentimages.storage.googleapis.com/2a/0d/78/23bdc0f69c794d/US20170187736A1.pdf. Accessed 11/01/2019.
Finley, K. (2017). "Why workplace instant messaging is hot again". https://www.wired.com/story/why-workplace-instant-messaging-is-hot-again. Accessed 21/01/2019.
Gao, S., Li, Z., Yao, Y., Xiao, B., Guo, S., Yang, Y. (2018). "Software-Defined Firewall: Enabling Malware Traffic Detection and Programmable Security Control". http://www4.comp.polyu.edu.hk/~csbxiao/paper/2018/SDF-asiaccs18.pdf. Accessed 30/01/2019.
Cisco. (2017). "Detect threats in encrypted traffic without decryption, using network based security analytics". https://clnv.s3.amazonaws.com/2017/usa/pdf/BRKCRS-1560.pdf. Accessed 30/01/2019.
Reaves, J. (2018). "Sometimes What's Missing is Right In Front of Us, We Only Need to Look". https://www.fidelissecurity.com/threatgeek/2018/02/exposing-x509-vulnerabilities. Accessed 26/07/2018.
Crouch, H. (2019). Digital Health. "Message platform Slack reportedly eyeing up US healthcare sector". https://www.digitalhealth.net/2019/02/messaging-platform-slack-healthcare-sector. Accessed 04/02/2019.
Westbrook, I. (2015). BBC. "Hackers combine codes, photos and Twitter to hit targets". https://www.bbc.co.uk/news/technology-33702678. Accessed 01/01/2019.
Liao, S. (2019). The Verge. "Here are the messaging apps Slack crushed on its road to IPO". http://www.theverge.com/tldr/2019/2/4/18210980/slack-ipo-messaging-apps-competition-chat. Accessed 19/02/2019.
Eckert, N. (2019). DBK News. http://www.dbknews.com/2019/02/15/umd-senate-slack-communication-app-meeting-participation-vote. Accessed 18/02/2019.
Guri, M., Zadov, B., Bykhovsky, D., Elovici, Y. (2018). "PowerHammer: Exfiltrating Data from Air-Gapped Computers through Power Lines". https://arxiv.org/pdf/1804.04014.pdf. Accessed 13/02/2019.
Guri, M. (2018). "Mind the gap: This researcher steals data with noise, light, and magnets". https://www.wired.com/story/air-gap-researcher-mordechai-guri. Accessed 19/02/2019.
Lielacher, A. (2019). "How Many People Use Bitcoin in 2019?". https://www.bitcoinmarketjournal.com/how-many-people-use-bitcoin