
Proxy: Multi-hop Proxy

To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source. A particular variant of this behavior is to use onion routing networks, such as the publicly available TOR network. (Citation: Onion Routing) In the case of network infrastructure, particularly routers, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain within the Wide-Area Network (WAN) of the enterprise. By leveraging Patch System Image, adversaries can add custom code to the affected network devices that will implement onion routing between those nodes. This custom onion routing network will transport the encrypted C2 traffic through the compromised population, allowing adversaries to communicate with any device within the onion routing network. This method is dependent upon the Network Boundary Bridging method in order to allow the adversaries to cross the protected network boundary of the Internet perimeter and into the organization’s WAN. Protocols such as ICMP may be used as a transport.

ID: T1090.003
Sub-technique of: T1090
Tactic(s): Command and Control
Platforms: Linux, macOS, Network, Windows
Data sources: Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Version: 2.0
Created: 14 Mar 2020
Last modified: 21 Oct 2020

Procedure Examples

Name Description
Keydnap

Keydnap uses a copy of tor2web proxy for HTTPS communications.(Citation: synack 2016 review)

MacSpy

MacSpy uses Tor for command and control.(Citation: objsee mac malware 2017)

GreyEnergy

GreyEnergy has used Tor relays for Command and Control servers.(Citation: ESET GreyEnergy Oct 2018)

Ursnif

Ursnif has used Tor for C2.(Citation: NJCCIC Ursnif Sept 2016)(Citation: ProofPoint Ursnif Aug 2016)

Attor

Attor has used Tor for C2 communication.(Citation: ESET Attor Oct 2019)

APT28

APT28 has routed traffic over Tor and VPN servers to obfuscate their activities.(Citation: TrendMicro Pawn Storm Dec 2020)

CostaRicto

During CostaRicto, the threat actors used a layer of proxies to manage C2 communications.(Citation: BlackBerry CostaRicto November 2020)

Inception

Inception used chains of compromised routers to proxy C2 communications between them and cloud service providers.(Citation: Symantec Inception Framework March 2018)

Leviathan

Leviathan has used multi-hop proxies to disguise the source of their malicious traffic.(Citation: CISA AA21-200A APT40 July 2021)

Operation Wocao

During Operation Wocao, threat actors executed commands through the installed web shell via Tor exit nodes.(Citation: FoxIT Wocao December 2019)

FIN4

FIN4 has used Tor to log in to victims' email accounts.(Citation: FireEye Hacking FIN4 Dec 2014)

Siloscape

Siloscape uses Tor to communicate with C2.(Citation: Unit 42 Siloscape Jun 2021)

APT29

A backdoor used by APT29 created a Tor hidden service to forward traffic from the Tor client to local ports 3389 (RDP), 139 (NetBIOS), and 445 (SMB), enabling full remote access from outside the network; APT29 has also used Tor.(Citation: Mandiant No Easy Breach)(Citation: MSTIC Nobelium Oct 2021)

Operation Wocao

Operation Wocao has executed commands through the installed web shell via Tor exit nodes.(Citation: FoxIT Wocao December 2019)

Tor

Traffic traversing the Tor network will be forwarded to multiple nodes before exiting the Tor network and continuing on to its intended destination.(Citation: Dingledine Tor The Second-Generation Onion Router)

Dok

Dok downloads and installs Tor via homebrew.(Citation: objsee mac malware 2017)

Cyclops Blink

Cyclops Blink has used Tor nodes for C2 traffic.(Citation: NCSC CISA Cyclops Blink Advisory February 2022)

StrongPity

StrongPity can use multiple layers of proxy servers to hide terminal nodes in its infrastructure.(Citation: Bitdefender StrongPity June 2020)

Industroyer

Industroyer used Tor nodes for C2.(Citation: Dragos Crashoverride 2017)

WannaCry

WannaCry uses Tor for command and control traffic.(Citation: SecureWorks WannaCry Analysis)

Dridex

Dridex can use multiple layers of proxy servers to hide terminal nodes in its infrastructure.(Citation: Checkpoint Dridex Jan 2021)

Kobalos

Kobalos can chain together multiple compromised machines as proxies to reach their final targets.(Citation: ESET Kobalos Feb 2021)(Citation: ESET Kobalos Jan 2021)

Mitigations

Mitigation Description
Filter Network Traffic

Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.

Detection

When observing use of multi-hop proxies, network data from the actual command and control servers could allow correlating incoming and outgoing flows to trace malicious traffic back to its source. Multi-hop proxies can also be detected by alerting on traffic to known anonymity networks (such as Tor) or to known adversary infrastructure that uses this technique.

In the context of network devices, monitor traffic for encrypted communications from the Internet that are addressed to border routers. Compare this traffic with the device configuration to determine whether it matches any site-to-site Virtual Private Network (VPN) connections the device was intended to have. Monitor traffic for encrypted communications originating from potentially breached routers that are addressed to other routers within the organization; compare the source and destination with the device configuration to determine whether these channels are authorized VPN connections or other authorized encrypted modes of communication. Monitor ICMP traffic from the Internet that is addressed to border routers and carries encrypted payloads: few if any legitimate use cases exist for sending encrypted data to a network device via ICMP.
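The checks described in the detection guidance above, implemented over flow records, as an added example (this is not code from the SECURITM page or from MITRE ATT&CK). It labels flows that touch a known anonymity-network node, encrypted traffic to a border router that matches no configured VPN peer, encrypted router-to-router channels the configuration does not account for, and ICMP from the Internet whose payload looks like ciphertext; it also correlates an inbound flow into a host with an outbound flow leaving that host shortly after with a similar byte count, which is how one link of a proxy chain shows up in flow data. All addresses, the "known node" list, the router inventory, the flow records and the entropy and timing thresholds are constructed placeholders (RFC 5737 documentation ranges) and assumptions to be tuned per environment; the same node list is what an egress filter under the mitigation above would consume.

```python
"""Flow-level heuristics for the T1090.003 detection guidance.

Added example, not code from the SECURITM page or from MITRE ATT&CK. Every
address, flow record and "known anonymity node" below is a constructed
placeholder (RFC 5737 documentation ranges), not a real relay or real
infrastructure; thresholds are assumptions to be tuned per environment.
"""
import ipaddress
import math
import random
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed stand-in for a threat-intel feed (e.g. a relay list).
KNOWN_ANONYMITY_NODES: Set[str] = {"198.51.100.10", "198.51.100.11", "203.0.113.77"}
# Constructed device inventory: all organisation routers and the border subset.
ROUTERS: Set[str] = {"192.0.2.1", "192.0.2.2", "10.1.0.1"}
BORDER_ROUTERS: Set[str] = {"192.0.2.1", "192.0.2.2"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]
# Encrypted channels the configuration says should exist: (local router, peer).
AUTHORIZED_VPN_PEERS: Set[Tuple[str, str]] = {("192.0.2.1", "198.51.100.200")}
AUTHORIZED_ROUTER_LINKS: Set[Tuple[str, str]] = {("192.0.2.1", "10.1.0.1")}
ENCRYPTED_PROTOS = {"esp", "ipsec-nat-t"}


@dataclass
class Flow:
    ts: float            # start time, seconds
    src: str
    dst: str
    proto: str
    nbytes: int
    payload: bytes = b""  # only populated for ICMP in this example


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext approaches 8.0, ping padding sits far lower."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_flow(flow: Flow) -> List[str]:
    """Return the detection labels that apply to a single flow."""
    findings: List[str] = []
    # 1. Either endpoint is on the anonymity-network / known-infrastructure list.
    if flow.src in KNOWN_ANONYMITY_NODES or flow.dst in KNOWN_ANONYMITY_NODES:
        findings.append("anonymity_network_peer")
    if flow.dst in BORDER_ROUTERS and not is_internal(flow.src):
        # 2. Encrypted traffic from the Internet to a border router with no configured VPN peer.
        if flow.proto in ENCRYPTED_PROTOS and (flow.dst, flow.src) not in AUTHORIZED_VPN_PEERS:
            findings.append("unconfigured_vpn_to_border_router")
        # 3. ICMP from the Internet whose payload has ciphertext-like entropy.
        if flow.proto == "icmp" and len(flow.payload) >= 256 and shannon_entropy(flow.payload) > 7.0:
            findings.append("encrypted_icmp_to_border_router")
    # 4. Encrypted router-to-router channel the configuration does not account for.
    if flow.src in ROUTERS and flow.dst in ROUTERS and flow.proto in ENCRYPTED_PROTOS:
        if (flow.src, flow.dst) not in AUTHORIZED_ROUTER_LINKS and (flow.dst, flow.src) not in AUTHORIZED_ROUTER_LINKS:
            findings.append("unconfigured_router_to_router_encryption")
    return findings


def find_relay_candidates(flows: List[Flow], window: float = 2.0, tolerance: float = 0.25) -> List[Tuple[str, str, str]]:
    """Pair an inbound flow into host H with an outbound flow from H that starts
    within `window` seconds and carries a similar byte count. Each hit
    (previous_hop, H, next_hop) is one link of a possible proxy chain."""
    ordered = sorted(flows, key=lambda f: f.ts)
    hits = []
    for inbound in ordered:
        for outbound in ordered:
            if outbound.src != inbound.dst or outbound.dst == inbound.src:
                continue
            if not (inbound.ts < outbound.ts <= inbound.ts + window):
                continue
            if abs(inbound.nbytes - outbound.nbytes) <= tolerance * max(inbound.nbytes, outbound.nbytes):
                hits.append((inbound.src, inbound.dst, outbound.dst))
    return hits


# Constructed payloads: seeded pseudo-random bytes stand in for ciphertext,
# an ascending byte pattern stands in for ordinary ping padding.
_rng = random.Random(2024)
CIPHERTEXT_LIKE = bytes(_rng.getrandbits(8) for _ in range(1024))
PING_PADDING = bytes(range(0x08, 0x40))

# Constructed flow records, not captured traffic.
SAMPLE_FLOWS = [
    Flow(0.0, "203.0.113.77", "10.1.5.20", "tcp", 4200),                      # from a listed node
    Flow(0.4, "10.1.5.20", "10.1.7.31", "tcp", 4100),                         # relayed onward
    Flow(10.0, "198.51.100.50", "192.0.2.1", "icmp", 1024, CIPHERTEXT_LIKE),  # ICMP carrying ciphertext
    Flow(20.0, "198.51.100.200", "192.0.2.1", "esp", 9000),                   # configured VPN peer
    Flow(30.0, "198.51.100.60", "192.0.2.2", "esp", 9000),                    # unknown peer
    Flow(40.0, "198.51.100.9", "192.0.2.1", "icmp", 56, PING_PADDING),        # plain ping
    Flow(50.0, "192.0.2.2", "10.1.0.1", "esp", 3000),                         # unexpected router link
]


def run_detection(flows: List[Flow]) -> dict:
    """Per-flow labels plus chain candidates, as an analyst would triage them."""
    return {"flows": [(f.src, f.dst, classify_flow(f)) for f in flows],
            "relay_candidates": find_relay_candidates(flows)}


if __name__ == "__main__":
    for src, dst, labels in run_detection(SAMPLE_FLOWS)["flows"]:
        print(f"{src} -> {dst}: {', '.join(labels) or 'no finding'}")
    print("relay candidates:", find_relay_candidates(SAMPLE_FLOWS))
```

The entropy test deliberately requires a minimum payload size: on a 56-byte ping the per-byte entropy ceiling is too low to separate padding from ciphertext, so short ICMP payloads are left alone rather than producing noise. The relay correlation is intentionally loose (a 2-second window and 25 % byte tolerance) and is meant as a triage signal to be joined with the per-flow labels, not as a stand-alone alert.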

References

  1. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  2. Wikipedia. (n.d.). Onion Routing. Retrieved October 20, 2020.
  3. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
  4. Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. Retrieved January 13, 2021.
  5. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
  6. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.
  7. Prizmant, D. (2021, June 7). Siloscape: First Known Malware Targeting Windows Containers to Compromise Cloud Environments. Retrieved June 9, 2021.
  8. Symantec. (2018, March 14). Inception Framework: Alive and Well, and Hiding Behind Proxies. Retrieved May 8, 2020.
  9. Roger Dingledine, Nick Mathewson and Paul Syverson. (2004). Tor: The Second-Generation Onion Router. Retrieved December 21, 2017.
  10. NCSC, CISA, FBI, NSA. (2022, February 23). New Sandworm malware Cyclops Blink replaces VPNFilter. Retrieved March 3, 2022.
  11. Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
  12. Patrick Wardle. (2017, January 1). Mac Malware of 2016. Retrieved September 21, 2018.
  13. Proofpoint Staff. (2016, August 25). Nightmare on Tor Street: Ursnif variant Dreambot adds Tor functionality. Retrieved June 5, 2019.
  14. NJCCIC. (2016, September 27). Ursnif. Retrieved June 4, 2019.
  15. Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019.
  16. Check Point Research. (2021, January 4). Stopping Serial Killer: Catching the Next Strike. Retrieved September 7, 2021.
  17. M.Leveille, M., Sanmillan, I. (2021, January). A WILD KOBALOS APPEARS Tricksy Linux malware goes after HPCs. Retrieved August 24, 2021.
  18. M.Leveille, M., Sanmillan, I. (2021, February 2). Kobalos – A complex Linux threat to high performance computing infrastructure. Retrieved August 24, 2021.
  19. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
  20. Dragos Inc. (2017, June 13). CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Retrieved December 18, 2020.
  21. CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department. Retrieved August 12, 2021.
  22. Vengerik, B. et al. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved December 17, 2018.
  23. Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM targeting delegated administrative privileges to facilitate broader attacks. Retrieved March 25, 2022.
  24. Dunwoody, M. and Carr, N. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved October 4, 2016.
