Web Service: One-Way Communication
Other sub-techniques of Web Service (3)
ID | Name |
---|---|
.001 | Dead Drop Resolver |
.002 | Bidirectional Communication |
.003 | One-Way Communication |
Adversaries may use an existing, legitimate external Web service as a means for sending commands to a compromised system without receiving return output over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems may opt to send the output from those commands back over a different C2 channel, including to another distinct Web service. Alternatively, compromised systems may return no output at all in cases where adversaries want to send instructions to systems and do not want a response. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Procedure Examples
Name | Description |
---|---|
EVILNUM | EVILNUM has used a one-way communication method via GitLab and Digital Point to perform C2.(Citation: Prevailion EvilNum May 2020) |
Leviathan | Leviathan has received C2 instructions from user profiles created on legitimate websites such as GitHub and TechNet.(Citation: FireEye Periscope March 2018) |
Metamorfo | Metamorfo has downloaded a zip file for execution on the system.(Citation: Medium Metamorfo Apr 2020)(Citation: FireEye Metamorfo Apr 2018)(Citation: Fortinet Metamorfo Feb 2020) |
OnionDuke | OnionDuke uses Twitter as a backup C2.(Citation: F-Secure The Dukes) |
HAMMERTOSS | The "tDiscoverer" variant of HAMMERTOSS establishes a C2 channel by downloading resources from Web services like Twitter and GitHub. HAMMERTOSS binaries contain an algorithm that generates a different Twitter handle for the malware to check for instructions every day.(Citation: FireEye APT29) |
Mitigations
Mitigation | Description |
---|---|
Restrict Web-Based Content | Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc. |
Network Intrusion Prevention | Use intrusion detection signatures to block traffic at network boundaries. |
Detection
Host data that can relate unknown or suspicious process activity using a network connection is important to supplement any existing indicators of compromise based on malware command and control signatures and infrastructure or the presence of strong encryption. Packet capture analysis will require SSL/TLS inspection if data is encrypted. Analyze network data for uncommon data flows. User behavior monitoring may help to detect abnormal patterns of activity.(Citation: University of Birmingham C2)
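One way to relate process activity to network connections for this technique, as an added example that is not part of the original page: it flags processes outside an expected set that poll a watched web service at a steady interval while sending far less than they receive. The service and process lists, the thresholds, the log layout and all sample records (including the process names) are constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumed local policy (not from the page): services to watch, processes expected to use them.
WATCHED = {"twitter.com", "github.com", "gitlab.com"}
EXPECTED = {"chrome.exe", "firefox.exe", "msedge.exe"}

# Constructed host telemetry: time, host, process, destination, bytes sent, bytes received.
SAMPLE_LOG = """\
2024-05-01T08:02:11,ws-014,chrome.exe,twitter.com,18400,912000
2024-05-01T09:00:03,ws-014,updsvc.exe,github.com,610,4180
2024-05-01T10:00:01,ws-014,updsvc.exe,github.com,598,4175
2024-05-01T11:00:04,ws-014,updsvc.exe,github.com,604,4182
2024-05-01T12:00:02,ws-014,updsvc.exe,github.com,601,4179
2024-05-01T09:15:00,ws-022,bkagent.exe,gitlab.com,880000,3100
2024-05-01T10:15:00,ws-022,bkagent.exe,gitlab.com,910000,3050
2024-05-01T11:15:00,ws-022,bkagent.exe,gitlab.com,875000,3120
2024-05-01T12:15:00,ws-022,bkagent.exe,gitlab.com,902000,3090
2024-05-01T09:05:00,ws-040,notes.exe,github.com,700,5200
2024-05-01T09:07:30,ws-040,notes.exe,github.com,650,4900
2024-05-01T11:52:10,ws-040,notes.exe,github.com,720,5100
2024-05-01T12:01:45,ws-040,notes.exe,github.com,690,5000
"""


def find_one_way_pollers(log_text, min_events=4, max_jitter=0.1, max_sent_ratio=0.2):
    """Flag (host, process, service) where an unexpected process polls a watched
    service at a steady interval and sends far less than it receives."""
    flows = defaultdict(list)
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 6:
            continue  # skip blank or malformed lines
        ts, host, proc, dest, sent, recv = row
        if dest in WATCHED and proc.lower() not in EXPECTED:
            flows[(host, proc, dest)].append((datetime.fromisoformat(ts), int(sent), int(recv)))
    findings = []
    for key, events in sorted(flows.items()):
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        if len(gaps) < min_events - 1 or sum(gaps) == 0:
            continue  # too few samples, or no measurable interval
        jitter = pstdev(gaps) / mean(gaps)  # coefficient of variation of the interval
        sent, recv = sum(e[1] for e in events), sum(e[2] for e in events)
        if jitter <= max_jitter and sent <= max_sent_ratio * recv:
            findings.append(key)
    return findings
```

A hit is a lead for triage rather than a verdict: legitimate updaters poll code-hosting services the same way, so the expected-process set needs tuning per environment.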
References
- Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
- F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
- Adamitis, D. (2020, May 6). Phantom in the Command Shell. Retrieved December 22, 2021.
- FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved September 17, 2015.
- Zhang, X. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020.
- Sierra, E., Iglesias, G. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020.
- Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020.
- FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
Related Risks
Risk | Relations | |
---|---|---|
Data transfer over covert channels due to the ability to disguise malicious traffic as legitimate in network traffic (Confidentiality; Information disclosure) | | |
Unauthorized control of IT infrastructure due to the ability to disguise malicious traffic as legitimate in network traffic (Elevation of privilege; Integrity; Unauthorized access) | | |
Information leakage due to the ability to disguise malicious traffic as legitimate in network traffic (Confidentiality; Information disclosure) | | |