sb-nz logo
Story image

Malware takes stealth approach to global content delivery networks

24 Jul 2017

Content delivery networks that deliver web content to users based on their locations are now a primary threat for malware and command & control (C&C) traffic, security firm CyberArk warns.

The technique, called ‘domain fronting’, has been seen working across tens of thousands of high reputation domains, including those of Fortune 100 companies, but has been most prevalent in Akamai content delivery networks (CDNs).

According to CyberArk, this method allows attackers to bypass security systems such as network monitoring and tools that rely on SSL fingerprinting as well as ‘known good’ domains.

Organisations that use distinguishing tactics such as using ‘known good’ and ‘known bad’ domains are no longer safe and defenders can’t trust ‘known good’ outbound traffic anymore, and threat detection should focus inside the network.

It is not only harder to shut down malware, but also harder to trace it back to a specific domain and find out where it came from.

The Akamai CDN carries between 15-30% of the world’s internet traffic, which makes it a prime target for attacks.

CyberArk researchers say that the Tor project not only used Akamai domains to bypass China’s content filtering networks and was later blocked in China. The Tor project also used Google and other CDNs to avoid censorship.

Researchers say attackers are looking for two major vulnerabilities in CDNs for their command and control purposes: a two way read-write mechanism, malware that is designed specifically for that channel, and that users’ machine must be infected with the malware.

After a series of tweaks to the custom malware, CDN identification and server names, nothing is amiss on the defender’s end.

“The client machine will be communicating with a high-reputation domain’s IP address, and the web traffic will be encrypted and signed by this domain. In appearance, this will thus appear as legitimate traffic to a highly trusted entity,” researchers say in a blog.

One of the few ways organisations may be detect domain fronting traffic is by using an HTTPS proxy as part of a man-in-the-middle campaign. This allows organisations to decrypt all encrypted traffic and inspect it, but it does come with risks.

Some domains use HSTS, a security protocol that forces all users to communicate through HTTPS only. As a result, only some firms can decrypt SSL traffic that targets those domains.

CyberArk researchers say another approach is for organisations to use an HTTPS proxy with SSL termination. This allows them to spot a mismatch between the host header and request uniform resource locator (URI).

The CDN could also give each domain virtual IP addresses that are tied to a specific SSL certificate. This stops malware from nesting in CDNs, but there are simply not enough public IPv4 addresses to make this happen, researchers conclude.

Story image
Pandemic sees organisations of all sizes and industries invest in CTI
There is opportunity for organisations to better manage their cyber-threat intelligence for greater security and threat intelligence effectiveness by adopting the right tools and processes.More
Story image
ThreatQuotient hits $22.5m in new financing, continues growth streak
“Since we first invested in ThreatQuotient in 2017, their team has continued to prove to the market that there is a critical need for cybersecurity solutions aimed at security operations."More
Story image
Zscaler and CrowdStrike release integrations for end-to-end security
This collaboration between the two cloud-native security companies provides joint customers with adaptive, risk-based access control to private applications.More
Story image
Attivo Networks expands Active Directory suite for greater protection
"We see Active Directory exploitation used in the majority of ransomware, insider and advanced attacks. We are pleased to now offer our customers early and efficient solutions for preventing the misuse of Active Directory.”More
Story image
Mobile devices biggest enterprise security threat - report
Businesses have left themselves vulnerable and open to cyber criminals in the rush to ensure their workforce could operate remotely during the Covid-19 pandemic.More
Story image
Ransomware and Microsoft Exchange attacks surging 
There are global surges in ransomware attacks alongside increases in cyber attacks targeting Microsoft Exchange Server vulnerabilities, according to Check Point Research.More