sb-nz logo
Story image

Malware takes stealth approach to global content delivery networks

24 Jul 2017

Content delivery networks that deliver web content to users based on their locations are now a primary threat for malware and command & control (C&C) traffic, security firm CyberArk warns.

The technique, called ‘domain fronting’, has been seen working across tens of thousands of high reputation domains, including those of Fortune 100 companies, but has been most prevalent in Akamai content delivery networks (CDNs).

According to CyberArk, this method allows attackers to bypass security systems such as network monitoring and tools that rely on SSL fingerprinting as well as ‘known good’ domains.

Organisations that use distinguishing tactics such as using ‘known good’ and ‘known bad’ domains are no longer safe and defenders can’t trust ‘known good’ outbound traffic anymore, and threat detection should focus inside the network.

It is not only harder to shut down malware, but also harder to trace it back to a specific domain and find out where it came from.

The Akamai CDN carries between 15-30% of the world’s internet traffic, which makes it a prime target for attacks.

CyberArk researchers say that the Tor project not only used Akamai domains to bypass China’s content filtering networks and was later blocked in China. The Tor project also used Google and other CDNs to avoid censorship.

Researchers say attackers are looking for two major vulnerabilities in CDNs for their command and control purposes: a two way read-write mechanism, malware that is designed specifically for that channel, and that users’ machine must be infected with the malware.

After a series of tweaks to the custom malware, CDN identification and server names, nothing is amiss on the defender’s end.

“The client machine will be communicating with a high-reputation domain’s IP address, and the web traffic will be encrypted and signed by this domain. In appearance, this will thus appear as legitimate traffic to a highly trusted entity,” researchers say in a blog.

One of the few ways organisations may be detect domain fronting traffic is by using an HTTPS proxy as part of a man-in-the-middle campaign. This allows organisations to decrypt all encrypted traffic and inspect it, but it does come with risks.

Some domains use HSTS, a security protocol that forces all users to communicate through HTTPS only. As a result, only some firms can decrypt SSL traffic that targets those domains.

CyberArk researchers say another approach is for organisations to use an HTTPS proxy with SSL termination. This allows them to spot a mismatch between the host header and request uniform resource locator (URI).

The CDN could also give each domain virtual IP addresses that are tied to a specific SSL certificate. This stops malware from nesting in CDNs, but there are simply not enough public IPv4 addresses to make this happen, researchers conclude.

Story image
Securing SAP to ensure better operational security
Securing information and systems is a process that needs to start long before these vulnerabilities are exposed to help limit potential risk and impacts, writes Acclimation managing partner Cameron Sherrard.More
Story image
Creating private data regulations for employees
Whether employees are hired on a part-time or full-time basis, everyone must know about data privacy regulations. Everyone needs to be responsible for keeping the organisation’s data secure. More
Story image
Why best-practice threat data management provides confident automation
Understanding an organisation’s threat landscape requires having both the right threat data sources and the proper prioritisation to derive actionable threat intelligence for your organisation. More
Story image
Why IT and HR must work together to help businesses weather the storm
Employers are striving to balance team productivity, security and employee engagement. If remote work is the new norm, it’s impossible to ignore the challenging nature of the situation, writes Gigamon manager for A/NZ George Tsoukas.More
Story image
Fujitsu new tech ensures inter-business data trust
The technology can verify when and by whom the data was created, and whether it has been tampered with, to ensure trusted data exchange.More
Story image
Palo Alto Networks extends cloud native security platform with new modules
Palo Alto Networks has announced the availability of Prisma Cloud 2.0, including four new cloud security modules, thus extending its Cloud Native Security Platform (CNSP). More