Malware takes stealth approach to global content delivery networks
Content delivery networks that deliver web content to users based on their locations are now a primary threat for malware and command & control (C&C) traffic, security firm CyberArk warns.
The technique, called ‘domain fronting’, has been seen working across tens of thousands of high reputation domains, including those of Fortune 100 companies, but has been most prevalent in Akamai content delivery networks (CDNs).
According to CyberArk, this method allows attackers to bypass security systems such as network monitoring and tools that rely on SSL fingerprinting as well as ‘known good’ domains.
Organisations that use distinguishing tactics such as using ‘known good’ and ‘known bad’ domains are no longer safe and defenders can’t trust ‘known good’ outbound traffic anymore, and threat detection should focus inside the network.
It is not only harder to shut down malware, but also harder to trace it back to a specific domain and find out where it came from.
The Akamai CDN carries between 15-30% of the world’s internet traffic, which makes it a prime target for attacks.
CyberArk researchers say that the Tor project not only used Akamai domains to bypass China’s content filtering networks and was later blocked in China. The Tor project also used Google and other CDNs to avoid censorship.
Researchers say attackers are looking for two major vulnerabilities in CDNs for their command and control purposes: a two way read-write mechanism, malware that is designed specifically for that channel, and that users’ machine must be infected with the malware.
After a series of tweaks to the custom malware, CDN identification and server names, nothing is amiss on the defender’s end.
“The client machine will be communicating with a high-reputation domain’s IP address, and the web traffic will be encrypted and signed by this domain. In appearance, this will thus appear as legitimate traffic to a highly trusted entity,” researchers say in a blog.
One of the few ways organisations may be detect domain fronting traffic is by using an HTTPS proxy as part of a man-in-the-middle campaign. This allows organisations to decrypt all encrypted traffic and inspect it, but it does come with risks.
Some domains use HSTS, a security protocol that forces all users to communicate through HTTPS only. As a result, only some firms can decrypt SSL traffic that targets those domains.
CyberArk researchers say another approach is for organisations to use an HTTPS proxy with SSL termination. This allows them to spot a mismatch between the host header and request uniform resource locator (URI).
The CDN could also give each domain virtual IP addresses that are tied to a specific SSL certificate. This stops malware from nesting in CDNs, but there are simply not enough public IPv4 addresses to make this happen, researchers conclude.