SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
New Zealand
Guides
#
cloud security
#
cybersecurity
#
endpoint protection
#
firewall
#
ransomware
Search
Story image
#
Cybersecurity
#
Malware
#
Servers
Malware takes stealth approach to global content delivery networks
Mon, 24th Jul 2017
FYI, this story is more than a year old
Author image
By Sara Barker, Copywriter and Senior News Editor
Follow us

Content delivery networks that deliver web content to users based on their locations are now a primary threat for malware and command - control (C-C) traffic, security firm CyberArk warns.

The technique, called ‘domain fronting', has been seen working across tens of thousands of high reputation domains, including those of Fortune 100 companies, but has been most prevalent in Akamai content delivery networks (CDNs).

According to CyberArk, this method allows attackers to bypass security systems such as network monitoring and tools that rely on SSL fingerprinting as well as ‘known good' domains.

Organisations that use distinguishing tactics such as using ‘known good' and ‘known bad' domains are no longer safe and defenders can't trust ‘known good' outbound traffic anymore, and threat detection should focus inside the network.

It is not only harder to shut down malware, but also harder to trace it back to a specific domain and find out where it came from.

The Akamai CDN carries between 15-30% of the world's internet traffic, which makes it a prime target for attacks.

CyberArk researchers say that the Tor project not only used Akamai domains to bypass China's content filtering networks and was later blocked in China. The Tor project also used Google and other CDNs to avoid censorship.

Researchers say attackers are looking for two major vulnerabilities in CDNs for their command and control purposes: a two way read-write mechanism, malware that is designed specifically for that channel, and that users' machine must be infected with the malware.

After a series of tweaks to the custom malware, CDN identification and server names, nothing is amiss on the defender's end.

“The client machine will be communicating with a high-reputation domain's IP address, and the web traffic will be encrypted and signed by this domain. In appearance, this will thus appear as legitimate traffic to a highly trusted entity,” researchers say in a blog.

One of the few ways organisations may be detect domain fronting traffic is by using an HTTPS proxy as part of a man-in-the-middle campaign. This allows organisations to decrypt all encrypted traffic and inspect it, but it does come with risks.

Some domains use HSTS, a security protocol that forces all users to communicate through HTTPS only. As a result, only some firms can decrypt SSL traffic that targets those domains.

CyberArk researchers say another approach is for organisations to use an HTTPS proxy with SSL termination. This allows them to spot a mismatch between the host header and request uniform resource locator (URI).

The CDN could also give each domain virtual IP addresses that are tied to a specific SSL certificate. This stops malware from nesting in CDNs, but there are simply not enough public IPv4 addresses to make this happen, researchers conclude.

Related stories
RiverSafe teams up with Cribl to boost IT & data security services
Half of online traffic in 2024 generated by bots, report finds
Cisco launches Hypershield for AI-driven security upgrade
Keeper Security launches user-friendly passphrase generator
Axis unveils hybrid cloud platform for adaptable security solutions
Top stories
Fortinet recognised as Challenger in Gartner's 2024 Magic Quadrant for SSE
Coalition integrates cyber risk platform with top cloud services providers
Armis warns of major cyber-attack risk to 2024 global elections
i-PRO to support Genetec SaaS with new AI-enabled camera models
Illumio unveils AI enhancements for faster Zero Trust Segmentation adoption