
Deviously Dangerous ways to Communicate by Carl Ellingsen

Ever spent hours perusing a packet capture attempting to figure out what data was moved? Whether it is a CTF, suspicious user activity, or plain curiosity, reversing the various encoding schemes used to transmit traffic has always been a challenge, particularly when the sender is motivated to make it as difficult as possible to decode. De-mystifying these deviously dangerous ways to communicate allows us as blue-team defenders to detect exfiltration and protect against it. For red-team aficionados, it offers inspiration for novel tunnelling protocols.

The use of tunnelling and encoding/decoding gives attackers a way to hide what is being sent. DNS, HTTP, and IPsec tunnels are well known, but did you know there are other ways to tunnel? ICMP, custom protocols, and even application-layer tunnelling are used to bypass filters and automated detection tools. Take an encrypted, certificate-verified SSL session to Google, which defenders normally mark as safe: it could be one hop on the route to a command-and-control server. Understanding the fundamentals of tunnels, and of language in general, reveals the nuances of detecting data exfiltration.

Now, there is a silver lining to the variety of devious tunnels: there is a lot of data to analyze for trends! At its core, any communication works by encoding an abstract idea into a transmittable signal, which a receiver then decodes back into the original idea. For English speakers, this is done using the phonetic vocabulary built up over the years. Because both speaker and listener use the same encoding/decoding scheme to interpret vocalizations, the data is transferred successfully.

However, how can communication be restricted to only those authorized? If you have ever played around with CyberChef, you have experienced choosing the wrong encoding scheme and getting gibberish output. Ensuring that an eavesdropper's decoding scheme does not match the sender's is the essence of cryptography. Encryption is the bane of blue-team defenders trying to find exfiltration streams, but at least defenders know the communication is happening. Secure cryptography is the go-to for keeping data confidential, but there is another way: prevent the eavesdropper from trying to decode the message to begin with.

Tunnelling data so that it appears “acceptable” exploits the limits of defensive capabilities. With the absurd number of network protocols running automatically between devices, many are simply assumed to be legitimate. Once a connection is assumed to be secure, or otherwise legitimate, an attacker can take advantage of the lack of scrutiny by hiding data within it. Let’s look at some examples that showcase the exfiltration creativity employed by actors.

XVPN

VPNs are loved by users trying to bypass security controls. Fortunately, VPNs use easy-to-identify protocols and ports, right? During my time with the Cyberdome, the team encountered numerous alerts for relatively basic concerns. Internal hosts were scanning external IPs, contacting recently registered domains, and doing so without any major indicators of compromise. After some investigation, we discovered the XVPN app. It makes use of multiple proprietary protocols that can encode its traffic as web, DNS, NTP, FTP, or custom ports. The key that allowed us to relate the incidents was a server scan XVPN ran when opened. A sandbox run validated the behavior, allowing us to attribute future alerts to the application.

The Cyberdome team only noticed XVPN because it was quite noisy, contacting upwards of 400 remote addresses at the same time. If XVPN had simply limited itself to a handful of servers, we would have been unaware that users were bypassing the web filter. Even if the DNS tunnels were found and stopped, it could use another proprietary protocol to bypass our alerts.
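The indicator the Cyberdome team keyed on was fan-out: one host touching hundreds of distinct external addresses within seconds of launch. The following added example (not part of the article or of any product) runs that heuristic over a constructed set of flow records, using a sliding window to find the peak number of distinct destinations per source host; hostnames, addresses and the threshold are illustrative assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records (timestamp, source host, destination IP); not real data.
# "ws-17" behaves like an ordinary workstation.
FLOWS = [
    ("2024-01-10T09:00:00", "ws-17", "198.51.100.7"),
    ("2024-01-10T09:00:05", "ws-17", "198.51.100.9"),
    ("2024-01-10T09:03:00", "ws-17", "203.0.113.4"),
]
# Synthetic launch burst: "ws-42" contacts 400 distinct addresses inside one minute,
# the kind of server scan the article describes XVPN performing when opened.
FLOWS += [
    (f"2024-01-10T09:10:{i % 60:02d}", "ws-42", f"100.64.{i // 256}.{i % 256}")
    for i in range(400)
]


def fanout_alerts(flows, window=timedelta(seconds=60), threshold=100):
    """Return {source: peak distinct destinations} for every source whose peak
    number of distinct destinations within any `window` reaches `threshold`."""
    by_src = defaultdict(list)
    for ts, src, dst in flows:
        by_src[src].append((datetime.fromisoformat(ts), dst))

    alerts = {}
    for src, events in by_src.items():
        events.sort()                      # chronological order per host
        live = defaultdict(int)            # destination -> hits inside the window
        left, peak = 0, 0
        for ts, dst in events:
            live[dst] += 1
            # Slide the left edge forward until every event is within `window`.
            while ts - events[left][0] > window:
                old_dst = events[left][1]
                live[old_dst] -= 1
                if live[old_dst] == 0:
                    del live[old_dst]
                left += 1
            peak = max(peak, len(live))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    print(fanout_alerts(FLOWS))            # only ws-42 should be reported
```

Tune `window` and `threshold` against your own baseline; a single noisy host that never repeats the burst is worth a sandbox run, as the article describes, before the pattern is turned into an attribution rule.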

Google Calendar RAT

Another prime example of ingenuity is this proof of concept out on GitHub. This command-and-control gateway works by listening to a Google Calendar feed for events. From there, it reads the event description and executes any commands it finds, editing the description to include the output. Once installed, the attacker can remotely run commands and view output just by adding them to the calendar. As Google Calendar uses SSL encryption and the certificates used are legitimate, most would consider connections to the calendar acceptable.

Time Based Communication

As long as both sides use the same language to encode and decode data, information can be transmitted through any stream. Even the timing of the communication can be abused. Imagine mapping characters to minutes in the hour: A=00:01, B=00:02, and so on. A trojan could then ping the C2 server once an hour, at the minute corresponding to the next character to send. While slow, at only 24 characters sent a day, an attacker could still get a password hash within a week. To a defender, the traffic would appear almost random and could easily fly under the radar.
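From the analyst's side, the scheme above leaves two things in a connection log: a host that contacts the same destination exactly once per clock hour, and a minute-of-hour that carries the letter. This added example (not from the article) flags hosts with that cadence and recovers the letters using the article's A=00:01 mapping; the log entries and hostnames are constructed.

```python
from collections import Counter
from datetime import datetime, timedelta
from string import ascii_uppercase

# Constructed outbound-connection timestamps per host (not real data).
# "ws-09" follows the article's channel: one contact per hour, minute = letter.
# "ws-17" is ordinary bursty traffic and should not be flagged.
LOG = {
    "ws-09": ["2024-01-10T00:16:03", "2024-01-10T01:01:44",
              "2024-01-10T02:19:12", "2024-01-10T03:19:57"],
    "ws-17": ["2024-01-10T00:16:03", "2024-01-10T00:17:10",
              "2024-01-10T00:17:11", "2024-01-10T03:40:00"],
}


def hourly_cadence(stamps, min_hours=4):
    """True when the host made exactly one contact in each of at least
    `min_hours` consecutive clock hours: the one-ping-per-hour signature."""
    per_hour = Counter(
        datetime.fromisoformat(s).replace(minute=0, second=0, microsecond=0)
        for s in stamps
    )
    run, prev = 0, None
    for hour in sorted(per_hour):
        consecutive = prev is not None and hour - prev == timedelta(hours=1)
        # Extend the run only for single-contact hours that follow on directly.
        run = (run + 1 if consecutive else 1) if per_hour[hour] == 1 else 0
        prev = hour
        if run >= min_hours:
            return True
    return False


def decode_minutes(stamps):
    """Map each contact's minute-of-hour to a letter (1->A ... 26->Z);
    minutes outside that range decode to '?'."""
    letters = []
    for s in sorted(stamps):
        m = datetime.fromisoformat(s).minute
        letters.append(ascii_uppercase[m - 1] if 1 <= m <= 26 else "?")
    return "".join(letters)


def suspicious_hosts(log, min_hours=4):
    """Return {host: decoded text} for hosts showing the hourly cadence."""
    return {h: decode_minutes(s) for h, s in log.items() if hourly_cadence(s, min_hours)}


if __name__ == "__main__":
    print(suspicious_hosts(LOG))           # expected: {'ws-09': 'PASS'}
```

The cadence check is the detection; the decoder only confirms what a flagged host was sending, and will print `?` for minutes the article's 26-letter mapping does not cover.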

LED CPU Decoding

Falling down the rabbit hole even further, there are instances where an encoding scheme already exists but has not been recognized yet. In a unique side-channel attack, researchers found a way to record the slight power variations caused by CPU operations through the device's status LED. From there, the data being processed by the CPU could be interpreted.

The way different CPU operations affect power draw becomes an unexpected language for attackers. Higher power draw while 1s are processed dims the LED slightly. Recording these minute fluctuations lets them be mapped back to the data being fed to the CPU. For RFID card readers, this includes the hash and identifier used for authentication.

Conclusions

When designing systems and networks, remember to think about what isn’t seen. The assumptions we as cybersecurity defenders make can be abused by attackers to tunnel data under our noses. Any communication stream can be abused by devious attackers. For the pursuers of zero trust architecture, it’s an important reminder that every protocol and communication should be untrusted until proven otherwise.

Using Google Calendar or recording the brightness of an LED are not the most effective ways to exfiltrate data. They do, however, highlight the creativity employed by attackers. Anywhere a predictable action can be controlled, data can also be encoded. Security professionals must remain vigilant to devious workarounds, especially through protocols and streams assumed to be safe.