Bypassing NextGen Security: Crazy C&C Channels

Transcript

1. Crazy c2 Channels Bypassing Next-Gen Security w/ Crazy C&C Channels

2. Wolf Pack! Looking for 0days and malware! @DavidThurm @DavidThurm THANKS!

3. Bryce Kunz - Cloud Exploitation Expert AWS, Azure, Docker, K8s,

   DC/OS, Mesos, etc… & Red Team Lead Whois Bryce Kunz @TweekFawkes DHS NSA Cloud

4. Last-Gen

5. The Network Malware

6. The Goal Malware C2

7. Blocks: - IP Addresses - Ports Firewall 123.123.123.123 80/TCP -

   Execute Commands Malware Firewall Connect Back

8. Layers Any IoT Web Service: - Serverless Services - AWS

   Lambda, etc... - MQTTS, etc... IP Address Port 1.1.1.1 443

9. Web Proxy Blocks: - Domain Names - BlackList - Reputation

   Based - Attacker’s Buy Good Rep Domains bad.guy.com - Execute Commands Connect Back Malware Web Proxy

10. Any IoT Web Service: - Serverless Services - AWS Lambda,

    etc... - MQTTS, etc... IP Address Port 1.1.1.1 443 Domain name example.com

11. IPS Blocks: - Signatures (e.g. strings) - Previously Known Bad

    “root#” - Execute Commands Connect Back Malware IPS

12. Any IoT Web Service: - Serverless Services - AWS Lambda,

    etc... - MQTTS, etc... IP Address Port Protocol App, API, REST 1.1.1.1 443 HTTP <msg>c2</msg> Domain name example.com

13. Malware Analysis Blocks: - Files (in Transit) - Runs Files

    in Sandbox bad.guy.com - Execute Commands Connect Back Malware AMP

14. Any IoT Web Service: - Serverless Services - AWS Lambda,

    etc... - MQTTS, etc... IP Address Port Protocol App, API, REST 1.1.1.1 443 HTTP Files Domain name example.com

15. Transaction Logging Enables: - Logging of Traffic MetaData - Aggregation

    of MetaData (e.g. into Splunk) - Anomalies (e.g. rare Certificates) “root#” - Execute Commands Connect Back Malware BroIDS

16. Any IoT Web Service: - Serverless Services - AWS Lambda,

    etc... - MQTTS, etc... IP Address Port Encryption Protocol App, API, REST 1.1.1.1 443 TLS & Certs HTTP <msg>c2</msg> Domain name example.com

17. TLS/SSL Decryption Enables: - Inspection of TLS/SSL Traffic - Ability

    to inspect encrypted traffic “root#” - Execute Commands Connect Back Malware Web Proxy

18. Any IoT Web Service: - Serverless Services - AWS Lambda,

    etc... - MQTTS, etc... IP Address Port Encryption Protocol App, API, REST 1.1.1.1 443 TLS & Certs HTTP <msg>c2</msg> Domain name example.com

19. Next-Gen

20. Next-Gen Firewalls Features: - Application Awareness - Allow Only web-browsing

    bad.guy.com - Execute Commands Connect Back Malware Next-Gen Firewall

21. MEterpreter Reverse Http x86 windows/meterpreter/reverse_http LPORT=80 msfconsole - Execute Commands

    Connect Back Windows Target Next-Gen Firewall

22. MEterpreter Reverse Http x86 windows/meterpreter/reverse_http LPORT=80 Denied! msfconsole - Execute

    Commands Connect Back Windows Target Next-Gen Firewall

23. Koadic w/ RegSvr Stager Koadic 0x8 - Execute Commands Connect

    Back Windows Target Next-Gen Firewall

24. Koadic w/ RegSvr Stager Denied!

25. Koadic Koadic 0x8 - Execute Commands Connect Back Windows Target

    Next-Gen Firewall

26. Koadic Next-Gen Firewall Bypassed! Allowed!

27. Empire Empire v2.1 - Execute Commands Connect Back Windows Target

    Next-Gen Firewall

28. Empire Denied! Empire v2.1 - Execute Commands Connect Back Windows

    Target Next-Gen Firewall

29. Empire

30. Empire Defaults

31. “not” Empire Mod

32. Empire With Modified URIs - /totes/not/bad.php Empire v2.1 - Execute

    Commands Connect Back Windows Target Next-Gen Firewall

33. With Modified URIs - /totes/not/bad.php Allowed! Empire Next-Gen Firewall Bypassed!

34. Pupy Out of the box... pupy - Execute Commands Connect

    Back Windows Target Next-Gen Firewall

35. Allowed! Pupy Next-Gen Firewall Bypassed!

36. WebDavC2 Out of the box... WebDavC2 - Execute Commands Connect

    Back Windows Target Next-Gen Firewall

37. Allowed! WebDavC2 Next-Gen Firewall Bypassed!

38. OverAll Next-Gen Rating: Next-Gen Firewall Bypassed! Meterpreter Koadic Empire Pupy

    50% ? WebDav2

39. Crazy C2 #1

40. TwitterSphere ...

41. Survey Says! ...

42. Breakdown c2 via Twitter (so meta!)

43. Breakdown Y21kPXBvd2Vyc2hlbGwgLW5vcCAtbm9uaSAtdyAxIC1jIFdyaX RlLUhvc3QgbG9vb29vb29sego=

44. Breakdown Y21kPXBvd2Vyc2hlbGwgLW5vcCAtbm9uaSAtdyAxIC1jIFdyaX RlLUhvc3QgbG9vb29vb29sego= Base64 Encoded

45. CyberChef

46. Decode Base64 Decoded: cmd=powershell -nop -noni -w 1 -c Write-Host

    looooooolz

47. Breakdown cmd=powershell -nop -noni -w 1 -c Write-Host looooooolz cmd=

    -> c2 protocol

48. C2 Logic if command == “cmd=”: (execute the command)

49. Multiple Commands if command == “cmd=”: (execute the command) elif

    command == “download=”: (download a file)

50. Sleep if command == “cmd=”: (execute the command) elif command

    == “download=”: (download a file) else: (sleep...)

51. Breakdown cmd=powershell -nop -noni -w 1 -c Write-Host looooooolz powershell

    -> exe

52. No Profile cmd=powershell -nop -noni -w 1 -c Write-Host looooooolz

    -nop -> no profile

53. Non Interactive cmd=powershell -nop -noni -w 1 -c Write-Host looooooolz

    -noni -> non interactive

54. Window Style cmd=powershell -nop -noni -w 1 -c Write-Host looooooolz

    -w 1 -> non interactive

55. Ps Command cmd=powershell -nop -noni -w 1 -c Write-Host looooooolz

    -c Write-Host looooooolz

56. Window Style cmd=powershell -nop -noni -w 1 -c Write-Host looooooolz

    -c Write-Host looooooolz

57. Design c2 via Twitter (so meta!) Twitter Operations 3) Execute

    Commands 2) Read Tweet 1) Post Tweet Target Next-Gen Firewall

58. Open Source GitHub: Twittor Invoke-TwitterBot (needs update; uses deprecated api)

59. Espionage Equivalent C2 via the Plurk Social Network (Chinese Version

    of Twitter?) “Elirks” Malware

60. Crazy C2 #2

61. Design c2 via Gmail Gmail Gdog - Execute Commands 2)

    Read Em ail 1) Post Email Gdog Next-Gen Firewall

62. Open Source GitHub: Gdog Gcat (older version, no longer maintained

    )

63. Espionage C2 via the Gmail Gcat (Older version) used by

    allegedly Russian cyber threat actors

64. Crazy C2 #3

65. TwitterSphere ...

66. Survey Says! ...

67. Espionage C2 via Instagram Allegedly Russian cyber threat actors

68. c2 via Instagram Design Instagram Operator - Execute Commands Read

    Com m ent Post Comment Malware Next-Gen Firewall LP Bit.Ly/.... Evil.com 302

69. So Many Options

70. Very Well Known Options So Bored! - TCP -> Back

    Orifice, everything... - UDP -> Donald D…, everything... - HTTP -> everything... - HTTPS -> everything.... - DNS -> DnsCat2, many... - Domain Fronting -> latest trend, many….

71. Matrix Of The Known Interesting Any IoT Web Service: -

    Serverless Services - AWS Lambda, etc... - MQTTS, etc... IoT Web Service Read / W rite Malware Next-Gen Firewall

72. Trends: APIs/REST Anything Web with an API/REST: - Slack ->

    “SlackShell” - Discord -> “Dyper” - Telegram -> “RATAttack” Trusted Web - Execute Commands Read / W rite Malware Next-Gen Firewall

73. Trends: Web* Anything Web with a Twist: - WebDav ->

    “WebDavC2” - WebSockets -> “ZombieWeb” - QUIC, HTTP/2 -> “H1-QUIC”, etc... Trusted Web - Execute Commands Read / W rite Malware Next-Gen Firewall

74. Any IoT Web Service: - Serverless Services - AWS Lambda,

    etc... - MQTTS, etc... IP Address Port Encryption Protocol App, API, REST 1.1.1.1 443 TLS & Certs HTTP <msg>c2</msg> Domain name example.com

75. The New New

76. C2 Over... - AWS Lambda, Google Cloud Functions, etc… -

    Valid Certs, High Rep. Domains, Proxy through to Attacker’s Servers Serverless Prediction #1

77. Exfil Over... - IFTTT, Zapier, Cloud Elements, etc… - Wash

    Connections through 3rd party web services… (less focus than tor) - Valid Certs, High Rep. Domains, Proxy through to Attacker’s Servers WebHooks Prediction #2

78. IoT Prediction #3 C2 Over... - APIs, MQTTS, SQS, etc…

    - Blend in with Comms to Web Services & Message Queues

79. Conclusion

80. Conclusion Trusted Web Services… - are currently being (ab)used for

    c2 - And will increasingly be (ab)used for c2 to bypass security devices

81. Conclusion We need next-gen network technologies that will…. - Parse

    and Log web services/api/rest requests - Retrospective Analysis, etc… - Send to Central Logging Systems (e.g. splunk)

82. Conclusion Once parsed and logged, we need systems to... -

    Analyze requests for anomalies (ML?) - Who sends base64 messages over twitter other than a bot?

83. March 16th Sandy, Utah BSidesSLC Bryce Kunz @TweekFawkes s2.fyi NSA

    Cloud

84. End Bryce Kunz @TweekFawkes