Abusing 3rd-Party Services For Command And Control
Vince Trune
whoami
- Vince Trune - @Truneski
- Electronics Engineer from Jomo Kenyatta University of Agriculture and Technology.
- Red-Teamer and Freelance Penetration Tester.
- First-time AfricaHackon conference presenter (be nice).
- More into Threat Emulation and Replication.
About
This talk is about how attackers abuse trusted 3rd-party services and file sharing services for command and control, to your detriment and their profit.
Intro
3rd-party services include:
- Social media sites like Twitter and Facebook.
- File sharing sites like Dropbox and Google Docs.
3rd-Party Advantages
- Social media services are now a necessity for any marketing team and PR team, and by extension for the technical teams that support them.
- File sharing sites are free, easy to use, extremely fast and can be used in conjunction with social media sites.
- Traffic to them is almost always whitelisted and unmonitored in most organizations, so C2 and exfiltration over them blend in with legitimate use.
Why Do This Talk
- These techniques are already being used by Advanced Persistent Threats (APTs) in the wild.
- They give a technical edge to our Red-Team ops (offense fuels defense).
- More fun and a tremendous learning experience.
Advanced Persistent Threats
Attacker Infrastructure
- Paid cloud services: DigitalOcean, AWS, Azure, etc.
- Previously compromised infrastructure: hack people to hack other people.
- 3rd-party services and file sharing sites.
- Techniques that bend traffic in "legitimate" ways.
Real World Case Studies
Dropbox: Operation BugDrop
- Targeted Ukraine on a grand scale.
- Prime motivation for the early release of Invoke-DBC2.
- Used Dropbox for data exfiltration and for storing C2 plugins.
GitHub: Winnti Gang
- Uses GitHub for command and control.
- Financially motivated and engaged in active cyber-espionage.
- Mostly uses the PlugX RAT in its attacks.
Twitter: APT 29
- Uses Twitter to control its malware (HAMMERTOSS): the implant looks up a generated Twitter handle for a tweet that points it at an image on GitHub.
- Steganography over GitHub: the image carries the encrypted commands; stolen data is then pushed out to cloud storage services.
- Probably Russian state-sponsored.
Current Tools
- GCat - shell over Gmail.
- Empire 2.0 - supports custom C2 modules, including ones built on 3rd-party apps.
- DropSmack - C2 over the Dropbox sync folder.
- Instegogram - C2 over Instagram using steganography.
- DropboxC2 - C2 over Dropbox.
- Invoke-DBC2 - C2 over Dropbox, written in PowerShell.
Threat Emulation & Replication: My Approach
Adversary emulation features:
- Uses the service's API for all interaction with the C2 channel.
- AES-128 for encryption of communications.
- PowerShell for the client-side (victim) code: runs in memory, powerful, and available on practically every Windows host.
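Added example, not code from the talk or from Invoke-DBC2: a Python simulation of the dead-drop tasking loop that an emulation tool of this kind runs over a storage provider's API. The storage service is an in-memory stand-in (MockStorageApi) for calls like Dropbox's upload/download/list; the folder layout, agent ID, handler outputs and pre-shared secret are constructed. Because the standard library has no AES, confidentiality uses HMAC-SHA256 in counter mode as a PRF keystream in place of the AES-128 the talk uses, with encrypt-then-MAC for integrity; swap in AES-CTR or AES-GCM for real use. The talk's client is PowerShell; Python is used here only so the operator and agent sides can sit side by side in one runnable file.

```python
import hashlib
import hmac
import json
import os


class MockStorageApi:
    """In-memory stand-in for a file-storage API (upload/download/list/delete).
    A real agent makes the same calls over HTTPS to the provider's API host."""

    def __init__(self):
        self.files = {}

    def upload(self, path, data):
        self.files[path] = bytes(data)

    def download(self, path):
        return self.files[path]

    def list_folder(self, prefix):
        return sorted(p for p in self.files if p.startswith(prefix))

    def delete(self, path):
        self.files.pop(path, None)


def derive_keys(shared_secret):
    """Split one pre-shared secret into independent encryption and MAC keys."""
    return (hashlib.sha256(b"enc|" + shared_secret).digest()[:16],
            hashlib.sha256(b"mac|" + shared_secret).digest())


def keystream(enc_key, nonce, length):
    """Counter mode over a PRF: block_i = HMAC-SHA256(enc_key, nonce || i).
    Stand-in for the AES-128 the talk uses; swap in AES-CTR for real use."""
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(enc_key, mac_key, plaintext):
    """Encrypt-then-MAC envelope: nonce(16) || ciphertext || tag(32)."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def open_envelope(enc_key, mac_key, blob):
    """Check the tag before decrypting: tampered or foreign blobs are rejected."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("envelope authentication failed")
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, nonce, len(ct))))


class Operator:
    """Red-team side: drops one task file per agent, later collects result files."""

    def __init__(self, api, shared_secret):
        self.api = api
        self.enc_key, self.mac_key = derive_keys(shared_secret)

    def task(self, agent_id, command):
        blob = seal(self.enc_key, self.mac_key, json.dumps({"cmd": command}).encode())
        self.api.upload(f"/c2/tasks/{agent_id}.bin", blob)

    def collect(self, agent_id):
        results = []
        for path in self.api.list_folder(f"/c2/results/{agent_id}/"):
            results.append(json.loads(open_envelope(self.enc_key, self.mac_key, self.api.download(path))))
            self.api.delete(path)
        return results


class Agent:
    """Victim side: polls its task file, runs the task, uploads the result.
    HANDLERS are constructed stand-ins for real command execution."""

    HANDLERS = {"whoami": lambda: "LAB\\alice", "hostname": lambda: "WS01"}

    def __init__(self, api, shared_secret, agent_id):
        self.api, self.agent_id, self.seq = api, agent_id, 0
        self.enc_key, self.mac_key = derive_keys(shared_secret)

    def poll(self):
        path = f"/c2/tasks/{self.agent_id}.bin"
        if path not in self.api.list_folder("/c2/tasks/"):
            return None  # nothing queued; a real agent sleeps with jitter here
        task = json.loads(open_envelope(self.enc_key, self.mac_key, self.api.download(path)))
        self.api.delete(path)
        result = {"cmd": task["cmd"],
                  "output": self.HANDLERS.get(task["cmd"], lambda: "unknown command")()}
        self.seq += 1
        self.api.upload(f"/c2/results/{self.agent_id}/{self.seq:06d}.bin",
                        seal(self.enc_key, self.mac_key, json.dumps(result).encode()))
        return result


def run_exchange(commands=("whoami", "hostname"), shared_secret=b"pre-shared-secret"):
    """One full round trip per command; returns what the operator collected."""
    api = MockStorageApi()
    operator, agent = Operator(api, shared_secret), Agent(api, shared_secret, "ws01-1234")
    for cmd in commands:
        operator.task("ws01-1234", cmd)
        agent.poll()
    return operator.collect("ws01-1234")
```

Every request the agent makes is an ordinary authenticated call to the provider's API host over HTTPS, which is why the channel is so hard to spot at the network layer: the remaining signals are the regular polling rhythm and the process making the calls, which is what the "Defend The Land" slide points at.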
Limitations
- Hard to model and truly emulate the adversary's tactics and techniques.
- Requires considerable skill for a small Red Team.
- Our proofs of concept are easily defeated.
Demos
Defend The Land
- Invest in your security team.
- Endpoint based: binary signatures and heuristics (AV).
- Network baseline: timestamp analysis and beaconing detection.
- Establish a baseline for nodes in the environment.
- Network and process correlation plus event logging: should PowerShell be calling out to Twitter's API?
Data Sources to Consider
Network:
- PCAP / SPAN off the core switch and egress
- DNS logs or passive DNS
- NetFlow
- Proxy logs
- Internal threat intel (sandbox detonation)
Endpoint (eventing is best):
- Process listing events
- Network connection events
- DNS lookup events
- Service add/removal events
- Program install/uninstall events
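Added example, not code from the talk: Python detection logic for the "timestamp analysis & beaconing" and "should PowerShell be calling out to Twitter's API" checks from the "Defend The Land" slide, run over two of the data sources listed above (proxy logs and endpoint network-connection events). The log lines, endpoint events, field layout, thresholds (min_count, max_cv) and the lists of scripting hosts and API hostnames are constructed assumptions; tune them against your own baseline rather than copying the numbers.

```python
import statistics
from collections import defaultdict

# Constructed proxy log, one request per line: "epoch src_ip dest_host method status bytes".
# 10.0.0.5 hits api.twitter.com roughly every 60 s (a beacon); 10.0.0.7 hits it
# irregularly (a person); 10.0.0.5 also hits a CDN three times (too few to judge).
PROXY_LOG = """\
1700000000 10.0.0.5 api.twitter.com GET 200 412
1700000060 10.0.0.5 api.twitter.com GET 200 398
1700000118 10.0.0.5 api.twitter.com GET 200 401
1700000181 10.0.0.5 api.twitter.com GET 200 407
1700000242 10.0.0.5 api.twitter.com GET 200 399
1700000301 10.0.0.5 api.twitter.com GET 200 412
1700000363 10.0.0.5 api.twitter.com GET 200 402
1700000423 10.0.0.5 api.twitter.com GET 200 405
1700000000 10.0.0.7 api.twitter.com GET 200 1532
1700000010 10.0.0.7 api.twitter.com GET 200 2201
1700000410 10.0.0.7 api.twitter.com GET 200 1877
1700000445 10.0.0.7 api.twitter.com GET 200 1640
1700001345 10.0.0.7 api.twitter.com GET 200 1912
1700001350 10.0.0.7 api.twitter.com GET 200 1504
1700001470 10.0.0.7 api.twitter.com GET 200 1733
1700000000 10.0.0.5 cdn.example.net GET 200 80211
1700000060 10.0.0.5 cdn.example.net GET 200 80211
1700000120 10.0.0.5 cdn.example.net GET 200 80211
"""

# Constructed endpoint network-connection events (Sysmon Event ID 3 style),
# already reduced to the fields the correlation needs.
ENDPOINT_EVENTS = [
    {"host": "WS01", "src_ip": "10.0.0.5", "dest_host": "api.twitter.com",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"host": "WS07", "src_ip": "10.0.0.7", "dest_host": "api.twitter.com",
     "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"},
]

# Assumed lists: processes that should rarely talk to social/storage APIs, and
# API hostnames worth a closer look when a beacon pattern points at them.
SCRIPTING_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                   "mshta.exe", "rundll32.exe", "regsvr32.exe"}
THIRD_PARTY_API_HOSTS = ("api.twitter.com", "api.dropboxapi.com", "content.dropboxapi.com",
                         "api.github.com", "www.googleapis.com")


def parse_proxy_log(text):
    """Yield {ts, src_ip, host} per well-formed line; skip anything else."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 6 and parts[0].isdigit():
            yield {"ts": int(parts[0]), "src_ip": parts[1], "host": parts[2]}


def beacon_stats(timestamps):
    """Regularity of a request series: coefficient of variation of the gaps.
    A sleep-with-small-jitter beacon gives a low CV; human browsing does not."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = sum(gaps) / len(gaps)
    cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
    return {"count": len(ts), "mean_gap": mean, "cv": cv}


def find_beacons(entries, min_count=6, max_cv=0.15):
    """Group by (client, destination) and keep regular, sufficiently long series."""
    by_pair = defaultdict(list)
    for e in entries:
        by_pair[(e["src_ip"], e["host"])].append(e["ts"])
    beacons = []
    for (src_ip, host), ts in by_pair.items():
        if len(ts) < min_count:
            continue  # too few samples to call anything periodic
        stats = beacon_stats(ts)
        if stats["cv"] <= max_cv:
            beacons.append({"src_ip": src_ip, "host": host, **stats})
    return beacons


def correlate(beacons, events):
    """Attach the process image(s) the endpoint saw talking to that destination."""
    images = defaultdict(set)
    for ev in events:
        images[(ev["src_ip"], ev["dest_host"])].add(ev["image"].rsplit("\\", 1)[-1].lower())
    alerts = []
    for b in beacons:
        imgs = sorted(images.get((b["src_ip"], b["host"]), ()))
        alerts.append({**b, "images": imgs,
                       "scripting_host": any(i in SCRIPTING_HOSTS for i in imgs),
                       "third_party_api": b["host"].endswith(THIRD_PARTY_API_HOSTS)})
    return alerts


def detect(log_text=PROXY_LOG, events=ENDPOINT_EVENTS):
    """Beacon candidates from the proxy log, enriched with endpoint process context."""
    return correlate(find_beacons(parse_proxy_log(log_text)), events)


if __name__ == "__main__":
    for alert in detect():
        print(alert)
```

The network side alone only says "something on 10.0.0.5 polls api.twitter.com every minute"; the marketing workstation talks to the same host and is not flagged because its gaps are irregular. The endpoint event is what turns the candidate into an answer to the slide's question: the beacon is coming from powershell.exe, not a browser. Long-sleep or heavily jittered agents will slip under a fixed max_cv, so treat this as one signal to combine with the baseline per node, not a standalone rule.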
Conclusion
- APTs are creative and will find ways to use your weaknesses.
- 3rd-party services make for quick and easy C2 or exfiltration vectors.
- Detecting the use of 3rd-party services for C2 is difficult and requires foundational network collection.
- Attacker activity will often come as a series of behaviors that together form a pattern: look for anomalous activity, not single events.
Questions