Why is T1090 prevalent?
Connection proxies serve to obscure the identity or location of an adversary. That matters for several reasons, but it is an oversimplification of a technique that serves a variety of other, equally important purposes.
In addition to providing cover from law enforcement and from defenders, proxies increase adversarial resilience. It is a relatively simple matter to trace an attack back to an IP address and then block it internally, have it blocked by a hosting or Internet service provider, or have it sinkholed through a variety of means. Proxies let the adversary simply pack up and move their attack infrastructure to a new location once the original infrastructure has been identified and blocked, without losing the hosts they have already compromised.
Proxies can also serve as discreet channels for adversaries to access networks of interest and remove information from them. Adversaries use a wide variety of proxy methods to hide their command and control traffic, including PuTTY/SSH port forwarding, Dynamic DNS, domain fronting, fast flux, Tor, i2p, SOCKS, STUN, and host firewall forwarding. We’ll examine this in more depth below.
One of the most prominent examples of adversaries using a connection proxy comes to us from Duqu, which first emerged in 2011 and has been attributed to the same actor responsible for Stuxnet. Considering the overwhelming volume of research and analysis that’s been written about Duqu and its predecessors, it’s difficult to succinctly summarize the threat. However, Duqu was primarily an information-stealing trojan, the main purpose of which was espionage. In terms of connection proxies, the servers that compromised machines talked to were not the real C2 servers: they were proxies that forwarded the traffic on to the actual C2 server(s), whose location was thereby cloaked.
The group commonly identified as APT10 is a long-standing threat group known for conducting espionage attacks targeting defense, aerospace, and telecommunications organizations in the United States, Europe, and Japan. While proxy activity probably has very little to do with APT10’s notoriety, the group has taken something of a novel approach to proxying its attack traffic. They are known to compromise, and subsequently route their traffic through, the systems of their targets’ service providers. In this way, their espionage activity appears to be the legitimate network traffic of companies that work closely with their victims.
According to MITRE, there are a number of data sources associated with this technique, and having access to these will help security teams seeking to detect adversaries who are leveraging connection proxies.
- Process use of network
- Process monitoring
- Netflow/Enclave netflow
- Packet capture
COMMON USES BY ADVERSARIES
- Using proxies for internal or external communication
- Injecting into trusted processes to make connections
- Routing connections through less attributable access points
There are many ways that an organization can get a handle on proxy connections. They should begin by building a network baseline of egress traffic by destination geolocation, port, and per-endpoint frequency. This provides the visibility required to understand what is normal and abnormal in a given environment, and it is achievable through ordinary network monitoring (NetFlow or packet capture). The same activity is often visible in proxy and firewall logs, specifically as connections on unexpected egress ports or to destinations an endpoint has never contacted before.
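The baseline-and-compare approach described above, as an added example that is not part of the original report: a first window of netflow-style records defines, per endpoint, the (destination country, destination port) pairs it normally uses and how many flows it produces; a second window is then scored against that. The record format, the pre-resolved geolocation field, the host names and addresses, and the burst threshold are all constructed for illustration.

```python
"""Egress baseline over netflow-style records, then anomaly flagging.

Added example, not code from the original report. Record layout, the
geolocation field (assumed resolved before ingest) and the thresholds
are assumptions; map them to whatever your collector actually emits.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    endpoint: str   # source host
    dst_ip: str
    dst_port: int
    country: str    # geolocation of dst_ip, assumed pre-resolved
    bytes_out: int


# Constructed baseline window: what "normal" looked like previously.
BASELINE = [
    Flow("ws-01", "93.184.216.34", 443, "US", 120_000),
    Flow("ws-01", "93.184.216.34", 443, "US", 80_000),
    Flow("ws-01", "142.250.72.14", 443, "US", 15_000),
    Flow("ws-02", "203.0.113.5", 22, "DE", 2_000),
    Flow("ws-02", "93.184.216.34", 443, "US", 30_000),
]

# Constructed observation window (same length as the baseline window):
# ws-01 starts talking SOCKS (1080) to a new country, ws-02 keeps its usual
# SSH to DE but at a much higher rate, and ws-03 was never baselined at all.
OBSERVED = [
    Flow("ws-01", "93.184.216.34", 443, "US", 100_000),
    Flow("ws-01", "198.51.100.7", 1080, "NL", 500_000),
] + [Flow("ws-02", "203.0.113.5", 22, "DE", 3_000)] * 7 + [
    Flow("ws-03", "93.184.216.34", 443, "US", 9_000),
]


def build_baseline(flows):
    """Per endpoint: the set of (country, port) pairs seen and the flow count."""
    seen = defaultdict(set)
    counts = Counter()
    for f in flows:
        seen[f.endpoint].add((f.country, f.dst_port))
        counts[f.endpoint] += 1
    return seen, counts


def find_anomalies(flows, seen, counts, burst_factor=3):
    """Return (endpoint, reason) tuples for egress that deviates from baseline.

    Three checks: an endpoint with no baseline at all, a (country, port)
    pair the endpoint has never used, and a flow count more than
    burst_factor times the endpoint's baseline count for an equal window.
    """
    alerts = []
    reported_new = set()
    for f in flows:
        if f.endpoint not in seen:
            if f.endpoint not in reported_new:      # one alert per new host
                reported_new.add(f.endpoint)
                alerts.append((f.endpoint, "endpoint not in baseline"))
        elif (f.country, f.dst_port) not in seen[f.endpoint]:
            alerts.append((f.endpoint, f"new egress {f.country}:{f.dst_port}"))
    observed_counts = Counter(f.endpoint for f in flows)
    for ep, n in observed_counts.items():
        base = counts.get(ep)
        if base and n > burst_factor * base:
            alerts.append((ep, f"flow count {n} exceeds {burst_factor}x baseline of {base}"))
    return alerts


if __name__ == "__main__":
    seen, counts = build_baseline(BASELINE)
    for endpoint, reason in find_anomalies(OBSERVED, seen, counts):
        print(f"{endpoint}: {reason}")
```

The (country, port) key is deliberately coarse: it catches a workstation that suddenly speaks on port 1080 to a country it has never contacted without needing a per-IP allowlist, which is exactly the change that swapping in a fresh proxy produces. The burst check assumes the two windows are the same length; if they are not, normalize the counts per hour before comparing.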
At the endpoint level, security teams should begin by identifying normal process execution around netsh.exe (in particular its portproxy commands), PuTTY and plink, Telnet, SSH and other proxying tools. Most access to internal or business-related systems will be benign, so it makes sense to build out use cases for process execution that is out of the ordinary. For example, most employees have never used PuTTY; if it executes on a workstation, it is probably worth examining.
Among the most prevalent forms of connection proxying is the abuse of trusted, core system processes by malicious code. On Windows systems, malware tends to inject into processes such as svchost.exe and others like it, because these are already expected to communicate, often run with elevated privileges, and may already be permitted by host firewall rules and explicit proxy configurations that would otherwise prevent an arbitrary process or user from establishing an outbound connection. The best detection approach in these cases is to understand how the platform operates at a lower level: which processes are authorized to communicate via the network, and with which remote endpoints and ports.
Security teams may also want to trace back and identify the source of traffic—specifically the processes that are generating it. It’s also a good idea to build out use-cases for identifying or even preventing the use of Tor, Dynamic DNS, and other network services that route traffic to or through less attributable access points. One of the most draconian, but also most effective, approaches is to lock down egress traffic by whitelisting what is needed as opposed to permitting everything.
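The endpoint-side checks described in the last three paragraphs, as an added example that is not part of the original report: process-start events are matched against netsh portproxy rule creation and SSH clients started with tunnel switches, network-connect events are checked against a per-process egress allowlist (which catches both an unexpected process making a connection and a trusted process such as svchost.exe reaching an unexpected port), and DNS events are checked for dynamic-DNS suffixes. The event layout, the host and image names, the allowlist policy and the suffix list are constructed assumptions; real EDR telemetry will need field mapping.

```python
"""Endpoint checks for proxy and tunnelling activity.

Added example, not code from the original report. The event dicts below
(one per process-start, network-connect or DNS-query event) are an assumed
layout; the egress policy and dynamic-DNS suffix list are constructed.
"""
import re

# Constructed policy: which processes may talk outbound, and on which remote
# ports. Anything not listed is an egress-allowlist violation.
EGRESS_POLICY = {
    "svchost.exe": {80, 443},
    "chrome.exe": {80, 443},
    "outlook.exe": {443, 993},
    "ssh.exe": {22},
}

# SSH clients and their tunnel switches: -L local forward, -R remote
# forward, -D dynamic (SOCKS) forward. Case-sensitive on purpose: -l is
# the login-name switch, not a tunnel.
SSH_CLIENTS = {"ssh.exe", "plink.exe", "putty.exe", "ssh"}
TUNNEL_FLAG = re.compile(r"^-[LRD]")

# A few public dynamic-DNS suffixes (constructed starting list).
DYNAMIC_DNS_SUFFIXES = (".no-ip.org", ".duckdns.org", ".dyndns.org", ".hopto.org")


def check_process(ev):
    """Flag host-firewall forwarding, SSH tunnels and Tor at process start."""
    image = ev["image"].lower()
    args = ev["cmdline"].split()[1:]
    if image == "netsh.exe":
        low = [a.lower() for a in args]
        if "portproxy" in low and "add" in low:
            return "netsh portproxy rule added (host firewall forwarding)"
    if image in SSH_CLIENTS and any(TUNNEL_FLAG.match(a) for a in args):
        return f"{image} started with a port-forwarding/SOCKS switch"
    if image in {"tor.exe", "tor"}:
        return "Tor client executed"
    return None


def check_connection(ev):
    """Enforce the per-process egress allowlist on a network-connect event."""
    image = ev["image"].lower()
    allowed = EGRESS_POLICY.get(image)
    if allowed is None:
        return f"{image} is not on the egress allowlist"
    if ev["dst_port"] not in allowed:
        return f"{image} connected to unexpected remote port {ev['dst_port']}"
    return None


def check_dns(ev):
    """Flag lookups of dynamic-DNS hostnames."""
    query = ev["query"].lower()
    if query.endswith(DYNAMIC_DNS_SUFFIXES):
        return f"dynamic DNS lookup for {query}"
    return None


RULES = {"process": check_process, "connect": check_connection, "dns": check_dns}


def triage(events):
    """Run every event through the rule for its type; return (host, reason)."""
    alerts = []
    for ev in events:
        reason = RULES[ev["type"]](ev)
        if reason:
            alerts.append((ev["host"], reason))
    return alerts


# Constructed sample telemetry: ws-07 is the suspicious host, ws-03 is benign.
EVENTS = [
    {"type": "process", "host": "ws-07", "image": "netsh.exe",
     "cmdline": "netsh interface portproxy add v4tov4 listenport=8080 "
                "connectaddress=10.0.0.5 connectport=22"},
    {"type": "process", "host": "ws-07", "image": "plink.exe",
     "cmdline": "plink.exe -N -D 1080 user@203.0.113.10"},
    {"type": "process", "host": "ws-03", "image": "ssh.exe",
     "cmdline": "ssh.exe -l admin build01"},          # plain SSH, no tunnel
    {"type": "connect", "host": "ws-07", "image": "svchost.exe",
     "dst_ip": "203.0.113.10", "dst_port": 1080},
    {"type": "connect", "host": "ws-03", "image": "chrome.exe",
     "dst_ip": "93.184.216.34", "dst_port": 443},
    {"type": "connect", "host": "ws-07", "image": "update.exe",
     "dst_ip": "198.51.100.9", "dst_port": 443},
    {"type": "dns", "host": "ws-07", "query": "sync.hopto.org"},
    {"type": "dns", "host": "ws-03", "query": "www.example.com"},
]

if __name__ == "__main__":
    for host, reason in triage(EVENTS):
        print(f"{host}: {reason}")
```

The allowlist in check_connection is the draconian option the paragraph above describes, expressed at the process level rather than at the perimeter: svchost.exe is permitted, but only on 80 and 443, so an injected SOCKS client inside it still trips the rule. Tuning that policy from a baseline of observed process-to-port pairs is the bulk of the work in practice.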
Proxies are a necessary part of the internet that are bound to become more popular for both legitimate and illegitimate reasons. Therefore, it’s absolutely necessary that security teams develop strategies that allow for benign uses of proxies when needed while also finding methods for preventing adversarial proxying.