RSAC 2019: Why attackers need domain fronting
#1
Bug 
Quote:
[Image: domain-fronting-rsa2019-featured.jpg]

Domain fronting — a technique used to shield oneself behind a third-party domain — came into the spotlight after Telegram used it to avoid being blocked by the Russian Internet regulator Roskomnadzor. This time, SANS Institute speakers at the RSA 2019 conference covered the topic. For attackers, the scheme is not an attack vector so much as a way to control an infected computer and exfiltrate stolen data. Ed Skoudis, whose report we already covered, described an action plan typical of cybercriminals seeking to “disappear in clouds.”

Most complex APT attacks are detected when exchanging information with the command server. Sudden exchanges between a computer from inside a corporate network with an unknown external machine are a wakeup call, certain to trigger a response from the IS team — which is exactly why cybercriminals are dead set on concealing these communications. It’s become increasingly common to use various content delivery networks (CDNs) for that.

The algorithm Skoudis described looks like this:

1. There is a malware-infected computer on the corporate network.

2. This machine sends a DNS query to a clean and trusted website from a trusted CDN.

3. The attacker, also a client of the same CDN, hosts its website there.

4. The infected computer establishes an encrypted TLS connection with the trusted website.

5. Inside this connection, the malware forms an HTTP 1.1 query addressing the attacker’s Web server on the same CDN.

6. The website forwards the query to its malware servers.

7. The communication channel is established.

To the IS specialists in charge of the corporate network, it all appears as communication with a safe website from a known CDN via an encrypted channel because they treat the CDN, the client of which is their company, as part of the trusted network. That’s a big mistake.
Continue Reading
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)
[-]
Welcome
You have to register before you can post on our site.

Username/Email:


Password:





[-]
Recent Posts
QOwnNotes
26.7.2 Added supp...Kool — 03:40
WhatsApp Launches New Username Feature ...
WhatsApp Opens Usern...harlan4096 — 17:12
AnyDesk 9.7.9 for Windows
Version 9.7.9 for ...harlan4096 — 15:57
uBOLite 2026.705.2152 (already available...
uBOLite 2026.705.2...harlan4096 — 10:23
Microsoft Warns Windows 11 Enterprise De...
Microsoft has issu...harlan4096 — 10:22

[-]
Birthdays
Today's Birthdays
avatar (56)Step 1
Upcoming Birthdays
avatar (47)dapedDow
avatar (49)TromPerl
avatar (46)RidgeDimb
avatar (37)ipumaqar
avatar (51)tanliorsPeri
avatar (43)lapedDow
avatar (49)rituabew
avatar (37)omyjul
avatar (41)papedDow
avatar (50)ArnoldFum
avatar (38)yfaza
avatar (49)Kevensi
avatar (48)ConradRoand
avatar (39)boineDon
avatar (51)spoofTum
avatar (50)WillieVot
avatar (40)Grompelbawn
avatar (41)vkseogaF
avatar (37)usogy
avatar (40)ywixazok
avatar (38)ixoqe
avatar (36)pa.OpenTran

[-]
Online Staff
There are no staff members currently online.

>