APT29 group used domain fronting to evade detection long before these techniques were widely known
28.3.2017 Securityweek APT
Experts at FireEye discovered the APT29 group adopted domain fronting long before these techniques were widely known in the IT security community.
Security firm FireEye continues to follow APT29 group (aka The Dukes, Cozy Bear and Cozy Duke), on Monday it revealed that the cyber spies have been using a technique called “domain fronting” to make hard the attribution of their attacks.
In December, the Signal development team introduced the ‘domain fronting’ technique to circumvent censorship.
The astonishing news is that the APT29 group adopted domain fronting long before these techniques were widely known in the IT security community.
The domain fronting is a technique that relies on the use of different domain names at different application layers to evade censorship.
The domain fronting techniques “hides the remote endpoint of a communication. Domain fronting works at the application layer, using HTTPS, to communicate with a forbidden host while appearing to communicate with some other host, permitted by the censor,” as described in a paper published by researchers from the University of California, Berkeley, Psiphon, and Brave New Software.
“The key idea is the use of different domain names at different layers of communication. One domain appears on the “outside” of an HTTPS request—in the DNS request and TLS Server Name Indication—while another domain appears on the “inside”—in the HTTP Host header, invisible to the censor under HTTPS encryption.” continues the paper.”A censor, unable to distinguish fronted and nonfronted traffic to a domain, must choose between allowing circumvention traffic and blocking the domain entirely, which results in expensive collateral damage”
The Domain fronting technique is easy to deploy and use and doesn’t require special activities by network intermediaries.
The APT29 group has used the Domain fronting technique for at least two years, the hackers leveraged the Tor network to communicate with infected machines. In order to disguise Tor traffic as apparently legitimate traffic, the cyberspies used Meek, a Tor plugin that was specific designed to implement the domain fronting technique and allows users to send traffic to Tor inside a harmless-looking HTTPS POST request to google.com.
“APT29 has used The Onion Router (TOR) and the TOR domain fronting plugin meek to create a hidden, encrypted network tunnel that appeared to connect to Google services over TLS.” reads the analysis published by FireEye. “This tunnel provided the attacker remote access to the host system using the Terminal Services (TS), NetBIOS, and Server Message Block (SMB) services, while appearing to be traffic to legitimate websites. The attackers also leveraged a common Windows exploit to access a privileged command shell without authenticating.”
The attackers installed the Tor client and the Meek plugin on the targeted system by using a PowerShell script and a .bat file.
The APT29 group leveraged the Sticky Keys exploit to replace the legitimate executable with the Windows Command Prompt (cmd.exe) file and gain a shell on the targeted system with SYSTEM-level privileges. In this way, the attackers were able to execute several commands, including adding new accounts.
“The attacker executed the PowerShell script C:\Program Files(x86)\Google\start.ps1 to install the TOR services and implement the “Sticky Keys” exploit. This script was deleted after execution, and was not recovered.” continues the analysis.
The script that executes the Sticky Keys exploit is also used to gain persistence on the target machine, it creates a Windows service named “Google Update.”
“By employing a publicly available implementation, they were able to hide their network traffic, with minimal research or development, and with tools that are difficult to attribute. Detecting this activity on the network requires visibility into TLS connections and effective network signatures.” concluded the analysis.