Cofense Intelligence™ is seeing continued use of a cyber-attack technique known as domain fronting. It is yet another way attackers conceal their malicious activity, in this case using work-arounds to evade security controls and reach command-and-control (C2) infrastructure (a technical explanation follows below).
Cozy Bear, the Russian threat actor group, used similar tactics when it hacked the Democratic National Committee in 2016. Today, businesses are dealing with phishing and malware attacks that domain fronting enables.
While Google and Amazon have taken measures in their CDNs to curtail this trend, we have seen an uptick in C2 infrastructure hosted in Cloudflare CDNs (figures 2-4 below). Last month, Cofense Intelligence reported that Cloudflare domains were being abused by threat actors to launch malware attacks on finance departments.
Why is this a problem?
If part of your cyber defense strategy is using a web gateway to prevent employees from visiting non-categorized sites, or blocking based on a threat intelligence feed of known C2 hosts, you can’t practically block access to a CDN without disrupting Internet-reliant business processes.
CISOs should make sure their SOCs are aware of the problem when reviewing suspicious emails reported by employees. While we wait for traditional cyber perimeter controls to catch up to this threat, a phishing training and reporting program (see Cofense PhishMe™ and Cofense Reporter™), plus a phishing-specific response capability (see Cofense Triage™ and Cofense Vision™), is the last line of defense.
Malware operators continue to use domain fronting to bypass security measures and reach their command and control (C2) infrastructure hosted on content delivery networks (CDNs). This C2 communication technique is difficult to defend against because of the large overhead involved and the strong reliance of businesses on CDNs. Certain CDN providers have recently changed their network schemes and policies in response to this threat; however, domain fronting is still possible through some of the smaller CDN hosts.
Domain fronting is the exploitation of an encrypted connection to a CDN to fetch web resources that network security measures would otherwise block.
- First, the client initiates a connection to a legitimate domain (the front domain).
- Second, the name of that front domain travels in the clear in the connection request and is inspected by network security controls.
- Third, the connection is then encrypted with TLS (SSL), so the contents of the HTTPS traffic bypass inspection.
- Finally, the HTTP Host header inside the encrypted traffic is read by the server to select the resources requested.
For this technique, the HTTP Host header is manipulated to request resources from a malicious site hosted on the same CDN. Because the manipulated Host header travels inside the encrypted traffic, the connection bypasses network security controls that do not decrypt the traffic.
For domain fronting to work, the malicious site and the legitimate site must both be hosted by the same CDN. Pulling resources from another site works because the CDN's internal network routes the request to any site in its hosting environment. The technique is also used by The Onion Router (Tor) bridges with the meek protocol. APT29, also known as Cozy Bear, the Russian group that breached the Democratic National Committee in 2016, used Tor's meek protocol for its C2 communication. Figure 1 gives an overview of the technique.
Figure 1 Technique of domain fronting to bypass inspection.
Google and Amazon mitigated this technique on their CDNs by preventing any routing from one owner's site to another: the HTTP Host header must now match the server name indication (SNI) sent in the original request. These changes were implemented in late April and early May 2018. Since then, Cofense Intelligence has seen an increase in the number of phishing campaigns delivering malware whose C2 was hosted by Cloudflare.
Figure 2 contrasts the Cloudflare-hosted C2 seen in use by malware before and after May 2018, when Google and Amazon imposed barriers to such activity on their CDNs.
Figure 2 Analyzed C2s hosted on Cloudflare before and after May 2018.
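As an added example (not Cofense's code) of the two checks described above, the SNI-versus-Host comparison a TLS-inspecting gateway can run to detect fronting and the same-owner rule the CDNs adopted, the following Python runs over constructed log records; the Request fields, the owner map and all domain names are assumptions:

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Request:
    """One decrypted request as a TLS-inspecting gateway might log it (constructed)."""
    sni: str             # server name sent in the clear in the TLS ClientHello
    host: Optional[str]  # Host header (or HTTP/2 :authority) inside the encrypted stream
    cdn: str             # CDN the destination IP maps to (from an IP-range lookup)


def normalise(name: Optional[str]) -> str:
    """Lower-case, drop a trailing dot and any :port so the two names compare fairly."""
    if not name:
        return ""
    name = name.strip().lower().rstrip(".")
    if not name.startswith("[") and ":" in name:   # leave IPv6 literals alone
        name = name.rsplit(":", 1)[0]
    return name


def is_fronted(req: Request) -> bool:
    """True when the inner Host names a different site than the outer SNI."""
    sni, host = normalise(req.sni), normalise(req.host)
    if not host:   # HTTP/1.0 without a Host header: nothing to compare
        return False
    return sni != host


def cdn_policy_allows(req: Request, owner_of: Dict[str, str]) -> bool:
    """Model of the post-May-2018 CDN rule described on the page: the Host must
    match the SNI unless both names belong to the same customer account."""
    sni, host = normalise(req.sni), normalise(req.host)
    if not host or sni == host:
        return True
    owner = owner_of.get(sni)
    return owner is not None and owner == owner_of.get(host)


def flag_fronting(reqs: List[Request]) -> List[str]:
    """Return 'sni->host@cdn' strings for the requests an analyst should review."""
    return [f"{normalise(r.sni)}->{normalise(r.host)}@{r.cdn}"
            for r in reqs if is_fronted(r)]
```

The detection side only works where the gateway decrypts TLS; without decryption the Host header is invisible, which is exactly the gap the technique relies on.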
Figure 3 shows the breakdown of malware families that have used Cloudflare for C2 infrastructure after May of this year.
Figure 3 Malware families utilizing C2s hosted by Cloudflare since May 2018.
Figure 4 shows the number of different Cloudflare-hosted hosts to which each malware family connects.
Figure 4 Number of C2s hosted by Cloudflare for each malware family.
Domain fronting has been used by hacktivists and threat actors like APT29 to conceal their malicious activity. CDNs are starting to take the necessary steps to mitigate domain fronting by blocking routing from one owner's site to another, but the technique still works because routing is still permitted among a single owner's sites.
Defending against this type of communication is a heavy lift for the information technology team. Stopping a malicious email campaign within the email security stack before it gets to the end user's inbox, and training users to identify phish that do reach their inboxes, are keys to helping mitigate evasive exfiltration techniques like domain fronting.