Blog
How ExtraHop Shut Down a C&C Beaconing Attack
ExtraHop
August 25, 2021
The COVID pandemic has undoubtedly added to the risks stemming from unmanaged IoT. Offices were abandoned in a flash, and organizations went from an in-office model to remote work overnight, leaving more and more connected devices unpatched and forgotten. Print servers especially come to mind.
Attackers love print servers, these unassuming-yet-well-connected devices are an idyllic host for all sorts of nefarious activities. They don't process financial information or other sensitive customer data, so they tend to avoid close monitoring. A humble little print server is what set off a flurry of detections in an organization that had recently installed ExtraHop RevealX. The most sinister of which was C&C beaconing.
What is C&C Beaconing?
C&C beaconing (also called C2 beaconing) is a behavior associated with malware in which a compromised device periodically phones home to an external malicious server. The victim transmits beacons to fetch updates and ask for instructions from the attacker. The attacker might instruct a compromised device to open a remote shell (a program for running commands), install ransomware, or launch a denial-of-service (DoS) attack.
Here's how it generally works: The attacker exploits a device to install malware with a beacon agent, or tricks a victim into installing malware with the agent. The beacon agent defines how the victim should contact the attacker. Often, beaconing is designed to blend in with normal traffic, whether that's outbound HTTPS traffic or SMTP. Because beaconing helps an attacker maintain periodic contact with their victim, it's an essential part of an attack.
How a Beaconing Attack Unfolds
In this case, a malware-infected laptop connected to VPN served as the exploited device. It's important to note that a VPN connection allows malware to often bypass firewalls or traditional IDS systems—so when this laptop connected to the VPN, the attack had already successfully evaded any perimeter defenses.
From there it began the discovery phase with multiple enumerations to specifically seek out vulnerable print servers. It found one in under an hour. Next, it conducted a remote services launch on the victim print server to successfully establish a foothold inside the network.
Network enumeration and lateral movement, detected by Reveal(x)
The compromised print server then went from victim to offender, and the attack continued it's lateral movement by launching further remote services from the server onto three more victims, including a PRTG server.
The compromised PRTG server is notable for two reasons. First, PRTG is a network management platform that often holds the keys to the kingdom, AKA grants an attacker full network visibility of their enterprise as well as potential credentials to critical infrastructure. Second, PRTG servers are known to be very noisy, which often leads them to be whitelisted or ignored by security solutions. Finally, the attackers gained access by using an executable that was designed to masquerade as a legitimate Windows client, which all feels chillingly similar to tactics the SUNBURST attack used to evade detection.
The print server is now the offender, launching remote services
C&C Beaconing Detected
Now that access has been established, the malware phoned home for instructions though C&C beaconing. In this case, the malware on the compromised device began phoning home/beaconing to the attacker (over SSL/TLS) in a way that raised red flags.
At this point, a handful more Reveal(x) detections were firing, specifically detecting the C&C beaconing in two ways: through a suspicious outbound connection, and through suspicious patterns of beaconing-like behavior.
Suspicious SSL/TLS detections show C&C behavior immediately after remote services launch.
Reveal(x) showed that the compromised device established an outbound SSL/TLS connection with a server that had a malicious SSL certificate. Specifically, the certificate had a cryptographic fingerprint (a unique identifier that no other certificate should have) that is associated with Cobalt Strike. Cobalt Strike is a commercial tool for conducting red team attacks, but this tool is also known to be leveraged by adversaries for malicious purposes. This was important, because the domain name of the attacker's server appeared safe.
C&C Beaconing Patterns
Next, Reveal(x) quickly identified patterns of C&C beaconing behavior from the compromised device. Some telltale characteristics of malicious beaconing behavior can include:
- Random or dynamic time interval adjustments between beacon transmissions (from one hour to one day in between transmissions)
- Transmissions to suspicious IP addresses, domains, or ports (as noted by the related detection)
- Transmissions to domains created by domain generation algorithms (DGA) (this looks like gibberish)
- Reuse of a TCP connection for transmissions
- Evasion by techniques such as DNS tunneling, ICMP tunneling, or domain fronting
- Spoofed transmissions to a well-known or trusted server
Conclusion
The C&C Beaconing detections fired on a total of six devices, but by digging further into the 90-day record store, the security team identified one more device that had attempted to phone home to the mysterious IP. Because the team could quickly and easily ID all affected devices, they were able to shut out the attacker before a full-scale breach could occur by quarantining anything compromised. They also leveraged Reveal(x) integrations with Cisco ISE to auto-quarantine any future suspicious behaviors. In the end, a disaster was officially (and fairly easily) averted thanks to the fact that ExtraHop Reveal(x) sees all.