APT29, a/k/a Cozy Bear, has been utilizing a technique called domain fronting in order to secure backdoor access to targets for nearly two years running, experts said Monday.
The nation state attackers have reportedly been pairing the anonymity software Tor with a Tor plugin that specializes in domain fronting in order to make it seem as if their traffic was going to a legitimate website, such as Google. Matthew Dunwoody, principal consultant at Mandiant, described the technique in a FireEye blog post on Monday.
Domain fronting, akin to hiding in plain sight, is a networking technique used to obscure the true endpoint of a connection. The technique, first detailed in a paper (.PDF) by academics at the University of California Berkeley in 2015, uses HTTPS to communicate with a censored host while on it appears, on the outside, to be communicating with a completely different, permitted host–in this case Google.
The pluggable transport for Tor, meek, relays HTTPS requests through a third-party server, usually a content delivery network (CDN) associated with multiple domains, to make it look like the browser is talking to a basic website. The technique is traditionally used to thwart censorship online or to bypass firewalls.
Dunwoody claims APT29 attackers set up a Tor hidden service to enable a backdoor. The encrypted network tunnel allows for the forwarding of traffic from the client to local ports 139 – NetBIOS, 445 – Server Message Block, and 3389 – Terminal Services.
“This provided the attackers full remote access to the system from outside of the local network using the hidden TOR (.onion) address of the system,” Dunwoody writes.
The attackers managed to cover their tracks by making it seem like they were connecting to Google services over TLS. While it looked like normal HTTPS POST requests were going to google.com on a Google-owned IP address, the traffic was really being sent through a reflection server to Tor.
Google disabled the reflection server being used, meek-reflect.appspot.com, Mandiant said, but acknowledges that other servers, from Google’s cloud infrastructure, and from supported CDNs, can do the same thing.
The attackers also leveraged Sticky Keys, a Windows ease of access feature used for facilitating keyboard shortcuts, to maintain persistence. By replacing the binary for Sticky Keys with a Windows Command Processor, the attackers made it so when the shift key was pressed five times, it’d open a system-level command shell.
“From this shell, the attackers can execute arbitrary Windows commands, including adding or modifying accounts on the system, even from the logon screen (pre-authentication). By tunneling RDP traffic to the system, the attackers could gain both persistent access and privilege escalation using this simple and well-known exploit,” Dunwoody wrote.
Dunwoody says the fact the attackers used a freely available software, Tor, with meek, helped keep their work under wraps.
“On the network side, the difficulty was in needing insight into the TLS and seeing all the connections going to Google, which ruled out looking for unusual IPs, etc,” Dunwoody told Threatpost Monday.
“Using publicly available tools allowed them to achieve this without the years of work needed to develop the capability themselves. On the endpoint it wasn’t hard to find, based on known attacker methodologies for accessing systems, but figuring out what it was when we found it took a few minutes. The fact that the files aren’t evil per se and were well placed to blend in may throw off defenders,” Dunwoody said.
Dunwoody and Nick Carr, a senior manager with Mandiant’s security consulting and incident response team, first discussed the backdoor in a talk at DerbyCon last fall but this is the first time technical details around the technique have been published.
Dunwoody said Monday that APT29 adopted the technique before it “was widely known,” in early 2015, prior to the publication of the University of California paper by PoPETs, a journal that publishes papers accepted to the Privacy Enhancing Technologies Symposium, in May that year.
The APT group has been a trailblazer, at least when it comes to the technique, Dunwoody added.
“Domain fronting is getting more attention recently in pen-testing and research circles, which suggests we may see more of it in the future,” Dunwoody told Threatpost, “APT29 was ahead of the curve on this one. I’m not aware of any other groups using this technique.”
Domain fronting began figuring into the way the Android version of the secure messenger Signal works in some countries just last year. Moxie Marlinspike, Open Whisper Systems’ founder, said in December that when Egypt and UAE Signal users send messages through the service, it appears as if they’re normal HTTPS requests to google.com. If either country wanted to block Signal messages, they would have to block all of google.com.
APT29 is perhaps best known for having a hand in several attacks against American political think tanks and non-governmental organizations last November, along with intrusions at the Democratic National Committee last summer.
The Russian APT group was also implicated by Crowdstrike in attacks against the White House, State Department, and Joint Chiefs of Staff last summer, while Kaspersky Lab reported in 2015 that CozyDuke, an APT group similar to Cozy Bear, carried out data mining attacks against the White House and the Department of State in 2014.
It’s believed the same group was originally behind the MiniDuke backdoor discovered by Kaspersky Lab and CrySys Lab in 2013 and also connected to Hammertoss, a data theft tool found in 2015. Researchers with FireEye, who discovered the tool on a single organization’s network, said at the time it was linked to the same APT group. The tool relied on Twitter and special instructions encrypted in images stored on GitHub to carry out espionage.
