Covert Data Channel in TLS Dodges Network Perimeter Protection

Researchers have found a new covert data exchange technique that abuses the TLS protocol that can circumvent traditional network perimeter protections.

Researchers have released a proof-of-concept framework for a new covert channel for data exchange using the Transport Layer Security (TLS) protocol. The method exploits the public key certificate standard X.509 and could allow for post-intrusion C2 communication and data exfiltration to go unnoticed despite network perimeter protections.

According to Fidelis researchers, the covert data exchange takes advantage of the TLS handshake when certificates are exchanged. The technique doesn’t require – or ever establish – a TLS session. The covert data exchange takes place as the clients are negotiating the handshake using the TLS X.509 extension.

“Data transferred via X.509 extensions may bypass detection methods that do not inspect certificate values,” according to a technical explanation of a proof-of-concept published Monday.

“This would enable someone who already has persistence inside of a network to get past the perimeter defenses and perform a data exchange,” said Chad Robertson, director of threat research at Fidelis in an interview. “It’s a unique and novel method of covert data exchange and would have to be specifically looked for at the perimeter by a device that was inspecting certificates or anomalies in order to see the data embedded inside certificates.”

The attack is similar to data cloaking techniques such as DNS tunneling that takes advantage of the TXT transport layer within the DNS protocol used by top and second level domain name system servers.

Fidelis said that in the case of abusing the X.509 extension, an adversary could “place arbitrary binary data into the certificate or utilizing them as a covert channel,” researchers said.

“[The] TLS X.509 certificates have many fields where strings can be stored… The fields include version, serial number, issuer name, validity period and so on. The certificate abuse described in our research takes advantage of this fact to hide data transfer inside one of these fields. Since the certificate exchange happens before the TLS session is established, there appears to never be data transfer, when in reality the data was transferred within the certificate exchange itself.”

Initial research into this covert data exchange was outlined at the infosec conference BSides in Kansas City, MO in July. “Since then, we have done additional research to the point where we can demonstrate embedding Mimikatz into this field in the certificate exchange during the TLS negotiations,” Robertson said.

On Monday, Fidelis released a proof-of-concept attack, hosted on GitHub, that includes the framework for exchanging the data. It compliments additional research released in January discussing TLS abuse  (PDF) released by Fidelis.

According to Fidelis, they were able to store 60 kilobytes of data in each TLS X.509 exchange. “You could establish this channel and perform rapid certificate negotiations enabling the data transfer of large amounts of data,” Robertson said.

Suggested articles


  • Andrew Wolfe on

    Sounds like EternalBlue to me....
  • Jerry Schlimiss on

    Eternalblue is a remote code execution exploit in SMB. The research above relates to using the cert exchange in the intial TLS negotiation as a means of data exfilration
  • PKI Expert on

    This is a red herring and this is a poor attempt by Fedelis to gain some press coverage. In order for this "attack" to occur: 1. A PKI CA key or enrollment process must be compromised - Any well run PKI will protect against this. The enrollment should limit extensions and reject any enrollment. Even Subject Alt names should be validated to be existing devices within owned domains. 2. An external facing web server within the company must be compromised in order to swap the SSL certificate that will "respond" with covert data in its compromised extensions. - Again any well run company has established hardened networks for externally facing devices and this is not a simple. Once BOTH of these things have been completed THEN the "attack" mention can happen, but if either #1 or #2 has already occurred there is much more damage that can be done without the need of using this "covert" channel.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.