Researchers have released a proof-of-concept framework for a new covert channel that exchanges data over the Transport Layer Security (TLS) protocol. The method abuses fields of the X.509 public key certificate standard and could allow post-intrusion command-and-control (C2) communication and data exfiltration to go unnoticed despite network perimeter protections.
According to Fidelis researchers, the covert data exchange takes advantage of the point in the TLS handshake at which certificates are exchanged. The technique doesn't require, and never establishes, a TLS session: the data is carried inside X.509 certificate extension fields while the two endpoints are still negotiating the handshake.
“Data transferred via X.509 extensions may bypass detection methods that do not inspect certificate values,” according to a technical explanation of a proof-of-concept published Monday.
“This would enable someone who already has persistence inside of a network to get past the perimeter defenses and perform a data exchange,” said Chad Robertson, director of threat research at Fidelis in an interview. “It’s a unique and novel method of covert data exchange and would have to be specifically looked for at the perimeter by a device that was inspecting certificates or anomalies in order to see the data embedded inside certificates.”
The attack is similar to data cloaking techniques such as DNS tunneling, which smuggles data through the DNS protocol by encoding it in queries and responses (TXT records are a common carrier) that resolvers forward to an attacker-controlled authoritative name server.
Fidelis said that by abusing the X.509 extension, an adversary could “place arbitrary binary data into the certificate or utiliz[e] them as a covert channel.”
“[The] TLS X.509 certificates have many fields where strings can be stored… The fields include version, serial number, issuer name, validity period and so on. The certificate abuse described in our research takes advantage of this fact to hide data transfer inside one of these fields. Since the certificate exchange happens before the TLS session is established, there appears to never be data transfer, when in reality the data was transferred within the certificate exchange itself.”
Initial research into this covert data exchange was outlined at the infosec conference BSides in Kansas City, MO in July. “Since then, we have done additional research to the point where we can demonstrate embedding Mimikatz into this field in the certificate exchange during the TLS negotiations,” Robertson said.
On Monday, Fidelis released a proof-of-concept attack, hosted on GitHub, that includes the framework for exchanging the data. It complements additional research on TLS abuse (PDF) that Fidelis released in January.
According to Fidelis, the researchers were able to store 60 kilobytes of data in each TLS X.509 certificate exchange. “You could establish this channel and perform rapid certificate negotiations enabling the data transfer of large amounts of data,” Robertson said.
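To make concrete both the embedding described above (arbitrary bytes in an extension's OCTET STRING, split into per-handshake chunks) and the detection point Fidelis raises (sensors that do not inspect certificate values see nothing), here is an added example in pure-stdlib Python. It is not the Fidelis proof-of-concept and not the article's own code; the private-arc OID, the 60 KiB chunk size, the list of "known" extensions and the detection thresholds are assumptions chosen for illustration, and the payload is constructed inline.

```python
"""X.509 extension covert channel sketch plus a detector for it.
Added example, not the Fidelis PoC.  OID, chunk size and thresholds are assumptions."""
import math
from collections import Counter

COVERT_OID = "1.3.6.1.4.1.99999.1"      # placeholder private-arc OID (assumption)
CHUNK = 60 * 1024                        # bytes per certificate, per the article
KNOWN_OIDS = {                           # a few RFC 5280 extensions a cert normally carries
    "2.5.29.14": "subjectKeyIdentifier", "2.5.29.15": "keyUsage",
    "2.5.29.17": "subjectAltName", "2.5.29.19": "basicConstraints",
    "2.5.29.35": "authorityKeyIdentifier", "2.5.29.37": "extKeyUsage",
}

def der_len(n):
    """DER length: short form below 0x80, else 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def encode_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                 # base-128, high bit set on all but the last byte
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return der(0x06, bytes(out))

def decode_oid(content):
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def encode_extension(oid, value, critical=False):
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
    extnValue OCTET STRING }.  The OCTET STRING accepts any bytes: nothing in
    the syntax bounds or types its content, which is the whole trick."""
    body = encode_oid(oid) + (der(0x01, b"\xff") if critical else b"")
    return der(0x30, body + der(0x04, value))

def encode_extensions(exts):
    """Extensions ::= SEQUENCE OF Extension (the TBSCertificate [3] field)."""
    return der(0x30, b"".join(exts))

def parse_tlv(buf, off):
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[off + 2:off + 2 + n], "big"), 2 + n
    start = off + hdr
    return tag, buf[start:start + length], start + length

def parse_extensions(der_bytes):
    """Return [(oid, critical, extnValue bytes), ...] from an Extensions blob."""
    tag, seq, _ = parse_tlv(der_bytes, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    exts, off = [], 0
    while off < len(seq):
        _, ext, off = parse_tlv(seq, off)
        _, oid_bytes, p = parse_tlv(ext, 0)
        tag, val, p = parse_tlv(ext, p)
        critical = False
        if tag == 0x01:                  # optional critical BOOLEAN present
            critical = val == b"\xff"
            tag, val, p = parse_tlv(ext, p)
        exts.append((decode_oid(oid_bytes), critical, val))
    return exts

def build_covert_extensions(data, chunk=CHUNK):
    """Sender side: one Extensions blob per certificate/handshake, with a benign
    (empty) basicConstraints riding alongside so the list looks ordinary."""
    return [encode_extensions([encode_extension("2.5.29.19", der(0x30, b"")),
                               encode_extension(COVERT_OID, data[i:i + chunk])])
            for i in range(0, len(data), chunk)]

def reassemble(blobs):
    """Receiver side: concatenate the covert extension's value across handshakes."""
    return b"".join(v for blob in blobs for oid, _, v in parse_extensions(blob)
                    if oid == COVERT_OID)

def entropy(data):
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def flag_suspicious_extensions(der_bytes, max_value_len=512, entropy_threshold=7.0):
    """Detector: what a certificate-inspecting sensor would ask of each extension
    (unknown OID, oversized value, value that looks compressed or encrypted)."""
    findings = []
    for oid, _, val in parse_extensions(der_bytes):
        reasons = []
        if oid not in KNOWN_OIDS:
            reasons.append("unknown extension OID")
        if len(val) > max_value_len:
            reasons.append(f"extnValue is {len(val)} bytes (limit {max_value_len})")
        if len(val) >= 64 and entropy(val) > entropy_threshold:
            reasons.append("high-entropy extnValue")
        if reasons:
            findings.append((oid, len(val), reasons))
    return findings

# Constructed stand-in for a tool binary: 150 KiB with every byte value equally likely.
SAMPLE_PAYLOAD = bytes(range(256)) * 600

if __name__ == "__main__":
    blobs = build_covert_extensions(SAMPLE_PAYLOAD)
    print(len(blobs), "certificates; round trip ok:", reassemble(blobs) == SAMPLE_PAYLOAD)
    for oid, size, reasons in flag_suspicious_extensions(blobs[0]):
        print(oid, size, reasons)
```

Run as a script it shows the 150 KiB sample needing three certificate exchanges at 60 KiB each and the detector flagging only the placeholder extension, on all three criteria, while leaving the benign basicConstraints alone. A real sensor would apply the same checks to the DER it sees in the handshake's Certificate message, whether or not a session is ever completed; a sensor that only tracks session setup, as the article notes, sees no data transfer at all.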