APT29, a/k/a Cozy Bear, has been utilizing a technique called domain fronting in order to secure backdoor access to targets for nearly two years running, experts said Monday.
The nation-state attackers have reportedly been pairing the anonymity software Tor with a Tor plugin that specializes in domain fronting in order to make it seem as if their traffic was going to a legitimate website, such as Google. Matthew Dunwoody, principal consultant at Mandiant, described the technique in a FireEye blog post on Monday.
Domain fronting, akin to hiding in plain sight, is a networking technique used to obscure the true endpoint of a connection. The technique, first detailed in a paper (.PDF) by academics at the University of California, Berkeley in 2015, uses HTTPS to communicate with a censored host while appearing, from the outside, to be communicating with a completely different, permitted host, in this case Google.
The pluggable transport for Tor, meek, relays HTTPS requests through a third-party server, usually a content delivery network (CDN) associated with multiple domains, to make it look like the browser is talking to a basic website. The technique is traditionally used to thwart censorship online or to bypass firewalls.
Dunwoody claims APT29 attackers set up a Tor hidden service to enable a backdoor. The encrypted network tunnel allows for the forwarding of traffic from the client to local ports 139 (NetBIOS), 445 (Server Message Block) and 3389 (Terminal Services).
“This provided the attackers full remote access to the system from outside of the local network using the hidden TOR (.onion) address of the system,” Dunwoody writes.
The attackers managed to cover their tracks by making it seem like they were connecting to Google services over TLS. While it looked like normal HTTPS POST requests were going to google.com on a Google-owned IP address, the traffic was really being sent through a reflection server to Tor.
Google disabled the reflection server being used, meek-reflect.appspot.com, Mandiant said, but it acknowledged that other servers, on Google’s cloud infrastructure and on supported CDNs, can do the same thing.
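For defenders who decrypt outbound TLS at a proxy, the fronted requests described above show up as a mismatch between the name in the TLS handshake (SNI) and the Host header inside the tunnel. The following is an added example, not code from Mandiant or the original article; the record layout, field names and sample values are constructed assumptions.

```python
from collections import Counter

# Constructed sample records from a TLS-inspecting proxy (not real traffic).
# Assumed fields: "sni" is the server name from the TLS ClientHello,
# "host" is the HTTP Host header seen after decryption.
RECORDS = [
    {"src": "10.0.4.17", "sni": "www.google.com", "host": "www.google.com", "method": "GET"},
    {"src": "10.0.4.23", "sni": "www.google.com", "host": "meek-reflect.appspot.com", "method": "POST"},
    {"src": "10.0.4.23", "sni": "www.google.com", "host": "meek-reflect.appspot.com:443", "method": "POST"},
    {"src": "10.0.4.23", "sni": "WWW.GOOGLE.COM.", "host": "Meek-Reflect.appspot.com", "method": "POST"},
    {"src": "10.0.4.31", "sni": "example.org", "host": "example.org:443", "method": "POST"},
    {"src": "10.0.4.40", "sni": "", "host": "example.net", "method": "GET"},
]

def normalize(name):
    """Lowercase a hostname and drop an optional :port and trailing dot."""
    name = (name or "").strip().lower()
    if name.startswith("["):            # bracketed IPv6 literal, e.g. [::1]:443
        name = name[1:].split("]", 1)[0]
    elif name.count(":") == 1:          # host:port
        name = name.rsplit(":", 1)[0]
    return name.rstrip(".")

def fronting_candidates(records):
    """Count requests per (src, sni, host) where outer and inner names differ."""
    hits = Counter()
    for rec in records:
        sni, host = normalize(rec.get("sni")), normalize(rec.get("host"))
        if not sni or not host:
            continue                    # nothing to compare without both names
        if sni != host:
            hits[(rec["src"], sni, host)] += 1
    return hits

def report(records, min_requests=2):
    """Return (src, sni, host, count) rows seen at least min_requests times."""
    rows = [(src, sni, host, n)
            for (src, sni, host), n in fronting_candidates(records).items()
            if n >= min_requests]
    return sorted(rows, key=lambda r: (-r[3], r[0]))

if __name__ == "__main__":
    for row in report(RECORDS):
        print("SNI/Host mismatch: src=%s sni=%s host=%s requests=%d" % row)
```

A mismatch is a lead rather than a verdict: HTTP/2 connection reuse can legitimately carry requests for a second hostname covered by the same certificate, so review hits against the client's other activity.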
The attackers also leveraged Sticky Keys, a Windows ease of access feature used for facilitating keyboard shortcuts, to maintain persistence. By replacing the binary for Sticky Keys with a Windows Command Processor, the attackers made it so when the shift key was pressed five times, it’d open a system-level command shell.
“From this shell, the attackers can execute arbitrary Windows commands, including adding or modifying accounts on the system, even from the logon screen (pre-authentication). By tunneling RDP traffic to the system, the attackers could gain both persistent access and privilege escalation using this simple and well-known exploit,” Dunwoody wrote.
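A quick triage check for the binary replacement described above is to test whether the Sticky Keys binary (sethc.exe) is byte-identical to the Windows Command Processor (cmd.exe) in the same directory. This is an added example, not code from the article or from Mandiant; the function names are hypothetical and the demo files are constructed stand-ins so the check runs on any platform.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def replaced_with_shell(system_dir, targets=("sethc.exe",), shells=("cmd.exe",)):
    """Return [(target, shell)] for each target that is byte-identical to a shell."""
    system_dir = Path(system_dir)
    shell_hashes = {sha256_file(system_dir / s): s
                    for s in shells if (system_dir / s).is_file()}
    findings = []
    for target in targets:
        path = system_dir / target
        if path.is_file():
            match = shell_hashes.get(sha256_file(path))
            if match:
                findings.append((target, match))
    return findings

def demo():
    """Run the check on two constructed directories: one clean, one tampered."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, tampered = Path(tmp) / "clean", Path(tmp) / "tampered"
        for d in (clean, tampered):
            d.mkdir()
            (d / "cmd.exe").write_bytes(b"constructed stand-in for cmd.exe")
        (clean / "sethc.exe").write_bytes(b"constructed stand-in for sethc.exe")
        # Tampered case: sethc.exe is a copy of cmd.exe, as the article describes.
        (tampered / "sethc.exe").write_bytes((tampered / "cmd.exe").read_bytes())
        return replaced_with_shell(clean), replaced_with_shell(tampered)

if __name__ == "__main__":
    print(demo())
```

On a Windows host the check would be pointed at the System32 directory; it only catches an exact copy of the local cmd.exe, so a replacement taken from a different build or a different program needs a signature or version-metadata check instead.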
Dunwoody says the fact that the attackers used freely available software, Tor, with meek, helped keep their work under wraps.
“By employing a publicly available implementation, they were able to hide their network traffic, with minimal research or development, and with tools that are difficult to attribute,” Dunwoody said. “Detecting this activity on the network requires visibility into TLS connections and effective network signatures.”
Dunwoody and Nick Carr, a senior manager with Mandiant’s security consulting and incident response team, first discussed the backdoor in a talk at DerbyCon last fall but this is the first time technical details around the technique have been published.
It’s unclear exactly how long APT29 has been using the technique. Mandiant said Monday that attackers with the group adopted the technique before it “was widely known.” PoPETs, a journal that publishes papers accepted to the Privacy Enhancing Technologies Symposium, released the University of California paper on domain fronting back in 2015, suggesting APT29 may have had the technique down for two years now.
Domain fronting began figuring into the way the Android version of the secure messenger Signal works in some countries just last year. Moxie Marlinspike, Open Whisper Systems’ founder, said in December that when Egypt and UAE Signal users send messages through the service, it appears as if they’re normal HTTPS requests to google.com. If either country wanted to block Signal messages, they would have to block all of google.com.
APT29 is perhaps best known for having a hand in several attacks against American political think tanks and non-governmental organizations last November, along with intrusions at the Democratic National Committee last summer.
The Russian APT group was also implicated by CrowdStrike in attacks against the White House, State Department, and Joint Chiefs of Staff last summer, while Kaspersky Lab reported in 2015 that CozyDuke, an APT group similar to Cozy Bear, carried out data mining attacks against the White House and the Department of State in 2014.
It’s believed the same group was originally behind the MiniDuke backdoor discovered by Kaspersky Lab and CrySyS Lab in 2013 and also connected to Hammertoss, a data theft tool found in 2015. Researchers with FireEye, who discovered the tool on a single organization’s network, said at the time it was linked to the same APT group. The tool relied on Twitter and special instructions encrypted in images stored on GitHub to carry out espionage.