
Data exfiltration is a form of security breach whereby attackers attempt to break into a network and gain control of a target machine to steal valuable data. IT security teams try to prevent data exfiltration by predicting exactly how the data will be stolen from a machine. Common detection techniques focus on attributes of the valuable data and non-standard network traffic destinations, but attackers can exploit commonly used network channels to bypass these defense mechanisms.

DNS Tunneling Data Exfiltration

Hackers embed encrypted chunks of data in DNS queries or establish a DNS tunnel from within the network. After exfiltration, the chunks are decrypted at the other end and reassembled to recover the sensitive information. HTTP or SSH can also be tunneled, compressed, and encrypted over DNS, much to the dismay of security staff and network administrators.

Security teams should inspect port 53 traffic in firewalls and IDS. Inspect the firewall traffic to understand what is actually passing through that is not authentic DNS traffic. Look for unusual packet sizes or anomalies in the number of connections. To find exfiltrated data, randomly inspect DNS packets, look for TXT records and host.subdomain patterns in DNS queries, and use lexical analysis, entropy, and time-series analysis to determine whether the queries carry data.
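The checks above (TXT lookups, long high-entropy leftmost labels, many unique subdomains under one parent domain) applied to a constructed DNS query log, as an added illustration that is not part of the original post; the log format, thresholds and the two-label "registered domain" cut are assumptions for the example.

```python
import math
from collections import defaultdict

# Constructed DNS query log (timestamp, client, record type, query name); not real traffic.
SAMPLE_LOG = """\
2017-11-08T10:00:01 10.0.0.5 A www.example.com
2017-11-08T10:00:02 10.0.0.5 A mail.example.com
2017-11-08T10:00:03 10.0.0.7 TXT 4a6f686e20446f6520313233.tun.example.net
2017-11-08T10:00:03 10.0.0.7 TXT 9f3c1e7ab2d4e5f60718293a.tun.example.net
2017-11-08T10:00:04 10.0.0.7 TXT b7c8d9e0f1a2b3c4d5e6f708.tun.example.net
2017-11-08T10:00:04 10.0.0.7 TXT 1122334455667788990a0b0c.tun.example.net
2017-11-08T10:00:05 10.0.0.5 AAAA cdn.example.com
"""

def shannon_entropy(text):
    """Bits per character; hex or base64 payload labels score well above real hostnames."""
    if not text:
        return 0.0
    total = len(text)
    return -sum((n / total) * math.log2(n / total)
                for n in (text.count(ch) for ch in set(text)))

def score_domains(log_text, min_queries=3, entropy_limit=3.0, label_limit=20):
    """Aggregate queries per registered domain and flag those whose leftmost labels
    look like encoded data (long and high-entropy) or that are mostly TXT lookups."""
    stats = defaultdict(lambda: {"n": 0, "txt": 0, "labels": set(), "ent": 0.0, "len": 0})
    for line in log_text.splitlines():
        _ts, _client, rtype, qname = line.split()
        labels = qname.lower().rstrip(".").split(".")
        domain = ".".join(labels[-2:])             # crude registered-domain cut (assumption)
        leftmost = labels[0] if len(labels) > 2 else ""
        s = stats[domain]
        s["n"] += 1
        s["txt"] += rtype == "TXT"
        s["labels"].add(leftmost)                  # unique subdomains ~ distinct data chunks
        s["ent"] += shannon_entropy(leftmost)
        s["len"] += len(leftmost)
    flagged = {}
    for domain, s in stats.items():
        if s["n"] < min_queries:
            continue
        mean_ent, mean_len = s["ent"] / s["n"], s["len"] / s["n"]
        txt_ratio, uniq_ratio = s["txt"] / s["n"], len(s["labels"]) / s["n"]
        if (mean_ent > entropy_limit and mean_len > label_limit) or txt_ratio > 0.5:
            flagged[domain] = {"queries": s["n"], "mean_entropy": round(mean_ent, 2),
                               "mean_label_len": round(mean_len, 1),
                               "txt_ratio": round(txt_ratio, 2), "unique_ratio": round(uniq_ratio, 2)}
    return flagged
```

On the sample log, `score_domains(SAMPLE_LOG)` flags only `example.net`; the ordinary `www`, `mail` and `cdn` lookups under `example.com` stay below every threshold.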


Social Media C2 Data Exfiltration


Malware operators exploit social media networks to communicate with their bots. Many hackers have begun using Twitter as the C2 channel for their malware intrusions and data exfiltration. They create fake profiles on Twitter and then post a particular set of encrypted commands to these profiles. If a malicious profile is detected and taken offline, the bot herder can use exploit tools like TwitterNET to create thousands of additional fake profiles instantly. In April 2017 Cisco's Talos reported on a Remote Administrative Tool (RAT) malware they coined ROKRAT. ROKRAT exploits a well-known vulnerability (CVE-2013-0808) to download a binary disguised as a .jpg file and then uses Twitter and two cloud platforms, Yandex and Mediafire, as both C2 communication and exfiltration platforms. These platforms make use of HTTPS connectivity and are difficult to block globally because their use is seen as legitimate. Twitter just announced it will be rolling out a longer character limit that doubles the previous limit of 140 to 280 characters. This may increase the likelihood of data leaks over the popular social media network.

Security experts should flag suspicious social media traffic and block it, leaving the malware or botnet unable to relay data back to its C2 server. Consider blocking access to social media sites on sensitive networks.


Tal Morgenstern is Head of R&D, Endpoint Detection and Response Team at Cyberbit.
