In Part 1 of this two-part blog series, we outlined how domain fronting enables bad actors to hide their illegitimate traffic under the cloak of legitimate websites.
Now we explore how and why hackers use domain fronting, and discuss strategies to secure your enterprise network against this evasion tactic.
Domain Fronting: The Origins
Domain fronting was developed to help people access blocked or censored online resources. For example, it enables users in China to access YouTube. A client fetching a website sends requests over the DNS, TLS and HTTP protocols. For Chinese users, the DNS query and the TLS handshake name a legitimate, allowed website, while the HTTP Host header inside the encrypted connection names YouTube, so the shared front end forwards the request there. Thus, domain fronting disguises the true destination of the connection and hides the blocked domain, YouTube, behind an allowed one.
Messaging apps like Signal and Telegram used domain fronting with CDNs to bypass censorship in several countries until the capability was shut down, most notably by AWS.
Despite its honourable beginnings, domain fronting is now exploited by cybercriminals to illegally gather web resources and deliver malware over enterprise networks.
A High-Profile Recent Example
In 2017, it was discovered that the Russian hacker group APT29 had been using the anonymity software Tor to make it appear that their traffic was going to a legitimate website.
The attackers took advantage of the way Internet CDNs route traffic. They also set up a Tor hidden service to enable an encrypted network tunnel that appeared to connect to Google services over TLS. The tunnel allowed traffic to be forwarded to specific local ports, giving them remote access to victim systems using their hidden Tor (.onion) address.
Why Attackers Use Domain Fronting
With domain fronting, the hacker’s domain is hidden behind a high-trust domain. Their traffic “mirrors” legitimate traffic, so they avoid detection as they attempt to enter a network for any of the below objectives.
They may seek to make their traffic seem legitimate in order to communicate with infected machines and secure backdoor access to targets' data; the APT29 campaign described above is an example.
Another goal is to steal sensitive or confidential data, e.g. patents, vaccine information, business plans, or any other type of Intellectual Property.
Bad actors also use domain fronting to launch supply chain attacks: to access enterprise networks, install malware, compromise data and encrypt the victim's infrastructure to make it inaccessible to authorized users.
Most organizations that come to Packetlabs for cybersecurity support initially lack protection from domain fronting. Almost all small and medium businesses don’t have the expertise to detect – much less block – malicious traffic resulting from domain fronting. If attacks use the same infrastructure as high-trust domains like Yelp or Whole Foods, malicious traffic goes unnoticed, and a hacker who gets into their system stays there undetected for a long time. APT29 used this stealthy methodology for two years before discovery.
How to Protect your Company from Domain Fronting
Google and Amazon closed domain fronting on their CDNs in 2018. Therefore, some security professionals believe that domain fronting has "died." The fact is that this problem continues to affect enterprise networks because it still works on other CDNs. For example, the CDNs that serve major brands like Whole Foods and Yelp have not turned it off. That's why defending against this evasive exfiltration technique is critical.
A proxy server is a powerful defence against domain fronting. At Packetlabs, we advise our clients to route all Internet-bound connections through a proxy configured for TLS interception. Such a proxy acts as an intermediary that can inspect your network traffic. Configure it to check that the HTTP/1.1 Host header matches the domain of the requested URL (the name presented in the TLS handshake). If there is a mismatch, you can overwrite the mismatched domain and log the action, or create rules that raise an alert on every mismatch.
Ensure that there are no dangling DNS- or CDN-fronted resources, i.e. records that the CDN would route to an origin host that no longer exists. For malware protection, incorporate defensive techniques like strong host security, application whitelisting, and code signing. Encrypt all data in the cloud, and store the encryption keys safely.
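The Host-versus-SNI check described above, as an added example (not Packetlabs code). It assumes a TLS-intercepting proxy exports one record per request with the three fields used here; the sample records are constructed, and the "same registrable domain" rule is a naive last-two-labels heuristic that a real deployment would replace with a public-suffix list.

```python
"""Flag proxy records whose HTTP Host header does not match the TLS server name."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProxyRecord:
    client: str
    sni: str             # server name from the TLS ClientHello (the "front" domain)
    host: Optional[str]  # HTTP/1.1 Host header seen after TLS interception


def _normalize(name: Optional[str]) -> str:
    """Lowercase, drop a :port suffix and a trailing dot so equal names compare equal."""
    if not name:
        return ""
    name = name.strip().lower().rstrip(".")
    if name.startswith("["):  # IPv6 literal: leave untouched
        return name
    return name.split(":", 1)[0]


def _base_domain(name: str) -> str:
    """Naive registrable domain (last two labels); assumption, use a public-suffix list in production."""
    labels = name.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name


def classify(record: ProxyRecord) -> str:
    """'ok', 'missing-host', 'warn' (same registrable domain) or 'alert' (fronting pattern)."""
    sni, host = _normalize(record.sni), _normalize(record.host)
    if not host:
        return "missing-host"   # HTTP/1.1 requires Host; absence is itself worth logging
    if host == sni:
        return "ok"
    if _base_domain(host) == _base_domain(sni):
        return "warn"           # e.g. assets.example.com fronting www.example.com, usually benign
    return "alert"              # outer name and inner name belong to different domains


def find_fronting(records: List[ProxyRecord]) -> List[Tuple[str, str, str]]:
    """Return (client, sni, host) for every record that looks like domain fronting."""
    return [(r.client, r.sni, r.host or "") for r in records if classify(r) == "alert"]


# Constructed sample records, not real traffic.
SAMPLE = [
    ProxyRecord("10.0.0.5", "www.Example.com:443", "www.example.com"),
    ProxyRecord("10.0.0.5", "assets.example.com", "www.example.com"),
    ProxyRecord("10.0.0.9", "trusted-front.example", "hidden-backend.placeholder.example"),
    ProxyRecord("10.0.0.9", "trusted-front.example", None),
]
```

Running `find_fronting(SAMPLE)` returns only the third record; the second is downgraded to a warning because both names share a registrable domain.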
Domain fronting is one of the hardest command and control (C2) techniques for enterprise security teams to detect. Packetlabs’ penetration testers and red teams conduct domain fronting as a part of their exploitation. They emulate the actions of bad actors, assess the health of client networks, and make suggestions on how they can reduce their vulnerability to malicious traffic and strengthen their cybersecurity.