March 2, 2022

Devious Packets

Thank you to everyone who attended the webinar with Binary Defense's Randy Pargman and Open Source Context's Donald "Mac" McCarthy.

We promised there would be some PCAP files uploaded. You can download them here.

The file 0.pcap is a cURL of the site https://randy-pretzels.recipes.global.fastly.net. This site may no longer be up, but when you went to the site a few things happened:

There was a DNS lookup for the host. This is important, because it is one of several indicators that there may be something malicious at play. There was not a registered domain for randy-pretzels.recipes at the time of the presentation. Fastly is not doing anything wrong. This is how Fastly works. It does however allow for an attacker to make a non-existent domain/service to appear more legit. By monitoring for these values of CDNs within your own DNS environment, and locating no existent services, you develop a potentially interesting and valuable intelligence nugget about your adversary.

Second, the user would have been presented with a screen similar to this:

There is a certificate mismatch that generally occurs in the default configurations. Part of this is because with a non-existent domain, it is difficult for the attacker to obtain a valid certificate for Fastly to use on behalf of the service.

There are ways to blunt the impact and make this less of a problem (even make the certificate warning not appear), but we will refrain from giving a roadmap to attackers who may not be aware of this technique. In making this happen however, there are some additional interesting tool-marks that are left for the defender to be able to use.

Finally, if the user had clicked through this warning, it would have redirected to either the Binary Defense website or the Open Source Context blog depending on conditions. This is a perfect place for the user to see a familiar page after an unfamiliar step. It also can lull the user into a sense of security that nothing bad happened. Even though when this site was up, there were several redirects through javascript and html before the user got to a "safe spot." Plenty of opportunity to place cookies or launch drive-by attacks at the user.

The second PCAP, 1.pcap, is of a cURL to https://randy-pargman-pretzels.recipes.my-cdn-net.com. When we gave this presentation, the domain of my-cdn-net.com was under 24 hours old. This represents a statistically risky domain. Since users are used to seeing "cdn" in their web addresses on behalf of companies, this does not stand out as abnormal. Also, the webpage was cached and served from Fastly. This gave defenders virtually no chance to do any reputation monitoring or defensive posturing other than at a) the host/domain name (DNS) level or b) the endpoint. If you don't have a pDNS service or other feed to point out domain resolution age, the first opportunity is lost. This means it falls entirely on an EDR to evaluate traffic coming from a legitimate, reputable CDN like Fastly.

Our live demo ended in an interesting rick roll. In reality, domain fronting and the use of CDNs is a great way for an attacker to make traffic "look and feel" legitimate and minimize the number of chances an attacker has to respond.