CyberArk Red Team: New Attack Technique Exploits Internet's Content Delivery Networks


The CyberArk Red Team has uncovered a new technique for domain fronting that allows cyber attackers to abuse Content Delivery Networks, including Akamai, to mask malware command and control (C2) traffic.

CyberArk’s research demonstrates that high reputation domains, including those of Fortune 100 companies, can be used to mask malware command and control traffic, allowing the malware to remain completely undetected. This discovery is a game changer, one that effectively enables attackers to bypass defensive security systems such as network monitoring and control tools that rely on SSL fingerprinting and “known good” domains. It also ends cyber defenders’ ability to trust that high reputation domain destinations are a reliable indicator of benign internet traffic.

Analogous to the evolution of endpoint protection solutions that now rely on a mix of “known good” and “known bad” applications to protect the enterprise, this research signals a major shift in network protection where defenders can no longer trust outbound traffic that is “known good.”

The underlying issue is associated with the design of the HTTP protocol, and therefore many CDNs are potentially impacted, including Akamai, which is one of the largest and carries 15-30% of the world’s internet traffic.
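Domain fronting, as the term is generally understood, works because the domain named in the TLS handshake (the SNI) and the domain named in the HTTP Host header inside the encrypted tunnel are set independently, and a CDN routes on the latter. One detection a defender can run, given telemetry that records both values, is to flag connections where they disagree. The following is an added example and not CyberArk's code or research tooling; the key=value log format, the field names and the log lines themselves are constructed for illustration.

```python
"""
Flag candidate domain-fronting connections: a TLS session whose SNI names one
(high-reputation) domain while the HTTP Host header inside the tunnel names
another. Added example; the log format below is hypothetical.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed sample telemetry from a hypothetical TLS-inspecting proxy that
# records both the SNI and the decrypted Host header as key=value fields.
SAMPLE_LOG = """\
ts=1 src=10.0.0.5 sni=cdn.example-fortune100.com host=cdn.example-fortune100.com
ts=2 src=10.0.0.5 sni=cdn.example-fortune100.com host=c2-backend.example.net
ts=3 src=10.0.0.9 sni=www.example.org host=WWW.EXAMPLE.ORG.
ts=4 src=10.0.0.7 sni=assets.example.com host=assets.example.com:443
ts=5 src=10.0.0.7 host=no-sni.example.com
"""


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    sni: str
    host: str


def parse_kv_line(line: str) -> dict:
    """Parse 'k=v k=v ...' into a dict; values contain no spaces in this format."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def normalize_host(name: str) -> str:
    """Canonicalize a host name: lowercase, drop an explicit :port and a trailing dot."""
    name = name.strip().lower()
    if ":" in name:
        name = name.rsplit(":", 1)[0]  # Host: example.com:443 -> example.com
    return name.rstrip(".")


def find_fronting(log_text: str,
                  allowed_pairs: Iterable[Tuple[str, str]] = ()) -> List[Finding]:
    """
    Return one Finding per record whose SNI and Host disagree after
    normalization. allowed_pairs lists (sni, host) combinations known to be
    legitimate in this environment (a CDN customer may serve several hosts
    behind one certificate), so a mismatch alone is a lead, not a verdict.
    """
    allow = {(normalize_host(s), normalize_host(h)) for s, h in allowed_pairs}
    findings = []
    for raw in log_text.splitlines():
        rec = parse_kv_line(raw)
        sni, host = rec.get("sni"), rec.get("host")
        if not sni or not host:
            continue  # nothing to compare; a missing SNI is a separate, weaker signal
        n_sni, n_host = normalize_host(sni), normalize_host(host)
        if n_sni == n_host or (n_sni, n_host) in allow:
            continue
        findings.append(Finding(rec.get("ts", "?"), rec.get("src", "?"), n_sni, n_host))
    return findings


if __name__ == "__main__":
    for f in find_fronting(SAMPLE_LOG):
        print(f"ts={f.ts} src={f.src}: SNI {f.sni!r} but Host {f.host!r}")
```

Only the second constructed record is reported: the third differs only in case and trailing dot, the fourth only by an explicit port, and the fifth carries no SNI to compare. The allowlist exists because the same mismatch occurs in legitimate CDN deployments, which is exactly why the announcement's point stands: the destination domain on the wire is no longer proof of benign traffic, and the decision has to be made on what is inside the session.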

Serious security risks associated with this attack include:

  • Malware can now be much more resilient and its command and control infrastructure harder to shut down
  • It now becomes virtually impossible to trace malware back to a specific domain
  • Attribution becomes even more difficult
  • Certain widely-used security measures, including traditional network monitoring and control tools, can easily be bypassed by attackers, reinforcing the need for more modern security technologies that provide protective controls and detection INSIDE the network.

CyberArk’s blog on this subject can be seen here:

