Vulnerability Helps Researchers Expose Malware C&C Servers
We usually get to hear of vulnerabilities that cybercriminals exploit to expose or steal data. This time it’s the other way around; the criminals are at the receiving end. A vulnerability has helped researchers expose malware C&C servers.
A vulnerability in a penetration testing tool that was being used by hackers is now helping researchers expose the locations of thousands of malware C&C (Command-and-Control) servers. This vulnerability, which is now patched, affected the penetration testing tool Cobalt Strike, which is a legitimate tool that researchers have been using to emulate cyber-attacks. But for the past five years, cybercriminal groups too had started using Cobalt Strike which has been around for over a decade.
It was because of its ease of use and scalability that Cobalt Strike turned the favorite of cybercriminal gangs like FIN6 and FIN7 (Carbanak) as well as nation-state cyber-espionage groups, like APT29 (Cozy Bear). These threat actors would first use Cobalt Strike to host their C&C servers and then they’d deploy malware on the networks of many enterprises through the Cobalt “beacons” (the implant component of Cobalt Strike is called the “beacon”) that they plant on the infected hosts.
Meanwhile, researchers at the Dutch security firm Fox-IT discovered a bug in the Cobalt Strike server component that allowed them to track hackers for the last few years. Fox-IT researchers have revealed that the Java-based NanoHTTPD web server of Cobalt Strike accidentally added in the server’s HTTP responses an additional whitespace, which helped in detecting Cobalt Strike communications between beacons and their C&C servers across the years.
A Fox-IT blog post dated February 26, 2019 discusses this discovery in detail. The blog post says, “One of Fox-IT’s InTELL analysts, with a trained eye for HTTP header anomalies, spotted an unusual space in the response of a Cobalt Strike team server in one of our global investigations into malicious activity. Though this might seem irrelevant to a casual observer, details such as these can make a substantial difference in combating malicious activity, and warranted additional research into the set-up of the team servers. This ultimately led to Fox-IT being able to better protect our clients from actors using Cobalt Strike.”
The blog post further says, “The webserver of the team server in Cobalt Strike is based on NanoHTTPD, an opensource webserver written in Java. However this webserver unintendedly returns a surplus whitespace in all its HTTP responses. It is difficult to see at first glance, but the whitespace is there in all the HTTP responses from the Cobalt Strike webserver… Using this knowledge it is possible to identify NanoHTTPD servers, including possible Cobalt Strike team servers. We found out that public NanoHTTPD servers are less common than team servers. Even when the team server uses a Malleable C2 Profile, it is still possible to identify the server due to the “extraneous space”.”
When Cobalt Strike 3.13 was released on January 2, 2019, the “extraneous space” was fixed. Fox-IT points out that this indicates that this vulnerability was present in Cobalt Strike for almost 7 years, assuming it used NanoHTTPD since the first version, released in 2012. The Fox-IT blog points out that a careful look can help spot the space in some of the author’s original YouTube videos, dating back to 2014.
Fox-IT has revealed that in total the company has observed 7718 “unique Cobalt Strike team server or NanoHTTPD hosts between the period of 2015-01 and 2019-02”. The company has also published a list of historical IP addresses that used to or are still hosting Cobalt Strike C&C servers. Some of these could be legitimate instances of companies using the tool for testing purposes, but many of these could also be from hacker groups. Hence security teams in companies could use the list to check their network logs and identify breaches if any.
There are reports of companies confirming Fox-IT’s discovery. Anyhow, with servers getting patched post such confirmations, current scans for the bug are yielding fewer results.
Cybercriminals might use pirated, unregistered and cracked versions of Cobalt Strike and hence the bug might remain unpatched for a long time. However, legitimately-owned servers will receive the Cobalt Strike patch and hence most of the servers that come up during scans would be those of cybercriminals.
Related Resources: