A new method of covert channel data exchange has been uncovered. It uses a well-known and widely implemented public key certificates standard (X.509), which is a hallmark of both TLS and SSL IP implementations for securing web communications.
According to Jason Reaves, threat research principal engineer at Fidelis Security, there’s a flaw in the way the certificates are exchanged, which could allow them to be hijacked for command-and-control (CnC) communication. The process also ends up bypassing common security measures.
Reaves created a proof of concept (PoC) that shows a malicious binary being transferred over TLS negotiation traffic to simulate a threat actor transferring the Mimikatz data-extraction malware to an already compromised system.
Essentially, certificates are exchanged during the TLS handshake, before the secure connection is made. By placing arbitrary binary data into the certificates themselves, Reaves uncovered a system that could be used to send or receive data from both a client and a server perspective. Meanwhile, the data transferred via X.509 extensions may bypass detection methods that do not inspect certificate values. As he explained in an analysis:
X.509 certificates have many fields where strings can be stored...The fields include version, serial number, Issuer Name, validity period and so on. The certificate abuse...takes advantage of this fact to hide data transfer inside one of these fields. Since the certificate exchange happens before the TLS session is established there appears to never be data transfer, when in reality the data was transferred within the certificate exchange itself.
When it comes to mitigation and detection, the PoC uses self-signed certificates, so blocking self-signed certificates at the perimeter could be a useful protection mechanism for these attacks. Another possibility for signaturing is checking for executables in certificates.
While no exploit has yet been seen in the wild, the widespread use of these certificates means that many organizations are potentially open to this new data transfer method, which in and of itself is not all that unusual.
“Using covert channels to move data across a network is not new…Appending data to ICMP, for example, was proposed as a means to transfer data back in 2005, with citations pointed to publications from 1997,” Reaves said. “Indeed, one of the earliest mentions of practical covert channel use comes in a government publication from 1993. Researchers continue to find novel ways to abuse protocols and RFC implementations to achieve difficult-to-detect data transfer methods.”