RATs in the tunnel: Uncovering the cyber underworld.
Dave Bittner: Only Malware in the Building was filmed in front of a live studio audience. [ Music ]
Dave Bittner: All right, [inaudible 00:00:15].
Unidentified Person: Accessing Rick Howard's laptop.
Selena Larson: Dave, what are you doing?
Dave Bittner: Oh, nothing.
Unidentified Person: Access granted to Rick Howard's laptop.
Dave Bittner: Just working on something important.
Selena Larson: You're not trying to redesign your personal website again, are you? Because the last time it looked like a Geocities nightmare. [ Laughter ]
Dave Bittner: No, no, no, no, I've learned my lesson. That background music was a bad idea. [ Music ]
Selena Larson: So what's the big secret then?
Dave Bittner: Well-
Selena Larson: Wait a second. Are you hacking someone?
Rick Howard: Hey, what's up, guys? [ Applause ] Anyone else having weird computer issues today?
Selena Larson: Like what, Rick?
Rick Howard: Well, I keep getting these emails about joining the Meats-of-the-Month Club.
Unidentified Person: You've got mail.
Rick Howard: You know, I didn't sign up for that, but now I can't stop thinking about bacon. [ Laughter ]
Selena Larson: Are you sure you didn't sign up during a late-night snack attack? [ Laughter ] Wait, wait, wait, wait, wait. Dave, did you hack Rick's laptop?
Dave Bittner: I did, but I only did it because Rick ate all of my famous buffalo dip at the company picnic. [ Music ] I just wanted a little payback.
Selena Larson: Dave, you can't just hack someone to get back at them. That's not cool.
Rick Howard: Jeez, dude, you could have just asked, now I'm stuck with a lifetime supply of sausages and salami. Wait, actually, that doesn't sound so bad. So thanks. I guess. [ Laughter ] [ Music ]
Selena Larson: Remember, folks, hacking is a serious issue, even if it's just for a prank. Always respect others' privacy and stay safe online. You never know what kind of trouble you might get into.
Dave Bittner: I'm sorry, Rick, I shouldn't have done that. Thanks, Selena, for setting me straight.
Unison: Oh.
Rick Howard: No worries, Dave, just don't mess with my email again, or I'll send you a subscription to the Veggies-of-the-Month Club.
Selena Larson: Honestly, he probably needs one with all his dips. [ Laughter ] All right, everyone, stay cyber safe and remember whether it's spam emails or sneaky hacks, always keep your guard up online. [ Music ] [ Music ] Today, we're talking about the abuse of legitimate services for malware and phishing delivery. Threat actors don't always create and manage their own infrastructure or buy and build malware. They often rely on legitimate services to help them along the way. So what does this landscape look like? What are common tools threat actors are using? And why do hackers choose legitimate services over customized or commodity tooling? Some research that we published recently is about -- Dave, are you distracted by your dips?
Dave Bittner: I'm sorry, I have a delicious truffle parmesan aioli dip today. This is a rich and creamy dip made from truffle oil, grated parmesan cheese, garlic, and mayonnaise. It offers an earthy and umami packed experience. But carry on.
Rick Howard: I just gained 10 pounds listening to that description. [ Laughter ]
Selena Larson: The best part of aioli dips are they're just mayonnaise, but fancy.
Rick Howard: I subscribe to that philosophy.
Selena Larson: So anyway, Dave, if we could interrupt your lunch to go back to the abuse of legitimate services, one of the things that I wanted to talk about today was the abuse of Cloudflare Tunnels to deliver malware. I don't know if you guys have ever heard of this before, but it's kind of an interesting technique.
Rick Howard: Is it really different, or is it just another variation on the theme, Selena? [ Music ]
Selena Larson: It is a variation on the theme. So essentially, what it does is it abuses the TryCloudflare feature that allows an attacker to create a one-time tunnel without creating an account. So Cloudflare offers Cloudflare Tunnels as part of some of the services that they sell. But if you're a threat actor, you can just spin one up temporarily and then take it down again. So for those of you who aren't familiar, tunnels are a way to remotely access data and resources that aren't part of the local network. So very similar how- to how we might use a virtual private network, VPN or secure shell, SSH.
Dave Bittner: You know, Selena, Rick is so old, when you mention tunnels, he immediately thinks of his model train set. [ Laughter ] Rick also gets nervous when you mention tunnels. He's so old he doesn't like being around anyone digging deep holes in the ground.
Rick Howard: Oh, God.
Dave Bittner: Although, he does enjoy being inside of a tunnel. It's one of the few places so dark you can't see his wrinkles. You know the real reason Rick enjoys being inside of a tunnel, it's the echo. He never gets tired of hearing his own voice. [ Laughter ]
Rick Howard: I'm hoping that on the backside, when the echo returns, it might sound even better than the first time I said it, which is hard to say, but. [ Laughter ]
Selena Larson: Isn't that just a podcast?
Rick Howard: Exactly right. [ Laughter ]
Selena Larson: Well, threat actors like tunnels too, because, in the same way they cloak Rick's wrinkles, they can also be a way to sort of cloak threat actor activity potentially, you know, using legitimate services for malware delivery or as part of an overall campaign, can sometimes allow threat actors to sort of hide in potentially legitimate network traffic. So-
Rick Howard: That's where I was confused, Selena, because would they use it- they'd set up these tunnels to be like their command-and-control channel? Or are they establishing tunnels to victim data somehow and seeking it out that way? I'm- I'm unclear about how all that works.
Selena Larson: Yeah, so the malware payload URL is the TryCloudflare Tunnel, and then it will access or connect to the command and control that will then download the payload. So it's essentially spinning it up that way. But it is temporary, right? So we've seen a lot of this threat actor cluster in particular that we're tracking. We'll spin it up, essentially; each use of the TryCloudflare Tunnels generates this subdomain on trycloudflare.com, so it's just a series of random words separated by hyphens, then .trycloudflare.com, and the traffic to the subdomains is proxied through Cloudflare to the operator's local server. So again, you're seeing, in kind of the same way, how Cloudflare might be used to sort of cloak phishing websites, for example; it's proxied through to the operator's local server, so you don't necessarily communicate with the threat actor directly. So it's kind of interesting how the threat actors are using this. But with each campaign, it's a new subdomain that's spun up, so they're not relying on the same infrastructure over time. You don't have the ability necessarily to block just on subdomains, right? Like, oftentimes they're like, oh, indicators of compromise. Here's a- here's a domain, here's a- here's a C2 server that you should block, because it's used over and over and over again. But in this case, essentially, they can have a low-cost method, essentially, to stage attacks, use these helper scripts, limited exposure for detection and takedown efforts. So it's kind of- it's kind of interesting. And another thing that I thought was pretty cool about this particular threat campaign is it goes through a variety of different things. So it's a URL leading to a shortcut dot URL file, a lot of different things. It uses WebDAV, so they're hosting the payload on one of these sort of external file shares. Again, WebDAV is a legitimate file hosting, file sharing type of service that you might again see in an enterprise.
But ultimately what it leads to is a Python installer package and a series of Python scripts that actually lead to malware installation. So again, you're seeing Python, a legitimate software. Python scripts, something that you know a lot of people use in their day to day, but in this case, they're actually leading to malware installation. And loading the Python installer alongside the scripts is like, oh, well, if you don't have Python on your computer already, we'll set it up and then be able to execute the malware. So it's kind of an interesting, also a bit convoluted attack- [ Music ]
Dave Bittner: It strikes me that like what a- maybe a conundrum this is for Cloudflare, because on the one hand, you want to be able to demo your services, and you want that to be as friction free as possible, but then you have to dial in how much are you going to tolerate bad folks using your services for free, for bad things. [ Music ]
Rick Howard: Jeez, Dave, so serious here. You sound like the guy in the Mission Impossible mission tape.
Unidentified Person: This message will self-destruct.
Rick Howard: Take it down a notch, will you? This is only a podcast. [ Music ]
Selena Larson: We should make a self-destructing podcast, one of our episodes.
Rick Howard: All of our fans say that every day when we broadcast our thing.
Dave Bittner: Yeah.
Selena Larson: I mean, you do bring up a good point, Dave, right? I mean, you have- this is a conundrum that certainly not just Cloudflare is dealing with, but any company that provides some type of infrastructure service or tool that can be potentially abused by threat actors. I think that, you know, we see it with, for example, Google Drive or OneDrive. You have Discord and Telegram, we can get into this, which I thought was pretty interesting, actually, even info stealers using Steam, you know, the video game community, basically as a command-and-control service. So you have, you know, threat actors that are incorporating legitimate tools and services into their attack chains. And so this is a constant battle for the organizations whose services are being abused, because obviously they want to provide resources to people that are using it legitimately to try things out, or to, you know, store their legitimate files. And so I think it's a bit of a sort of whack-a-mole situation a lot of times, and especially if you're seeing something like temporary infrastructure, it could be very short lived. I mean, oftentimes we'll see a threat actor that I track pretty often, TA2541, they like using Google Drive URLs to deliver VBScripts, and they will store them on Google Drive. But it's so short lived because Google will take it down or they'll identify it as malware. So oftentimes, these might have short shelf lives, but they can be very effective, because oftentimes these are legitimate traffic. I mean, you're going to be using these tools in the enterprise. And so it's kind of clever on the part of the attackers. And this kind of speaks a little bit to the ongoing experimentation that we're seeing from a lot of different threat actors trying to expand their wheelhouse, trying new things, adopting new techniques to try and, you know, push the boundaries, see how effective these new techniques and tools can be.
The TryCloudflare cluster that we're- that we're looking at, typically delivers remote access Trojans, so ultimately, they're delivering malware, right? So it's not that they're just going in there and, you know, trying to do a live off the land type of situation, they will ultimately download and execute malware on a host. So it's just part of the overall malicious attack chain in this case. So there's multiple opportunities for detection and defense. [ Music ]
Rick Howard: So as a treat, Selena, there's two cases here: there's the generic case, where they're using Cloudflare infrastructure for their, you know, command and control infrastructure with no relation to the victim. It's just a place- like they- like if they would have set up their own infrastructure, they're using Cloudflare's to facilitate that stuff. That's the first case. In the second case, though, after they've actually compromised a victim that uses Cloudflare, they could use that infrastructure internally, and it looks like it's the victim's infrastructure, which makes it even less likely to be discovered. Is that the way you're seeing it, or am I missing that?
Selena Larson: So we haven't seen the second example, but in theory, I mean, that's something that a threat actor could do; it's, you know, very similar to when you compromise an account for emails and then send emails and it looks like it's coming from a legitimate sender. So I think that, you know, the compromise of- of legitimate services and using them is something that is, of course, important, but separate from the abuse of legitimate services for a fully malicious activity. [ Music ]
Rick Howard: So what I find interesting, Dave, about this is even the bad guys decided the cloud infrastructure is a better way to go than building it themselves, right? They see the advantages than-
Dave Bittner: Yeah, and I think, you know, another element of this that Selena pointed out is that when you're piggybacking off of other people's legitimate infrastructure, you know, it's not like people are going to just block Google, right? If something's coming from a Google domain, you have to have scrutiny with it, but can't just block all of Google. Your users aren't going to stand for that.
Selena Larson: Yeah, and it's interesting too, because if we're talking about abuse of legitimate services, we see, certainly, you know, software, cloud storage, a lot of, for example, C2 with- like I was mentioning, like the social channels, your Telegram or Discord. But then you also have this sort of interesting increase in delivery of legitimate remote access tools. So whether you call them RMMs, RMS, just a lot of- a lot of different acronyms for it, but they're essentially legitimate remote access software tools that you use in your day to day. So for example, ScreenConnect, Atera, NetSupport. And so that's pretty interesting, because, of course, you know, if you're an organization that uses ScreenConnect and you see the download and installation of ScreenConnect, it's not going to automatically be a red flag, as opposed to, you know, if you're downloading and installing an Agent Tesla executable, that's going to light up your EDR. So it's- it's pretty interesting to see, sort of, the adoption of some of these more RMM tools as part of the final stage. We've seen it with APT actors, certainly TA450, which is an Iranian-aligned actor, AKA MuddyWater, that delivered Atera; reported on that back in March. And then recently, we just published another piece of research about campaigns delivering ScreenConnect. So they're posing as the U.S. Social Security Administration to ultimately deliver ScreenConnect. So yeah, this increase in these RMM tool deliveries, I think, is also very interesting and speaks to the sort of overall abuse of legitimate services trend, I think. [ Music ] Stay tuned. There's more to come after the break. [ Music ]
Rick Howard: So it appears to me the defensive strategy that would work here is some kind of Zero Trust strategy, but, the way we- you've described the problem, it has to be so granular that I don't think many organizations have the capability to identify, you know, say, a Cloudflare Tunnel that is legitimate versus illegitimate, okay? That seems like that's a really hard thing to do. Am I wrong about that?
Selena Larson: Well, I think with the TryCloudflare, those are the sort of temporary free version, free tier. So I think, you know, blocking TryCloudflare domains if they're not used within your organization, is a very, very effective way of-
Rick Howard: But if you are- if you're using Try- what are we calling this thing again?
Selena Larson: TryCloudflare.
Rick Howard: TryCloudflare.
Selena Larson: Yeah. So they would be- yeah. So, of course, yeah, creating, like, a safe list of domains. Similar, right, to what you're talking about, though, is very much sort of access control, restricting network traffic, making sure that that's legitimately used within your organization, and potentially restricting the use of it where it is not required or used. Certainly, you know, in general, you're going to have a setup to safe list various servers, whether that's, you know, for your ScreenConnect, or your NetSupport, or Atera, or, you know, even WebDAV, SMB; these are also things that we've seen abused a lot more as well, and sort of, you know, just blatantly allowing any outbound SMB connection is just not necessarily the best- the best way to do things.
Dave Bittner: Selena, just could you clarify what we're talking about with ScreenConnect here? I mean, I know, you know, for Rick, when he thinks about ScreenConnect, he's probably plugging in his 13-inch black and white Zenith television.
Rick Howard: So I can play Pong, all right, that's the reason you have that. [ Laughter ]
Selena Larson: You know, I have never played Pong.
Rick Howard: Oh, you are out of the club, Selena. You're out of the club. All right, producers, we need a new host. Get her out of here.
Dave Bittner: I mean, we can play Pong like in our browsers right now. There's nothing stopping you from playing Pong.
Selena Larson: I think I missed; I think I missed the draw of Pong. I was playing Oregon Trail. That was my- that was my computer- computer video game.
Rick Howard: Okay, some redemption, not much, but some redemption.
Dave Bittner: That's legit. See, the problem is, Rick actually experienced the Oregon Trail. He's so old.
Rick Howard: Yeah. And I want to talk to somebody about the inaccuracies they have in that game, all right? Because it just didn't get it correctly, right.
Selena Larson: You forded all the- all the rivers.
Dave Bittner: And then he died- died of dysentery. [ Laughter ]
Selena Larson: Yes, so when we're talking about ScreenConnect, it is a legitimate remote access software tool; there's a lot of them that essentially will allow enterprises to remotely connect to your computer and manage software updates, file sharing, things like that. And we've just seen how threat actors can essentially use them as remote access Trojans, very much the same way, right? Where you can set it all up. And sometimes what we've seen is with, for example, telephone-oriented attack delivery, where, you know, it's someone who says, oh, here's this invoice that you need to pay. And you're talking on the phone with someone who pretends to be support, but what they're really doing is walking you through installing remote access software. They're like, I'll help you uninstall or help you pay for this or whatever. But what- essentially, what a victim is doing is enabling remote access on their- on their device. But of course, you know, if you're- if you're not familiar with the use of these tools, or you see something, oh, this is just legitimate remote access software, you know, you might not immediately think that, oh, hey, this is malware. So again, it just goes back to this idea of threat actors abusing legitimate services. So they're- they're not designed to be used that way. But unfortunately, threat actors have found ways to sort of get around these things and abuse them for malicious purposes. [ Music ]
Rick Howard: Well, when we talk about Zero Trust as a strategy, we typically talk about identity and access management for people. And most of the times, we talk about devices, okay, the thing that we lack right now as an industry, I believe, is software components, right? The internal scripts that we write, internal software that we write, and even commercial software that we use, right, who is authorized to use the ScreenConnect app? And will we allow data to go back and forth between that, I think people struggle with trying to figure those kinds of things out.
Selena Larson: Yeah, that's a good point. And also, oftentimes Zero Trust runs up against the ease of use, right? So oftentimes you- you have a struggle with, as an organization, I want to be very secure, but my employees will be very frustrated if they have a lot of roadblocks and run into restrictions on the- on the things that they're used to using. So I think, you know, that's something that obviously we saw, I think, with the adoption of MFA, for example, people are like, "Wait, I have to enter another passcode?"
Rick Howard: Yeah.
Dave Bittner: So hard, so hard.
Selena Larson: Whenever you add additional friction to somebody's general workflow, it tends to cause frustration and oftentimes will be bypassed for convenience.
Rick Howard: Dave, what's the- what's the appropriate dip when you have to put in your second factor?
Dave Bittner: That's easy, smoked salmon and dill spread. [ Music ]
Unidentified Person: And now unnecessary cooking instructions with Dave Bittner, first our list of ingredients. Ingredient one.
Dave Bittner: Smoked salmon.
Unidentified Person: Ingredient two.
Dave Bittner: Cream cheese.
Unidentified Person: Ingredient three.
Dave Bittner: Fresh dill.
Unidentified Person: And finally, ingredients four and five.
Dave Bittner: Capers and just a little hint of lemon. [ Music ]
Unidentified Person: And then I guess you just like stir it all together. This has been unnecessary cooking instructions with Dave Bittner. Now, back to your regularly scheduled programming. [ Music ]
Dave Bittner: It's a wonderful distraction from when you want to throw your mobile device through a plate glass window. [ Laughter ]
Rick Howard: That sounds good.
Dave Bittner: Yeah. Selena, let me ask you this. I mean, what about the providers themselves? You kind of mentioned that folks like Google have, I guess, relatively quick turnaround of tamping these things down. But, like, from your point of view, the view that you have into these sorts of things, how does that game of whack-a-mole play out?
Selena Larson: So I think especially when we're talking about some of this, like, temporary infrastructure, it's very short lived, so if it doesn't have a whole lot of longevity, there's often not a lot that the organizations can necessarily do; they get spun up and taken down really quickly. But I do think that a lot of these services have automated detections in place, very similar to how we have it on our own hosts, where, oh, if this is something that's malicious, or, you know, I caught this, we're not going to let anyone download it. So we certainly run into that with- oftentimes with cloud hosted malware. But it's an ongoing battle. I think some services are better at addressing it than other services, I think. And, you know, I do think that there is a very good discussion to be had, and that is ongoing, that at what point do we not have these available? And at what point do we say, it's not really worth protecting criminals and enabling criminals, but at the same time, it can be very, very difficult to sort of police the use of your tools and services? Certainly, I think we see this, for example, with social media, right, like it- oftentimes it can be very much abused, a lot of disinformation, and things can be rapidly spread very, very quickly and metastasize, and it can be hard to sort of just bring the ban hammer down diligently and very effectively. So it's an ongoing conversation, and I think it's also, you know, part of the conversation of, like, for example, there are services and platforms that host "red team tools" that are almost exclusively abused by threat actors.
Dave Bittner: Right, right.
Selena Larson: And you can pretty much post anything, as long as you say, this is for educational purposes only. And, you know, within a few days, a few weeks, it's going to be showing up in threat actor abuse. So, you know, it's kind of that conversation of like, okay, we're providing these tools for security practitioners. We're providing these tools to the greater community to enable information sharing and, you know, existence on the internet, or red teaming and security, but they're also very, very, very often abused by threat actors. And I think that that's- I think that's an ongoing conversation. I think it used to be very much like a free for all, everything's allowed, you know. But I think- I feel like the InfoSec community is kind of shifting their mindset a little bit on that, and we're having more of these conversations as- to talk about, you know, how can we maybe restrict the use of things? Or is it ethical to be, you know, providing and sharing these tools? And et cetera, et cetera. [ Music ]
Rick Howard: To defend the service providers like Google, you know, is it legitimate to blame them because some bad guy purchased their software and used it for bad purposes? It's kind of like, you know, we would blame the phone company for social engineers using their telephones, you know, to get credit card information. So I agree that at some level, the service providers could find some obvious things, but I think most of this falls on the practitioner to protect their own environments.
Dave Bittner: I tend to err on the other side, just from the point of view that, like this is something that drives me to distraction over on our Hacking Humans Podcast, is this whole notion of the big tech companies saying, "Well, we can't do that at scale." And to me, I'm like, "Well, if you can't do that at scale, then maybe you shouldn't do that at all."
Rick Howard: You forget the very pressing concern on their part, Dave, is that they need to make money, right? [ Laughter ] At scale.
Dave Bittner: But maybe they don't need to- you're right, exactly. That's the thing. They don't- maybe they don't need to make all of the money, you know, maybe just a normal amount of money but, you know, this is where then you find you get policy pushbacks and you get regulations placed on you. If you're not going to do it yourself, then somebody's going to swoop in and say, "All right, you're not going to take care of consumers, watch this," and you know, that's the back and forth. That's the- that's the dance.
Selena Larson: I mean, I do have to say too, though, like, just because you're using- if you're a threat actor, just because you're using a legitimate service or abusing it doesn't mean that your attack is going to be effective, right? So let's say, yes, a user clicked on a malicious Google Drive link; going back to Rick's point, do you have restrictions on, can I download JavaScript and open it in anything but a text file? If yes, then that should be something that could be addressed.
Rick Howard: There are bigger problems there, yeah, there are bigger problems.
Selena Larson: Yeah, yeah. So it's really going back to defense-in-depth; like, yes, companies can do more, I think, to better police and restrict the abuse of their platforms and services. But also, within enterprises, there are layers, and you really want to make sure that you practice defense-in-depth. And it kind of goes back to, you know, the human layer, right? Human beings are going to make mistakes, and making sure that you are doing whatever you can to prevent the mistake from becoming a catastrophe. So whether that's, you know, blocking JavaScript, or, you know, making sure that only your developers are installing Python, or making sure that you're restricting connections to only safe listed servers, if we're talking about any sort of virtual command and control or file shares, it's important for the enterprise as well to put their shields up to close this up. But I do think that there are many, many opportunities for detection and defense, even if it's the abuse of legitimate services. [ Music ] We'll be right back. [ Music ]
Dave Bittner: All right. Well, it's interesting stuff here. And Selena, thank you for sharing all of this. It's fascinating. It's a shame we have to run so quickly, but I know Rick has scheduled his entire afternoon to be playing with his CB radio. [ Laughter ] [inaudible 00:28:55]
Rick Howard: To be immediately followed by a long nap. All right, so that's- that's on the schedule.
Dave Bittner: I will be joining you, but not together. [ Laughter ]
Rick Howard: Not that there's anything wrong with that, all right.
Dave Bittner: No, no, it's just- it's the snoring. That's all. [ Laughter ]
Selena Larson: I have to get on Dave's dips. However, I am much more interested in hot sauce. So next time for the next podcast, I'll bring a list of my favorite hot sauces, because we just did the Hot Ones Challenge. And let me tell you, it was pretty spicy.
Dave Bittner: You did the Hot Ones Challenge?
Selena Larson: I did. I did. I had a whole- a whole party. A bunch of friends came over. We all did the Hot Ones Challenge.
Dave Bittner: Wow. Okay.
Selena Larson: Yeah, let's just say it wasn't quite the same mouthfeel as a truffle parmesan dip.
Dave Bittner: No, I wouldn't think so. I think after that, you'd have no feeling in your mouth.
Selena Larson: Honestly, yeah, I think that's what happens.
Dave Bittner: Right. All right. Well, thank you, Selena, and thank you, Rick, this was great fun as always.
Selena Larson: Thank you.
Rick Howard: See you, guys.
Selena Larson: And that's Only Malware in the Building, brought to you by N2K CyberWire. In a digital world where malware lurks in the shadows, we bring you the stories and strategies to stay one step ahead of the game. As your trusty digital sleuths, we're unravelling the mysteries of cybersecurity, always keeping the bad guys one step behind. We'd love to know what you think of this podcast; your feedback ensures we deliver the insights that keep you ahead in an ever-evolving world of cybersecurity. If you like the show, please share a rating and review in your podcast app. This episode was produced by Liz Stokes, mixing and sound design by Tre Hester, with original music by Elliott Peltzman; our executive producer is Jennifer Eiben, our executive editor is Brandon Karpf, Simone Petrella is our president, Peter Kilpe is our publisher.
Dave Bittner: I'm Dave Bittner.
Rick Howard: And I'm Rick Howard.
Selena Larson: And I'm Selena Larson. Thanks for listening. [ Music ]