Researchers from Fidelis Cybersecurity have described a new way of abusing the X.509 public key certificate standard as a covert data channel after an initial system compromise.
X.509 certificates are used by both Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL), but the way certificates are exchanged can be abused to hijack them for command and control (C&C) communication, the researchers say.
X.509 extensions can carry covert-channel data past network protections that do not inspect certificate values, the researchers say. No confirmed cases of the technique being abused have been observed so far, but the widespread use of certificates could put many organizations at risk, Fidelis researchers argue.
To demonstrate the technique, Fidelis Cybersecurity released a custom-built framework as a proof of concept. The researchers point out, however, that detection is possible and that the community can implement protections to identify abuse of this covert data channel.
Source: http://www.securityweek.com/tls-abusing-covert-data-channel-bypasses-network-defenses
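As an added illustration of the detection point above (example code written for this page, not the Fidelis framework or anything from the article): a small DER walker that inventories the extensions in a certificate's Extensions SEQUENCE and flags extensions with unknown OIDs or payloads far larger than standard extensions need. The OID allowlist, the 512-byte threshold and the sample extensions (including the private-arc OID 1.3.6.1.4.1.99999.1) are constructed assumptions.

```python
# Assumed allowlist of common extension OIDs and an assumed per-extension size threshold.
KNOWN_OIDS = {"2.5.29.14": "subjectKeyIdentifier", "2.5.29.15": "keyUsage",
              "2.5.29.17": "subjectAltName", "2.5.29.19": "basicConstraints",
              "2.5.29.35": "authorityKeyIdentifier", "2.5.29.37": "extKeyUsage"}
MAX_EXT_BYTES = 512

def read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, content_bytes, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long form: 0x80|N, then N length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Decode OID content octets (base-128 arcs) to dotted notation."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def audit_extensions(ext_seq_der):
    """Return [(oid, name, payload_size, flags)] for every Extension in the SEQUENCE."""
    tag, body, _ = read_tlv(ext_seq_der, 0)
    if tag != 0x30: raise ValueError("expected SEQUENCE OF Extension")
    findings, pos = [], 0
    while pos < len(body):
        _, ext, pos = read_tlv(body, pos)        # Extension ::= SEQUENCE { ... }
        _, oid_raw, p = read_tlv(ext, 0)         # extnID OBJECT IDENTIFIER
        t, value, p = read_tlv(ext, p)           # critical BOOLEAN is optional,
        if t == 0x01:                            # so skip it if present and
            _, value, p = read_tlv(ext, p)       # read extnValue OCTET STRING
        oid = decode_oid(oid_raw)
        flags = [f for f, hit in [("unknown-oid", oid not in KNOWN_OIDS),
                                  ("oversized", len(value) > MAX_EXT_BYTES)] if hit]
        findings.append((oid, KNOWN_OIDS.get(oid, "?"), len(value), flags))
    return findings

def der(tag, content):
    """Encode one DER TLV; used only to build the constructed sample below."""
    n = len(content)
    hdr = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + hdr + content

# Constructed sample: a normal critical basicConstraints, then a made-up private-arc OID carrying 900 opaque bytes.
SAMPLE_EXTENSIONS = der(0x30,
    der(0x30, der(0x06, bytes.fromhex("551d13")) + der(0x01, b"\xff") + der(0x04, der(0x30, b"")))
    + der(0x30, der(0x06, bytes.fromhex("2b06010401868d1f01")) + der(0x04, bytes(900))))
```

Run `audit_extensions(SAMPLE_EXTENSIONS)` to see the first extension pass cleanly and the second come back flagged `unknown-oid` and `oversized`; in practice the same walk would be applied to the extensions of every certificate seen in a TLS handshake.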
(Score: 3, Interesting) by FatPhil on Wednesday February 07, @10:26AM (1 child)
Yeah, that's kind of implicit in the "permitted to communicate with each other" part of the setup. How's that news?
IP-over-TLS would have been a nerdier demonstration of the side channel. I have had to use IP-over-DNS in the past, that's a cool hack. (Until $EMPLOYER realised that in order to actually do my work I'd need to communicate with the outside world, that is. Big corporations are as dumb as they are big.)
(Score: 0) by Anonymous Coward on Wednesday February 07, @07:27PM
What makes it newsworthy is that your IDS/IPS would show no record of this transaction other than the failed TLS handshake. There's no way to spot this data leaving your network.