This post was originally published on https://www.mdsec.co.uk/blog/ while I was employed by MDSec Consulting Limited in the United Kingdom. It is mirrored on my own blog for archiving reasons.
These are not the domains you are looking for…
A technique known as Domain Fronting was recently documented by Open Whisper Systems as a means of circumventing censorship. Its usefulness for adversary simulations was quickly recognised by several people, including Optiv and Raphael Mudge; if you are not familiar with the concept, those resources are recommended reading. To summarise, the TL;DR is that many services, and CDN services in particular, can act as redirectors for a C2 channel: the DNS lookup and the TLS SNI name a high reputation domain served by the CDN, while the HTTP Host header inside the encrypted connection names the attacker's own CDN instance, and it is the Host header that the CDN routes on. The benefit is a reputable domain for egress, which can be used to circumvent proxy categorisation and other network based monitoring.
In Raphael's video, he describes how a trusted domain such as a0.awsstatic.com can be used for egress by specifying, in the Malleable C2 profile, a Host header that points to an attacker controlled CloudFront instance. Our research expands on this idea to identify additional high reputation domains that can be used for egress.
Amazon customers who do not want to use a generic cloudfront.net domain can use an “alternate domain” by simply configuring a CNAME record for it that points to their CloudFront instance. This process is described by Amazon here, as shown below:
As such, any domain with a CNAME record pointing to the CloudFront CDN is a candidate egress channel. Identifying these domains is relatively trivial: many can be located through Google dorks such as “*CNAME .cloudfront.net”, or by DNS bruteforcing. One of the Google dork results returns cdn.bitnami.com as a possible CNAME. We can trivially confirm that the CNAME is set, as shown below:
To validate that cdn.bitnami.com can be used as an egress domain, we attempt to retrieve a “foo.txt” file hosted on our C2 server (the origin behind our CloudFront instance) by connecting to cdn.bitnami.com and sending a Host header that names our CloudFront instance:
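The candidate check and the validation fetch above, as an added example that is not part of the original post or MDSec's tooling. It follows the CNAME chain of a domain to see whether it ends at *.cloudfront.net, then opens a TLS session with the SNI set to the reputable front domain and sends a request whose Host header names the CloudFront distribution. The DNS answers in `SAMPLE_CNAMES` are constructed, and `d111111abcdef8.cloudfront.net` is a placeholder that must be replaced with a distribution you control:

```python
"""Check whether a domain is a CloudFront domain-fronting candidate and,
optionally, perform the fronted fetch of /foo.txt through it.

Added example, not MDSec's tooling. SAMPLE_CNAMES holds constructed DNS
answers; the CloudFront distribution name is a placeholder.
"""
import socket
import ssl
import subprocess
import sys

CLOUDFRONT_SUFFIX = ".cloudfront.net."


def fqdn(name):
    """Normalise a DNS name to lower-case with a trailing dot."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def cname_chain(name, resolve_cname, max_depth=8):
    """Follow CNAME records from `name`.

    `resolve_cname(fqdn)` returns the CNAME target of a name, or None if the
    name has no CNAME. Returns the names visited, starting with `name`
    itself; stops on a CNAME loop or after `max_depth` hops.
    """
    chain = [fqdn(name)]
    seen = set(chain)
    while len(chain) <= max_depth:
        target = resolve_cname(chain[-1])
        if target is None:
            break
        target = fqdn(target)
        if target in seen:  # CNAME loop: stop rather than spin
            break
        chain.append(target)
        seen.add(target)
    return chain


def is_cloudfront_fronted(name, resolve_cname):
    """True if `name` ultimately CNAMEs to *.cloudfront.net, i.e. it is a
    candidate front for a CloudFront distribution we control."""
    chain = cname_chain(name, resolve_cname)
    return any(n.endswith(CLOUDFRONT_SUFFIX) for n in chain[1:])


def build_fronted_request(distribution, path="/foo.txt"):
    """The HTTP/1.1 request sent inside the TLS session to the front.
    The Host header names our distribution, not the SNI name."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {distribution}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode()


def fronted_fetch(front, distribution, path="/foo.txt", timeout=10):
    """Connect to `front` on 443 with SNI=front, so the CDN presents its
    certificate for the reputable domain and the session looks like ordinary
    traffic to it, then request `path` with Host=distribution.
    Returns (status_line, body). Needs network access."""
    ctx = ssl.create_default_context()  # certificate is verified against `front`
    with socket.create_connection((front, 443), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=front) as tls:
            tls.sendall(build_fronted_request(distribution, path))
            buf = b""
            while True:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                buf += chunk
    head, _, body = buf.partition(b"\r\n\r\n")
    return head.split(b"\r\n", 1)[0].decode(errors="replace"), body


def dig_cname(name):
    """Live CNAME lookup via `dig +short` (only used from the command line)."""
    out = subprocess.run(["dig", "+short", name, "CNAME"],
                         capture_output=True, text=True, check=False).stdout
    first = out.strip().splitlines()[:1]
    return first[0] if first else None


# Constructed DNS answers standing in for a live resolver (not real records).
SAMPLE_CNAMES = {
    "cdn.example.com.": "d111111abcdef8.cloudfront.net.",  # placeholder distribution
    "static.example.org.": "edge.othercdn.example.",  # some other CDN, not fronting-capable here
    "loop.example.com.": "loop2.example.com.",
    "loop2.example.com.": "loop.example.com.",
}

if __name__ == "__main__":
    front, distribution = sys.argv[1], sys.argv[2]
    if not is_cloudfront_fronted(front, dig_cname):
        sys.exit(f"{front} does not CNAME to cloudfront.net; not a candidate")
    status, body = fronted_fetch(front, distribution)
    print(status)
    print(body.decode(errors="replace"))
```

Run as `python3 front_check.py cdn.bitnami.com <your-distribution>.cloudfront.net` to repeat the check from the post: the certificate and SNI belong to the front, only the Host header points at your CloudFront instance, and a 200 with the contents of foo.txt confirms the front works. Certificate verification is deliberately left on, since a front whose certificate does not validate would itself be a signal to a proxy.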
We identified many high reputation domains that, at the time of writing, could be used for fronting, including cdn.az.gov, media.tumblr.com, images.instagram.com, cdn.zendesk.com and cdn.atlassian.com to name but a few.
The short video below demonstrates this further, showing how they can be used within Cobalt Strike beacons.
Raphael Mudge pointed out in his blog post that an RFC 2616 compliant proxy will rewrite the Host header, making it impossible to do domain fronting over plain HTTP, or over HTTPS where SSL/TLS interception is taking place.
However, further research showed that RFC compliance is not consistently applied. The following video demonstrates how the Sophos Web Security gateway does not rewrite the Host header and can therefore still be used for domain fronting. It also demonstrates why fronting a variety of high reputation domains is a powerful technique for evading proxy categorisation:
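For the defensive side of the caveat above: a proxy that decrypts traffic but does not rewrite or categorise on the Host header can still log it, and the signal is then a connection whose TLS SNI (the reputable, categorised domain) differs from the Host header the CDN routes on. The following is an added detection example, not part of the original post and not the Sophos log format; the key=value log lines are constructed, and the cloudfront.net distribution names in them are placeholders. The SNI is visible without decryption, but the Host header is only available when interception is in place, which is exactly the case Raphael's point concerns.

```python
"""Flag possible domain fronting in decrypted proxy logs: connections whose
TLS SNI differs from the HTTP Host header.

Added example, not part of the original post and not a real proxy's format.
SAMPLE_LOG is constructed; the cloudfront.net names are placeholders.
"""
import re

# Suffixes of CDN hostnames that an attacker can point a Host header at.
CDN_SUFFIXES = (".cloudfront.net",)

# Constructed log lines (not real traffic). Fields: ts, src, sni, host.
SAMPLE_LOG = """\
ts=2017-01-10T09:00:01Z src=10.0.0.5 sni=cdn.bitnami.com host=cdn.bitnami.com
ts=2017-01-10T09:00:02Z src=10.0.0.5 sni=cdn.bitnami.com host=d111111abcdef8.cloudfront.net
ts=2017-01-10T09:00:03Z src=10.0.0.7 sni=www.example.com host=WWW.example.com:443
ts=2017-01-10T09:00:04Z src=10.0.0.9 sni=media.tumblr.com host=d222222abcdef8.cloudfront.net
ts=2017-01-10T09:00:05Z src=10.0.0.9 sni=a0.awsstatic.com host=a0.awsstatic.com
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse one key=value log line into a dict."""
    return dict(KV.findall(line))


def normalise(hostname):
    """Lower-case, drop any port and trailing dot, so that a Host header of
    WWW.example.com:443 compares equal to an SNI of www.example.com."""
    h = hostname.strip().lower().rstrip(".")
    if h.startswith("["):  # IPv6 literal such as [::1]:443
        return h.split("]")[0] + "]"
    return h.rsplit(":", 1)[0] if ":" in h else h


def classify(rec):
    """Return None for a benign record, otherwise a short reason string."""
    sni = normalise(rec.get("sni", ""))
    host = normalise(rec.get("host", ""))
    if not sni or not host or sni == host:
        return None
    if host.endswith(CDN_SUFFIXES):
        # The strongest form of the signal: a categorised front in the SNI,
        # an arbitrary CDN distribution in the Host header.
        return f"host is a CDN distribution ({host}) behind front {sni}"
    return f"host/sni mismatch ({host} vs {sni})"


def find_fronting(log_text):
    """Run classify() over every line; returns (ts, src, reason) tuples."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        reason = classify(rec)
        if reason:
            hits.append((rec["ts"], rec["src"], reason))
    return hits


if __name__ == "__main__":
    for ts, src, reason in find_fronting(SAMPLE_LOG):
        print(f"{ts} {src} {reason}")
```

Over the constructed log this flags the two connections whose Host header is a CloudFront distribution sitting behind a cdn.bitnami.com or media.tumblr.com SNI, and ignores the third line, where the only difference is case and an explicit port. An SNI/Host mismatch is not proof on its own, since some legitimate clients and load balancers produce them, but a mismatch where the Host header is a generic CDN hostname is worth an alert, and a proxy that categorises on the Host header rather than the SNI or URL removes the technique altogether.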