Security Experts:

Attackers Place Command and Control Servers Inside Enterprise Walls

Stealthy Attacks Use Trusted Enterprise Systems and Trusted Networks, Making Detection Difficult

Skilled attackers are burrowing their command and control (C&C) servers inside the networks of compromised businesses in order to circumvent security measures, according to a security expert familiar with the innovative new attack method.

The tactic is the latest twist in attempts by botnet operators to launch advanced persistent threats (APTs) that can stay below the radar while compromising corporate resources.

“We’ve been seeing this for the last four or five months,” Tom Kellermann, vice president of cybersecurity at Trend Micro told SecurityWeek. “I think it’s really significant when you look at incident response techniques and how this can defeat most of those…everyone keeps assuming that nation states are the only ones launching APTs…but in fact we’re seeing tremendous innovation of this technology by criminal crews.”

Hidden Command and Control ServersAccording to Kellermann, Trend Micro has observed dozens of incidents were these tactics have been used. In many cases, the compromised servers being used for C&C were compromised in previous attacks and hackers were able to maintain access, he said. The technique helps attackers to stay stealthy as they exfiltrate data, as very little C&C traffic is leaving the network.

“The advantage here is that the internal C&C server can be configured to connect back to the attacker once per day, using standard Web traffic,” he said. “Every other C&C communication is on the internal network. The advantage of that is that none of that C&C traffic is passing through perimeter firewalls or intrusion detection systems - so it is very unlikely to be detected. While the attacker still needs to send that single communication per day with any stolen data / issuing new commands, this is trickier to detect. So what the attacker loses in ease of use and management he makes up for in stealth.”

Any machine can become the C&C, he added. The tactic adds two more steps to forensic investigation, as now investigators must conduct a penetration test from inside out in order and identify the service wherein a syscall proxy has been embedded in the memory space.

Also interesting, is that attackers conducting these types of attacks have been seen applying software patches to the compromised systems in an effort to ensure other attackers are kept out and that the systems are not potentially red-flagged. “The attackers have added another stage to the attack process,” Kellerman said. “In this case, the attackers have added a maintenance stage in an effort to further protect their work.”

Phillip Lin, director of marketing at security vendor FireEye, said the multi-tier architectural approach is not dissimilar to what was done by the operators of Waledac, a once formidable botnet that was taken down in an effort led by Microsoft in 2010.

“Waldec is an example that used a multi-tier structure - not exactly like the 'internal C&C' described, but (a) similar botnet chain of command structure,” Lin said, “In Waldec's example, some of the internal tiers of infected hosts served as internal DNS to bypass DNS analysis and HTTP proxies, etc.”

From a forensics or post-data breach investigation standpoint, the strategy may make life easier in one way – the compromised organization owns the C&C server, Lin said.

“The challenge in typical botnet scenarios is that the bot communications/data exfiltration is stored on a third-party C&C, so there are legal hoops to jump through before an organization (or) law enforcement can perform forensic investigations on the C&C.”

According to Kellermann, the growing sophistication of attackers means organizations need to operate under the assumption that hackers are going to get in, and plan their defenses around minimizing the damage they can do if a compromise occurs.

“I’m never going to be able to keep you out all the time,” he said.