A technique known as Domain Fronting was recently documented for circumventing censorship restrictions by Open Whisper Systems. The benefits of this technique for use in adversary simulations was recognised by several people, including Optiv and Raphael Mudge. If you are not familiar with this concept, these resources are recommended reading. However to summarise, the TLDR is many services and in particular CDN services, can act as redirectors for a c2 channel. The benefit of this is it provides a reputable domain for egress and can therefore be used to circumvent proxy categorisation and other network based monitoring.
In Raphael’s video, he describes how a trusted domain such as a0.awsstatic.com can be used for egress by specifying a Host header that points to an attacker controlled Cloudfront instance within the Malleable c2 profile. Our research expands on this idea to identify additional high reputation domains that can be used for egress.
Amazon customers who do not want to use a generic cloudfront.net domain are able to use an “alternate domain” by simply configuring the appropriate CNAME record to point to their Cloudfront instance. This process is described by Amazon here, as shown below:
As such, any domain with a CNAME record pointing to the Cloudfront CDN can be used as an egress channel. Identifying these domains is relatively trivial, many can be located through Google dorks such as “CNAME *.cloudfront.net”, or using DNS bruteforcing. One of the Google dork results returns cdn.bitnami.com as a possible CNAME. We can trivially confirm that the CNAME is set as shown below:
To validate that it’s possible to use cdn.bitnami.com as an egress domain, we can try and retrieve the “foo.txt” file that’s hosted on our c2 server and pointed to by our Cloudfront instance:
We identified many high reputation domains that can be used for fronting, including cdn.az.gov, media.tumblr.com, images.instagram.com, cdn.zendesk.com and cdn.atlassian.com to name but a few.
