An extraneous space in the HTTP responses of webservers run by a variety of malicious actors allowed Fox-IT researchers to identify them pretty easily for the past year and a half.
This was possible because attackers have been using Cobalt Strike, a commercial penetration testing tool “designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”, and the version they’ve been using sported the uncommon whitespace in its server responses.
Pinpointing attack servers
“Though Cobalt Strike is designed for adversary simulation, somewhat ironically the framework has been adopted by an ever increasing number of malicious threat actors: from financially motivated criminals such as Navigator/FIN7, to state-affiliated groups motivated by political espionage such as APT29,” Fox-IT researchers noted.
The tool has an implant component (beacon) and a server component (team server), and operators can connect to the latter to manage and interact with the Cobalt Strike beacons using a GUI.
“On top of collaboration, the team server also acts as a webserver where the beacons connect to for Command & Control, but it can also be configured to serve the beacon payload, landing pages and arbitrary files,” they explained.
“Communication to these servers can be fingerprinted with the use of Intrusion Detection System (IDS) signatures such as Snort, but with enough customization of the beacon, and/or usage of a custom TLS certificate, this becomes troublesome. However, by applying other fingerprinting techniques a more accurate picture of the Cobalt Strike team servers that are publicly reachable can be painted.”
The HTTP header anomaly allowed Fox-IT researchers to do just that, and to discover servers used by APT 10, the Cobalt Group, attackers leveraging the Bokbot Trojan, and so on.
The researchers have compiled a list of IP addresses of Cobalt Strike team servers that have been operational between 2015 and now – and some still are – so that organizations can verify whether they have been targeted.
“The IP addresses can be checked with e.g. firewall and proxy logs, or on aggregate against SIEM data,” they explained, but made sure to note that the list might contain IP addresses of legitimate NanoHTTPD servers (Cobalt Strike team servers are based on the open-source NanoHTTPD server).
“Fox-IT recognizes the merit of building and distributing offensive tooling, particularly for security testing purposes. In our opinion the benefits of publishing this list (allowing everyone to detect unwanted attacks retroactively) outweigh the downsides, which could include potentially affecting ongoing red team operations. We believe that we all have an interest in raising the bar of security operations, and therefore increasing visibility across the board will inform a higher level of operational security and awareness on all sides,” they noted.
They also advised red teamers to implement mitigations to make their Cobalt Strike team server difficult to fingerprint.
Since January 2019, the “extraneous space” bug has become less helpful for discovering attack servers because a new version of Cobalt Strike (v3.1.3) was released and the bug removed from HTTP status responses. This is also the reason why Fox-IT decided to publicly reveal their use of the bug for fingerprinting attack servers and keeping an eye on malicious actors’ activities.