In the world of cybersecurity, understanding adversary infrastructure is critical for defenders and researchers tracking adversary operations. We use the term “adversary infrastructure” to refer to any infrastructure that is established by or commandeered by adversaries to support their operations. This includes command and control (C2) servers, open web directories hosting malicious files, and residential and IoT devices recruited into botnets or used to route malicious traffic while obfuscating its true origins.
Threat research has historically focused, and still largely focuses, on malware analysis and reverse engineering, concentrating on actor behavior and attack mechanics. This is useful for understanding the actor’s objectives and tradecraft, but alongside this “micro” view of adversary activity, the broader “macro” view provided by infrastructure tracking can be incredibly helpful. It offers a complementary perspective that sheds additional light on actor tactics and often provides pivot points for researchers seeking to enumerate related infrastructure. It can also aid defenders hoping to stay at the forefront of detection to protect their organizations.
Evolved Attack Surface and Vectors
C2 Infrastructure
C2 servers enable threat actors to remotely monitor, issue commands, and exfiltrate data across compromised devices. In some ways, they are an IT endpoint management tool, but with nefarious intent. C2 infrastructure is also a popular research topic, offering insight into different campaigns and enabling analysts and defenders to identify potentially related infrastructure.
Cobalt Strike is the most commonly observed C2 variant globally. Cobalt Strike was first introduced over 10 years ago as a tool for threat emulation and red teaming. While it’s a commercial tool now owned by Fortra with official licenses starting at upwards of $3,500 USD per user per year, pirated versions abound and can be found online.
These illegally pirated versions of Cobalt Strike have been the subject of multiple takedown efforts over the last several years, including a 2023 joint effort between Microsoft, Fortra, and the Health Information Sharing and Analysis Center (Health ISAC). This effort reportedly resulted in a 25% decrease (roughly 1,000 servers) in the number of cracked versions of Cobalt Strike online at the time.
In June 2024, the UK National Crime Agency led an effort to reduce the number of cracked Cobalt Strike instances online, dubbed Operation Morpheus. This effort claimed a staggering 85% success rate, with action taken against 690 cracked instances and takedowns of 593.
While these takedowns and disruptions may be fruitful in the moment, there’s often a rebound effect as actors recover and reestablish their infrastructure. Despite multiple takedown efforts, Cobalt Strike remains popular, and two newer C2 tools, Viper and Sliver, are also gaining popularity. As relatively new, open-source tools available on GitHub, they are easy to access and straightforward to deploy.
Understanding trends in online footprints of various C2s can help defenders tailor their monitoring, and researchers stay vigilant for newer and emerging C2 threats as the landscape continues to evolve.
Open Web Directories & Their Lifespans
Beyond C2 servers, threat actors continue to leverage additional infrastructure, such as open directories, to aid in their operations.
Open web directories are essentially filesystems exposed directly to the Internet. In some cases, this is entirely unintentional and results in sensitive data being available to anyone exploring open directories. In other cases, they’re set up deliberately as a form of file sharing, allowing others to download games and other media from the exposed directory. However, the open directories we’re most interested in are more nefarious in nature–specifically, those that host malware or threat actor tooling.
Using open directories as a virtual toolbox of sorts isn’t a new technique, but understanding their lifespans–how long they remain online–can be useful for researchers hoping to track an actor or even a specific campaign.
We can break “lifespan” into two buckets: content lifespan and network lifespan. Content lifespans refer to how long an open directory’s contents remain the same, while network lifespan measures how long a given open directory remains online. Open directories have relatively short network lifespans, a median of 1 day. However, studying the content of open directories reveals that the median lifespan is closer to 3 days.
This suggests that even if an open directory is volatile in terms of network visibility, the same content may be served from the directory over a slightly longer period of time. Understanding the lifespan of an open directory is key to uncovering more about an actor’s behavior, as it enables researchers to track changes to its contents over time.
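The two lifespan measures can be computed directly from a series of scan sightings. The following is an added example, not code from the original post or from Censys: it takes a constructed set of daily observations (directory identifier, timestamp, and a placeholder content digest) and treats a gap longer than one scan interval as the end of a network-visibility run, while content lifespan spans first to last sighting of the same digest regardless of such gaps. The sample data, the `SCAN_INTERVAL` cadence, and the interpretation that a directory which goes dark and returns starts a new network run are assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass(frozen=True)
class Observation:
    """One scanner sighting of an open directory (all values constructed)."""
    host: str        # hypothetical directory identifier, e.g. host:port/path
    seen: datetime   # when the scanner saw the listing
    content: str     # digest of the listing; stands in for a real content hash


# Constructed sample of daily scans over five days; not real infrastructure.
OBSERVATIONS = [
    Observation("dir-a", datetime(2024, 6, 1), "h1"),
    Observation("dir-a", datetime(2024, 6, 2), "h1"),
    Observation("dir-a", datetime(2024, 6, 3), "h2"),   # content changed, host still up
    Observation("dir-b", datetime(2024, 6, 1), "h3"),   # seen once, then gone
    Observation("dir-c", datetime(2024, 6, 1), "h4"),
    Observation("dir-c", datetime(2024, 6, 4), "h4"),   # back after a 2-day gap, same content
    Observation("dir-c", datetime(2024, 6, 5), "h4"),
    Observation("dir-d", datetime(2024, 6, 1), "h5"),   # flickers every other day
    Observation("dir-d", datetime(2024, 6, 3), "h5"),
    Observation("dir-d", datetime(2024, 6, 5), "h5"),
]

SCAN_INTERVAL = timedelta(days=1)  # assumed scanner cadence


def network_lifespans(observations, interval=SCAN_INTERVAL):
    """Network lifespan: length in days of each contiguous run of sightings
    per directory. A gap longer than one scan interval ends the run, so a
    directory that goes dark and returns yields several short runs."""
    by_host = defaultdict(list)
    for o in observations:
        by_host[o.host].append(o.seen)
    runs = []
    for host, times in by_host.items():
        times.sort()
        start = prev = times[0]
        for t in times[1:]:
            if t - prev > interval:
                runs.append((host, (prev - start).days + 1))
                start = t
            prev = t
        runs.append((host, (prev - start).days + 1))
    return runs


def content_lifespans(observations):
    """Content lifespan: days from first to last sighting of the same digest on
    the same directory, ignoring gaps in network visibility in between."""
    first, last = {}, {}
    for o in observations:
        key = (o.host, o.content)
        first[key] = min(first.get(key, o.seen), o.seen)
        last[key] = max(last.get(key, o.seen), o.seen)
    return [(key, (last[key] - first[key]).days + 1) for key in first]


def median_days(spans):
    """Median of the day counts in a list of (key, days) pairs."""
    return median(days for _, days in spans)


if __name__ == "__main__":
    net = network_lifespans(OBSERVATIONS)
    con = content_lifespans(OBSERVATIONS)
    print("network runs:", net)
    print("content spans:", con)
    print("median network lifespan (days):", median_days(net))
    print("median content lifespan (days):", median_days(con))
```

On this constructed sample the median network run is 1 day while the median content span is 2 days, reproducing in miniature the pattern described above: directories flicker in and out of scan visibility faster than their contents change, so keying tracking on content rather than on reachability keeps a campaign in view for longer.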
Conclusion: Creating a Safer Internet
The dynamic and ephemeral nature of adversary infrastructure, from Cobalt Strike takedown rebounds to lifespans of malicious open directories, emphasizes the importance of careful tracking and analysis of such infrastructure. To most effectively leverage Internet-wide scan data for these purposes, defenders and researchers can:
- Document infrastructure-related TTPs specific to actors of interest–perhaps those that target your industry or a specific technology in your tech stack–and regularly search for infrastructure that matches identified patterns.
- Use interesting or unusual infrastructure patterns to identify useful pivots for enumerating additional related adversary infrastructure.
- Implement monitoring for infrastructure that matches patterns of interest. This ensures data about even the most ephemeral services and infrastructure is captured for analysis.
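The three steps above (document patterns, pivot from hits, monitor for new matches) can be expressed as a small tracking loop over scan data. The following is an added example and is not code from the original post or from Censys: it runs against two constructed scan snapshots using documentation-range addresses (192.0.2.0/24) and placeholder certificate fingerprints, and the two patterns it documents (an open directory signalled by an "Index of /" title, and a TLS service with a "Login" title) are illustrative assumptions rather than fingerprints of any real tool. The snapshot format and field names are likewise assumed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class HostRecord:
    """One scanned service. All values are constructed; 192.0.2.0/24 is the
    documentation range and the fingerprints are placeholders, not real IoCs."""
    ip: str
    port: int
    service: str                # protocol label assigned by the scanner
    http_title: str = ""        # HTML <title> observed on the service
    cert_fingerprint: str = ""  # placeholder for a TLS certificate fingerprint


# Constructed snapshot from a first scan.
SNAPSHOT_DAY1 = [
    HostRecord("192.0.2.10", 443, "TLS", "Login", "CERT-A"),
    HostRecord("192.0.2.11", 8443, "TLS", "Login", "CERT-A"),   # reuses CERT-A
    HostRecord("192.0.2.12", 8080, "HTTP", "Index of /tools"),
    HostRecord("192.0.2.13", 443, "TLS", "Welcome", "CERT-B"),
    HostRecord("192.0.2.14", 8080, "HTTP", "Index of /"),
]

# Constructed snapshot from the next scan: one open directory vanished, one appeared.
SNAPSHOT_DAY2 = [
    HostRecord("192.0.2.10", 443, "TLS", "Login", "CERT-A"),
    HostRecord("192.0.2.11", 8443, "TLS", "Login", "CERT-A"),
    HostRecord("192.0.2.13", 443, "TLS", "Welcome", "CERT-B"),
    HostRecord("192.0.2.14", 8080, "HTTP", "Index of /"),
    HostRecord("192.0.2.15", 8000, "HTTP", "Index of /stage"),
]

# Documented TTP patterns: each maps a HostRecord field to a predicate on its value.
# Both patterns are illustrative assumptions, not fingerprints of a real tool.
PATTERNS = {
    "open_directory": {
        "service": lambda s: s == "HTTP",
        "http_title": lambda t: t.startswith("Index of /"),
    },
    "tls_login_panel": {
        "service": lambda s: s == "TLS",
        "http_title": lambda t: t == "Login",
    },
}


def matches(record, pattern):
    """True when every field predicate in the pattern holds for the record."""
    return all(pred(getattr(record, field)) for field, pred in pattern.items())


def search(snapshot, patterns):
    """Step 1: find hosts matching each documented pattern."""
    return {name: [r for r in snapshot if matches(r, p)] for name, p in patterns.items()}


def pivot(snapshot, seeds, attribute):
    """Step 2: from seed hits, find other hosts sharing a non-empty value of
    `attribute` (for example the same certificate fingerprint)."""
    values = {getattr(s, attribute) for s in seeds} - {""}
    seed_keys = {(s.ip, s.port) for s in seeds}
    return [r for r in snapshot
            if getattr(r, attribute) in values and (r.ip, r.port) not in seed_keys]


def new_matches(previous, current, pattern):
    """Step 3: monitoring. Hosts matching the pattern in the current snapshot
    that were absent from the previous one; record them before they vanish."""
    old = {(r.ip, r.port) for r in previous if matches(r, pattern)}
    return [r for r in current if matches(r, pattern) and (r.ip, r.port) not in old]


if __name__ == "__main__":
    hits = search(SNAPSHOT_DAY1, PATTERNS)
    for name, records in hits.items():
        print(name, [f"{r.ip}:{r.port}" for r in records])
    seed = [r for r in SNAPSHOT_DAY1 if r.ip == "192.0.2.10"]
    print("pivot on cert:", [r.ip for r in pivot(SNAPSHOT_DAY1, seed, "cert_fingerprint")])
    fresh = new_matches(SNAPSHOT_DAY1, SNAPSHOT_DAY2, PATTERNS["open_directory"])
    print("new open dirs:", [r.ip for r in fresh])
```

The pivot deliberately ignores empty attribute values so that hosts lacking a certificate are never joined together on a blank field, and the monitoring step keys on (ip, port) rather than on the whole record so that a banner change on a known host does not register as a new sighting.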
As actors continue to evolve their tactics and tooling in response to disruption efforts, access to the most accurate, up-to-date map of the Internet is crucial for researchers and defenders investigating malicious activity. Executives desiring to empower their security and research teams should look to internet scanning as a key source of information that enables their teams to most effectively track and measure adversary infrastructure across the Internet.
Emily is a Principal Security Researcher at Censys, where she studies security threats and other interesting Internet phenomena. Previously, she was a security engineer focused on threat hunting, detection, and incident response. Emily is interested in the application of data science and analytics techniques to problems in security, and in the past has worked on projects related to anti-abuse, fraud, and malicious web app traffic detection.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.