Security researchers at Fidelis have published a proof-of-concept framework for a new covert channel for data exchange using the Transport Layer Security (TLS) protocol. The method leverages the public key certificate standard X.509 and could allow for post-intrusion C2 communication and data exfiltration without alerting network perimeter protections. Justin Jett, Director of Audit and Compliance at Plixer commented below.
Justin Jett, Director of Audit and Compliance at Plixer:
“By taking advantage of TLS x.509 extensions, malicious actors will try to steal data similarly to how they have done using DNS TXT. By collecting and analyzing certificate details in IPFIX metadata from devices like Gigamon, etc. security and network professionals can detect when anomalous data values are sent over TLS extensions. The data also will reveal connections that use self-signed certificates (the certificates that are likely to be used for such exchanges). This can provide quick remediation of an otherwise hidden data leak.”