C2: When Attackers Use Our Weapons Against Us
Super embarrassing when you’re hosting C2 infrastructure as a respectable enterprise, right? Or when the Red Team beats the Blue Team?
Thanks to the popularization of threat intelligence, most organizations know they need to block outbound connections to known C2 infrastructure, but what happens when you are the one hosting it? Sure, you can wait for the FBI to notify you if you are part of critical infrastructure, or you can read on to learn how Censys gives you a chance to be proactive. First, let's take a step back and look at the weapons, who they are intended for, and how attackers are using our own weapons against us.
What is C2 infrastructure?
The term “C2” stands for Command and Control, also known as C&C. C2 software is the server side of an intrusion toolkit: an operator uses it to send commands over the internet to agents (implants) running on compromised machines and to collect what they send back. Like any software, a C2 server ships with identifiable defaults, such as the TLS certificate it generates, the HTTP responses it returns, and the URI patterns its agents use, and those defaults can be fingerprinted. In the hands of security professionals these tools are used to test defenses, but the same tools can be leveraged for malicious ends.
Who uses C2 infrastructure?
Penetration Testers – Often called pen testers, red teamers, ethical hackers, or white hat hackers, these are cybersecurity professionals who test the security controls of organizations. They adopt the mindset of an attacker and attempt to penetrate the organization by finding the gaps. Penetration testers often use C2 infrastructure to run their testing activities.
… and the bad.
Attackers – External parties with malicious intent have a variety of custom and open source tools for conducting command and control activity. Attackers use C2 infrastructure to issue commands to their malware, move laterally through the victim's network, and exfiltrate data.
Attackers also use C2 infrastructure to command botnets. Botnets are often remembered for distributing spam, but they can also be leveraged for more nefarious activities such as Denial of Service attacks and siphoning data.
How did the Attackers get the jump on us?
The same tools penetration testers use to help keep your organization safe and secure can be weaponized by attackers to take command and control. A highly publicized example is Cobalt Strike, a paid “[s]oftware for Adversary Simulations and Red Team Operations” as defined on the official Cobalt Strike website at the time of publishing. It uses an agent called Beacon that is designed to evade traditional security controls. Beacon's network behavior is highly customizable: an operator can change the URIs, headers, certificate, and traffic shape it uses, so the same tool can look very different from one deployment to the next. That variety is why no single signature or security tool reliably catches it. The same properties that make Cobalt Strike a powerful way to test your security controls are the ones that make it so difficult to detect.
Further, it costs only $3,500 a year per user according to Cobalt Strike's website, making the barrier to entry relatively low for attackers who can get their hands on a legitimate license. Cobalt Strike's vendor does what it can to restrict sales to legitimate users, but like any software it is subject to piracy and to illegal resale of licenses in secondary markets such as the dark web. Worse, use of Cobalt Strike by attackers continues to rise according to a report from last year: “use of Cobalt Strike increased 161 percent from 2019 to 2020 and remains a high-volume threat in 2021.”
While Cobalt Strike may be the most notorious penetration testing tool used for malicious activity, it is not the only one. DarkReading recently reported that Bishop Fox's open source C2 framework, ‘Sliver’, is emerging as a free alternative for attackers. “Defenders are now having more and more successes in detecting and mitigating against Cobalt Strike. So, the transition away from Cobalt Strike to frameworks like Sliver is to be expected”. With attackers turning security tools against the defenders they were built for, we need more than one way to catch them.
How can Censys help?
With that in mind, over here at Censys there has been a recent effort within our rapid-response organization to identify and fingerprint all of the interesting C2 services we could find. We did this using multiple methods, from information already available on the internet to downloading, running, and identifying the services ourselves. Thanks to these efforts, we’re able to fingerprint the most common C2 tools that are advertised as penetration testing tools:
The Censys Search queries provided above allow for ad-hoc research and investigation. Censys ASM takes it one step further and reduces the effort needed to catch C2. Out of the box, Censys ASM can now identify when tools like these appear in your network with their default configuration, using our Risk framework. Either way, we help your blue team catch the red team (Go Defense!) or, on the darker side, an advanced persistent threat in your network.
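To make the "default configuration" idea concrete, here is an added example (not Censys code, and not the queries or Risk framework the post refers to) that fingerprints a host from a few well-documented Cobalt Strike defaults: the stock self-signed team server certificate (CN "Major Cobalt Strike", serial 146473198), the published JARM hash of a default team server, the empty 404 the server returns for unknown paths, and the Metasploit-style stager URI scheme whose path bytes sum to 92 (x86) or 93 (x64) mod 256. The host records are constructed, and their field names imitate a scan document but are an assumption, not a Censys schema; the third record shows why the JARM hash alone is only a weak signal (any Java TLS stack can share it), and the second shows what is left once an operator customizes the certificate and profile.

```python
"""Fingerprint C2 team servers by the defaults they ship with.

Added example, not Censys code. HOSTS below are constructed records whose
field names (tls, http, observed_paths) are an assumption, not a real schema.
"""
import json

# Subject of the self-signed certificate a Cobalt Strike team server generates
# when started without a custom keystore (documented default).
CS_DEFAULT_CERT_CN = "Major Cobalt Strike"
CS_DEFAULT_CERT_SERIAL = "146473198"

# Published JARM hash of a default team server. It comes from the Java TLS
# stack, so unrelated Java services can share it: weak evidence on its own.
CS_DEFAULT_JARM = "07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1"

# Stager URI scheme inherited from Metasploit: bytes of the path (leading
# slash removed) sum, mod 256, to 92 for an x86 stager and 93 for x64.
STAGER_CHECKSUMS = {92: "x86", 93: "x64"}


def checksum8(path: str) -> int:
    """Metasploit-style 8-bit checksum of a URI path without its leading '/'."""
    return sum(path.lstrip("/").encode("ascii", "ignore")) % 256


def stager_arch(path: str):
    """Return 'x86' / 'x64' if the path matches a stager checksum, else None."""
    return STAGER_CHECKSUMS.get(checksum8(path))


def is_default_404(http: dict) -> bool:
    """Empty text/plain 404 with Content-Length 0, as returned for unknown paths."""
    if http.get("status") != 404:
        return False
    headers = {k.lower(): v for k, v in http.get("headers", {}).items()}
    return (headers.get("content-type") == "text/plain"
            and headers.get("content-length") == "0"
            and http.get("body", "") == "")


def fingerprint(record: dict) -> dict:
    """Collect default-configuration indicators for one host and grade them."""
    indicators = []
    tls = record.get("tls", {})
    cert = tls.get("certificate", {})
    if (cert.get("subject_cn") == CS_DEFAULT_CERT_CN
            and cert.get("serial") == CS_DEFAULT_CERT_SERIAL):
        indicators.append("default_cobalt_strike_cert")
    if tls.get("jarm") == CS_DEFAULT_JARM:
        indicators.append("cobalt_strike_jarm")
    if is_default_404(record.get("http", {})):
        indicators.append("empty_404")
    # observed_paths: URIs your own proxy logs show clients requesting from the host
    for path in record.get("observed_paths", []):
        arch = stager_arch(path)
        if arch:
            indicators.append(f"stager_uri_{arch}")
            break
    # The stock certificate is high confidence; one weak indicator is noise.
    if "default_cobalt_strike_cert" in indicators:
        verdict = "high"
    elif len(indicators) >= 2:
        verdict = "medium"
    elif indicators:
        verdict = "low"
    else:
        verdict = "none"
    return {"ip": record["ip"], "verdict": verdict, "indicators": indicators}


# Constructed sample records (not real scan data).
HOSTS = [
    {   # team server started with stock settings
        "ip": "203.0.113.10",
        "tls": {"certificate": {"subject_cn": CS_DEFAULT_CERT_CN,
                                "serial": CS_DEFAULT_CERT_SERIAL},
                "jarm": CS_DEFAULT_JARM},
        "http": {"status": 404, "body": "",
                 "headers": {"Content-Type": "text/plain", "Content-Length": "0"}},
        "observed_paths": [],
    },
    {   # operator swapped in a CA-issued cert and a custom profile, but left the
        # default 404 in place, and our proxy logged an x86 stager URI (/AbCv -> 92)
        "ip": "203.0.113.20",
        "tls": {"certificate": {"subject_cn": "cdn.example.com", "serial": "0A1B2C"},
                "jarm": "constructed-not-a-real-jarm"},
        "http": {"status": 404, "body": "",
                 "headers": {"Content-Type": "text/plain", "Content-Length": "0"}},
        "observed_paths": ["/updates.rss", "/AbCv"],
    },
    {   # ordinary Java web app that happens to share the JARM hash
        "ip": "203.0.113.30",
        "tls": {"certificate": {"subject_cn": "intranet.example.com", "serial": "77"},
                "jarm": CS_DEFAULT_JARM},
        "http": {"status": 200, "body": "<html>ok</html>",
                 "headers": {"Content-Type": "text/html"}},
        "observed_paths": ["/login"],
    },
]


def run(hosts=HOSTS):
    """Fingerprint every host record and return the results."""
    return [fingerprint(h) for h in hosts]


if __name__ == "__main__":
    print(json.dumps(run(), indent=2))
```

The grading is deliberately conservative: a Malleable-style customization removes the certificate and JARM signals, so the remaining indicators (stager URI shape, default error page) only reach "medium" when two of them agree, and a lone JARM match on an ordinary Java service stays "low" rather than paging anyone.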
Want to learn more? Click here to contact Censys.