

Over the past couple of years I’ve worked closely with threat intel groups to understand emerging threats. I always find myself drawn to the deep analysis of malware and delivery techniques. There’s an appreciation I have for one of the more difficult tasks for an attacker: reliably gaining a foothold on a network with a payload that works.

The Threat Landscape: MaaS, Astaroth, and CloudFlare Workers

Threat actors put a lot of effort into protecting both delivery mechanisms and that ultimate payload to extend its value. If all it takes is an A/V signature to kill either, then it’s not going to be profitable. As a result, we’ve seen the evolution of malware like Emotet into MaaS (Malware as a Service) options: malware whose main purpose is to be a trojan horse for another actor’s ultimate payload and objectives. This past fall (in 2019) a lot of great analysis surfaced for new variants of the fileless malware Astaroth. Specifically, Renato Marinho of Morphus Labs posted his analysis of a variant using Facebook and YouTube profiles to dynamically adjust C2 addresses using trusted domains.

There have been several good write-ups on using CloudFlare for domain fronting (and debate), and for direct C2. While CloudFlare has since changed the way Worker previews are generated to prevent the random URL string staging Afrahim details, it quickly became apparent to me the value CloudFlare could serve for better attack infrastructure. However, I see the value in CloudFlare differently. When it comes to CloudFlare, you’ll see we can replace the middle redirector server layer, and in some cases even the payload hosting/delivery layer. Here’s a quick list of capabilities I put together and then automated deployment with Terraform and Red-Baron:

- Serverless Workers can be custom payload delivery mechanisms.
- Serverless Workers can be redirectors instead of building server instances (Apache + mod_rewrite + .htaccess).
- Serverless Worker Routes enable unique, targeted handling of requests.
- Firewall rules can prevent access based on geographic location, requested URI, user-agent strings, and more.
- Weaponize CNAME redirection and ease the categorization battle.
- Easily “hide” infrastructure behind CloudFlare shared SSL certificates and IP addresses using proxied DNS records.
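The last point above matters most to whoever is on the receiving end: once a hostname is proxied through CloudFlare, the address it resolves to is a shared edge IP, so an IP-based block or reputation lookup tells the analyst nothing about the origin. The following is an added example (not code from the original post, and not a CloudFlare or Red-Baron artifact) showing the triage check a defender can run over already-resolved hostnames from a proxy log: it classifies each host as sitting behind a CloudFlare edge or reaching a directly reachable address, so the analyst knows to pivot to hostname/SNI-based controls for the former. The CloudFlare ranges are a point-in-time snapshot of the published list (https://www.cloudflare.com/ips) and should be refreshed before real use; the hostnames and addresses in RESOLVED are constructed sample data.

```python
import ipaddress

# Snapshot of CloudFlare's published edge ranges (assumption: current at time of
# writing; refresh from https://www.cloudflare.com/ips-v4 and /ips-v6 before use).
CLOUDFLARE_RANGES = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
    "2400:cb00::/32", "2606:4700::/32", "2803:f800::/32", "2405:b500::/32",
    "2405:8100::/32", "2a06:98c0::/29", "2c0f:f248::/32",
]
_NETS = [ipaddress.ip_network(cidr) for cidr in CLOUDFLARE_RANGES]


def is_cloudflare_edge(ip: str) -> bool:
    """True if the address falls inside a CloudFlare edge range (shared IP, hidden origin)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _NETS)


# Constructed sample: hostnames pulled from a proxy log, already resolved,
# so the example runs offline without live DNS. Addresses are illustrative.
RESOLVED = {
    "cdn.example-invalid.test": "104.16.12.34",       # inside 104.16.0.0/13
    "updates.example-invalid.test": "198.51.100.7",   # TEST-NET-2, not CloudFlare
    "files.example-invalid.test": "2606:4700:10::1",  # inside 2606:4700::/32
    "mail.example-invalid.test": "203.0.113.9",       # TEST-NET-3, not CloudFlare
}


def triage(resolved: dict) -> dict:
    """Classify each host. 'cloudflare-proxied' means the IP is shared edge space:
    blocking or scoring that IP is useless, pivot to the hostname / TLS SNI instead.
    'direct' means the address itself can be investigated and blocked."""
    return {
        host: ("cloudflare-proxied" if is_cloudflare_edge(ip) else "direct")
        for host, ip in resolved.items()
    }


def hosts_needing_hostname_controls(resolved: dict) -> list:
    """Hosts where an IP-level control would not reach the real origin."""
    return sorted(h for h, verdict in triage(resolved).items() if verdict == "cloudflare-proxied")


if __name__ == "__main__":
    for host, verdict in triage(RESOLVED).items():
        print(f"{host:32} {RESOLVED[host]:20} {verdict}")
    print("block/alert by hostname or SNI:", hosts_needing_hostname_controls(RESOLVED))
```

The check is deliberately range-based rather than header-based: a `server: cloudflare` or `cf-ray` response header only appears once a connection has been made, whereas the resolved address is available from passive DNS or proxy logs before any analyst touches the host.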
