Cybercriminals have been using ngrok, a cross-platform application that exposes local development servers to the internet, for malicious purposes for years now.
In one such case, an organization was targeted with a keylogger, and the malicious actors also installed a copy of the ngrok tool to obtain specific details about the environment.
Recent campaigns
- Recently, threat actors were seen using ngrok to expose several machines within the victim's networks, making them reachable from the outside world.
- It is believed that the attackers relied on three things already being in place: ngrok installed on the internal machine, an administrator account, and the ngrok server domain and port.
- Because the attacker knew the ngrok-assigned public address, they could connect to the compromised system at any time.
How it’s been used
The service can be abused by threat actors to gain unauthorized access to the targeted network, download payloads, exfiltrate data, and craft unique URLs. In addition, the tunneling service allows cybercriminals to evade detection: it generates random URLs, making the tunnels harder to track, detect, or block.
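The random label in an ngrok URL changes per tunnel, but the suffix the agent is assigned does not, and the agent binary itself still has to run on the endpoint. The following added detector (not from the original article) scans constructed DNS and process-creation log lines for those stable indicators; the log format, the host names and the suffix list are assumptions to be tuned to your own telemetry.

```python
import re
from typing import Dict, List

# Assumed indicator list: hostnames ngrok hands out. The random label in
# front changes for every tunnel; the suffix does not, so match on that.
NGROK_SUFFIXES = (".ngrok.io", ".ngrok.app", ".ngrok-free.app", ".ngrok.com")

# Constructed sample telemetry: DNS queries and process-creation events.
SAMPLE_LOGS = [
    "2024-01-01T10:00:01Z DNS host=ws-17 query=a1b2c3d4.ngrok.io type=A",
    "2024-01-01T10:00:02Z DNS host=ws-17 query=update.example.com type=A",
    "2024-01-01T10:00:03Z PROC host=ws-17 user=Administrator "
    "image=C:\\Users\\Public\\ngrok.exe cmdline=\"ngrok.exe tcp 3389\"",
    "2024-01-01T10:00:04Z PROC host=ws-18 user=alice "
    "image=C:\\Windows\\System32\\notepad.exe cmdline=\"notepad.exe\"",
    "2024-01-01T10:00:05Z DNS host=ws-18 query=tunnel.ngrok.com type=A",
]

DNS_RE = re.compile(r"^(?P<ts>\S+) DNS host=(?P<host>\S+) query=(?P<query>\S+)")
PROC_RE = re.compile(
    r'^(?P<ts>\S+) PROC host=(?P<host>\S+) user=(?P<user>\S+) '
    r'image=(?P<image>\S+) cmdline="(?P<cmdline>[^"]*)"'
)


def is_ngrok_domain(name: str) -> bool:
    """True when the queried name is an ngrok-served hostname (any label)."""
    name = name.lower().rstrip(".")
    return any(name.endswith(s) or name == s.lstrip(".") for s in NGROK_SUFFIXES)


def detect_ngrok(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per log line that shows ngrok resolution or execution."""
    findings = []
    for line in lines:
        m = DNS_RE.match(line)
        if m and is_ngrok_domain(m["query"]):
            findings.append({"ts": m["ts"], "host": m["host"],
                             "reason": "dns", "detail": m["query"]})
            continue
        m = PROC_RE.match(line)
        if m:
            # Basename of the image, independent of path separator.
            image = m["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
            if image.startswith("ngrok") or m["cmdline"].lower().startswith("ngrok"):
                findings.append({"ts": m["ts"], "host": m["host"], "reason": "process",
                                 "detail": f"{m['user']} ran {m['cmdline']}"})
    return findings


if __name__ == "__main__":
    for finding in detect_ngrok(SAMPLE_LOGS):
        print(finding)
```

Every hit still needs triage against the list of users whose tunnel use security has approved, since a developer's sanctioned tunnel produces the same telemetry as an attacker's.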
Recent attacks using the ngrok tool
- The Iran-based APT Pioneer Kitten was found selling corporate network credentials on hacker forums. The group is known for its regular use of ngrok.
- Fox Kitten was observed attacking the US private and government sectors. The group is known for using ngrok to target on-premise BIG-IP devices.
Ways to mitigate
Organizations must be aware of ngrok and other tunneling services, as these services can be abused by attackers. Experts suggest that organizations using tunneling services should have a secure authorization mechanism for every access level, and that setting up a tunnel should require approval from the security team. In addition, each tunnel should be password-protected and IP whitelisting should be enabled.