HTTP Smuggling Attack


HTTP Request Smuggling Attacks
New research has identified four new variants of HTTP request smuggling attacks that work against various commercial off-the-shelf web servers and HTTP proxy servers.

What is HTTP Request Smuggling?

HTTP request smuggling (or HTTP Desyncing) is a technique employed to interfere with the way a website processes sequences of HTTP requests that are received from one or more users.
Vulnerabilities related to HTTP request smuggling typically arise when the front-end (a load balancer or proxy) and the back-end servers interpret the boundary of an HTTP request differently, thereby allowing a bad actor to send (or “smuggle”) an ambiguous request that gets prepended to the next legitimate user request.

This desynchronization of requests can be exploited to hijack credentials, inject responses to users, and even steal data from a victim’s request and exfiltrate the information to an attacker-controlled server.

What’s in the New Variants?

The new variants work against various proxy/web-server combinations, including Aprelium’s Abyss, Microsoft IIS, Apache, and Tomcat in the web-server role, and Nginx, Squid, HAProxy, Caddy, and Traefik in the HTTP proxy role.

The four new variants are listed below, together with an old one that the researcher successfully exploited in his experiments.
Variant 1: “Header SP/CR junk: …”
Variant 2: “Wait for It”
Variant 3: HTTP/1.2 to bypass mod_security-like defense
Variant 4: a plain solution
Variant 5: “CR header”

When handling HTTP requests containing two Content-Length header fields, Abyss, for example, was found to accept the second header as valid, whereas Squid used the first Content-Length header, leading the two servers to interpret the requests differently and enabling request smuggling.

In situations where Abyss gets an HTTP request with a body whose length is less than the specified Content-Length value, it waits for 30 seconds to fulfill the request, but not before ignoring the remaining body of the request.

This also results in discrepancies between Squid and Abyss, with the latter interpreting portions of the outbound HTTP request as a second request.

A third variant of the attack uses HTTP/1.2 to circumvent the WAF defense defined in the OWASP ModSecurity Core Rule Set (CRS) for preventing HTTP request smuggling attacks, crafting a malicious payload that triggers the smuggling behavior.

Lastly, using the “Content-Type: text/plain” header field was sufficient to bypass the paranoia level 1 and 2 checks specified in CRS and yield an HTTP request smuggling vulnerability.
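The duplicate Content-Length disagreement and the normalization the research asks for, as an added example (it is not code from the research or from any of the servers named above). The parser, the request bytes and the proxy policy names are all constructed for illustration; "first" stands in for the Squid behaviour described above and "last" for the Abyss behaviour. The same bytes yield a different number of requests depending on which header wins, and the version check covers the HTTP/1.2 variant from the paragraph above.

```python
"""Added example: a minimal HTTP/1.1 request splitter that shows how two parsers
disagree on request boundaries when a message carries two Content-Length headers,
plus a normalizer that rejects such ambiguous requests before forwarding them.
All sample bytes below are constructed; nothing here is Squid's or Abyss's code."""
from typing import List, Tuple

VALID_VERSIONS = {"HTTP/1.0", "HTTP/1.1"}


def parse_head(head: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Return (request line, [(lower-cased name, value), ...]) for one header block."""
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("ascii", "replace")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower().decode("ascii", "replace"),
                        value.strip().decode("ascii", "replace")))
    return request_line, headers


def split_requests(stream: bytes, policy: str) -> List[Tuple[str, bytes]]:
    """Cut a byte stream into (request line, body) pairs.

    policy = "first": the first Content-Length header wins (the Squid behaviour
    described above); policy = "last": the last one wins (the Abyss behaviour).
    """
    requests = []
    pos = 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end < 0:
            break  # incomplete head: a real server would keep reading
        request_line, headers = parse_head(stream[pos:end])
        lengths = [int(v) for n, v in headers if n == "content-length"]
        length = 0 if not lengths else (lengths[0] if policy == "first" else lengths[-1])
        body_start = end + 4
        requests.append((request_line, stream[body_start:body_start + length]))
        pos = body_start + length
    return requests


def ambiguity_reasons(head: bytes) -> List[str]:
    """Reasons a proxy should refuse (or normalize) a request instead of forwarding
    it: the 'normalization of outbound requests' the research asks for, in its
    simplest form."""
    request_line, headers = parse_head(head)
    names = [n for n, _ in headers]
    reasons = []
    if names.count("content-length") > 1:
        reasons.append("duplicate Content-Length")
    if "content-length" in names and "transfer-encoding" in names:
        reasons.append("both Content-Length and Transfer-Encoding")
    version = request_line.split(" ")[-1]
    if version not in VALID_VERSIONS:
        reasons.append(f"unexpected protocol version {version}")
    return reasons


# Constructed sample: one POST whose two Content-Length values disagree,
# followed by the unrelated GET that a normal client would send next.
SAMPLE_HEAD = (b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
               b"Content-Length: 6\r\nContent-Length: 48\r\n")
NEXT_REQUEST = b"GET /next HTTP/1.1\r\nHost: example.test\r\n\r\n"  # 42 bytes
SAMPLE_STREAM = SAMPLE_HEAD + b"\r\n" + b"ABCDEF" + NEXT_REQUEST


def desync_summary() -> dict:
    """Compare what each policy sees in the same byte stream."""
    first = split_requests(SAMPLE_STREAM, "first")
    last = split_requests(SAMPLE_STREAM, "last")
    return {
        "first_policy_requests": [r for r, _ in first],  # two requests
        "last_policy_requests": [r for r, _ in last],    # one request, GET swallowed
        "reject_reasons": ambiguity_reasons(SAMPLE_HEAD),
    }


if __name__ == "__main__":
    for key, value in desync_summary().items():
        print(f"{key}: {value}")
```

A proxy that applies `ambiguity_reasons` before forwarding never has to guess which Content-Length the back-end will honour; it simply refuses to pass on a message the two sides could read differently.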

What Are the Possible Defenses?

After the findings were disclosed to Aprelium, Squid, and OWASP CRS, the issues were fixed in Abyss X1 v2.14, Squid versions 4.12 and 5.0.3, and CRS v3.3.0.

The research also calls for normalization of outbound HTTP requests from proxy servers, and for an open source, robust web application firewall solution that is capable of handling HTTP request smuggling attacks.

Wasted locker Evasion Technique

As time goes on, one ransomware after another comes and goes. Like we say summer, winter, rainy, spring seasons: once released it is the talk of the town, and one big organisation after another gets hit. Paying ransoms and getting the decryptors is regular nowadays. But the difference is that each one is getting more sophisticated than the last, and the techniques used for evasion vary.

Here we see how WastedLocker used this technique to evade security systems.

WastedLocker, a ransomware strain that reportedly shut down Garmin’s operations for several days in July, is designed to avoid security tools within infected devices, according to a technical analysis from Sophos.

The ransomware abuses the Microsoft Windows memory management feature to evade detection by security software. The researchers also found other tools within the malware designed to make it difficult to detect.

“WastedLocker … is cleverly constructed in a sequence of maneuvers meant to confuse and evade behavior-based anti-ransomware solutions,” the Sophos analysis notes.

Evading Security

WastedLocker and other newer strains of ransomware are increasingly being designed to avoid detection and security tools. These so-called “survival skills” allow the malware to live in the network long enough to encrypt files.

“Survival demands that static and dynamic endpoint protection struggle to make a determination about a file based on the appearance of its code, and that behavioral detection tools are thwarted in their efforts to determine the root cause of the malicious behavior,” the report states.

WastedLocker appears to have adopted a technique similar to one used by a ransomware strain called Bitpaymer. This method of avoidance targets the Windows API functions within the memory, according to the report.

“This technique adds an additional layer of obfuscation by doing the entire thing in memory, where it’s harder for a behavioral detection to catch it,” the report adds.

In-memory evasion

WastedLocker also makes it harder for behavior-based anti-ransomware tools to keep track of what is going on by using memory-mapped I/O to encrypt a file, Sophos reports. This involves transparently encrypting cached documents in memory without causing disruptions to the disk I/O, which shields it from behavior monitoring software.

The Windows memory management feature increases performance by keeping files and applications that have been read in the operating system’s cache memory. To trick anti-ransomware tools, WastedLocker opens a file, caches it in memory and then closes it.

WastedLocker closes the file once it has mapped it in memory, and the victim might mistake this for an error. But the trick works because the Windows Cache Manager also opens a handle to the file once it is mapped into memory.

Once the data is stored in the Windows Cache Manager, WastedLocker encrypts the file’s content stored in the cache. When the data in the cache is modified it becomes “dirty”, so that, eventually, Windows writes the encrypted cached data back to the original files and anti-ransomware software does not see any illegitimate process performing the writes.
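The write-back behaviour described above, as an added example (not Sophos’s analysis code and not the malware): a file is mapped, its file object closed, and the bytes changed only through the mapping, after which the change still lands on disk with no write call issued by the program. Beside it is a content-integrity check on a few canary files, a defender-side control that notices the change regardless of the I/O path. The temporary files, their content and the `CanaryWatcher` class are constructed for the example; the edit is a plain byte substitution, nothing more.

```python
"""Added example: changes made through a memory mapping reach the disk without
any explicit write call, and a hash-based canary check catches them anyway.
Runs on a temporary directory with constructed content."""
import hashlib
import mmap
import os
import tempfile
from typing import Dict, List


def sha256_file(path: str) -> str:
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def modify_via_mapping(path: str, old: bytes, new: bytes) -> int:
    """Replace every occurrence of `old` with `new` (same length) through a
    shared memory mapping.  The file object is closed before the bytes are
    touched, mirroring the handle-close step described above; the mapping
    stays valid and the OS writes the dirty pages back on its own."""
    if len(old) != len(new):
        raise ValueError("old and new must have the same length")
    with open(path, "r+b") as f:
        mapping = mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_WRITE)
    # No open file object remains at this point; only the mapping does.
    count = 0
    idx = mapping.find(old)
    while idx != -1:
        mapping[idx:idx + len(new)] = new
        count += 1
        idx = mapping.find(old, idx + len(new))
    mapping.flush()
    mapping.close()
    return count


class CanaryWatcher:
    """Baseline the hashes of a few files and report which ones changed.
    Because it compares content rather than observing I/O calls, it does not
    care whether the change came through write(), a mapping, or the cache
    manager's write-back."""

    def __init__(self, paths: List[str]):
        self.baseline: Dict[str, str] = {p: sha256_file(p) for p in paths}

    def changed_files(self) -> List[str]:
        return sorted(p for p, h in self.baseline.items() if sha256_file(p) != h)


def demo() -> Dict[str, object]:
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "report.txt")
        untouched = os.path.join(tmp, "notes.txt")
        with open(target, "wb") as f:
            f.write(b"quarter: 42 units, 42 returns\n")  # constructed content
        with open(untouched, "wb") as f:
            f.write(b"nothing to see here\n")  # constructed content
        watcher = CanaryWatcher([target, untouched])
        replaced = modify_via_mapping(target, b"42", b"XX")
        with open(target, "rb") as f:
            on_disk = f.read()
        return {
            "replacements": replaced,
            "on_disk": on_disk,
            "changed": [os.path.basename(p) for p in watcher.changed_files()],
        }


if __name__ == "__main__":
    print(demo())
```

The point of the watcher is the one the paragraph makes in reverse: a monitor that keys on which process called a write API has nothing to attribute here, whereas a periodic hash of files that should never change does not need to know who wrote them.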

Iran’s APT34 abuses DoH for exfiltration

An Iranian hacking group known as Oilrig has become the first publicly known threat actor to incorporate the DNS-over-HTTPS (DoH) protocol in its attacks.

Oilrig operators began using a new utility called DNSExfiltrator as part of their intrusions into hacked networks.

DNSExfiltrator is an open-source project available on GitHub that creates covert communication channels by funneling data and hiding it inside non-standard protocols.

As its name hints, the tool can transfer data between two points using classic DNS requests, but it can also use the newer DoH protocol.

Oilrig, also known as APT34, has been using DNSExfiltrator to move data laterally across internal networks, and then exfiltrate it to an outside point.

Oilrig is most likely using DoH as an exfiltration channel to avoid having its activities detected or monitored while moving stolen data.

This is because the DoH protocol is currently an ideal exfiltration channel for two primary reasons. First, it’s a new protocol that not all security products are capable of monitoring. Second, it’s encrypted by default, while DNS is cleartext.
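Detection logic for the two halves of the problem above, as an added example (not OilRig’s tooling and not DNSExfiltrator): a scorer that flags DNS-tunnelling-style names in resolver logs, and a check for connections to well-known public DoH endpoints, which is where visibility has to move once the queries themselves are encrypted. The log lines and their `timestamp client qtype qname` layout are constructed for the example, the thresholds are assumptions, and the DoH hostname list is a small sample rather than a complete one.

```python
"""Added example: spot encoded-payload DNS names in constructed resolver logs,
count subdomain fan-out per client and domain, and recognise public DoH hosts."""
import math
from collections import defaultdict
from typing import Dict, List, Tuple

# A few public DoH endpoints (sample, not exhaustive).  Seen as a TLS SNI or an
# HTTP Host header, they show DNS being resolved outside your own resolver.
KNOWN_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

# Constructed resolver log lines: "<timestamp> <client> <qtype> <qname>"
SAMPLE_LOG = """\
2020-08-04T10:00:01Z 10.0.0.5 A www.example.com
2020-08-04T10:00:02Z 10.0.0.5 AAAA mail.corp.example
2020-08-04T10:00:03Z 10.0.0.7 TXT aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q.x1.exfil-demo.example
2020-08-04T10:00:04Z 10.0.0.7 TXT dGhlIHNlY29uZCBjaHVuayBvZiBkYXRhIGdvZXM.x2.exfil-demo.example
2020-08-04T10:00:05Z 10.0.0.7 TXT aGVyZSBhbmQgdGhlbiBzb21lIG1vcmUgYnl0ZXM.x3.exfil-demo.example
2020-08-04T10:00:06Z 10.0.0.9 A cdn.example.net
"""


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def split_name(qname: str) -> Tuple[str, List[str]]:
    """Return (registered domain, subdomain labels).  Taking the last two labels
    is a simplification that ignores public suffixes such as co.uk."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]), labels[:-2]


def query_score(qname: str) -> Dict[str, float]:
    _, sub = split_name(qname)
    longest = max((len(lab) for lab in sub), default=0)
    return {"longest_label": longest, "entropy": round(shannon_entropy("".join(sub)), 2)}


def suspicious_queries(log: str, max_label: int = 30, min_entropy: float = 3.5) -> List[str]:
    """Flag names whose subdomain part looks like encoded payload rather than a
    hostname: a very long label, or a long high-entropy subdomain."""
    flagged = []
    for line in log.splitlines():
        _, _, _, qname = line.split()
        score = query_score(qname)
        if score["longest_label"] >= max_label or (
            score["entropy"] >= min_entropy and len(qname) >= 40
        ):
            flagged.append(qname)
    return flagged


def subdomain_fanout(log: str) -> Dict[Tuple[str, str], int]:
    """Count distinct subdomains per (client, registered domain); a tunnel
    produces many unique names under one domain from one host."""
    seen = defaultdict(set)
    for line in log.splitlines():
        _, client, _, qname = line.split()
        domain, sub = split_name(qname)
        seen[(client, domain)].add(".".join(sub))
    return {key: len(names) for key, names in seen.items()}


def is_doh_resolver(host: str) -> bool:
    """True when a TLS SNI / HTTP Host value names a known public DoH endpoint."""
    return host.lower().rstrip(".") in KNOWN_DOH_HOSTS


if __name__ == "__main__":
    print(suspicious_queries(SAMPLE_LOG))
    print(subdomain_fanout(SAMPLE_LOG))
```

The first two functions only work while the resolver can see the names; once the same traffic moves to DoH the resolver log is empty for that client, and `is_doh_resolver` applied to outbound TLS metadata is what is left, which is exactly why the paragraph above calls DoH an ideal exfiltration channel.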

Historically, the group has dabbled with DNS-based exfiltration techniques. Before adopting the open-source DNSExfiltrator toolkit in May, the group had been using a custom-built tool named DNSpionage since at least 2018, per reports by Talos, NSFOCUS, and Palo Alto Networks.

A spear-phishing campaign was also orchestrated by unidentified Iranian hackers, who targeted the staff of pharma giant Gilead, which at the time had announced it was working on a treatment for COVID-19. It is, however, unclear if these are the same incidents.

Previous reporting has linked most Iranian APTs as working as members or working as contractors for the Islamic Revolutionary Guard Corps, Iran’s top military entity.

Defender flags hosts files now

The native antivirus client of the Windows 10 operating system, Microsoft Defender, has started to flag the hosts file on the system as malicious if it contains redirects for certain Microsoft servers.

The hosts file is a simple plain text file designed to redirect connections. Users find it under C:\Windows\System32\drivers\etc\hosts on any system, and it is easy enough to redirect requests with it. It has been used for ages to block known malicious sites or advertisement sites.

All you have to do is add entries of the form 127.0.0.1 www.microsoft.com to the hosts file to redirect requests for a site (“www.microsoft.com” in this case) to the local computer. The effect is simple: the request is blocked.

With the release of Windows 10 came an increased Telemetry server blocking usage. Privacy tools would add known Telemetry servers to the hosts file to block connections and thus the transmission of Telemetry data to Microsoft.

Antimalware client version: 4.18.2006.10
Engine version: 1.1.17300.4
Antivirus version: 1.321.144.0
Antispyware version: 1.321.144.0

Microsoft Defender Antivirus flags certain hosts file changes as a threat. An attempt to add telemetry.microsoft.com and microsoft.com redirects to 127.0.0.1 to the hosts file resulted in Microsoft Defender flagging the file and restoring the original version.
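A hosts-file audit in the spirit of what the paragraph above describes Defender reacting to, as an added example (not Microsoft Defender’s detection logic): it parses the file, ignores comments, and reports which entries send names under a watched domain to a blocking address. The sample hosts content, the `BLOCKING_ADDRESSES` set and the default watched domain are constructed for the example; the watched domain is `microsoft.com` because those are the redirects the paragraph mentions.

```python
"""Added example: parse a hosts file and report entries that point names under
a watched domain at a loopback / blackhole address.  Sample content is constructed."""
import ipaddress
from typing import Dict, List, Tuple

# Addresses commonly used to "block" a name via the hosts file.
BLOCKING_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed hosts file: comments, an ordinary entry, two telemetry-style
# redirects (one of them with a trailing comment), an IPv6 loopback entry,
# and an ad-blocking entry that is not under the watched domain.
SAMPLE_HOSTS = """\
# Sample hosts file (constructed for this example)
# localhost name resolution is handled within DNS itself.
#   127.0.0.1       localhost
192.168.1.20   intranet.corp.example
127.0.0.1      telemetry.microsoft.com   # added by a privacy tool
0.0.0.0        www.microsoft.com
::1            microsoft.com
127.0.0.1      ads.example.net
"""


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line number, address, [hostnames]) for every usable entry.
    Comment text after '#' is dropped; lines without a valid address are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed entry, nothing to resolve
        entries.append((lineno, parts[0], [name.lower() for name in parts[1:]]))
    return entries


def under_domain(name: str, domain: str) -> bool:
    return name == domain or name.endswith("." + domain)


def flagged_redirects(text: str, watched_domains=("microsoft.com",)) -> List[Dict[str, object]]:
    """Entries that send a watched domain (or any name under it) to a blocking
    address.  This is a targeted review, unlike 'allow the threat', which lets
    every later modification through as the paragraph above points out."""
    hits = []
    for lineno, address, names in parse_hosts(text):
        if address not in BLOCKING_ADDRESSES:
            continue
        for name in names:
            if any(under_domain(name, d) for d in watched_domains):
                hits.append({"line": lineno, "address": address, "name": name})
    return hits


if __name__ == "__main__":
    for hit in flagged_redirects(SAMPLE_HOSTS):
        print(f"line {hit['line']}: {hit['address']} -> {hit['name']}")
```

An administrator who wants to keep a telemetry block list can run this against the file before and after a privacy tool edits it and see exactly which lines a Defender-style check would object to, instead of allowing the whole file through.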

Attempts to save the file may display the following notification by Microsoft Defender:

Operation did not complete successfully because the file contains a virus or potentially unwanted software.

It is possible that other servers will also be seen as a threat by Microsoft Defender. Windows 10 users may allow the threat in Microsoft Defender, at least for now, to add these redirects to the file again. The problem with the approach is that it will allow all modifications, even those by malicious software. Another option is to turn off Microsoft Defender and to start using a different security solution for Windows.

A false positive seems unlikely considering that the list of servers includes mostly Telemetry servers.

Windows 10 tools that add entries to the hosts file may be affected by this negatively. Most privacy tools that manipulate the hosts file to block Telemetry will certainly fail to add the entries to the hosts file if Microsoft Defender is the resident antivirus solution.