Attackers have for many years tried to find ways to get malicious code inside a victim’s network; Some new research by fidelis security has uncovered another, novel way to achieve those aims which your security systems might not pick up. The original research in pdf format can be found at the following link (http://vixra.org/pdf/1801.0016v1.pdf)
The attack exploits the fact that X.509 certificates have a number of fields which can contain arbitrary values. In their research, Fidelis proved that data can be transferred within the SubjectKeyIdentifier field of the X.509 certificate and is not limited to any size constraints other than the extents of device memory.
The SubjectKeyIdentifier field is supposed to hold a hash value that identifies the public key being certified. This value enables distinct keys used by the same subject to be differentiated.
In an attack using this approach this field can be used to pass through any form of data, including executable code.
In many cases, the SubjectKeyIdentifier value is not validated by either firewalls or IDS as they typically are set to look for data being transmitted in a protocol payload such as a TCP, UDP or SMTP packet.
In the case of the X.509 certificate the code is passed as a part of the handshake process, and as such no data payload is being transmitted.
Fidelis produced a proof of concept attack and included a Mimikatz payload in the X.509 certificate and transferred it to an already compromised device via the TLS negotiation phase.
There are ways to check to see if a certificate is being used in these ways. For example, the common hashes used in the SubjectKeyIdentifier field are MD5, SHA-1, SHA-256, SHA-384, or SHA-512. As such, if SHA-512 is used that would create the longest hash value at 128 characters long. Rules can be established (normally with the use of a Regex query) to look for values in this filed which are longer than 128 characters and flag them if they are.
But how many of you reading this have such rules?
How many of you reading this even contemplated someone using X.509 to attack your organisation?
How many of you are about to go check and update your firewall rules?
Cyber Security training from QA
We have uniquely positioned ourselves to help solve the Cyber skills gap, from our CyberFirst and Cyber Apprenticeship programmes and Cyber Academies to Cyber Challenges, Training and Certifications and Consultancy for Cyber Security.
They offer end-to-end Cyber training and certifications from Cyber Awareness to deep dive Cyber Programmes and solutions; from Cyber Investigations, Cyber Crisis Management, Proactive Security to Offensive Defence. QA only employ world-leading Cyber trainers who have the expertise to deliver bespoke Cyber solutions, GCHQ accredited courses and proudly the CyberFirst programme. This is all to support tackling the UK's National Cyber Security skills shortage.
QA also have state-of-the-art CyberLabs, where companies can simulate real-life Cyber-attacks on their infrastructure, helping them to prevent & combat breaches without risking their own network.
Visit cyber.qa.com for more information on how they can help solve the Cyber Security skills gap.
After leaving a career as a Mechanical and Electrical Engineer in 1998, Mark started out with a fresh career as an IT trainer. Spending the first few years as an applications trainer, Mark excelled in delivering Microsoft Office and Adobe products. In-line with his background as an Engineer, Mark soon shifted focus to more technical deliveries, including hardware and networking topics; a field he has remained in ever since. As a natural progression of his career saw Mark start to explore the security aspect of his existing competencies and since 2005 has specialised in the Cyber Security domain. Mark has been the author of a number of QA Cyber Security courses and was the design authority and author of the 2017 NCSC Cyber First Academy. Mark is a C|EH and is currently undergoing the process of becoming an NCSC Certified Cyber Professional.
More articles by Mark
Mac attack! Apple malware on the rise
How random is random?
Who you gonna call?
Denial of Service attack for iOS devices
Safer Internet Day 2019
The Invisible Attack