Mark Amory | 14 March 2018
Attackers have for many years tried to find ways to get malicious code inside a victim's network. New research by Fidelis Cybersecurity has uncovered another, novel way to achieve this, one which your security systems might not pick up. The original research, in PDF format, can be found at the following link: http://vixra.org/pdf/1801.0016v1.pdf
The attack exploits the fact that X.509 certificates have a number of fields which can contain arbitrary values. In their research, Fidelis showed that data can be carried in the SubjectKeyIdentifier extension of an X.509 certificate, and that the amount of data is limited only by the memory of the device handling the certificate, not by any size constraint in the field itself.
The SubjectKeyIdentifier extension is meant to hold an identifier for the public key being certified, conventionally a hash of that key (RFC 5280, section 4.2.1.2). Its purpose is to distinguish between different keys used by the same subject.
In an attack using this approach the field is instead used to carry any form of data, including executable code.
In many cases, the SubjectKeyIdentifier value is not inspected by firewalls or IDS, because they are typically configured to look for malicious content in application data, such as the payload of TCP or UDP traffic or the body of an SMTP message.
With an X.509 certificate the data is carried inside the Certificate message of the TLS handshake, so from the inspecting device's point of view the session is still being negotiated and no application payload has been transmitted.
Fidelis produced a proof-of-concept attack which embedded a Mimikatz payload in an X.509 certificate and transferred it to an already compromised device during the TLS negotiation phase.
There are ways to check whether a certificate is being abused in this way. The hashes normally used to derive a SubjectKeyIdentifier are MD5, SHA-1, SHA-256, SHA-384 or SHA-512, and the longest of these, SHA-512, produces a 64-byte value, which is 128 characters when written out as hex. A rule (normally a regex over the hex form of the field) can therefore be established to flag any SubjectKeyIdentifier value longer than 128 hex characters. Bear in mind that such a rule only catches oversized values; an attacker who keeps each value to 64 bytes or less and spreads a payload across many certificates would not trip it, so treat the length check as one signal rather than a complete control.
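The two halves of the article, smuggling data in the SubjectKeyIdentifier and then flagging it by length, can be shown together in a few dozen lines of Go. The program below is an added example written for this page, not Fidelis's proof-of-concept code. It builds a self-signed certificate whose SubjectKeyIdentifier holds a constructed placeholder payload (the real PoC carried a Mimikatz binary), parses the DER back as an inspector would after pulling it out of a TLS Certificate message, recovers the payload from the extension, and applies the "longer than 128 hex characters" rule. A second certificate with a genuine 20-byte SHA-1 identifier is used to show the rule does not fire on legitimate certificates. The payload bytes, the certificate subject and the function names are all assumptions for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// oidSubjectKeyId is the OID of the SubjectKeyIdentifier extension (RFC 5280, 4.2.1.2).
var oidSubjectKeyId = asn1.ObjectIdentifier{2, 5, 29, 14}

// maxHashLen is the longest value any hash named in the article produces:
// SHA-512 gives 64 bytes, i.e. 128 hex characters in a log or rule.
const maxHashLen = 64

// constructedPayload is a stand-in for the smuggled file (the PoC used Mimikatz).
// It is constructed for this example and only needs to exceed any hash length.
var constructedPayload = bytes.Repeat([]byte("CONSTRUCTED-PAYLOAD|"), 40) // 800 bytes

// buildCertWithSKI returns a self-signed DER certificate. If ski is non-nil it is
// written verbatim into the SubjectKeyIdentifier extension: Go's
// x509.CreateCertificate copies the template value without a length check.
// If ski is nil the template is marked as a CA so that Go derives the
// identifier the legitimate way, as the SHA-1 hash of the public key.
func buildCertWithSKI(ski []byte) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "smuggle.example"}, // assumed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		SubjectKeyId:          ski,
		IsCA:                  ski == nil,
		BasicConstraintsValid: ski == nil,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// extractSKI parses a DER certificate, as an inspector would after pulling it
// out of the TLS Certificate handshake message, and returns the raw bytes of
// the SubjectKeyIdentifier extension (nil if the extension is absent).
func extractSKI(der []byte) ([]byte, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidSubjectKeyId) {
			continue
		}
		// extnValue for this extension is a DER OCTET STRING (KeyIdentifier).
		var ski []byte
		rest, err := asn1.Unmarshal(ext.Value, &ski)
		if err != nil {
			return nil, err
		}
		if len(rest) != 0 {
			return nil, fmt.Errorf("trailing bytes after SubjectKeyIdentifier")
		}
		return ski, nil
	}
	return nil, nil
}

// suspiciousSKI is the rule the article describes: a hash-derived identifier is
// at most 128 hex characters, so anything longer cannot be a hash.
func suspiciousSKI(ski []byte) bool {
	return len(hex.EncodeToString(ski)) > 2*maxHashLen
}

func main() {
	for _, c := range []struct {
		name string
		ski  []byte
	}{{"smuggling", constructedPayload}, {"legitimate", nil}} {
		der, err := buildCertWithSKI(c.ski)
		if err != nil {
			panic(err)
		}
		ski, err := extractSKI(der)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-10s cert: SKI is %d bytes (%d hex chars), suspicious=%v\n",
			c.name, len(ski), 2*len(ski), suspiciousSKI(ski))
	}
}
```

The detection works on the parsed extension rather than a hex dump, but the threshold is the same 128-character one a regex in an IDS rule would use; a NIDS that only sees the handshake bytes would locate the OID 2.5.29.14 extension in the DER and apply the same length test to the OCTET STRING that follows it.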
But how many of you reading this have such rules?
How many of you reading this even contemplated someone using X.509 to attack your organisation?
How many of you are about to go check and update your firewall rules?
Cyber Security training from QA
QA has uniquely positioned itself to help solve the Cyber skills gap, from its CyberFirst and Cyber Apprenticeship programmes and Cyber Academies to Cyber Challenges, Training, Certifications and Consultancy for Cyber Security.
QA offers end-to-end Cyber training and certifications, from Cyber Awareness to deep-dive Cyber programmes and solutions; from Cyber Investigations, Cyber Crisis Management and Proactive Security to Offensive Defence. QA only employs world-leading Cyber trainers with the expertise to deliver bespoke Cyber solutions and GCHQ-accredited courses, and is proud to deliver the CyberFirst programme. All of this supports tackling the UK's National Cyber Security skills shortage.
QA also has state-of-the-art CyberLabs, where companies can simulate real-life Cyber-attacks on their infrastructure, helping them to prevent and combat breaches without risking their own network.
Visit cyber.qa.com for more information on how QA can help solve the Cyber Security skills gap.