Two Mnemonic researchers, Morten Marstander and Matteo Malvica, have discovered a method to exfiltrate information past devices that intercept and inspect TLS: web proxies, F5 Networks appliances, Palo Alto Networks and Fortinet next-generation firewalls, and similar products.

Normally these devices inspect the SNI (Server Name Indication) sent by the client; if the URL or hostname is categorised as malicious, the connection is blocked.

The block is only applied once the TLS handshake has completed, so the one-way stream up to that point can be leveraged to exfiltrate information (the TLS Client Hello packet always reaches its destination). In addition, many devices that mirror traffic to an IDS for decryption and inspection never receive the TLS handshake at all.

Whenever the server presents a valid, trusted certificate during the TLS handshake, the security solution always presents an emulated version of that certificate to the client, signed by the solution's built-in CA. This happens even if the domain in use is blacklisted. If the server certificate is an untrusted self-signed one, the device usually resets the TCP session instead.

That logic (valid certificate = YES; untrusted self-signed certificate = NO) is what the Mnemonic team used to implement communication with the C2 in their SNIcat tool, which is divided into two components:

  • A passive agent that must be placed on an already compromised host. Its only goal is to connect back to the C2 and execute the commands it is given.
  • A C2 server that controls the agent from anywhere on the Internet.

The passive agent supports several commands, including uploading files to the server. It continuously loops through all available commands and waits for the C2 server to select the desired one using the YES/NO binary signal described above.
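From a defender's side, the pattern described above (one destination receiving many handshakes with ever-changing SNI values, a large share of them reset right after the handshake) is something a TLS connection log can surface. The following detector is an added example, not code from the article or from the SNIcat tool; it assumes a constructed, Zeek-style CSV log with one handshake per line (`ts,src,dst,sni,outcome`, where `outcome` is `established` or `reset`) and heuristic thresholds chosen here for illustration.

```python
from collections import defaultdict

# Constructed sample log (not real traffic): one ordinary client, and one
# client that sends six handshakes to a single destination with six
# distinct SNI values, half of them torn down by a reset.
SAMPLE_LOG = """\
1,10.0.0.5,203.0.113.10,update.example.net,established
2,10.0.0.5,203.0.113.10,update.example.net,established
3,10.0.0.9,198.51.100.7,list-cmd-0.example.org,established
4,10.0.0.9,198.51.100.7,list-cmd-1.example.org,reset
5,10.0.0.9,198.51.100.7,exec-cmd-0.example.org,reset
6,10.0.0.9,198.51.100.7,exec-cmd-1.example.org,established
7,10.0.0.9,198.51.100.7,upload-chunk-0.example.org,reset
8,10.0.0.9,198.51.100.7,upload-chunk-1.example.org,established
"""


def parse_log(text):
    """Yield (src, dst, sni, outcome) tuples from the constructed CSV log."""
    for line in text.splitlines():
        if line.strip():
            _ts, src, dst, sni, outcome = line.split(",")
            yield src, dst, sni, outcome


def flag_sni_channels(records, min_handshakes=5, min_unique_ratio=0.8,
                      min_reset_ratio=0.3):
    """Return {(src, dst): stats} for client/server pairs whose handshakes
    look like a binary SNI channel: enough handshakes, nearly every one
    carrying a distinct SNI, and a large share ending in a reset.
    Thresholds are illustrative assumptions, not tuned values."""
    per_pair = defaultdict(lambda: {"n": 0, "snis": set(), "resets": 0})
    for src, dst, sni, outcome in records:
        st = per_pair[(src, dst)]
        st["n"] += 1
        st["snis"].add(sni)
        st["resets"] += outcome == "reset"
    flagged = {}
    for pair, st in per_pair.items():
        n = st["n"]
        if n < min_handshakes:
            continue  # too few handshakes to judge
        unique_ratio, reset_ratio = len(st["snis"]) / n, st["resets"] / n
        if unique_ratio >= min_unique_ratio and reset_ratio >= min_reset_ratio:
            flagged[pair] = {"handshakes": n, "unique_sni": len(st["snis"]),
                             "reset_ratio": round(reset_ratio, 2)}
    return flagged
```

A real deployment would also compare the SNI against the names in the certificate the server actually presented, since in this scheme the SNI carries data rather than the intended hostname.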
