The Inside Story of How Malware Abused Sixt.com and Breitling.com for Covert Command & Control Communication
Command and Control Communication via Legitimate Websites
In the realm of cyber threats, the misuse of reputable websites such as Sixt.com and Breitling.com for Command and Control (C2) communication is a prominent issue. This exploitation is often realized through what is known as a "watering hole" attack, where malefactors inject malicious scripts into respected and frequented websites, thereby transforming them into quasi-C2 servers.
An explicit instance of this can be discerned through the analysis of the 50.19.48[.]59 attack chain. The violated PaperCut server established a link with Sixt.com, a widely used car rental platform, which was manipulated by the infiltrators as a C2 server. A parallel scenario unfolded in the 192.184.35[.]216 attack chain, where the compromised server initiated a connection with Breitling.com, an esteemed luxury watchmaker's website.
This strategy of employing legitimate websites for C2 communication is increasingly favored among Advanced Persistent Threat (APT) groups. It allows these malicious entities to camouflage their nefarious traffic within regular online traffic, thus complicating detection efforts. The reality that these websites employ HTTPS further intensifies the challenge, as the encrypted data can effectively conceal C2 communication.
Recommendations
In light of the continuously evolving sophistication of cyber threats, it is incumbent upon organizations to embrace a multi-faceted approach to cybersecurity. This approach should comprise the maintenance of current patches across all systems, the performance of regular security evaluations, the utilization of threat intelligence feeds, and the deployment of advanced detection tools.
When considering the specific risk of PaperCut exploitation, organizations must ensure that their print management systems are routinely updated with the latest patches. Additional protective measures could include reducing the Internet-facing nature of such services to limit the attack surface. The implementation of intrusion detection systems (IDS) and intrusion prevention systems (IPS) can also provide a significant boost to early detection and prevention efforts.
In regards to watering hole attacks, it is advisable for organizations to invest in sophisticated detection systems capable of identifying unusual connections to external endpoints and analyzing encrypted network traffic. Equally crucial is the education of end users about the potential risks of visiting untrusted websites and the indispensable role of credible security software.
Ultimately, the adoption of a proactive and comprehensive cybersecurity strategy is a crucial step in safeguarding organizations against the ever-shifting landscape of threats. While complete immunity to cyber-attacks is unattainable, the overarching objective ought to be to increase the difficulty of the attackers' task, thereby diminishing the probability and potential impact of successful infiltrations.