Callbacks to command-and-control (C2) servers can be indicators of an early stage breach, or evidence of data exfiltration already in process. While callbacks to botnets can be very stealthy, advanced persistent threats (APTs) mean business! They usually begin with a phishing attack that installs malicious code onto an unsuspecting employee’s device through a browser extension, weaponized document or rogue software. The attacks are often extremely targeted toward employees that handle an organization’s critical information, such as financial data – typically in human resources or accounts payable departments. Once a machine is compromised, the hacker will ping the infected device for a callback to test the new connection and determine if the transmission will go undetected by the organization’s security. We often see these callback attempts in the form of zero-byte FTP file transfers or IRC communications. The majority of the time, these test transmissions go undetected over prolonged period or even indefinitely.
Boldened with success, the hackers carefully and slowly exfiltrate corporate data – credentials, financial data, employee records, and other sensitive information. Bad actors use these attacks to look for back-door access to corporate networks and are going beyond the typical fake log-in pages that attacks traditionally employ. The threat research team here at SlashNext detect a multitude of new attacks that do not involve fake logins every day. They include malicious browser extensions, rogue apps, social engineering scams, subsequent post-infection C2s, and tech support scams that lead to this remote backdoor access. C2 attacks are very hard to defend against with traditional network security solutions because of the stealthy and persistent nature of the hackers using these methods. Even popular data loss prevention (DLP) tools that are specifically designed to detect data leaks and exfiltration have severe limitations and therefore can’t prevent all data losses before they occur. In addition, DLP solutions are notoriously high maintenance, ineffective at stopping insider threats, hinder communications, and can slow systems down.
Just how prevalent are these C2 infections? In every client install we have performed – 100 percent! – we have detected C2 infections and callback threats. We’ve found, they simply are not being detected with the network security software organizations are utilizing – despite the wide-range of protection our customers use. The implications of these C2 infections is tremendous. Today, a bad actor can go to the dark web to buy access to an infected machine belonging to the organization they want to target. Every organization has employees and devices that have been infected. Information is often compromised and readily available for the buyers. All hackers have to do is pay a middleman for access. They don’t have to go to great lengths to try to scam you, because the compromised machines, often with malicious browser extensions installed, are already available for sale.
Much of the security industry tries to prevent phishing by examining URLs and domains. That technology is often neither accurate nor quick enough to detect new and fast-moving attacks. Our approach for detecting threats centers on the behavioral analysis of the web page content. If something looks suspicious, it’s loaded into a virtual browser session and renders the whole page, so our Session Emulation and Environment Reconnaissance (SEER™) threat detection technology can detect threats missed by URL inspection and domain reputation analysis.
SlashNext’s Real-Time Phishing Threat Intelligence is very easy to integrate, it’s generated in real-time and available through a REST API, covering all six major categories of phishing and social engineering threats:
- Credential Stealing
- Scareware
- Rogue Software
- Phishing Exploits
- Social Engineering Scams
- Phishing Callbacks (C2s)
The threat feed from this product is available in multi-formats (JSON, CSV, plaintext). It can be fed it to your SIEM for correlation, or firewalls to see how many infected machines exist in your organization. It can be used in your blocking infrastructure and integrated into a Threat Intelligence Platform (TIP) to become part of a unified blocking feed.
Remember, every new client that has used our products found out they were infected! 100 percent! Is your organization infected with a callback? There’s one easy way to find out… contact us!