Traffic Duplication

Information

• Name: Traffic Duplication

• ID: T1020.001

• Tactics: TA0010

• Technique: T1020

Introduction

Traffic Duplication (T1020.001) is a sub-technique categorized under MITRE ATT&CK's "Automated Exfiltration" (T1020). This technique involves adversaries duplicating network traffic from compromised systems or devices and forwarding copies of this traffic to attacker-controlled infrastructure. Attackers typically leverage this method to collect sensitive information, monitor network activity, or conduct reconnaissance without directly interacting with the victim's infrastructure, thus reducing their detection footprint and maintaining persistence.

Deep Dive Into Technique

Traffic duplication can be executed through multiple technical methods and mechanisms, including:

• Network Device Configuration:

  • Attackers may compromise network devices (routers, switches, firewalls) and modify their configurations to enable port mirroring or traffic duplication features.

  • Common network device features exploited include SPAN (Switched Port Analyzer), RSPAN (Remote SPAN), and ERSPAN (Encapsulated Remote SPAN).

• Host-Based Traffic Duplication:

  • Attackers may deploy malware or scripts on compromised hosts to duplicate incoming and outgoing network traffic.

  • Host-level duplication can be accomplished using packet capture tools (e.g., tcpdump, Wireshark command-line utilities), custom scripts, or kernel-level rootkits.

• In-Line Network Tap Devices:

  • Physical or virtual network taps may be installed by attackers with physical or privileged virtual access, duplicating traffic transparently to attacker-controlled endpoints.

• Software-Defined Networking (SDN) Exploitation:

  • Attackers may exploit SDN controllers or virtual switches to programmatically duplicate and forward network flows to attacker-controlled destinations.

Technical mechanisms typically involve:

• Packet duplication and encapsulation methods (e.g., GRE tunnels, VXLAN encapsulation).

• Use of encrypted channels (TLS/SSL tunnels, SSH tunnels) to securely forward duplicated data, making detection and analysis more challenging.

• Automation scripts or malware specifically designed to continuously capture and forward traffic, maintaining stealth and persistence.

When this Technique is Usually Used

Traffic duplication is typically employed during multiple phases of an attack lifecycle, including:

• Reconnaissance and Intelligence Gathering:

  • Attackers duplicate traffic to passively monitor network communications, identifying valuable targets, sensitive information, and network topology.

• Credential Harvesting:

  • Duplicated traffic containing authentication credentials or session tokens can be intercepted and analyzed to compromise additional systems or accounts.

• Data Exfiltration:

  • Attackers continuously duplicate and forward traffic containing sensitive documents, intellectual property, or personally identifiable information (PII) to external infrastructure.

• Persistence and Long-Term Espionage:

  • Attackers leverage traffic duplication to maintain persistent visibility into victim networks without direct interaction, reducing the likelihood of detection.

• Preparation for Further Attacks:

  • Traffic duplication provides attackers with insights into network defenses, user behavior, and internal communications, aiding in planning subsequent attack stages.

How this Technique is Usually Detected

Detection of traffic duplication typically involves a combination of network monitoring, anomaly detection, and configuration auditing:

• Network Monitoring and Traffic Analysis:

  • Deploying IDS/IPS systems, network flow analyzers, and packet capture solutions to identify abnormal traffic patterns or unexplained traffic duplication.

  • Monitoring for unusual outbound traffic flows, especially large volumes of duplicated packets directed toward suspicious or unknown external IP addresses.

• Anomaly Detection and Behavioral Analysis:

  • Using machine learning and behavioral analytics tools to detect deviations from baseline network behavior, such as sudden increases in traffic volume or anomalous traffic mirroring activities.

• Configuration Audits and Integrity Checks:

  • Regular audits of network device configurations (routers, switches, firewalls) to identify unauthorized configuration changes enabling traffic mirroring or duplication.

  • Implementing configuration management systems and change detection tools to alert on unauthorized modifications.

• Host-Based Detection:

  • Endpoint detection and response (EDR) solutions monitoring for suspicious processes or tools (e.g., tcpdump, Wireshark command-line utilities) executing unauthorized packet captures or traffic duplication.

  • File integrity monitoring (FIM) and kernel-level monitoring to detect unauthorized kernel modules or rootkits designed for traffic duplication.

Indicators of Compromise (IoCs) specific to this technique may include:

• Unexplained network configuration changes enabling SPAN, RSPAN, or ERSPAN.

• Unknown or unauthorized network tunnels (GRE, VXLAN, SSH tunnels) originating from internal devices.

• Presence of unauthorized packet capture tools or scripts on endpoint devices.

• High volumes of duplicated packets or data streams sent to external IP addresses or domains.

• Suspicious encrypted channels established from internal network devices to external infrastructure.

Why it is Important to Detect This Technique

Early detection and mitigation of traffic duplication are crucial due to the severe potential impacts on organizations, including:

• Sensitive Data Exposure:

  • Unauthorized duplication and exfiltration of sensitive information (PII, intellectual property, financial data, credentials) can lead to compliance violations, regulatory fines, and loss of customer trust.

• Credential Theft and Account Compromise:

  • Attackers capturing authentication credentials from duplicated traffic can escalate privileges, compromise additional systems, and extend their foothold within the network.

• Operational Disruption:

  • Persistent traffic duplication may negatively impact network performance, causing latency, congestion, and potential disruptions to critical business processes.

• Reduced Security Visibility:

  • Attackers passively duplicating traffic reduce their direct interaction footprint, making detection and attribution challenging if not actively monitored.

• Preparation for Advanced Persistent Threats (APT):

  • Traffic duplication is often an early-stage tactic employed by sophisticated threat actors to gather intelligence, plan future attacks, and maintain long-term espionage operations.

Detecting traffic duplication early allows organizations to respond swiftly, contain potential breaches, minimize data loss, and prevent further escalation of attacks.

Examples

Real-world examples of traffic duplication attacks include:

• APT41 Campaign (Operation ShadowHammer):

  • Attackers compromised network infrastructure, exploiting routers and switches to enable ERSPAN and duplicate traffic containing sensitive data.

  • Duplicated traffic was encapsulated in GRE tunnels and forwarded to attacker-controlled infrastructure, allowing persistent espionage and credential harvesting.

• VPNFilter Malware:

  • VPNFilter malware targeted routers and network devices, enabling passive traffic duplication and forwarding encrypted copies of network traffic to external command-and-control servers.

  • Attackers leveraged duplicated traffic for reconnaissance, credential theft, and intelligence gathering, impacting thousands of compromised devices globally.

• FIN7 Financial Cybercrime Group:

  • FIN7 attackers deployed custom malware and scripts on compromised hosts within financial institutions, capturing and duplicating sensitive transactional and authentication traffic.

  • Duplicated traffic was exfiltrated to attacker-controlled infrastructure, resulting in significant financial losses and compromised customer data.

• DarkHotel APT:

  • DarkHotel attackers compromised hotel network infrastructure to duplicate and intercept guest network traffic, gathering sensitive business intelligence and credentials from high-value targets.

  • Attackers utilized duplicated traffic to gain unauthorized access to corporate networks and conduct targeted espionage operations.

These examples highlight the diverse scenarios and significant impacts associated with traffic duplication attacks, underscoring the importance of proactive detection and mitigation strategies.