Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

Information

• Name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

• ID: T1048.002

• Tactics: TA0010

• Technique: T1048

Introduction

Exfiltration Over Asymmetric Encrypted Non-C2 Protocol (T1048.002) is a sub-technique within the MITRE ATT&CK framework that describes adversaries leveraging asymmetric encryption methods over non-command and control (non-C2) protocols to secretly exfiltrate sensitive information from compromised networks. Unlike symmetric encryption, asymmetric encryption uses separate keys for encryption and decryption, making detection and interception significantly more challenging. Adversaries often exploit legitimate, encrypted communication channels not typically associated with command and control traffic, such as secure email (PGP/GPG), HTTPS web services, or encrypted file transfers, to conceal their data exfiltration efforts.

Deep Dive Into Technique

This sub-technique involves adversaries employing asymmetric cryptographic methods to securely exfiltrate data without relying on traditional C2 channels. The core mechanism relies on using a public-private key pair:

• The adversary generates a public-private key pair and deploys the public key onto the compromised host.

• Sensitive data collected from victim systems is encrypted using the public key.

• The encrypted data is then exfiltrated through legitimate, encrypted communication channels that are not typically flagged as malicious—such as secure email (SMTP with PGP encryption), HTTPS-based file upload/download services, or encrypted cloud storage services.

• Once outside the victim network, adversaries decrypt the exfiltrated data using the private key, which remains securely in their possession.

Key technical details and execution methods include:

• Encryption Algorithms: Common algorithms include RSA, ECC (Elliptic Curve Cryptography), and ElGamal.

• Communication Channels: Leveraging non-C2 protocols such as secure email (SMTP with PGP), HTTPS-based web applications, secure FTP (SFTP), or cloud storage APIs (e.g., Dropbox, Box, Google Drive).

• Encryption Tools: Adversaries may utilize open-source encryption tools such as GPG, OpenSSL, or custom-built encryption utilities.

• Steganography and Obfuscation: Attackers may further obfuscate encrypted data by embedding it into legitimate files or communications, making detection even more challenging.

When this Technique is Usually Used

Adversaries commonly employ this sub-technique at various stages of their intrusion lifecycle, particularly during the data exfiltration phase. Typical scenarios include:

• Advanced Persistent Threat (APT) Operations: Nation-state or sophisticated threat actors commonly use asymmetric encryption to evade detection and attribution.

• Espionage Campaigns: Attackers targeting intellectual property, classified information, or sensitive business data leverage encrypted non-C2 channels to securely exfiltrate stolen information.

• Financially Motivated Cybercriminals: Attackers targeting financial institutions or payment card data may use asymmetric encryption to securely exfiltrate sensitive financial details.

• Insider Threat Scenarios: Malicious insiders may use asymmetric encryption to securely transfer sensitive data outside the corporate network, avoiding detection by traditional monitoring solutions.

• Post-Compromise Exfiltration: Following initial access and data collection, adversaries often use asymmetric encryption techniques to securely exfiltrate data without triggering alerts based on known malicious C2 traffic signatures.

How this Technique is Usually Detected

Detection of asymmetric encrypted exfiltration over non-C2 protocols can be challenging but can be accomplished through various methods:

• Network Traffic Analysis and Anomaly Detection:

  • Monitor and analyze encrypted traffic patterns, volume anomalies, and unusual data flows to external destinations.

  • Detect unusual usage of secure communication protocols (SMTP, HTTPS, SFTP) or cloud storage services.

  • Identify unusual or unexpected outbound connections to unknown or unauthorized external hosts.

• Endpoint Detection and Response (EDR):

  • Monitor endpoint processes and file system activities for suspicious encryption utilities (e.g., GPG, OpenSSL, custom encryption scripts).

  • Detect execution of encryption tools or scripts on endpoints that typically do not handle such operations.

  • Detect creation of large encrypted files or archives indicative of exfiltration preparation.

• Email Security Gateways and Content Inspection:

  • Inspect email attachments and content for encrypted files (PGP/GPG encrypted attachments).

  • Flag unusual email traffic patterns, particularly involving external recipients and large encrypted attachments.

• Cloud Access Security Brokers (CASB):

  • Monitor and analyze usage of cloud storage services, identifying unexpected upload/download of encrypted archives or files.

  • Detect anomalous user behavior when accessing cloud services, including unusual geographic locations or times.

• Indicators of Compromise (IoCs):

  • Presence of unexpected encryption tools or scripts on endpoints.

  • Unusual outbound network traffic patterns or large encrypted data transfers.

  • Suspicious email attachments or encrypted files sent to external addresses.

  • Logs showing repeated access or uploads to external encrypted file-sharing or cloud storage services.

Why it is Important to Detect This Technique

Detecting asymmetric encrypted exfiltration over non-C2 protocols is critical due to the severe impacts and potential damage to organizations:

• Sensitive Data Loss: Undetected exfiltration can lead to loss of intellectual property, trade secrets, classified information, personal identifiable information (PII), or financial records.

• Compliance and Regulatory Impact: Failure to detect and prevent unauthorized data exfiltration may result in significant compliance violations, regulatory fines, or legal consequences (e.g., GDPR, HIPAA, PCI DSS).

• Operational Disruption: Successful data exfiltration can lead to operational disruptions, loss of competitive advantage, and potential reputational damage.

• Difficulty in Attribution and Remediation: Encrypted exfiltration complicates incident response, forensic analysis, and attribution, increasing the cost and complexity of remediation efforts.

• Escalation of Intrusion: Early detection prevents adversaries from further expanding their foothold within the environment and limits potential lateral movement or privilege escalation activities.

Early detection enables organizations to implement timely containment and response measures, minimizing potential damage and protecting critical assets and sensitive information.

Examples

Real-world examples and scenarios involving exfiltration over asymmetric encrypted non-C2 protocols include:

• APT28 (Fancy Bear/Sofacy):

  • Utilized encrypted email (PGP/GPG) to exfiltrate sensitive data from targeted organizations, particularly in espionage campaigns against government and military entities.

  • Leveraged asymmetric encryption to securely transfer stolen documents, avoiding detection by traditional security mechanisms.

• APT29 (Cozy Bear):

  • Known for leveraging encrypted cloud services and secure web-based communication channels to exfiltrate encrypted data.

  • Employed asymmetric encryption tools to conceal sensitive information during exfiltration operations, making detection challenging.

• FIN7 Cybercrime Group:

  • Targeted financial institutions and retail organizations, using encrypted file transfer protocols (SFTP) and cloud storage services to exfiltrate payment card data and financial records.

  • Utilized asymmetric encryption to secure exfiltrated data, complicating detection and investigation.

• Operation Cloud Hopper (APT10):

  • Conducted cyber espionage operations against managed service providers (MSPs) and their clients.

  • Employed asymmetric encryption and secure web-based protocols (HTTPS) to securely exfiltrate sensitive intellectual property and confidential business information.

These real-world examples highlight the diverse range of attack scenarios, adversaries, tools, and methods associated with asymmetric encrypted exfiltration over non-C2 protocols, underscoring the critical importance of detection and mitigation strategies.