Information

• Name: Internal Proxy

• ID: T1090.001

• Tactics:

• Technique:

Introduction

Internal Proxy [T1090.001] is a sub-technique within the MITRE ATT&CK framework under the main technique Proxy (T1090). It involves adversaries leveraging internal proxy mechanisms to route communications through intermediary systems within the compromised environment. This method allows attackers to obscure malicious network traffic, evade detection, and maintain persistence by blending in with legitimate internal communications. Internal proxies can be existing infrastructure components or attacker-installed software that forwards traffic across internal assets.

Deep Dive Into Technique

Internal Proxy [T1090.001] focuses on adversaries' use of internal systems as proxies to redirect network traffic, masking their true source and destination. Attackers typically utilize the following mechanisms:

• Native Proxy Utilities:

  • Operating system-provided proxy tools or services such as Windows' built-in proxy settings or Linux-based proxy servers (e.g., Squid, SOCKS proxies).

  • Network appliances configured to relay traffic within the internal network.

• Attacker-Installed Proxy Software:

  • Custom-developed or open-source proxy tools (e.g., SOCKS proxy implementations like Dante, ProxyChains, or SSH dynamic port forwarding).

  • Malware modules explicitly designed to proxy internal communications.

• Network-Level Techniques:

  • Port forwarding via compromised hosts using SSH tunnels or netcat.

  • VPN pivoting techniques to route attacker traffic through compromised internal hosts, creating encrypted tunnels.

Attackers commonly leverage internal proxies to:

1. Conceal Command and Control (C2) traffic by routing it through legitimate internal hosts.

2. Access otherwise restricted internal network segments from a compromised host serving as a pivot.

3. Blend malicious network traffic with normal internal communications, complicating detection and attribution.

When this Technique is Usually Used

Internal Proxy [T1090.001] can appear at multiple stages of an attack lifecycle, notably:

• Initial Access and Reconnaissance:

  • Attackers establish internal proxies early to perform internal reconnaissance discreetly, mapping network architecture without raising suspicion.

• Lateral Movement:

  • Proxies facilitate lateral movement by allowing attackers to pivot through compromised hosts to reach isolated or segmented networks.

• Command and Control (C2) Communication:

  • Adversaries frequently route C2 traffic through internal proxies to obscure external connections and evade perimeter defenses.

• Data Exfiltration:

  • Internal proxies can relay stolen data to external hosts indirectly, bypassing direct outbound network monitoring and detection.

• Persistence and Defense Evasion:

  • Maintaining internal proxies enables attackers to persistently access compromised environments and evade detection by blending into legitimate internal network traffic patterns.

How this Technique is Usually Detected

Detection of Internal Proxy [T1090.001] relies on monitoring, analyzing, and correlating network and host-level activities. Effective detection methods include:

• Network Monitoring and Analysis:

  • Identifying unusual internal-to-internal network traffic patterns, especially between hosts that typically do not communicate.

  • Monitoring for unexpected proxy protocol usage (e.g., SOCKS, HTTP CONNECT) within the internal network.

• Endpoint Detection and Response (EDR) Tools:

  • Detecting unexpected usage of proxy-related command-line utilities or software installations.

  • Identifying processes that open unusual network ports or initiate unexpected connections.

• Behavioral Anomaly Detection:

  • Utilizing machine learning or anomaly detection systems to spot deviations from standard internal traffic baselines.

  • Observing abnormal data flows, connection durations, or unusual volume of internal traffic indicative of proxy activities.

• Log Analysis and SIEM Correlation:

  • Reviewing logs from hosts, firewalls, and network devices to detect suspicious proxy configurations or unexpected SSH tunnels.

  • Correlating internal communication patterns with known malicious indicators.

Specific Indicators of Compromise (IoCs) include:

• Unusual internal ports open for listening or forwarding traffic (e.g., port 1080 for SOCKS proxies).

• Presence of proxy software binaries or configurations not approved by IT or security teams.

• Logs indicating unexpected SSH tunneling or dynamic port forwarding activities.

• Endpoint logs showing processes initiating connections to multiple internal systems in atypical patterns.

Why it is Important to Detect This Technique

Detecting Internal Proxy [T1090.001] is critical due to its significant impact on cybersecurity posture and operational security. The importance of early detection includes:

• Preventing Lateral Movement:

  • Early detection can disrupt attackers' ability to pivot through internal networks, limiting the scope and severity of compromise.

• Reducing Data Exfiltration Risk:

  • Identifying internal proxies early can prevent attackers from exfiltrating sensitive data through internal relay points, protecting critical organizational assets.

• Minimizing Attack Persistence:

  • Disrupting proxy mechanisms reduces attackers' ability to maintain persistent, hidden access within the network.

• Improving Incident Response Efficiency:

  • Early detection and identification simplify incident response efforts by clearly delineating compromised assets and reducing the complexity of remediation.

• Maintaining Regulatory and Compliance Standards:

  • Timely detection ensures compliance with regulatory requirements and standards, preventing legal, financial, and reputational consequences.

Examples

Real-world examples of Internal Proxy [T1090.001] include:

• APT10 (MenuPass):

  • Utilized SOCKS proxies and SSH tunneling to route C2 communications internally, pivoting across compromised hosts to reach sensitive network segments. This tactic allowed APT10 to evade detection and maintain persistent access in targeted networks.

• FIN7 Cybercrime Group:

  • Leveraged internal proxies and SSH tunnels to facilitate lateral movement and exfiltration of payment card data from compromised retail and hospitality networks. FIN7 frequently used tools such as Cobalt Strike and custom scripts to establish internal proxy connections.

• Operation Cloud Hopper:

  • Attackers extensively utilized internal proxies to navigate compromised Managed Service Providers (MSPs) networks, pivoting into customer environments and exfiltrating sensitive intellectual property and confidential data. SSH tunnels and SOCKS proxies were instrumental in obfuscating attacker activities.

• NotPetya Malware Attack:

  • Incorporated internal proxy techniques through compromised hosts, facilitating lateral movement and rapid propagation within affected networks. Attackers used built-in tools and scripts to relay commands and malware payloads internally, amplifying the attack's impact.

Tools commonly associated with Internal Proxy [T1090.001] include:

• ProxyChains: A Linux-based tool used to route TCP connections through SOCKS proxies.

• Plink (PuTTY Link): An SSH client utility often utilized by attackers to establish SSH tunnels and dynamic port forwarding.

• Ngrok and similar tunneling services: Used to expose internal proxy endpoints externally, bypassing firewall restrictions.

These examples highlight the significant operational and security impacts posed by internal proxies, underscoring the importance of proactive monitoring and detection efforts.