discord

Domain Fronting

Domain Fronting [T1090.004]

Information

  • Name: Domain Fronting

  • ID: T1090.004

  • Tactics: TA0011

  • Technique: T1090

Introduction

Domain Fronting (T1090.004) is a sub-technique within the MITRE ATT&CK framework under the "Proxy" (T1090) technique. It involves attackers using legitimate, trusted domains as a front to mask or redirect malicious network traffic. By leveraging Content Delivery Networks (CDNs) or cloud service providers that host multiple domains behind shared IP addresses, attackers can route their malicious communication through benign infrastructure, effectively bypassing network security mechanisms and obscuring their true command-and-control (C2) infrastructure.

Deep Dive Into Technique

Domain Fronting works by manipulating the HTTP Host header and the TLS Server Name Indication (SNI) extension during the handshake process. Typically, this involves:

  • Establishing a secure TLS connection to a legitimate domain hosted by a CDN or cloud provider using a benign domain name in the TLS SNI field.

  • After the secure connection is established, sending HTTP requests with a different domain specified in the HTTP Host header. This second domain is the actual intended destination (often attacker-controlled), hidden behind the trusted infrastructure.

Technical execution details include:

  • TLS Handshake Manipulation: Attackers specify a legitimate, trusted domain in the TLS SNI extension, ensuring the connection is established through a trusted CDN or cloud provider.

  • Host Header Modification: Once the encrypted channel is established, attackers change the HTTP Host header to route traffic internally to a malicious backend domain hosted on the same CDN or cloud infrastructure.

  • Shared Infrastructure Exploitation: Attackers exploit the fact that many legitimate domains and malicious domains share the same IP addresses and infrastructure on popular CDN providers such as Amazon CloudFront, Azure CDN, Google Cloud Platform, and Akamai.

  • Encryption and Obfuscation: All traffic remains encrypted, making standard network inspection techniques ineffective without advanced TLS interception and inspection.

Real-world procedures often involve attackers deploying tools such as Tor, Cobalt Strike, or custom-built malware that supports Domain Fronting techniques to evade detection and attribution.

When this Technique is Usually Used

Domain Fronting is typically employed in various attack scenarios and stages, including:

  • Command and Control (C2) Communication: Attackers leverage Domain Fronting to mask malicious C2 traffic, making it appear as legitimate, trusted traffic.

  • Data Exfiltration: Attackers use Domain Fronting to transfer stolen data through benign domains, bypassing traditional network defenses.

  • Initial Access and Persistence: After initial compromise, attackers may establish persistent communication channels via Domain Fronting to maximize stealth.

  • Evasion of Network Security Controls: Attackers use Domain Fronting to bypass firewalls, proxies, intrusion detection systems (IDS), and intrusion prevention systems (IPS) that rely on domain-based or IP-based filtering.

How this Technique is Usually Detected

Detection of Domain Fronting can be challenging due to encryption and legitimate infrastructure usage. However, several detection methods and indicators of compromise (IoCs) include:

  • TLS Inspection and Analysis: Implementing deep packet inspection (DPI) and TLS interception can help identify mismatches between TLS SNI and HTTP Host headers.

  • Host Header and SNI Mismatch Detection: Monitoring and alerting on discrepancies between TLS SNI fields and HTTP Host headers can indicate Domain Fronting attempts.

  • Traffic Anomaly Detection: Using behavioral analytics and anomaly detection tools to identify unusual traffic patterns, such as sudden spikes in encrypted traffic to known CDN IP ranges.

  • Endpoint Detection and Response (EDR): Leveraging EDR solutions to detect suspicious processes or software communicating with known CDN or cloud IP addresses.

  • Threat Intelligence Integration: Incorporating threat intelligence feeds to identify known malicious domains and CDN infrastructure frequently abused by attackers.

  • Network Monitoring and Logging: Comprehensive network logging and analysis, particularly focusing on outbound encrypted traffic to CDN IP ranges.

Specific IoCs include:

  • Connections to CDN IP addresses combined with mismatched TLS SNI and HTTP Host headers.

  • Frequent encrypted traffic to CDN providers without clear business justification.

  • Unusual HTTP headers or User Agent strings indicative of common Domain Fronting tools (e.g., known malware or penetration testing frameworks).

Why it is Important to Detect This Technique

Early detection of Domain Fronting is critical due to several potential impacts on systems and networks:

  • Bypass of Security Controls: Domain Fronting allows attackers to evade traditional perimeter defenses, firewalls, IDS/IPS, and proxy-based filtering, significantly increasing the difficulty of detection.

  • Data Exfiltration Risk: Attackers can leverage Domain Fronting to exfiltrate sensitive data undetected, leading to severe data breaches and compliance violations.

  • Persistent and Stealthy Communication: Attackers can maintain long-term, stealthy communication channels with compromised systems, prolonging the dwell time and complicating response efforts.

  • Difficulty in Attribution: Domain Fronting complicates attribution efforts, as attackers utilize legitimate, trusted infrastructure, making it harder to identify the true source of malicious traffic.

  • Potential for Further Compromise: Undetected Domain Fronting can facilitate additional malicious activities, such as lateral movement, privilege escalation, and deployment of ransomware or advanced persistent threats (APTs).

Examples

Real-world examples of Domain Fronting usage include:

  • APT29 (Cozy Bear): Known for leveraging Domain Fronting techniques to conceal C2 traffic. They used legitimate cloud services such as Google App Engine and Amazon CloudFront to mask malicious communication during cyber espionage campaigns.

    • Tools Used: Custom malware, Cobalt Strike framework.

    • Impact: Compromise of sensitive government and private-sector information, prolonged dwell times, and significant challenges in attribution.

  • Tor Project Usage: Historically, the Tor network utilized Domain Fronting to bypass censorship and network filtering, routing traffic through legitimate CDN providers to evade detection.

    • Tools Used: Tor Browser, pluggable transports.

    • Impact: Allowed users in restrictive regions to access blocked content, but also demonstrated potential misuse by malicious actors.

  • Cobalt Strike Framework: Penetration testers and adversaries frequently use Cobalt Strike's built-in Domain Fronting capabilities to conduct stealthy command-and-control operations.

    • Tools Used: Cobalt Strike Beacon, Metasploit Framework.

    • Impact: Successful evasion of network detection, enabling persistence, lateral movement, and data exfiltration.

  • Phishing Campaigns: Attackers have leveraged Domain Fronting in phishing campaigns to deliver payloads and establish persistent communication channels, exploiting trusted CDN providers to bypass email security gateways.

    • Tools Used: Custom payloads, phishing kits.

    • Impact: Credential theft, malware infections, and unauthorized access to sensitive information.

These examples highlight the versatility and effectiveness of Domain Fronting as a technique, underscoring the importance of robust detection and mitigation strategies.

Last updated

Was this helpful?