Multi-hop Proxy (T1090.003)

Information

• Name: Multi-hop Proxy

• ID: T1090.003

• Tactics:

• Technique:

Introduction

Multi-hop Proxy (T1090.003) is a sub-technique within the MITRE ATT&CK framework under the "Proxy" technique (T1090). It involves adversaries routing their network traffic through multiple intermediary proxies or nodes to obscure their source IP address and hide their true origin. By leveraging multiple hops, attackers significantly complicate attribution efforts, evade detection, and maintain anonymity throughout their malicious activities.

Deep Dive Into Technique

Multi-hop proxying involves routing network traffic through a series of intermediate proxies or nodes, each adding another layer of complexity and obfuscation. Attackers typically chain together multiple proxy servers or compromised hosts, creating a multi-layered connection path that makes tracing back to the original source extremely challenging.

Technical execution methods and mechanisms include:

• Proxy Chains:

  • Attackers configure proxy chains by connecting sequentially through multiple proxy servers.

  • Each proxy forwards traffic to the next proxy in the chain, masking the original IP address.

  • Tools such as ProxyChains, Tor, and custom scripts are commonly used to establish these chains.

• Compromised Hosts as Intermediaries:

  • Attackers may exploit and compromise legitimate hosts to serve as intermediary nodes.

  • Compromised hosts relay attacker traffic, making attribution difficult and increasing the complexity of forensic investigations.

• Tor Network Usage:

  • The Tor network provides built-in multi-hop routing, encryption, and anonymity.

  • Attackers leverage Tor to hide their identity and location, making detection and attribution more difficult.

• VPN Chaining:

  • Attackers may use multiple VPN services sequentially, creating layered VPN tunnels.

  • Each VPN adds another layer of encryption and IP obfuscation.

• SSH Tunneling and Port Forwarding:

  • Attackers utilize SSH tunnels and port forwarding through multiple compromised hosts.

  • SSH-based multi-hop connections provide encrypted channels that obscure attacker activity.

Real-world procedures attackers follow include:

1. Identifying and compromising vulnerable hosts or servers to serve as proxies.

2. Configuring proxy chains or tunnels through multiple compromised devices.

3. Routing malicious traffic through these chains to hide their true origin.

4. Rotating proxies frequently to complicate detection and attribution efforts.

When this Technique is Usually Used

Attackers commonly employ multi-hop proxying in various attack scenarios and stages, including:

• Initial Access and Reconnaissance:

  • Attackers hide their identity and location while scanning networks and probing for vulnerabilities.

• Command and Control (C2) Communications:

  • Attackers obscure their C2 infrastructure by routing communications through multiple proxies, making detection and takedown difficult.

• Exfiltration of Data:

  • Attackers route stolen data through multiple proxies, complicating efforts to track data exfiltration paths.

• Persistent Access and Lateral Movement:

  • Attackers maintain persistent access by communicating through proxy chains, evading monitoring systems.

• Advanced Persistent Threat (APT) Operations:

  • Sophisticated threat actors commonly use multi-hop proxies to mask their identity and complicate attribution.

• Cybercrime Operations:

  • Cybercriminals conducting ransomware attacks, financial fraud, or espionage frequently use proxy chains to hide their infrastructure.

How this Technique is Usually Detected

Detecting multi-hop proxy usage is challenging but achievable through multiple approaches, including:

• Network Traffic Analysis:

  • Identify unusual network traffic patterns, such as repeated and sequential connections through unusual or geographically dispersed IP addresses.

  • Detect abnormal latency or packet delays indicative of multiple proxy hops.

• Endpoint Detection and Response (EDR):

  • Monitor endpoints for suspicious proxy configurations, unusual SSH connections, or VPN client installations.

  • Detect tools commonly associated with multi-hop proxying (e.g., ProxyChains, Tor clients).

• Behavioral Analytics and Anomaly Detection:

  • Utilize analytics and machine learning to detect deviations from normal network behavior, such as unusual traffic flows or unexpected encrypted tunnels.

  • Alert on anomalous user or system behaviors associated with proxy usage.

• Log Analysis and Correlation:

  • Correlate logs from firewalls, proxies, VPN servers, and endpoints to identify repeated patterns indicative of multi-hop proxy chains.

  • Detect repeated failed connections or frequent IP rotation, which may suggest proxy chaining.

• Threat Intelligence and Indicators of Compromise (IoCs):

  • Incorporate threat intelligence feeds to identify known malicious proxy IP addresses.

  • Monitor for known proxy tools, unusual SSH keys, or VPN client artifacts on endpoints.

Specific Indicators of Compromise (IoCs) include:

• Unusual outbound traffic to known proxy or anonymizing services.

• Presence of tools such as ProxyChains, Tor binaries, or VPN software on compromised hosts.

• SSH sessions with multiple sequential hops or unusual port forwarding configurations.

• Frequent changes in IP addresses or geographical locations within short periods.

Why it is Important to Detect This Technique

Early detection of multi-hop proxy usage is critical due to the following potential impacts:

• Attribution Difficulty:

  • Multi-hop proxies significantly complicate attribution, making it challenging to identify the true source of attacks and respond effectively.

• Prolonged Attacker Presence:

  • Undetected proxy chains allow attackers to maintain persistent and stealthy access, enabling extended reconnaissance, lateral movement, and data exfiltration.

• Data Exfiltration Risk:

  • Attackers using multi-hop proxies can exfiltrate sensitive data undetected, leading to severe data breaches and regulatory consequences.

• Increased Incident Response Complexity:

  • Incident response and forensic investigations become more complex and resource-intensive when attackers leverage multi-hop proxies, requiring extensive analysis to trace attack paths.

• Reduced Effectiveness of Security Controls:

  • Traditional security controls may be bypassed or rendered ineffective, as proxy chains obscure malicious traffic and evade detection by perimeter defenses.

Detecting multi-hop proxies early allows security teams to:

• Mitigate threats promptly and reduce potential damage.

• Improve incident response efficiency and effectiveness.

• Enhance attribution capabilities, aiding law enforcement and threat intelligence efforts.

• Strengthen overall security posture by identifying infrastructure vulnerabilities and improving defenses.

Examples

Real-world examples demonstrating the use of multi-hop proxies include:

• APT29 (Cozy Bear):

  • Known to use extensive proxy chains and compromised hosts to route C2 communications, complicating attribution efforts during espionage operations.

  • Leveraged Tor and VPN services to obscure attacker infrastructure during targeted campaigns.

• APT28 (Fancy Bear):

  • Frequently employed multi-hop proxies and VPN services to hide their true location and evade detection during political espionage and targeted phishing campaigns.

• FIN7 Cybercrime Group:

  • Utilized multi-hop SSH tunnels and compromised infrastructure to route malicious traffic and exfiltrate stolen financial data from targeted organizations.

• Operation Cloud Hopper:

  • Attackers used multi-hop proxy chains and compromised cloud service providers to infiltrate managed service providers (MSPs), ultimately targeting multiple end-customer networks.

• Ransomware Operators (e.g., REvil, Conti):

  • Routinely utilized Tor and VPN chaining to anonymize their ransomware infrastructure, complicating law enforcement efforts and incident response.

Tools commonly associated with multi-hop proxy usage in real-world scenarios:

• ProxyChains: A widely used Linux tool for routing traffic through multiple proxies.

• Tor Network: Provides built-in multi-hop anonymous routing capability.

• SSH Dynamic Port Forwarding: Attackers use SSH tunnels through compromised hosts to establish encrypted multi-hop proxy connections.

• Multiple VPN Services: Attackers chain VPN services sequentially to obfuscate their IP addresses and locations.

Impacts observed in these real-world examples included:

• Significant delays in incident response and attribution.

• Successful exfiltration of sensitive data and intellectual property.

• Long-term persistent access and lateral movement within compromised environments.

• High-profile breaches causing reputational damage, financial loss, and regulatory penalties.