External Proxy
External Proxy [T1090.002]
Last updated
External Proxy [T1090.002]
Last updated
Name: External Proxy
ID: T1090.002
Tactics:
Technique:
External Proxy (T1090.002) is a sub-technique within the MITRE ATT&CK framework, categorized under the broader technique of Proxy (T1090). Attackers leverage external proxies—servers or services outside the victim's internal network—to mask their true origins, maintain anonymity, evade detection, and bypass network defenses. By routing their network traffic through external proxy servers, adversaries obscure their IP addresses, complicating attribution and detection efforts by defenders.
External Proxy techniques involve attackers utilizing external servers or proxy services hosted outside the target organization's infrastructure. These proxies can be publicly available services, compromised third-party servers, or attacker-controlled dedicated infrastructure. Key technical details include:
Proxy Types:
HTTP/HTTPS proxies: Commonly used to route web traffic, providing anonymity and helping bypass URL filtering and web-based security controls.
SOCKS proxies: Generic proxy protocols capable of routing various types of network traffic, including SSH, FTP, and other TCP-based protocols.
VPN services: Attackers may use commercial or free VPN services to encrypt and anonymize their traffic, making detection and attribution more challenging.
Tor Network: Leveraged for anonymity, attackers use Tor as an external proxy to route traffic through multiple nodes, making tracing difficult.
Execution Methods:
Attackers configure tools and malware to connect directly through external proxies.
Malware or scripts may dynamically select proxies to avoid detection and blacklisting.
Adversaries can chain multiple proxies (proxy chaining) to further increase complexity of detection and attribution.
Mechanisms:
Proxy servers relay requests from the attacker to the victim system, masking the original source IP.
Encryption and encapsulation techniques (e.g., SSL/TLS) are often combined with external proxies to evade inspection by network security tools.
Attackers may frequently rotate or change proxies to avoid detection by IP-based blacklisting or reputation-based security solutions.
Real-world Procedures:
Attackers commonly deploy external proxies during reconnaissance, initial access, command-and-control (C2) communications, and data exfiltration phases.
Malware families and advanced persistent threat (APT) groups often embed proxy configurations or commands within their infrastructure to maintain operational security.
External Proxy usage is prevalent throughout multiple stages of the cyber-attack lifecycle:
Initial Reconnaissance:
Attackers hide their scanning and enumeration activities behind external proxies to evade detection.
Proxies allow attackers to perform extensive reconnaissance without directly exposing their infrastructure.
Initial Access and Exploitation:
Exploitation attempts, such as vulnerability scanning and brute-force attacks, often originate from external proxies to obscure attacker identity.
Command-and-Control (C2) Communications:
Malware commonly communicates through external proxies to mask attacker-controlled infrastructure.
Attackers use proxies to bypass network perimeter defenses and evade IP-based blocking mechanisms.
Lateral Movement and Persistence:
Attackers may route lateral movement activities through external proxies, especially when targeting cloud or hybrid environments, to evade internal monitoring.
Data Exfiltration:
Attackers utilize external proxies to exfiltrate sensitive data covertly, making attribution and detection significantly more challenging.
Detection of External Proxy techniques typically involves monitoring network traffic patterns, behavioral analysis, and threat intelligence:
Network Traffic Analysis:
Identify unusual outbound connections to known external proxy services or IP addresses.
Detect sudden spikes in encrypted traffic (HTTPS, SSH, VPN) to unknown external destinations.
Behavioral Analysis and Anomaly Detection:
Baseline normal network traffic patterns, then detect deviations indicative of proxy usage.
Analyze session durations, connection intervals, and bandwidth consumption anomalies.
Security Tools and Solutions:
Web proxies and firewall logs can detect connections to known proxy IP addresses or domains.
Intrusion Detection Systems (IDS)/Intrusion Prevention Systems (IPS) signatures detect known proxy protocols (SOCKS, HTTP CONNECT) and suspicious tunneling activities.
Endpoint Detection and Response (EDR) solutions can identify processes initiating unusual outbound connections indicative of external proxy usage.
Threat Intelligence and IoCs:
Utilize threat intelligence feeds to identify known malicious or suspicious proxy infrastructure.
Indicators of Compromise (IoCs) often include known proxy IP addresses, domains, URLs, and infrastructure fingerprints.
Early detection of External Proxy usage is crucial due to its significant impacts on organizational security:
Reduced Visibility and Attribution:
Attackers leveraging external proxies obscure their true location and identity, complicating attribution and response activities.
Proxy usage diminishes defenders' visibility into attacker infrastructure and tactics, techniques, and procedures (TTPs).
Bypassing Security Controls:
External proxies allow attackers to circumvent perimeter security measures, such as IP-based blocking, geolocation filtering, and blacklisting.
Encrypted proxy traffic limits the effectiveness of traditional inspection methods, increasing the difficulty of detection.
Data Exfiltration and Loss:
Attackers frequently use external proxies to covertly exfiltrate sensitive data, leading to significant financial, operational, and reputational damage.
Early detection mitigates potential data breaches and reduces the overall impact of cyber incidents.
Persistent Access and Lateral Movement:
Attackers using external proxies can maintain persistent access and conduct lateral movement undetected, extending dwell time within victim environments.
Early identification of proxy usage reduces attackers' operational capabilities and limits their ability to achieve objectives.
Real-world examples demonstrating the usage of External Proxy techniques include:
APT29 (Cozy Bear):
Known to leverage external proxies and VPN services to mask their command-and-control infrastructure.
Utilized external proxies during the SolarWinds supply chain compromise to evade detection and attribution.
FIN7 Cybercriminal Group:
Frequently used external proxy servers and VPN services to anonymize their reconnaissance, exploitation, and data exfiltration activities.
Employed SOCKS proxies to route malware command-and-control communications, complicating defender response.
Operation Cloud Hopper (APT10):
Leveraged external proxies and VPN infrastructure to conduct attacks against managed service providers (MSPs), obscuring attribution and evading detection.
Used external proxies extensively during reconnaissance and lateral movement phases.
Cobalt Strike Framework:
Attackers commonly configure Cobalt Strike beacon payloads to communicate via external proxies (HTTP/SOCKS), masking their infrastructure and activities.
Widely adopted by various threat actors, facilitating covert C2 communications and data exfiltration.
TrickBot Malware:
Routinely utilizes external proxy servers to relay command-and-control communications and exfiltrate sensitive information.
Employs dynamic proxy selection and rotation to evade detection and maintain operational security.
These examples illustrate the prevalence and versatility of External Proxy techniques across diverse threat actors, emphasizing the importance of robust detection and mitigation strategies.