A quick IT guide for conducting a vulnerability assessment.

Google Chrome, Adobe Acrobat Reader, TeamViewer, you name it—there’s no shortage of third-party apps that IT teams need to constantly check for vulnerabilities. But to get a better picture of the problem, let’s bust out some napkin math.  

The average company uses about 200 applications overall. Assuming at least 75% of these have a vulnerability at any given time, small security teams are tasked with finding and prioritizing over 150 vulnerabilities on a rolling basis.  

If you’re not using a comprehensive tool like ThreatDown Vulnerability Assessment (free for all ThreatDown users), it’s going to take a solid combo of resourcefulness and patience to do that much vulnerability assessment on your own. 

With that in mind, we’ve compiled this list of the five things IT teams need to do in order to find vulnerabilities in their environment.

****Vulnerability Assessment: A Step-by-Step Guide******1\. Cataloging Applications**

The crucial first step involves cataloging every application within the IT environment. This foundational task, akin to a thorough inventory check, is essential for identifying potential security issues.

**2\. Software Version Analysis**

It’s not just about identifying the applications but also understanding their versions. 

Why? Because you’re not just looking for vulnerabilities in one version of 7-Zip; to see if you’re truly affected, you’ll need to match your list of applications against vulnerabilities across different versions, such as 3.5 or 3.7.4. Not to mention that if your organization’s workforce doesn’t require regular updates of important software, then you might find countless versions of the same app dating back to the longest-term employees.  

**3\. Correlating with CVE Databases**

Matching the cataloged applications and their versions against entries in Common Vulnerabilities and Exposures (CVE) databases is the next critical step. This process helps in pinpointing specific vulnerabilities applicable to the software in use.

Here’s the play-by-play: 

1.  Go to https://cve.mitre.org/cve/search\_cve\_list.html  
2.  Type in the application you want vulnerability info on in the search bar. 
3.  Pinpoint whether the vulnerability impacts the specific version of the software that’s present throughout your network. 
4.  Rinse and repeat. 

**4\. Prioritizing Threats**

This type of repetitive, sometimes monotonous work isn’t just about identifying a CVE—it’s also about determining its severity. After identifying potential vulnerabilities, the next challenge is to prioritize them by CVSS and by asking questions that should inform you and your team about the best response. This includes questions like: 

*   Is the vulnerability being actively exploited in the wild?  
*   Is the CVE impacting critical tools or areas? 
*   How important is the affected asset in maintaining operational continuity? 

**5\. Routine Vulnerability Assessment**

Remember, this is not a one-time task. You don’t just run vulnerability assessment once a year, or even once a month; you should be doing this on a daily basis. Why? Because every day counts. New CVEs are constantly popping into existence left and right, and if you’re not on top of them, you could be the target of an attack.

For teams seeking a more streamlined approach, the ThreatDown Vulnerability Assessment tool offers a solution. 

**Single, Lightweight Agent**

To simplify security and reduce costs, Vulnerability Assessment deploys easily in minutes without a reboot, using the same agent and cloud-based console that powers all ThreatDown endpoint security technologies.

**Quick Vulnerability Scans**

Identifies vulnerabilities in modern and legacy applications in less than a minute.

**Accurate severity ratings**

Utilizes the Common Vulnerability Scoring System (CVSS) and Cybersecurity and Infrastructure Security Agency (CISA) recommendations to evaluate and rank vulnerabilities for proper prioritization.

**Security Advisor Integration**

Our Security Advisor tool to analyzes an organization’s cybersecurity health—such as by assessment of current inventory and which assets are vulnerable—and generates a score based off what it finds. To improve the endpoint security health score, Security Advisor delivers recommendations to address discovered vulnerabilities: patching, updates, or policy changes.

**Vulnerability Assessment Doesn’t Have To Be Hard**

While manually identifying vulnerabilities in third-party applications is a demanding task, following these structured steps can make the process more manageable. However, for ThreatDown customers, the ThreatDown Vulnerability Assessment tool is a valuable alternative.

The ThreatDown Vulnerability Assessment tool simplifies the process with features like a lightweight agent, quick vulnerability scans, accurate severity ratings based on CVSS and CISA guidelines, and integration with Security Advisor for tailored recommendations.

Try ThreatDown Vulnerability Assessment today.

Interested in adding Patch Management capabilities as well? Check out our Advanced, Ultimate, and Elite Bundles.

 How IT teams can conduct a vulnerability assessment for third-party applications 

Microsoft announced it will offer a similar extended security updates program for Windows 10 as it did for Windows 7

The day that Windows 10 machines will get their last security updates is set for October 14, 2025. So if you want to stay secure, you’d have to upgrade to a newer version. Either to Windows 11, which is not all that different, but more demanding when it comes to system requirements. Or to the rumored Windows 12 which might be out by then.

Despite the fact that Windows 11 has been around for a while, market share would have it that Windows 10 is still far more popular. Windows 11 shows a slight increase in usage, but not a very significant one.

Which is strange, since apart from the surprising Copilot introduction, Windows 10 hasn’t seen any major changes. But some people don’t like changes that much. Once they are used to something they want to keep it that way.

So, it makes sense that, similar to the extended security updates program Microsoft offered Windows 7 users years ago, it will now introduce a similar extension program for Windows 10.

The extended security update (ESU) program for Windows 10 is mentioned almost as a footnote in the options users have when end of support (EOS) for Windows 10 comes to light. The suggestions Microsoft offers first are:

*   Upgrade eligible PCs to Windows 11.
*   Purchase new Windows 11 machines.
*   Migrate to the cloud and subscribe to Windows 365.

But how much will the ESU program cost you? Microsoft says that pricing will be provided at a later date. But if the costs for Windows 7 were any indication, the first year came at $70 and doubled each consecutive year, so the third (and last) year was priced at $280. And that was just for security updates. ESUs do not include new features, customer-requested non-security updates, or design change requests.

What will be different this time is that home users will also be able to buy the ESU subscriptions.

Jason Leznek, Principal Product Manager for Windows Servicing and Delivery said:

> “Stay tuned for more ESU program updates as we approach availability, including an ESU program for individual consumers.”

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 Windows 10 gets its own extended security updates program 

CISA has published an advisory about a vulnerability in Adobe Coldfusion used in two attacks against federal agencies.

The Cybersecurity and Infrastructure Security Agency (CISA) put out a Cybersecurity Advisory (CSA) to alert government agencies about cybercriminals using a vulnerability in Adobe Coldfusion to gain initial access to servers.

Adobe ColdFusion is a platform for building and deploying web and mobile applications. It can often be found on internet-facing servers.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The exploited vulnerability is listed as CVE-2023-26360, which affects Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier). The vulnerability is an Improper Access Control vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction.

A patch for this vulnerability has been available since March 14, 2023. As we reported at the time, Adobe stated it was aware  that CVE-2023-26360 had been exploited in the wild in very limited attacks.

The due date for patching the vulnerability set by CISA was April 5, 2023. The problem is that the vulnerability also affects ColdFusion 2016 and ColdFusion 11 installations, which have reached end-of-life (EOL) and are no longer supported with security patches.

According to the CSA, CISA now has confirmation that the vulnerability has been used in attacks on two Federal Civilian Executive Branch (FCEB). An analysis of network logs has reportedly confirmed the compromise of at least two public-facing servers within agencies’ environments between June and July 2023. Both servers were running outdated versions of the software that were vulnerable due to several unpatched flaws.

The investigation learned that it was a reconnaissance attack, and there was no evidence of data theft or lateral movement in the network. After initial access, the criminals started process enumeration to obtain currently running processes on the web server and performed a network connectivity check, likely to confirm their connection was successful.

In the CSA, CISA shares several indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) used in the two attacks. It is not clear whether they were done by the same threat actor.

**Mitigation**

CISA recommends organizations:

*   Upgrade all versions affected by this vulnerability.
*   Prioritize remediation of vulnerabilities on internet-facing systems.
*   Prioritize secure-by-default configurations, such as eliminating default passwords and implementing single sign-on (SSO) technology via modern open standards.
*   Employ proper network segmentation, to separate internet-facing servers from systems that are crucial or contain sensitive information.
*   Deploy application-aware network defenses to block improperly formed traffic and restrict content.

And a lot of other security measures that are less threat-specific.

From our end we’d like to add:

*   **Block common forms of entry.** Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
*   **Prevent intrusions.** Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
*   **Detect intrusions.** Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption.** Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups.** Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

 Adobe Coldfusion vulnerability used in attacks on government servers 

Accounting software provider Tivalti is investigating ALPHV/BlackCat claims it was breached. In a typical supply-chain attack ALPHV  is threatening some of their customers like Roblox and Twitch

Accounting software provider Tipalti says it is investigating a claim by ransomware group ALPHV that they have gained access to Tipalti’s systems.

Tipalti makes software for accounting and payment automation and has some big names among its customers. In what seems to be a typical supply chain attack, ALPHV aka BlackCat are now threatening some Tipalti customers, including Roblox and Twitch:

> “We are systematically reaching out to affected clients of Tipalti, the first batch (consisting of organizations with the most data exfiltrated), have been sent communications requesting initial contact.”

Organizations who share these file lists, samples or notes with Tipalti run the risk of having their data leaked immediately.

The ransomware group claim to have had access since September 8, 2023. Since then, they say they have stolen 265 GB of data, including data for Twitch and Roblox, who they say they will extort separately.

_Screenshot of the ALPHV leak site_

A Roblox spokesperson told BleepingComputer that the company is working with Tipalti to investigate the claims, but is currently unaware of any impact on its systems. The spokesperson stated they haven’t been contacted by anyone about the security incident, to which ALPHV responded on their leak site:

> “Re: statement by Roblox to BleepingComputer. Just because you haven’t been contacted yet, does not mean you are not affected.”

ALPHV is one of the most active ransomware-as-a-service (RaaS) operators and regularly appears in our monthly ransomware reviews as one of the top 5 most active groups. Recently they made headlines when one of their affiliates, known as Scattered Spider attacked MGM. They also last week filed a SEC complaint about one of their victims for failing to disclose a breach.

**How to avoid ransomware**

*   **Block common forms of entry.** Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
*   **Prevent intrusions.** Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
*   **Detect intrusions.** Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption.** Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups.** Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 Roblox and Twitch provider Tipalti breached by ransomware 

23andMe has released new details about the credential stuffing attack that took place in October.

In October we reported that the data of as many as seven million 23andMe customers were for sale on criminal forums following a password attack against the genomics company.

Now, a filing with the US Securities and Exchange Commission (SEC) has provided some more insight into the data theft. The filed amendment supplements the original Form 8-K submitted by 23andMe.

The amendment says that an investigation showed that the attacker was able to directly access the accounts of roughly 0.1% of 23andMe’s users, which is about 14,000 of its 14 million customers. The attacker accessed the accounts using credential stuffing which is where someone tries existing username and password combinations to see if they can log in to a service. These combinations are usually stolen from another breach and then put up for sale on the dark web. Because people often reuse passwords across accounts, cybercriminals buy those combinations and then use them to login on other services and platforms.

With the breached accounts at their disposal, the attacker used 23andMe’s opt-in DNA Relatives (DNAR) feature—which matches users with their genetic relatives—to access information about millions of other users. According to a spokesperson the DNAR profiles of roughly 5.5 million customers could be accessed in this way, plus the Family Tree profile information of 1.4 million additional DNA Relative participants.

The 5.5 million DNAR Profiles contained sensitive details including self-reported information like display names and locations, as well as shared DNA percentages for DNA Relatives matches, family names, predicted relationships, and ancestry reports.

For a subset of these accounts, the stolen data might contain health-related information based upon the user’s genetics.

The 1.4 million Family Tree profiles contain display names and relationship labels, plus other information that a user may have added, including birth year and location.

23andMe is in the process of notifying users impacted by the incident. The company said it believes that the attacker activity is contained, and that it is working to have the publicly-posted information taken down.

When the breach was first announced, 23andMe urged its users to ensure they have strong passwords, to avoid reusing passwords from other sites, and to enable multi-factor authentication (MFA).

Our Mark Stockley noted at the time:

> “Respectfully, we would like to see 23andMe reach a different conclusion. Telling users to choose strong passwords and not to reuse them is great advice that just isn’t working. It’s good in theory but fails in practice. In a world where users have tens or even hundreds of logins to manage, password reuse and weak passwords that are easy to remember are inevitable.”

And it looks as if they listened to us. On the 23andMe blog the updated article about the breach now says:

> “We have taken steps to further protect customer data, including requiring all existing customers to reset their password and requiring two-step verification for all new and existing customers. The company will continue to invest in protecting our systems and data.”

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your and your family’s personal information by using Malwarebytes Identity Theft Protection.

 23andMe says, er, actually some genetic and health data might have been accessed in recent breach 

This week on the Lock and Code podcast, we speak with Allan Liska about why a ransomware group tattled on its own victim, and what to expect next year.

_This week on the Lock and Code podcast…_

Like the grade-school dweeb who reminds their teacher to assign tonight’s homework, or the power-tripping homeowner who threatens every neighbor with an HOA citation, the ransomware group ALPHV can now add itself to a shameful roster of pathetic, little tattle-tales.

In November, the ransomware gang ALPHV, which also goes by the name Black Cat, notified the US Securities and Exchange Commission about the Costa Mesa-based software company MeridianLink, alleging that the company had failed to notify the government about a data breach. Under newly announced rules by the US Securities and Exchange Commission (SEC), public companies will be expected to notify the government agency about “material cybersecurity incidents” within four days of determining whether such an incident could have impacted the company’s stock prices or any investment decisions from the public.

According to ALPHV, MeridianLink had violated that rule. But how did ALPHV know about this alleged breach?

Simple. They claimed to have done it.

“It has come to our attention that MeridianLink, in light of a significant breach compromising customer data and operational information, has failed to file the requisite disclosure under Item 1.05 of Form 8-K within the stipulated four business days, as mandated by the new SEC rules,” wrote ALPHV in a complaint that the group claimed to have filed with the US government.

The victim, MeridianLink, refuted the claims. According to a MeridianLink spokesperson, while the company confirmed a cybersecurity incident, it denied the severity of the incident.

“Based on our investigation to date, we have identified no evidence of unauthorized access to our production platforms, and the incident has caused minimal business interruption,” a MeridianLink spokesperson said at the time. “If we determine that any consumer personal information was involved in this incident, we will provide notifications as required by law.”

This week on the Lock and Code podcast with host David Ruiz, we speak to Recorded Future intelligence analyst Allan Liska about what ALPHV could hope to accomplish with its SEC complaint, whether similar threats have been made in the past under other regulatory regime, and what organizations everywhere should know about ransomware attacks going into the new year. One big takeaway, Liska said, is that attacks are getting bigger, bolder, and brasher.

“There are no protections anymore,” Liska said. “For a while, some ransomware actors were like, ‘No, we won’t go after hospitals, or we won’t do this, or we won’t do that.’ Those protections all seem to have flown out the window, and they’ll go after anything and anyone that will make them money. It doesn’t matter how small they are or how big they are.”

Liska continued:

> “We’ve seen ransomware actors go after food banks. You’re not going to get a ransom from a food bank. Don’t do that.”

Tune in today to listen to the full conversation.

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Why a ransomware gang tattled on its victim, with Allan Liska: Lock and Code S04E24 

Apple has released an emergency security update for two zero-day vulnerabilities which may have already been exploited.

Apple has released emergency security updates for iOS 17.1.2 and iPadOS 17.1.2 to patch for two zero-day vulnerabilities that may have been actively exploited.

Apple said both vulnerabilities were in the WebKit component, which is the engine that powers Safari browser on Macs as well as all browsers on iPhones and iPads. It is also the web browser engine used by Mail, App Store, and many other apps on macOS, iOS, and Linux.

The updates are available for the following:

*   iPhone XS and later
*   iPad Pro 12.9-inch 2nd generation and later
*   iPad Pro 10.5-inch
*   iPad Pro 11-inch 1st generation and later
*   iPad Air 3rd generation and later
*   iPad 6th generation and later
*   iPad mini 5th generation and later.
*   macOS Sonoma 14.1.2
*   Safari 17.1.2.

The updates may already have reached you if you automatically update, but it doesn’t hurt to check if your device is at the latest update level.

If a Safari update is available for your device, you can get it by updating your iPhone or iPad or updating your Mac.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Update your iPhones! Apple fixes two zero-days in iOS 

US senators issued subpoenas for the CEO’s of five social media giants to testify about their "failure to protect children online".

US senators have urgently invited the CEOs of five of the major social media giants to testify about their failure to protect children online. The Senate Judiciary Committee said it will hear from Meta CEO Mark Zuckerberg, X (formerly Twitter) CEO Linda Yaccarino, TikTok CEO Shou Zi Chew, Snap CEO Evan Spiegel, and Discord CEO Jason Citron.

In a press release, the US senate committee on the judiciary announced that the Committee’s previously announced hearing on online child sexual exploitation has been rescheduled for January 31, 2024 and will feature testimony from the CEOs. An earlier hearing on Tuesday, February 14, 2023, included only consumer advocates as witnesses, and no industry representatives.

The CEOs of X, Discord, and Snap will testify after subpoenas were issued by the Committee, following repeated refusals by the three leaders to testify. The CEOs of Meta and TikTok voluntarily agreed to testify at the hearing.

Senators Durbin and Graham commented:

> “Several companies initially refused to accept a subpoena. The US Marshals Service even attempted to serve the subpoena at Discord’s office. Both actions are remarkable departures from typical practice.”

The hearing comes as part of a bipartisan effort to protect children online. To that end, several online safety bills across multiple states have gone into effect. For example, Utah signed a bill in March that will require minors to obtain parental consent to sign up to social platforms, while both Louisiana and Mississippi now require age verification to view content considered harmful to children, like porn. On the other hand, a federal judge has blocked a Texas law requiring age verification and a health warning for viewing pornographic websites, a day before the law was set to take effect.

In May, we talked to Alec Muffet about the possible downsides of some of these bills.

During the “Protecting our children online” hearing in February, witnesses and senators mentioned requirements like parental controls, default settings, and audits as tools that could be used to promote online safety for teenagers.  They focused on the importance of holding platforms liable for failure to enforce their own terms, and discussed imposing a duty of care on online platforms.

So now seems to be the time that the CEOs of the major platforms will be forced to explain what they have done in the past and how they plan to do better in the future. You would expect they would like to bring their ideas and input voluntarily to the table, but nonetheless it took subpoenas to get them all there.

**Children and online safety**

The internet is both a good and bad place. A good approach is to spend little to no time on sites that do not give your child a positive and learning experience. And when it comes to internet safety for kids and teens, the best approach is for parents and carers to be involved in their child’s digital life.

If you don’t want to rely on the introduction of legislation and how the social media platforms will undoubtedly struggle to become compliant, we can recommend reading our blog titled “Internet safety tips for kids and teens: A comprehensive guide for the modern parent.”

I do expect some of the platforms to drag their feet, because it seems they always do. Meta is already facing a lawsuit, filed in a California federal court, which argues that Meta unlawfully misled the public about the harms its products, like Facebook and Instagram, could impose on children and teens.

In the UK, Bytedance’s TikTok is looking at a $28.91m fine related to how children are safeguarded on the app.

And Meta, ByteDance, Alphabet, and Snap, are facing another lawsuit alleging their social platforms have adverse mental health effects on children and for running platforms that are addictive to kids.

While it is clear that something needs to be done to protect our children, agreeing on the way in which we can achieve this is hard. Especially if we can’t rely on all the social media platforms to volunteer their cooperation.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Social media giants to testify over failing to protect kids 

A list of topics we covered in the week of November 27 to December 3 of 2023

December 1, 2023 - Domain fronting is a technique to hide the true origin of HTTPS requests by hiding the real domain name encrypted inside a legitimate TLS request.

November 30, 2023 - A fake antivirus alert may suddenly hijack your screen while browsing. This latest malvertising campaign hit top publishers.

November 29, 2023 - Google's released an update to Chrome which includes seven security fixes. Make sure you're using the latest version!

November 28, 2023 - A vulnerability in the ownCloud file sharing app could lead to the exposure of sensitive credentials like admin passwords.

November 23, 2023 - Google has set a date for the introduction of Manifest V3 which will hurt the capabilities of many ad blockers.

 A week in security (November 27 &#8211; December 3) 

Domain fronting is a technique to hide the true origin of HTTPS requests by hiding the real domain name encrypted inside a legitimate TLS request.

Domain fronting is a technique of using different domain names on the same HTTPS connection. Put simply, domain fronting hides your traffic when connecting to a specific website. It routes traffic through a larger platform, masking the true destination in the process.

The technique became popular in the early 2010s in the mobile app development ecosystem, where developers would configure their apps to connect to a “front” domain that would then forward the connections to the developer’s backend. This way, the developer could expand their backend to deal with growing traffic and new features without constantly having to release app updates.

But as is true or many good things, it also comes with a flipside. Domain fronting allows malicious actors to use legitimate or high-reputation domains which will typically be on the allow-lists of defenders. The legitimate domains often belong to Content Delivery Networks (CDNs), but in recent years a number of large CDNs have blocked the method. The list includes Amazon (banned in 2018), Google (2018),  Microsoft (2022), and Cloudflare (2015).

A CDN is basically a large network of proxy servers and data centers and it can be used to host multiple domains. They are also known as content distribution networks. It’s what companies like Netflix use to deliver the requested content from a server near you.

For a “normal” connection to a website, a Domian Name System (DNS) finds the IP address for the requested domain name. As I explained in the blog DNS hijacks: what to look for, DNS is the phonebook of the internet to the effect that the input is a name and the output is a number. The number that belongs to what or who you want to reach.

With two domains hosted on the same CDN, HTTPS can be used to make it seem as though the user is connecting via a website that is unrestricted. HTTPS protocols are encrypted, so it can be used to discreetly connect to a different target domain. So an attacker can hide an HTTPS request to a restricted site inside a TLS connection to an allowed site.

In domain fronting, the process is the same but it will make an HTTPS request that appears to be from a different domain. It does so by mimicking the secondary domain’s DNS and TLS requests which makes it seem as though the user has connected from another domain. This method is popular as a means to evade online censorship and bypass restrictions.

The technique was adopted by online services like Tor, Telegram, and Signal to bypass internet censorship attempts in oppressive countries. When both Amazon and Google blocked domain fronting on their platforms, some suspected the Russian government was behind it because at the time, the Russian government blocked 1.8 million AWS and Google Cloud IP addresses in an attempt to frustrate access to Telegram’s instant messenger.

Because of the ability to hide backend infrastructure, domain fronting has also gained popularity within malware operations. They can use domain fronting to set up a command and control (C2) channel on a seemingly legitimate domain to bypass defensive techniques. The owners of good reputation sites cannot prevent their hostnames being abused for this activity.

The best defense against domain fronting in an enterprise organization is a cloud-based SWG (Secure Web Gateway) service with unlimited TLS interception capacity. A secure web gateway (SWG) is a network security technology that sits between users and the internet to filter traffic and enforce acceptable use and security policies. With an SWG or other tools with similar functionality, you can detect mismatches between the TLS Server Name Indication (SNI) and the HTTPS host header, and get a warning about domain fronting.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

Source

Malwarebytes