Circumventing the Guardians: How the Security Features in State-of-the-Art TLS Inspection Solutions can be Exploited for Covert Data Exfiltration, presented at Black Hat Europe 2020

by Morten Malvica,

Summary: In this talk, we will reveal a new stealthy method of data exfiltration that specifically bypasses security solutions created to detect this attack scenario. Using our exfiltration method SNIcat, we will show how we can bypass a security perimeter solution performing TLS inspection, even when the Command & Control domain we use is blocked by threat prevention and reputation features.

Generally speaking, the complexity of exfiltrating data is relatively low, especially when no security device is present to attempt detecting it. One would expect that a SOC analyzing decrypted data on the wire, or data mirrored to an IDS, would have the ability to detect exfiltration attempts. However, what if the aforementioned traffic never reaches the IDS in the first place? This is the case with almost every security solution we have tested SNIcat against, be it solutions from F5 Networks, Palo Alto Networks or Fortinet. All of these products are designed to work as legitimate MiTM devices in order to decrypt and inspect traffic, either by mirroring a copy of the traffic to other security devices (IDS), inspecting the traffic themselves, or forwarding the traffic to in-line devices (IPS, NGFW, etc.). In addition, for some products it is possible to create false negatives, wherein traffic is logged as 'blocked' whilst being successfully exfiltrated.

We will begin by presenting how the exfiltration method works, its consequences and, most importantly, how it remains undetected and unblocked by the security features of devices performing TLS inspection. Furthermore, we will talk about our disclosure process with a few vendors, their proposed workarounds and other ways to mitigate the issue. Finally, we will finish with a live demo of our exfiltration tool exchanging data with its C2 while bypassing an in-line security device acting as a MiTM performing TLS inspection.
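The abstract's central point is that the inspection device makes its decision on data it sees before the decrypted stream ever reaches the IDS; SNIcat, as its name indicates, carries data in the TLS Server Name Indication extension of the unencrypted ClientHello, which a reputation check consumes only as a hostname. The following is an added example, not code from the talk or the SNIcat tool: a small parser that extracts the SNI from a raw ClientHello record and scores it for exfiltration-like characteristics (overlong labels, high-entropy subdomains, unusual label counts). The ClientHello builder, the thresholds and the domain names are constructed for the demonstration, and the scoring heuristic is mine, not a vendor's detection logic.

```python
import math
import struct
from typing import List, Optional, Tuple


def build_client_hello(server_name: bytes) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record with one SNI extension.

    Constructed test input only; real ClientHellos carry many more extensions.
    """
    sni_name = struct.pack("!BH", 0, len(server_name)) + server_name   # name_type=host_name
    sni_list = struct.pack("!H", len(sni_name)) + sni_name
    sni_ext = struct.pack("!HH", 0, len(sni_list)) + sni_list           # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03" + b"\x00" * 32      # client_version + 32-byte random (zeroed, constructed)
        + b"\x00"                        # session_id length 0
        + b"\x00\x02\x13\x01"            # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                    # one compression method: null
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body            # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's SNI extension, or None if absent."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    p = 2 + 32                                   # skip version and random
    if len(body) < p + 1:
        return None
    p += 1 + body[p]                             # skip session_id
    if len(body) < p + 2:
        return None
    p += 2 + struct.unpack("!H", body[p:p + 2])[0]   # skip cipher_suites
    if len(body) < p + 1:
        return None
    p += 1 + body[p]                             # skip compression_methods
    if len(body) < p + 2:
        return None
    end = p + 2 + struct.unpack("!H", body[p:p + 2])[0]
    p += 2
    while p + 4 <= end <= len(body):             # walk the extension list
        etype, elen = struct.unpack("!HH", body[p:p + 4])
        p += 4
        edata = body[p:p + elen]
        p += elen
        if etype == 0 and len(edata) >= 5:
            list_len = struct.unpack("!H", edata[:2])[0]
            q = 2
            while q + 3 <= 2 + list_len:
                ntype, nlen = struct.unpack("!BH", edata[q:q + 3])
                q += 3
                name = edata[q:q + nlen]
                q += nlen
                if ntype == 0:
                    return name.decode("ascii", errors="replace")
    return None


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's character distribution."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_sni(name: str, max_label: int = 40, max_entropy: float = 3.8) -> List[str]:
    """Return the reasons a server name looks like an encoded-data carrier (empty if none).

    Thresholds are constructed starting points; tune them against your own baseline.
    """
    reasons = []
    labels = name.split(".")
    longest = max(labels, key=len)
    if len(longest) > max_label:
        reasons.append(f"label length {len(longest)} > {max_label}")
    subdomain = "".join(labels[:-2]) if len(labels) > 2 else ""   # everything left of the registrable domain
    if subdomain and shannon_entropy(subdomain) > max_entropy:
        reasons.append("high-entropy subdomain")
    if len(labels) > 6:
        reasons.append("unusual number of labels")
    return reasons


def inspect_records(records: List[bytes]) -> List[Tuple[Optional[str], List[str]]]:
    """Run SNI extraction and scoring over a batch of raw ClientHello records."""
    return [(sni, score_sni(sni) if sni else []) for sni in map(extract_sni, records)]


if __name__ == "__main__":
    # Constructed sample: one ordinary hostname and one carrying an encoded-looking label
    # under a placeholder C2 domain (not a real domain).
    samples = [
        build_client_hello(b"www.example.com"),
        build_client_hello(b"abcdefghijklmnopqrstuvwxyz0123456789abcdefghij.c2-placeholder.example"),
    ]
    for sni, reasons in inspect_records(samples):
        print(sni, "->", "clean" if not reasons else "; ".join(reasons))
```

The point of the check is where it sits: it looks at the ClientHello itself, the same bytes a reputation lookup sees, so it does not depend on the decrypted stream being mirrored to an IDS afterwards. In production this would be fed from a packet capture or the inspection device's own handshake logs, and the alert should be raised regardless of whether the device later reports the session as blocked, which is exactly the false-negative case the abstract describes.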