C2 over NTP (goMESA)
Summary:
This article investigates the Network Time Protocol (NTP), which normally runs over UDP port 123. NTP looks like a simple utility for keeping clocks synchronized, but because almost every host on a network is expected to speak it, and to speak it constantly, it offers unusual cover for covert communication.
The researchers show how NTP can serve as a covert Command and Control (C2) channel after a primary HTTPS channel has been blocked. An attacker who expects the main channel to be found may fall back to a less monitored protocol such as NTP to keep access to the compromised host.
NTP C2 provides attackers with a stealthy and persistent communication channel that leverages a trusted and often overlooked protocol, increasing their chances of maintaining a foothold within a compromised network.
- Evasion of Traditional Security Controls: NTP traffic is often considered benign and is less scrutinized by firewalls and intrusion detection systems compared to protocols like HTTP/HTTPS. This allows attackers to establish a covert communication channel that can easily bypass standard security monitoring.
- Persistence: If the primary C2 channel is detected and blocked, the attacker can continue to communicate with the compromised host via NTP, maintaining control and the ability to issue further commands or exfiltrate data. This makes complete eradication more challenging.
- Low Detection Probability: Because the malicious data is embedded within legitimate-looking NTP packets and often mimics normal time synchronization behavior (like responding with valid time), it can be very difficult for automated systems and security analysts to identify the anomalous traffic.
- Subtle Data Transfer: The bandwidth is small compared to other protocols, but a few bytes per packet are enough to relay commands, configuration updates, or exfiltrated data in small increments over many polls, so no single large transfer stands out.
- Blending with Normal Network Activity: NTP is a fundamental protocol for network operations, ensuring accurate timekeeping. The constant background noise of NTP traffic makes it easier for malicious C2 communications to blend in and go unnoticed.
Attackers embed small, custom data payloads in packets that otherwise look like ordinary time requests and replies. They do this by manipulating specific fields: extension fields appended after the 48-byte header, or low-order bits of the timestamp fields. The two choices trade off differently. Extension fields carry more data per packet but change the packet length; timestamp bits keep the standard 48-byte size and, if confined to the low-order fraction bits, leave the carried time correct to within microseconds.
To further disguise the activity, the attacker's NTP server is configured to answer with valid time, so a client that parses the reply sees a normal, usable response. The malicious traffic therefore blends with legitimate NTP activity and is hard to pick out with standard monitoring tools.
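The timestamp variant, as an added example written for this page rather than code from goMESA or the Active Countermeasures article: it simulates the client and server sides of the exchange in memory, hiding 16 bits per packet in the low-order bits of the transmit-timestamp fraction while the reply still carries correct time. The chunking scheme, the 64-second poll, the stratum-2 reply with a 203.0.113.1 upstream and the sample messages are all assumptions made for the example; goMESA's actual encoding may differ.

```python
"""Constructed example: a covert channel in NTP timestamp low-order bits.

Each mode-3 request carries 2 bytes of client data in the low 16 bits of
its transmit-timestamp fraction; each mode-4 reply carries 2 bytes of
server data the same way and is otherwise a valid time response.
2**16 / 2**32 s = 15.26 us, so the time in the reply stays accurate to
within ~15 us. Everything runs in memory; no packets are sent.
"""
import struct

NTP_EPOCH_OFFSET = 2208988800       # seconds from 1900-01-01 to 1970-01-01
PACKET_FMT = "!BBBb11I"             # 48-byte RFC 5905 header
NTP_V4 = 4
MODE_CLIENT, MODE_SERVER = 3, 4
UPSTREAM_ID = int.from_bytes(bytes([203, 0, 113, 1]), "big")  # assumed upstream, used as reference id


def to_ntp(unix_ts):
    """Unix float seconds -> (seconds, fraction), both 32-bit."""
    sec = int(unix_ts) + NTP_EPOCH_OFFSET
    frac = int((unix_ts - int(unix_ts)) * (1 << 32)) & 0xFFFFFFFF
    return sec, frac


def from_ntp(sec, frac):
    return (sec - NTP_EPOCH_OFFSET) + frac / (1 << 32)


def embed(frac, chunk):
    """Replace the low 16 bits of a fraction with a 2-byte chunk."""
    return (frac & 0xFFFF0000) | int.from_bytes(chunk, "big")


def extract(frac):
    return (frac & 0xFFFF).to_bytes(2, "big")


def tx_chunk(packet):
    """Recover the hidden chunk from a packet's transmit timestamp."""
    return extract(struct.unpack(PACKET_FMT, packet)[14])


def build_request(chunk, now):
    """Mode-3 client request; the chunk rides in the transmit timestamp."""
    sec, frac = to_ntp(now)
    header = (0 << 6) | (NTP_V4 << 3) | MODE_CLIENT   # LI=0, VN=4, mode=3
    words = [0, 0, 0,           # root delay, root dispersion, reference id
             0, 0,              # reference timestamp
             0, 0,              # origin timestamp
             0, 0,              # receive timestamp
             sec, embed(frac, chunk)]
    return struct.pack(PACKET_FMT, header, 0, 6, -20, *words)


def build_response(request, chunk, now):
    """Mode-4 reply: real time, the client's transmit ts echoed as origin,
    and the chunk in the low bits of the server transmit timestamp."""
    req = struct.unpack(PACKET_FMT, request)
    rx_sec, rx_frac = to_ntp(now)
    tx_sec, tx_frac = to_ntp(now + 20e-6)        # ~20 us of server processing
    header = (0 << 6) | (NTP_V4 << 3) | MODE_SERVER
    words = [0x00000100, 0x00000200, UPSTREAM_ID,  # root delay, root dispersion, ref id
             rx_sec, rx_frac & 0xFFFF0000,         # reference ts (last sync)
             req[13], req[14],                     # origin = client's transmit ts
             rx_sec, rx_frac,                      # receive ts
             tx_sec, embed(tx_frac, chunk)]        # transmit ts with payload
    return struct.pack(PACKET_FMT, header, 2, 6, -20, *words)   # stratum 2


def frame(msg):
    """2-byte length prefix, zero-padded to whole 2-byte chunks."""
    body = len(msg).to_bytes(2, "big") + msg
    body += b"\x00" * (len(body) % 2)
    return [body[i:i + 2] for i in range(0, len(body), 2)]


def unframe(buf):
    return buf[2:2 + int.from_bytes(buf[:2], "big")]


def covert_session(client_msg, server_msg, start=1_700_000_000.0, poll=64):
    """Run a full beacon session in memory. Returns (data the server
    recovered, data the client recovered, worst-case error in the reply's
    transmit time caused by the embedded bits, in seconds)."""
    up, down = frame(client_msg), frame(server_msg)
    rounds = max(len(up), len(down))
    up += [b"\x00\x00"] * (rounds - len(up))
    down += [b"\x00\x00"] * (rounds - len(down))
    srv_buf, cli_buf, worst = b"", b"", 0.0
    for i in range(rounds):
        now = start + poll * i                       # client polls every 64 s
        req = build_request(up[i], now)
        arrival = now + 0.012                        # 12 ms one-way delay
        resp = build_response(req, down[i], arrival)
        srv_buf += tx_chunk(req)                     # server side decode
        r = struct.unpack(PACKET_FMT, resp)
        assert r[0] & 0x7 == MODE_SERVER and r[1] == 2   # parses as a normal reply
        cli_buf += tx_chunk(resp)                    # client side decode
        worst = max(worst, abs(from_ntp(r[13], r[14]) - (arrival + 20e-6)))
    return unframe(srv_buf), unframe(cli_buf), worst


if __name__ == "__main__":
    got_by_server, got_by_client, err = covert_session(b"id=host7", b"run whoami")
    print(got_by_server, got_by_client, f"max time error {err * 1e6:.1f} us")
```

Because only the low 16 bits of the fraction are touched, a client that checks the reply against its own clock sees at most a 15 µs discrepancy, far below network jitter, and a detector working from packet size sees a normal 48-byte packet. What the example does not hide is the destination: every poll still goes to the attacker's server, which is why server allowlisting is the control that catches it.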
Suggested Corrections:
To catch techniques like these, defenders need to scrutinize traffic beyond the usual protocols, NTP included. Much of the hardening below addresses NTP amplification abuse rather than C2; against C2, the controls that matter are the egress restrictions and the baselining of which clients poll which servers, how often, and with what packet sizes.
- NTP Server Hardening: Secure and properly configure NTP servers.
  - Disable or restrict access to the monlist command, as it can be abused in amplification attacks.
  - Implement access control measures to allow only trusted clients to query the server.
  - Upgrade the NTP server software to a version that ships with monlist disabled (ntpd 4.2.7p26 or later). If upgrading isn't possible, manually disable the command.
- Traffic Filtering and Rate Limiting: Control the flow of NTP traffic in both directions.
  - Allow outbound UDP/123 only from the organization's own time servers and have internal hosts sync from those; any other host reaching an external NTP server is then an anomaly worth investigating.
  - Implement rate limiting mechanisms at network boundaries.
  - Configure firewalls or intrusion prevention systems (IPS) to filter and block suspicious or amplified NTP packets.
  - Use ingress filtering to prevent malicious NTP requests from entering your network.
- Network Monitoring and Anomaly Detection: Detect unusual traffic patterns.
  - Deploy robust network monitoring tools.
  - Establish baseline metrics for normal NTP traffic behavior: which hosts poll which servers, how often, and with what packet sizes (a plain NTP packet is 48 bytes).
  - Use anomaly detection techniques to trigger alerts when deviations occur.
  - Closely monitor all incoming traffic patterns for sudden increases or spikes from outside sources.
- Source IP Verification: Validate the authenticity of requests.
  - Implement source IP verification mechanisms.
  - Use IP filtering techniques to block or restrict traffic from suspicious or known malicious IP addresses.
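Applying the baseline-and-alert advice to NTP specifically, as an added example that is not from the article or the goMESA project: a small detector over constructed Zeek conn.log lines. It flags any client polling a server outside an assumed allowlist (10.0.0.5 and 10.0.0.6 here) and any UDP/123 flow whose payload is not a multiple of the 48-byte NTP header. The allowlist, the addresses and the log lines are all assumptions built for the example.

```python
"""Constructed example: spotting NTP that does not look like NTP.

Input is a Zeek conn.log excerpt (tab-separated, built for this example).
Two signals are used: a destination outside the organisation's approved
time servers, and UDP/123 payloads that are not the 48-byte RFC 5905
header. Poll regularity is deliberately not a signal on its own, because
legitimate clients also poll at fixed intervals.
"""
import statistics
from collections import defaultdict

NTP_PACKET_LEN = 48                       # plain NTPv4 header; a MAC or NTS extension fields make it longer
APPROVED_NTP = {"10.0.0.5", "10.0.0.6"}   # assumed internal time servers

# Constructed conn.log lines. 10.0.1.20 is a normal client; 10.0.1.30 uses
# authenticated NTP (48 + 20-byte MD5 MAC) to an approved server; 10.0.1.77
# hides data in timestamps (right size, wrong server); 10.0.1.88 uses
# extension fields (oversized, wrong server).
SAMPLE_CONN_LOG = """\
#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\torig_bytes\tresp_bytes\torig_pkts\tresp_pkts
1700000000.000\t10.0.1.20\t52001\t10.0.0.5\t123\tudp\tntp\t48\t48\t1\t1
1700000064.010\t10.0.1.20\t52002\t10.0.0.5\t123\tudp\tntp\t48\t48\t1\t1
1700000128.020\t10.0.1.20\t52003\t10.0.0.5\t123\tudp\tntp\t48\t48\t1\t1
1700000002.000\t10.0.1.30\t55000\t10.0.0.6\t123\tudp\tntp\t68\t68\t1\t1
1700000001.000\t10.0.1.77\t41000\t203.0.113.9\t123\tudp\tntp\t48\t48\t1\t1
1700000061.050\t10.0.1.77\t41001\t203.0.113.9\t123\tudp\tntp\t48\t48\t1\t1
1700000121.100\t10.0.1.77\t41002\t203.0.113.9\t123\tudp\tntp\t48\t48\t1\t1
1700000181.140\t10.0.1.77\t41003\t203.0.113.9\t123\tudp\tntp\t48\t48\t1\t1
1700000005.000\t10.0.1.88\t39000\t198.51.100.4\t123\tudp\tntp\t176\t48\t1\t1
1700000305.000\t10.0.1.88\t39001\t198.51.100.4\t123\tudp\tntp\t48\t176\t1\t1
"""


def parse_conn_log(text):
    """Minimal Zeek TSV reader driven by the #fields header line."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def _num(value):
    return 0 if value == "-" else int(value)   # Zeek writes '-' for unset fields


def ntp_findings(records, approved=APPROVED_NTP):
    """Group UDP/123 flows by (client, server) and score each pair."""
    by_pair = defaultdict(list)
    for r in records:
        if r["proto"] == "udp" and r["id.resp_p"] == "123":
            by_pair[(r["id.orig_h"], r["id.resp_h"])].append(r)

    findings = []
    for (src, dst), flows in sorted(by_pair.items()):
        reasons = []
        if dst not in approved:
            reasons.append("unapproved_server")
        oversized = sum(
            1 for r in flows
            if _num(r["orig_bytes"]) != NTP_PACKET_LEN * _num(r["orig_pkts"])
            or _num(r["resp_bytes"]) != NTP_PACKET_LEN * _num(r["resp_pkts"]))
        if oversized:
            reasons.append("oversized_payload")
        if not reasons:
            continue
        ts = sorted(float(r["ts"]) for r in flows)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        findings.append({
            "src": src, "dst": dst, "reasons": reasons,
            # a host reaching a non-approved server is the strong signal; odd
            # sizes to an approved server may just be authenticated NTP or NTS
            "severity": "high" if "unapproved_server" in reasons else "low",
            "flows": len(flows), "oversized_flows": oversized,
            "median_interval": statistics.median(gaps) if gaps else None,
        })
    return findings


if __name__ == "__main__":
    for f in ntp_findings(parse_conn_log(SAMPLE_CONN_LOG)):
        print(f["severity"], f["src"], "->", f["dst"], f["reasons"],
              f"flows={f['flows']} interval={f['median_interval']}")
```

Two caveats are built into the scoring. Legitimate clients poll at fixed intervals too, so a regular 60-second beacon is reported as context, not as a reason on its own. And authenticated NTP (a 20- or 24-byte MAC) and NTS (RFC 8915 extension fields) legitimately produce packets longer than 48 bytes, so oversized traffic to an approved server is rated low while anything to an unapproved server is rated high regardless of size.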
https://www.activecountermeasures.com/malware-of-the-day-c2-over-ntp-gomesa/