The PatternEx ThreatEx team found an ICMP exfiltration attempt at a client deployment. In this post, we detail how we conducted the investigation and how we used the product and its AI-enabled analysis to accelerate our conclusions.
The Internet Control Message Protocol (ICMP) is an error-reporting protocol used by network devices such as routers and servers. ICMP creates and sends error messages to the source IP address, notifying the source that a host cannot be reached for packet delivery. Transport-layer protocols such as TCP can recognize that packets aren’t getting through, but ICMP provides a method for discovering more serious problems such as “TTL exceeded” and “need more fragments”.
ICMP is a fundamental protocol used throughout the Internet and has been part of the Internet protocol suite since 1981. This means that every IP network device has the capability to send, receive, and process ICMP messages. Although ICMP is not designed to carry data between systems, ICMP messages are transmitted as datagrams and do contain a data section (with a generous maximum size of 65507 bytes per packet).
The variable size of the ICMP data section has been abused in a variety of attacks such as denial of service (DoS), as well as for defense evasion by establishing covert connections over ICMP (known as ICMP tunneling). ICMP attacks are difficult to detect and mitigate because:
- ICMP is used legitimately in a variety of ways, so it cannot simply be disabled;
- ICMP is not multiplexed via port numbers, so it cannot easily be restricted by a firewall;
- ICMP can be exploited by any device with networking capabilities.
PatternEx Virtual Analyst Platform
At one of our client deployments, the PatternEx Virtual Analyst Platform detected a set of suspicious ICMP traffic between an internal source IP address and 7 unique destination IP addresses, spread over 3 seemingly unrelated days within a 7-day period.
The Virtual Analyst Platform predicted the ICMP traffic to be malicious due to:
- High number of bytes sent in ICMP connections per hour: 254 KB on average
- High average number of bytes sent per ICMP connection: 9 KB on average
- High maximum length of packets sent in ICMP connections: 1.4 KB on average
The prediction piqued our interest because the number of bytes sent was abnormally high for an error-reporting protocol such as ICMP. In addition, the Virtual Analyst Platform showed that the destination IP addresses resolve to servers hosted by two different providers (Amazon Web Services and Alibaba Cloud) across several countries (USA, China, Singapore, Japan and France).
Suspicious ICMP connections are particularly difficult to classify as malicious because very little information about the remote host is left behind. There is no URL to reference, no website to investigate, and no process to run in a sandbox environment.
We therefore looked for any suspicious characteristics in the information we did have: the destination IP addresses. A quick port scan revealed some interesting discoveries:
It seems that all destination IPs have a common open port (8090). Using the Virtual Analyst Platform, we quickly investigated the entity using third-party sources such as VirusTotal. According to VirusTotal, the 6 destination IP addresses themselves didn’t resolve to anything malicious; however, running the VirusTotal scan again with port 8090 revealed a downloaded file:
After further investigation of the SHA-256, we found that the file name for this hash is known to be:
According to VirusTotal, this file communicates with a known Trojan, which contacts 10+ unique URLs, 3 IP addresses, and 6 unique domains. Given that many of the contacted entities are already known to be malicious, it’s safe to assume that the ICMP activity detected by the PatternEx Virtual Analyst Platform is malicious as well.
The best practice to stop ICMP attacks is to block ICMP activity entirely. If blocking ICMP activity cannot be done (the case for the majority of enterprises), the next solution is to monitor ICMP activity via an IDS. A typical rule would be something like EverNote’s Zeek/Bro IDS rule:
Essentially, the IDS produces an alarm when a host transmits at least 120 ICMP packets within 2 minutes. Due to the wide range of tools that use ICMP, this produces a large number of false positives. In fact, researchers found that similar ICMP alerts went off after simply running the ping utility.
In addition to the high false-positive rate, such ICMP rules also fail to detect data exfiltration attacks that use obfuscation techniques such as multiple destinations (similar to the attack we investigated) or multiple complementary mediums. A favorite example of mine is the Data Exfiltration Toolkit (DET). This tool can exfiltrate data by sending snippets of a single file through multiple mediums such as ICMP, SMTP, Twitter DM, Google Docs, etc.
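To make the contrast concrete, here is an added example (not PatternEx code and not the Zeek rule itself) that runs the packet-count rule from the previous paragraph and the three size-based features listed above over constructed, Zeek conn.log-like ICMP flow records. The record shape, the IP addresses, and the size thresholds are assumptions; the example shows the count rule alarming on a plain ping while missing a low-rate transfer spread over several destinations, which the per-source size features still catch.

```python
from collections import defaultdict

# Constructed sample records, Zeek conn.log-like: (ts_seconds, src, dst, orig_bytes, orig_pkts, max_pkt_len).
# 10.0.0.5 sends a few large ICMP flows to several destinations, 10 minutes apart;
# 10.0.0.9 runs an ordinary ping: one 64-byte packet per second to a single host.
FLOWS = [
    (0, "10.0.0.5", "203.0.113.10", 9000, 8, 1400),
    (600, "10.0.0.5", "198.51.100.7", 9200, 8, 1400),
    (1200, "10.0.0.5", "203.0.113.22", 8800, 7, 1400),
    (1800, "10.0.0.5", "198.51.100.9", 9100, 8, 1400),
] + [(float(i), "10.0.0.9", "10.0.0.1", 64, 1, 64) for i in range(150)]


def packet_count_rule(flows, max_pkts=120, window=120):
    """Rule as the post describes it: alarm when a host sends at least max_pkts
    ICMP packets within any window-second span (sliding window per source)."""
    by_src = defaultdict(list)
    for ts, src, _dst, _nbytes, pkts, _mx in flows:
        by_src[src].append((ts, pkts))
    alarms = set()
    for src, events in by_src.items():
        events.sort()
        head, total = 0, 0
        for ts, pkts in events:
            total += pkts
            while events[head][0] < ts - window:  # evict events older than the window
                total -= events[head][1]
                head += 1
            if total >= max_pkts:
                alarms.add(src)
    return alarms


def size_features(flows):
    """The post's three per-source features, aggregated across all destinations so
    that spreading a transfer over many hosts does not dilute the signal."""
    by_src = defaultdict(list)
    for ts, src, _dst, nbytes, _pkts, mx in flows:
        by_src[src].append((ts, nbytes, mx))
    feats = {}
    for src, ev in by_src.items():
        span_h = max(1.0, (max(e[0] for e in ev) - min(e[0] for e in ev)) / 3600)
        total = sum(e[1] for e in ev)
        feats[src] = {"bytes_per_hour": total / span_h, "avg_bytes": total / len(ev),
                      "avg_max_len": sum(e[2] for e in ev) / len(ev)}
    return feats


def size_rule(feats, min_avg_bytes=1000, min_avg_max_len=1000):
    """Assumed thresholds (not from the post): flag sources whose ICMP payloads are far larger than ping traffic."""
    return {s for s, f in feats.items()
            if f["avg_bytes"] > min_avg_bytes or f["avg_max_len"] > min_avg_max_len}
```

In production the thresholds would be learned from each environment's baseline rather than fixed, which is the gap the outlier-based approach described below addresses.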
The PatternEx Virtual Analyst Platform in this investigation used artificial intelligence to detect outliers in network traffic such as ICMP. Instead of rules that produce false positives, the software examined characteristics of the activity, as well as behavior analytics and correlation, to determine if an entity was malicious. Without creating a single rule, our client was able to confidently detect the stealthy ICMP attack and confirm it was malicious. In addition, by using the software to label the entity as a malicious exfiltration attempt, the Virtual Analyst Platform will detect attacks like this faster and more accurately in the future.