Getty Images

DHS Shares Insights on Network Tunneling, Obfuscating Cyberattacks

Threat actors leverage obfuscation, network tunneling, and spoofing techniques to mislead incident responders. New DHS CISA insights shed light on these cyberattack methods.

Recent insights from the Department of Homeland Security Cybersecurity and Infrastructure Security Agency shed light on recent cyberattacks that leverage network tunneling and spoofing techniques to obfuscate geolocation and attribution. 

The threat overview comes on the heels of a joint alert from the FBI and CISA warning of cyberattacks originating from Tor (The Onion Router), which allows hackers to anonymously launch cyberattacks and other malicious cyber activities. 

Cyberattacks that use network tunneling and spoofing techniques makes it difficult for security leaders to attribute malicious cyber activity, as it requires the analysis of location and other variables. 

An IP address’s geolocation is typically obtained through publicly available information, although the precision of this data varies across sources: “some provide country and locality details, while others provide neighborhood-level detail.” 

CISA officials warned that even with accurate geolocation information, a hacker may not actually be physically located near and may be hiding their true location using these obfuscation techniques. 

“Because threat actors can use these techniques to obfuscate their location, it is not possible to identify the true physical location of malicious activity based solely on the geolocation of Internet Protocol (IP),” they added. 

Much like with website spoofing tactics – where hackers create sites that mimic legitimate sources, threat actors can spoof packets with an arbitrary IP source and geolocate to a specific country. In reality, the actor may be at another location altogether, before launching into their nefarious activity. 

The technique is most commonly used for connectionless activities, including endpoint denial of service and network denial of service attacks, such as DNS amplification cyberattacks. These attacks exploit a disparity in bandwidth consumption between a threat actor and the targeted system and amplified through multiple request to boost traffic volume and disrupt network infrastructure. 

Hackers are also leveraging network tunnels in these obfuscated attacks. 

“A network tunnel encapsulates network traffic between two points,” officials explained. “Often network tunnels are used for legitimate purposes, such as secure remote administration or creating virtual private networks (VPNs).” 

“However, a malicious cyber actor can use this technique to mask their true source IP address and, therefore, their physical location,” they added. “The threat actor accomplishes masking by using virtual private servers (VPSs), which can be purchased through commercial providers.” 

Next, the hacker initiates a remote network tunnel from their computer to the VPS, which is then leveraged to launch the malicious activities. CISA explained that administrators will see the IP address and VPS geolocation data, but attempts to identify the physical location through this information will be inaccurate. 

The obfuscation technique is commonly used in connection proxy activities, used by hackers to direct network traffic between systems or to act as a middle-man for “network communications to a command-and-control server to avoid direct connections to their infrastructure.” 

In light of these attacks, CISA is urging organizations to review obfuscation techniques to strengthen overall security posture across their systems and review CISA-provided recommendations to bolster their defenses. 

Antivirus signatures and engines must be routinely maintained and up to date to protect against malicious code, while administrators should ensure systems have the latest security updates and patches applied. 

As noted in recent alerts, there are several critical vulnerabilities found in commonly used platforms, such as Windows DNS ServersOpenClinic GA, Palo Alto PAN-OS, Microsoft Exchange Servers, and TCP/IP communication stack, just to name a few. 

Administrators should disable file and printing services, if possible. When those services are required by the enterprise, strong passwords or an Active Directory authentication should be employed. And user permissions should be restricted from installing and running unwanted software applications. 

Users should also not be added to the local administrator’s group unless it’s required. Further, administrators must enforce a strong password policy, while urging employees to exercise caution when opening email attachments – “even if the attachment is expected and the sender appears to be known.” 

Further, admins will need to monitor users’ web browsing habits and sites with unfavorable content are restricted from user access. All software downloaded from the internet should be scanned prior to execution.” 

“Enable a personal firewall on agency workstations that is configured to deny unsolicited connection requests,” CISA recommended. “Disable unnecessary services on agency workstations and servers. Scan for and remove suspicious email attachments [and] ensure the scanned attachment is its ‘true file type’ (i.e., the extension matches the file header).” 

“Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs),” they concluded.

Next Steps

Dig Deeper on Cybersecurity strategies