T1041 Exfiltration Over C2 Channel Mappings

Intel Threat Detection Technology (TDT), combined with CrowdStrike Falcon Accelerated Memory Scanning (CAMS), enhances cybersecurity defenses by enabling faster, real-time detection of exfiltration over Command and Control (C2) channels. This integrated solution strengthens CrowdStrike Falcon, improving its ability to detect and mitigate cyber threats earlier in the kill chain, all while minimizing system performance impact. Exfiltration over C2 involves adversaries using a Command and Control (C2) infrastructure to stealthily send sensitive data from compromised systems to an external server. This type of data exfiltration is often encrypted or obfuscated to avoid detection, and it may occur through various C2 protocols such as HTTP, DNS, or custom protocols. Intel TDT plays a crucial role in identifying these threats by providing real-time telemetry on program execution, memory access, and control flow, enabling rapid detection of abnormal behaviors that could indicate data being siphoned through C2 channels. Additionally, CAMS offloads the memory scanning workload from the CPU to the Intel Integrated GPU, ensuring faster and more efficient detection of malicious activity without degrading system performance. CAMS helps identify suspicious behaviors such as unauthorized data transfers, unusual network connections, or attempts to evade security controls during data exfiltration via C2 channels, providing proactive defense against these covert data theft techniques.

CVE-2019-0604 is a vulnerability in an XML deserialization component within Microsoft SharePoint allowed remote attackers to typically install webshell malware to vulnerable hosts.

CVE 2019-18935 is a Insecure Deserialization vulnerability with the Telerik UI, which does not properly sanitize serialized data inputs from the user. This vulnerability leads to the application being vulnerable to RCE attacks that may lead to a full system compromise.

The exploitation technique for this vulnerability is based on a vulnerability in Client software. In the wild, this was seen to be exploited by a malicious excel file. The observed goals of this exploit from Group 123 are remote access and data exfiltration.

CVE-2023-2868 in the Barracuda Email Security Gateway (ESG) had been reportedly exploited for espionage and exfiltration efforts by UNC4841 attributed by Mandiant. Following the exploitation of CVE-2023-2868, malware SALTWATER, SEASPY, and SEASIDE were identified to be used in intrusions.

CVE-2023-1389 is a command injection vulnerability in one of the API components within the TP-Link Archer router’s web management interface. Public reports have reported that multiple botnet malware under the Mirai variants, including Condi, are targeting these vulnerable devices.

CVE-2023-38831 is a vulnerability within the crafred archive process of WinRAR that occurs when a user attempts to open a seemingly legitimate document within a compromised archive, the vulnerability allows the attacker to execute arbitrary code on the system via a specially prepared archive. There have been public reports on the FROZENLAKE spear-phishing campaign, FROZENBARENTS, and ISLANDDREAMS leveraging this vulnerability.

This vulnerability is exploited by an adversary via a malicious e-mail containing a crafted SVG document. When a user views the e-mail, the remote attacker can load arbitrary JavaScript code on the victim's machine. In recent campaign Winter Vivern group exploited this vulnerability. The attack chains typically start with a phishing mail sent containing a Base64-encoded payload embedded in the HTML source code. The payload gets decoded and injects a remote javascript, checkupdate.js, in current user session. The checkupdate.js script serves as a loader, enabling the execution of a final JavaScript payload which is designed to exfiltrate email messages. The attackers weaponized this XSS flaw to carry out their malicious activities, ultimately allowing them to harvest email messages from their victims' accounts to a C2 server. The attack chain requires minimal user interaction, the attack gets executed only in viewing the malicious email in a web browser.