Hidden Tunnel: Proxying through WebSocket Secure

We continue to share stories from our practice related to non-standard methods of remote access used by attackers.

In one of the incidents, the attacker modified the configuration of the Apache web server so that all requests to the URL https://[domain name]/proxy/tunnel were proxied to the internal address 127.0.0.1:8080, using the WebSocket Secure protocol. This protocol provides bidirectional encrypted communication between the client (attacker) and the server. The contents of the Apache web server configuration file looked like this:

<VirtualHost *:443>
    ...
    <Location "/proxy/tunnel">
        ProxyPass "wss://127.0.0.1:8080"
    </Location>
</VirtualHost>

On port 8080, to create the communication channel, the attacker ran the chisel utility in server mode with the --reverse parameter, listening for incoming connections.

These actions allowed the attacker to create a tunnel and gain access to the internal infrastructure, masking network activity as legitimate encrypted HTTPS traffic.

How to detect:

To detect such tunnel creation methods, it is necessary:

  • to monitor changes in Apache web server configuration files and check them for the presence of “ProxyPass” and “wss://” strings,
  • to monitor process launches with suspicious arguments (e.g. --reverse, --socks5),
  • to monitor web application logs for anomalous numbers of requests to URLs that are not part of the web application's logic.
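As an added example (not code from the original post), the following Python script implements the first and third checks above: it scans an Apache configuration for ProxyPass/ProxyPassMatch directives whose target uses ws:// or wss:// (the scheme form handled by mod_proxy_wstunnel), recording the enclosing <Location> path, and it counts access-log requests to paths outside a list of known application routes, where a WebSocket upgrade shows up as status 101. The configuration text, the log lines and the route list are constructed samples modelled on the incident; the function names are hypothetical.

```python
import re
import shlex
from collections import Counter

# Constructed sample config modelled on the snippet in the post (not from a real host).
SAMPLE_CONF = """<VirtualHost *:443>
    <Location "/proxy/tunnel">
        ProxyPass "wss://127.0.0.1:8080"
    </Location>
    ProxyPass "/api" "http://127.0.0.1:9000/"
</VirtualHost>
"""
# Constructed access-log lines (combined format); status 101 = WebSocket upgrade accepted.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2024:10:01:02 +0000] "GET /proxy/tunnel HTTP/1.1" 101 0 "-" "-"
198.51.100.3 - - [10/May/2024:10:01:04 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:10:01:09 +0000] "GET /proxy/tunnel HTTP/1.1" 101 0 "-" "-"
"""
LOCATION_OPEN = re.compile(r'^\s*<Location(?:Match)?\s+"?([^">\s]+)"?\s*>', re.I)
LOCATION_CLOSE = re.compile(r'^\s*</Location(?:Match)?\s*>', re.I)
SCHEME = re.compile(r'^(\w+)://')
REQUEST = re.compile(r'"[A-Z]+\s+(\S+)\s+HTTP/[\d.]+"\s+(\d{3})')

def find_websocket_proxies(conf_text):
    """(path, target) for each ProxyPass/ProxyPassMatch whose target is ws:// or wss://."""
    hits, location = [], None
    for raw in conf_text.splitlines():
        opened = LOCATION_OPEN.match(raw)
        if opened or LOCATION_CLOSE.match(raw):
            location = opened.group(1) if opened else None  # track the enclosing <Location>
            continue
        tokens = shlex.split(raw, comments=True)
        if len(tokens) < 2 or tokens[0].lower() not in ("proxypass", "proxypassmatch"):
            continue
        targets = [t for t in tokens[1:] if SCHEME.match(t)]
        if targets and SCHEME.match(targets[0]).group(1).lower() in ("ws", "wss"):
            hits.append((location or tokens[1], targets[0]))  # path: <Location> or first argument
    return hits

def unexpected_paths(log_text, known_paths, threshold=2):
    """{path: (count, status)} for requests outside known_paths seen >= threshold times."""
    counts = Counter()
    for line in log_text.splitlines():
        if (m := REQUEST.search(line)) is None:
            continue
        path = m.group(1).split("?", 1)[0]  # drop the query string
        if path not in known_paths:
            counts[(path, m.group(2))] += 1
    return {path: (n, status) for (path, status), n in counts.items() if n >= threshold}
```

On a real host, feed it the files under the Apache configuration directory and the access log, and build the known-route list from the application's own routing table rather than from the log.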

It is also recommended to place publicly accessible servers in a separate segment (DMZ) and monitor activity on them using EDR tools.