Command and Control Attacks
What Is a Command and Control Attack?
More than a billion malware programs exist, with over 300,000 being discovered each day. This rising specter of cyberattacks is not just the concern of governments and large corporations; 80% of malware attacks target small and midsize businesses (SMBs).
For cybercriminals, a successful attack goes beyond unauthorized entry or malware installation. To profit from stolen data, a hacker typically must remain in the system or network undetected to carry out criminal activities. To do this, they use a command-and-control (C&C) server.
What is a command-and-control server and how does it work? What network resources are vulnerable to attacks, and how can you detect the presence of a command-and-control attack?
What is a Command-and-Control Attack (C2)?
What is C2? A C2 attack is one in which the attacker uses tools to communicate with and control an infected machine or network. To profit for as long as possible from a malware attack, a hacker needs a covert channel or backdoor between their server and the compromised network or machine. The cybercriminal’s server, whether a single machine or a botnet of machines, is referred to as the command-and-control (C&C) server or C2 server.
C2 servers mimic trusted or unmonitored traffic to avoid detection for as long as possible. The backdoor channel they establish becomes a means to take control of the victim’s computer or network for criminal activities, such as data exfiltration, hijacking computers for cryptocurrency mining, or shutting down entire networks.
How Do Command-and-Control Attacks Work?
For a command-and-control attack to work, the perpetrator must first infect the targeted machine or network with malware via a specific form of cyberattack, such as phishing, social engineering, or malvertising.
An infected computer or device is called a zombie. Once compromised, the malware establishes communication with the C2 server to acknowledge that it is ready to receive commands from the controlling server. Through the established channel, the criminal host can install additional malicious software, extract data, and spread the infection to additional network resources. If able to compromise entire portions of the network, the command-and-control server will essentially control a botnet of infected machines.
So what is C&C? It is the hub of a communications system hackers use to control their victims' computers.
Most Vulnerable Devices for C2 Attacks
Most organizations are protected from external attacks, so the challenge for hackers is to find a computer or network vulnerable to infection. If they gain access to the system, internal network security defenses are naturally less robust; so while the device first infected may not be the primary target, it is the doorway into the system. A hacker may target the following devices:
- Edge devices, such as routers and switches
- Internet-of-Things (IoT) devices, such as hand-held scanners
Server Architecture Used in C2 Attacks
There is no single architecture used for C&C attacks, but hackers employ certain models.
The centralized model is very similar to a traditional client-server model. The malware installed on the infected device(s) acts as the client, phoning home to the server for instructions at regular or random intervals. Centralized architecture is the easiest to detect and remove because it has a single source IP address. To evade detection, hackers have to design server setups that are more complex than a single traditional server: they may place load balancers, redirectors, and other layers in front of the real C2 server to shield it. Additionally, it is common for them to use well-known websites and public cloud services to host their server.
A peer-to-peer (P2P) model is a decentralized architecture: a botnet without a master or centralized module. It is a two-edged sword in that it is harder to detect, but it is also harder for the attacker to provide instructions to the entire botnet. One strategy used by malicious parties is to set up a centralized C2 server with a P2P model as a backup in case the centralized C2 is detected and removed.
The random C2 architecture is the hardest to detect and block. This is because the commands come from various, random sources, such as content delivery networks (CDNs), emails, social media images and comments, and so on. The danger is that not only are these sources random, but they are generally trusted, unblocked, and unsuspected.
Dangers of and Potential Damages from C2 Attacks
Regardless of the model followed, a malware infection that opens up a channel for command-and-control can compromise an organization in numerous costly ways. And while the damage from some attacks is limited to one machine or portion of the network, other infections can spread extensively before detection. Here are some of the dangers and damages caused by C2 attacks:
The C&C channel can be used to exfiltrate data and copy it to the C2 server. This may include sensitive company or client information, financial documents, proprietary property, and other data that can be leveraged or sold.
Repeated, random shutdowns initiated by the infected machine can disrupt operations and require duplication of efforts by personnel. The cost of downtime and reduced productivity can be difficult to measure but definitely impacts the bottom line.
One malware infection on the network can cascade into multiple infections. Additionally, the compromised network can be left open to other types of attacks, such as ransomware, which locks up data or accounts with encryption until the organization pays the perpetrator a “ransom” of money, cryptocurrency, or sensitive data.
The criminal in control of network resources could cause a complete system shutdown or hold the organization at ransom to prevent a shutdown. The cost may be directly financial or a result of downtime and lost resources.
Distributed Denial-of-Service Attacks (DDoS)
If infection spreads throughout the network, the infected machines could be used to form a botnet at the disposal of malicious parties. This means that potential dangers can spread to other organizational resources, or even additional organizations, because botnets are traditionally used for DDoS attacks where servers or networks are flooded with traffic to overwhelm them or even take them offline.
How To Detect C&C Traffic
Your organization can stay vigilant and detect C&C activity by taking the following steps:
- Monitor data traffic. This can be labor-intensive and time-consuming, but it is necessary. While you may not be able to analyze all data traffic as part of your data security strategy, you can be on the lookout for uncharacteristically large data exchanges or unapproved traffic.
- Log and review DNS queries. Because C2 channels often disguise themselves by blending in with legitimate domain name system (DNS) traffic, checking DNS queries for abnormalities may also uncover malicious traffic.
- Look for abnormalities. Abnormalities in network traffic might indicate an infected machine or the actions of malware.
- Check for encryption. Malware may use encryption to disguise data exfiltration; so if you set up checks to monitor the unauthorized use of encryption in network traffic, you may uncover a C&C attack.
- Use blocklisting. Blocklisting known malicious hosts ensures that no internal device can be redirected to communicate with such hosts. While it will not protect against all C&C activity, it is a useful layer in your security.
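The following is an added example, not Fortinet code, showing the DNS-log checks above run over constructed query logs: it flags queries to a blocklisted host, the regular "phone home" beaconing of the centralized model described earlier, and random-looking domain labels. The log lines, the blocklist entry and the thresholds are all constructed for the illustration.

```python
# Added example (not Fortinet's code): flag C2-like behaviour in constructed DNS query logs.
import math
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines: "<ISO timestamp> <client IP> <queried name>"
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 www.example.com
2024-05-01T10:00:30 10.0.0.5 k3jq9xz7vq2w.example-cdn.net
2024-05-01T10:01:00 10.0.0.5 k3jq9xz7vq2w.example-cdn.net
2024-05-01T10:01:30 10.0.0.5 k3jq9xz7vq2w.example-cdn.net
2024-05-01T10:02:00 10.0.0.5 k3jq9xz7vq2w.example-cdn.net
2024-05-01T10:02:30 10.0.0.5 k3jq9xz7vq2w.example-cdn.net
2024-05-01T10:03:45 10.0.0.7 badhost.example.invalid
"""
BLOCKLIST = {"badhost.example.invalid"}  # constructed placeholder, not a real indicator

def parse_log(text):
    """Return (timestamp, client, qname) tuples from the log text."""
    rows = []
    for line in text.splitlines():
        ts, client, qname = line.split()
        rows.append((datetime.fromisoformat(ts), client, qname.lower()))
    return rows

def label_entropy(qname):
    """Shannon entropy (bits/char) of the leftmost label; random-looking labels score high."""
    label = qname.split(".")[0]
    counts = {c: label.count(c) for c in set(label)}
    return -sum(n / len(label) * math.log2(n / len(label)) for n in counts.values())

def is_beaconing(times, min_hits=5, max_jitter=0.2):
    """True if one client queried the same name at near-constant intervals (phone-home pattern)."""
    if len(times) < min_hits:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = sum(gaps) / len(gaps)
    spread = math.sqrt(sum((g - mean) ** 2 for g in gaps) / len(gaps))
    return mean > 0 and spread / mean <= max_jitter  # low relative jitter = regular beacon

def detect_c2(text, blocklist=BLOCKLIST, entropy_threshold=3.0):
    """Return a sorted list of (client, qname, reason) findings for review."""
    per_pair = defaultdict(list)
    for ts, client, qname in parse_log(text):
        per_pair[(client, qname)].append(ts)
    findings = []
    for (client, qname), times in per_pair.items():
        if qname in blocklist:
            findings.append((client, qname, "blocklisted host"))
        if is_beaconing(sorted(times)):
            findings.append((client, qname, "regular beaconing"))
        if label_entropy(qname) >= entropy_threshold:
            findings.append((client, qname, "high-entropy label"))
    return sorted(findings)
```

Each finding is a lead for analysts, not a verdict; legitimate software also polls on fixed schedules, so the beaconing and entropy thresholds should be tuned against your own baseline traffic.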
How Fortinet Can Help
Because C&C attacks can easily go undetected, it can require extensive resources to monitor your organization’s system for unauthorized activity. As part of the Fortinet Security Fabric, FortiSOAR provides innovative case management, automation, and orchestration to help enterprises adapt and optimize their security processes.
What is a command-and-control attack?
A command-and-control attack refers to methods and tools used to communicate with and control an infected machine or network. To profit for as long as possible from a malware attack, a hacker needs a covert channel or backdoor between their server and the compromised network or machine. The cybercriminal’s server, whether a single machine or a botnet of machines, is referred to as the command-and-control server, C2 server, or C&C server.
What is an example of command and control?
There is no single architecture used for C&C attacks, but one example is the centralized model. It is very similar to a traditional client-server model. The malware installed on the infected device(s) acts as the client, phoning home to the server for instruction at regular or random intervals.