Explained: Domain fronting

Domain fronting is a technique of using different domain names on the same HTTPS connection.
Put simply, domain fronting hides your traffic when connecting to a specific website.
The technique became popular in the early 2010s in the mobile app development ecosystem, where developers would configure their apps to connect to a "Front" domain that would then forward the connections to the developer's backend.
Domain fronting allows malicious actors to use legitimate or high-reputation domains which will typically be on the allow-lists of defenders.
The legitimate domains often belong to Content Delivery Networks, but in recent years a number of large CDNs have blocked the method.
A CDN is basically a large network of proxy servers and data centers and it can be used to host multiple domains.
It's what companies like Netflix use to deliver the requested content from a server near you.
For a "Normal" connection to a website, a Domian Name System finds the IP address for the requested domain name.
As I explained in the blog DNS hijacks: what to look for, DNS is the phonebook of the internet to the effect that the input is a name and the output is a number.
With two domains hosted on the same CDN, HTTPS can be used to make it seem as though the user is connecting via a website that is unrestricted.
HTTPS protocols are encrypted, so it can be used to discreetly connect to a different target domain.
So an attacker can hide an HTTPS request to a restricted site inside a TLS connection to an allowed site.
In domain fronting, the process is the same but it will make an HTTPS request that appears to be from a different domain.
It does so by mimicking the secondary domain's DNS and TLS requests which makes it seem as though the user has connected from another domain.
When both Amazon and Google blocked domain fronting on their platforms, some suspected the Russian government was behind it because at the time, the Russian government blocked 1.8 million AWS and Google Cloud IP addresses in an attempt to frustrate access to Telegram's instant messenger.
Because of the ability to hide backend infrastructure, domain fronting has also gained popularity within malware operations.
They can use domain fronting to set up a command and control channel on a seemingly legitimate domain to bypass defensive techniques.
The best defense against domain fronting in an enterprise organization is a cloud-based SWG service with unlimited TLS interception capacity.
A secure web gateway is a network security technology that sits between users and the internet to filter traffic and enforce acceptable use and security policies.
With an SWG or other tools with similar functionality, you can detect mismatches between the TLS Server Name Indication and the HTTPS host header, and get a warning about domain fronting.


This Cyber News was published on www.malwarebytes.com. Publication date: Fri, 01 Dec 2023 23:06:57 +0000


Cyber News related to Explained: Domain fronting

Explained: Domain fronting - Domain fronting is a technique of using different domain names on the same HTTPS connection. Put simply, domain fronting hides your traffic when connecting to a specific website. The technique became popular in the early 2010s in the mobile app ...
11 months ago Malwarebytes.com
Cypher Queries in BloodHound Enterprise - Our first use case is identifying Domain Trusts that exist within an environment. Our specific query here, Map Domain Trusts can be selected which automatically populates the search window with the built-in query. Selecting Search will then return a ...
10 months ago Securityboulevard.com
Toward Ending the Domain Wars: Early Detection of Malicious Stockpiled Domains - The two main advantages of detecting stockpiled domains are expanding coverage of malicious domains and providing patient-zero detections as attackers stock up on domains for future use. As of July 2023, our detection pipeline has found 1,114,499 ...
11 months ago Unit42.paloaltonetworks.com
Researchers Claim Design Flaw in Google Workspace Puts Organizations at Risk - Google is disputing a security vendor's report this week about an apparent design weakness in Google Workspace that puts users at risk of data theft and other potential security issues. According to Hunters Security, a flaw in Google Workspace's ...
11 months ago Darkreading.com
47 Years Later: Serious Security – How Deliberate Typos Might Improve DNS Security - The Domain Name System (DNS) is an internet infrastructure that has been around since the early 80s and still plays an integral part in how websites and online services are accessed. Although it has been in use for almost 47 years, security issues of ...
1 year ago Nakedsecurity.sophos.com
CVE-2018-1227 - Pivotal Concourse after 2018-03-05 might allow remote attackers to have an unspecified impact, if a customer obtained the Concourse software from a DNS domain that is no longer controlled by Pivotal. The original domain for the Concourse CI ...
5 years ago
Understanding DNS Zones: A Comprehensive Guide - DNS stands for Domain Name System, and it is one of the most important components of the Internet. It is a network of servers that coordinates the registration, updating and resolution of domain names, so that users can easily access websites and ...
1 year ago Heimdalsecurity.com
Criminal IP and Quad9 Collaborate to Exchange Domain and IP Threat Intelligence - Criminal IP, a renowned Cyber Threat Intelligence search engine developed by AI SPERA, has recently signed a technology partnership to exchange threat intelligence data based on domains and potentially on the IP address to protect users by blocking ...
6 months ago Hackread.com
DNSFilter Malicious Domain Protection identifies risky domains - DNSFilter announced the addition of a new Malicious Domain Protection feature to its protective DNS software, building on its machine learning capabilities. This feature bolsters DNSFilter's defenses providing better visibility and protection against ...
11 months ago Helpnetsecurity.com
CVE-2024-26620 - In the Linux kernel, the following vulnerability has been resolved: s390/vfio-ap: always filter entire AP matrix The vfio_ap_mdev_filter_matrix function is called whenever a new adapter or domain is assigned to the mdev. The purpose of the function ...
8 months ago Tenable.com
Cloudflare loses 22% of its domains in Freenom.tk shutdown - A staggering 12.6 million domains on TLDs controlled by Freenom have been shut down and no longer resolve, leading to a significant reduction in the number of websites hosted by Cloudflare. The disappearance of these websites was spotted during our ...
8 months ago Netcraft.com
CVE-2022-42320 - Xenstore: Guests can get access to Xenstore nodes of deleted domains Access rights of Xenstore nodes are per domid. When a domain is gone, there might be Xenstore nodes left with access rights containing the domid of the removed domain. This is ...
9 months ago
Active Directory Infiltration Methods Employed by Cybercriminals - Active Directory infiltration methods exploit vulnerabilities or weaknesses in Microsoft's Active Directory to gain unauthorized access. Active Directory is a central component in many organizations, making it a valuable target for attackers seeking ...
10 months ago Gbhackers.com
AsyncRAT Loader Delivers Malware via JavaScript - For at least 11 months, this threat actor has been working on delivering the Remote Access Trojan through an initial JavaScript file, embedded in a phishing page. After more than 300 samples and over 100 domains later, the threat actor is persistent ...
9 months ago Cybersecurity-insiders.com
Why you might not be done with your January Microsoft security patches - The January patching window for your firm has probably come and gone. Has it? While January included a huge release of patches, several releases in other months have provided more than one headache for the patch management community. These are the ...
1 year ago Csoonline.com
InfectedSlurs Botnet Spreads Mirai via Zero-Days - The payload targets routers and network video recorder devices with default admin credentials and installs Mirai variants when successful. Until November 9, 2023, the vulnerable devices being targeted were unknown. Since both the name and the version ...
1 year ago Akamai.com
CVE-2019-15006 - There was a man-in-the-middle (MITM) vulnerability present in the Confluence Previews plugin in Confluence Server and Confluence Data Center. This plugin was used to facilitate communication with the Atlassian Companion application. The Confluence ...
2 years ago
ICANN Launches Service to Help With WHOIS Lookups - More than five years after domain name registrars started redacting personal data from all public domain registration records, the non-profit organization overseeing the domain industry has introduced a centralized online service designed to make it ...
11 months ago Krebsonsecurity.com
CVE-2017-14385 - An issue was discovered in EMC Data Domain DD OS 5.7 family, versions prior to 5.7.5.6; EMC Data Domain DD OS 6.0 family, versions prior to 6.0.2.9; EMC Data Domain DD OS 6.1 family, versions prior to 6.1.0.21; EMC Data Domain Virtual Edition 2.0 ...
6 years ago
CVE-2020-29483 - An issue was discovered in Xen through 4.14.x. Xenstored and guests communicate via a shared memory page using a specific protocol. When a guest violates this protocol, xenstored will drop the connection to that guest. Unfortunately, this is done by ...
3 years ago
Security Boulevard - With the rising volume of fraudulent emails and AI-enhanced phishing scams, industry giants such as Google, Yahoo, and Microsoft have doubled their email security efforts. DMARC builds on two existing email authentication technologies: Sender Policy ...
9 months ago Securityboulevard.com
CVE-2018-12395 - By rewriting the Host: request headers using the webRequest API, a WebExtension can bypass domain restrictions through domain fronting. This would allow access to domains that share a host that are otherwise restricted. This vulnerability affects ...
5 years ago
CVE-2002-0018 - In Microsoft Windows NT and Windows 2000, a trusting domain that receives authorization information from a trusted domain does not verify that the trusted domain is authoritative for all listed SIDs, which allows remote attackers to gain Domain ...
6 years ago
CVE-2022-26357 - race in VT-d domain ID cleanup Xen domain IDs are up to 15 bits wide. VT-d hardware may allow for only less than 15 bits to hold a domain ID associating a physical device with a particular domain. Therefore internally Xen domain IDs are mapped to the ...
2 years ago
Star Blizzard increases sophistication and evasion in ongoing attacks - Microsoft Threat Intelligence continues to track and disrupt malicious activity attributed to a Russian state-sponsored actor we track as Star Blizzard. Star Blizzard has improved their detection evasion capabilities since 2022 while remaining ...
11 months ago Microsoft.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)