Domain fronting is a technique that uses different domain names at different layers of the same HTTPS connection.
Put simply, domain fronting hides which website your traffic is really going to.
The technique became popular in the early 2010s in the mobile app development ecosystem, where developers would configure their apps to connect to a "Front" domain that would then forward the connections to the developer's backend.
Domain fronting allows malicious actors to use legitimate or high-reputation domains which will typically be on the allow-lists of defenders.
The legitimate domains often belong to Content Delivery Networks, but in recent years a number of large CDNs have blocked the method.
A CDN is basically a large, geographically distributed network of proxy servers and data centers, and many unrelated domains can be hosted behind the same edge servers and IP addresses.
It's what companies like Netflix use to deliver the requested content from a server near you.
For a "normal" connection to a website, the Domain Name System (DNS) resolves the requested domain name to an IP address.
As I explained in the blog post DNS hijacks: what to look for, DNS is the phonebook of the internet: the input is a name and the output is a number.
With two domains hosted on the same CDN, HTTPS can be used to make it seem as though the user is connecting to an unrestricted website.
Because the HTTP request inside an HTTPS session is encrypted, the real target domain can be named there without a network observer seeing it.
So an attacker can hide an HTTPS request to a restricted site inside a TLS connection to an allowed site.
In domain fronting, the DNS lookup and the TLS handshake (specifically the Server Name Indication, or SNI, extension) name the allowed "front" domain, while the Host header of the encrypted HTTP request names the restricted domain.
The CDN edge terminates TLS, reads the Host header and routes the request to the hidden backend, so anyone watching DNS queries or TLS handshakes sees only a connection to the front domain.
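To make the layering concrete, here is an added example (not code from the Malwarebytes article) that builds a fronted request and shows which name lands in the DNS query, in the TLS SNI, and in the encrypted Host header. The domain names `front.example-cdn.net` and `hidden.example.org` and the path are hypothetical; `send_fronted_request` performs a real connection and is only there to show where `server_hostname` (the SNI) is set, so it needs network access and will only work if the edge in question still honours a Host that differs from the SNI.

```python
"""
Added example: the per-layer view of a domain-fronted HTTPS request.
Domain names below are hypothetical placeholders, not real infrastructure.
"""
import socket
import ssl

FRONT_DOMAIN = "front.example-cdn.net"   # hypothetical allow-listed CDN name
HIDDEN_DOMAIN = "hidden.example.org"     # hypothetical backend on the same CDN


def build_fronted_request(front: str, hidden: str, path: str = "/") -> dict:
    """Return what each layer of the connection carries.

    Everything visible without decryption (the DNS query and the TLS SNI)
    names `front`; the Host header, which only the CDN edge reads after it
    terminates TLS, names `hidden`.
    """
    request = (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {hidden}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")
    return {
        "dns_query": front,    # what a resolver or DNS log records
        "tls_sni": front,      # what a passive TLS observer records
        "http_host": hidden,   # visible only after decryption
        "request": request,
    }


def send_fronted_request(front: str, hidden: str, path: str = "/",
                         timeout: float = 10.0) -> bytes:
    """Send the request over a real TLS connection (requires network access).

    Whether the edge forwards to `hidden` is up to the CDN; most large CDNs
    now reject or ignore a Host header that does not match the SNI.
    """
    layers = build_fronted_request(front, hidden, path)
    ctx = ssl.create_default_context()
    # create_connection resolves the *front* name; nothing about `hidden`
    # is ever sent in the clear.
    with socket.create_connection((layers["dns_query"], 443), timeout=timeout) as raw:
        # server_hostname sets the SNI and the name the certificate is checked
        # against, so the front domain's certificate validates normally.
        with ctx.wrap_socket(raw, server_hostname=layers["tls_sni"]) as tls:
            tls.sendall(layers["request"])
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    view = build_fronted_request(FRONT_DOMAIN, HIDDEN_DOMAIN, "/check-in")
    for layer in ("dns_query", "tls_sni", "http_host"):
        print(f"{layer:10} -> {view[layer]}")
    print(view["request"].decode())
```

Run it stand-alone and it prints the three layers side by side without touching the network; only `send_fronted_request` opens a socket.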
When both Amazon and Google blocked domain fronting on their platforms, some suspected the Russian government was behind it because at the time, the Russian government blocked 1.8 million AWS and Google Cloud IP addresses in an attempt to frustrate access to Telegram's instant messenger.
Because it hides backend infrastructure, domain fronting has also gained popularity within malware operations.
Operators use it to set up a command and control channel behind a seemingly legitimate domain, so that domain-based blocking and reputation checks see only the front.
The best defense against domain fronting in an enterprise organization is a cloud-based SWG service with enough TLS interception capacity to decrypt the traffic in question, because the mismatch that gives fronting away is only visible after decryption.
A secure web gateway is a network security technology that sits between users and the internet to filter traffic and enforce acceptable use and security policies.
With an SWG or other tools with similar functionality that terminate TLS, you can detect mismatches between the TLS Server Name Indication and the HTTPS Host header (or the :authority pseudo-header in HTTP/2) and raise a warning about domain fronting.
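The SNI/Host comparison is simple to state but easy to get wrong on real logs, because case, trailing dots and an explicit `:443` all produce benign "mismatches". The following added example (not from the Malwarebytes article, and not any vendor's detection logic) runs the check over a constructed log export in a hypothetical space-separated format: timestamp, client IP, TLS SNI (`-` when the client sent none), HTTP Host, method and path. It normalizes both names before comparing, and keeps connections without SNI as a separate verdict rather than treating them as fronting.

```python
"""
Added example: flag SNI/Host mismatches in decrypted-proxy logs.
Log format and sample lines are constructed for this example; the
domain names are hypothetical placeholders.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed SWG export: ts client sni host method path
SAMPLE_LOG = """\
2023-12-01T10:00:01Z 10.1.2.3 cdn.example-cdn.net cdn.example-cdn.net GET /static/app.js
2023-12-01T10:00:02Z 10.1.2.3 cdn.example-cdn.net hidden.example.org POST /gate
2023-12-01T10:00:03Z 10.1.2.4 WWW.Example.com www.example.com. GET /
2023-12-01T10:00:04Z 10.1.2.5 - www.example.com GET /
2023-12-01T10:00:05Z 10.1.2.6 www.example.com www.example.com:443 GET /login
this line is malformed and is skipped
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+)$")


@dataclass
class Finding:
    ts: str
    client: str
    sni: str
    host: str
    verdict: str  # "ok", "no_sni" or "mismatch"


def normalize(name: str) -> str:
    """Compare names the way a browser matches them: case-insensitive,
    without a trailing dot and without an explicit port."""
    name = name.strip().lower()
    name = re.sub(r":\d+$", "", name)  # Host may carry ":443"; SNI never does
    return name.rstrip(".")


def classify(sni: str, host: str) -> str:
    """Verdict for one connection. A missing SNI is not fronting by itself,
    but it deserves its own rule because it also defeats SNI-based filtering."""
    if sni == "-":
        return "no_sni"
    return "ok" if normalize(sni) == normalize(host) else "mismatch"


def scan(log_text: str) -> List[Finding]:
    """Parse the export and classify every well-formed line."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the pipeline
        ts, client, sni, host, _method, _path = m.groups()
        findings.append(Finding(ts, client, sni, host, classify(sni, host)))
    return findings


def mismatches(log_text: str) -> List[Finding]:
    """Only the connections that look like domain fronting."""
    return [f for f in scan(log_text) if f.verdict == "mismatch"]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.client:10} sni={f.sni:22} host={f.host:22} {f.verdict}")
    print("fronting candidates:", [(f.client, f.sni, f.host) for f in mismatches(SAMPLE_LOG)])
```

Only the second sample line is reported: the same front name in the SNI with a different backend in the Host. Lines 3 and 5 differ only in case, trailing dot or port and are treated as clean, which is the kind of noise that makes a naive string comparison page the on-call analyst for nothing.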
This Cyber News was published on www.malwarebytes.com. Publication date: Fri, 01 Dec 2023 23:06:57 +0000