Researchers say that threat actors looking for a covert channel for stealing data from a firewalled network can abuse X.509 certificates to hide and extract data without being detected.
X.509 is just one of the many formats for public-key certificates. These certificates are used for establishing TLS/SSL connections needed to support encrypted HTTPS traffic.
But research published last year by Jason Reaves, a security researcher with Fidelis Cybersecurity, details how an attacker could abuse these benign elements of the HTTPS negotiation process to hide tiny bits of information.
This is possible because some X.509 certificate fields allow an attacker to place small chunks of binary data inside them.
"The fields include version, serial number, Issuer Name, validity period and so on," Reaves says. "The certificate abuse described in our research takes advantage of this fact to hide data transfer inside one of these fields."
"Since the certificate exchange happens before the TLS session is established there appears to never be data transfer, when in reality the data was transferred within the certificate exchange itself," Reaves adds, detailing why firewalls, even those with HTTPS MitM capabilities, can't detect an attacker abusing this technique.
Until now, threat actors have abused various other types of quirky data exfiltration channels, such as ICMP, DNS, images (steganography), and others. Reaves says that he did not find any evidence of malware authors abusing X.509 for data exfiltration in the real world, but says that detecting such methods is difficult to begin with.
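One defensive check that follows from the description above, as an added example that is not part of the article or of Reaves' framework: a Go inspector that parses a certificate with the standard library and flags extensions whose OID is not on a short allow list, extensions whose value exceeds a size threshold, and serial numbers longer than the 20 octets RFC 5280 permits. The OID allow list, the 512-byte threshold, the private-enterprise OID 1.3.6.1.4.1.99999.1 and the self-signed sample certificates are all constructed for this example and are assumptions, not values from the research.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Finding records one suspicious property observed in a certificate.
type Finding struct {
	Field  string // extension OID or the field name
	Size   int    // size in bytes of the offending value
	Reason string
}

// wellKnownExtensions is an assumed allow list of extension OIDs that an
// ordinary server certificate carries; anything else is worth a look.
var wellKnownExtensions = map[string]bool{
	"2.5.29.14":               true, // subjectKeyIdentifier
	"2.5.29.15":               true, // keyUsage
	"2.5.29.17":               true, // subjectAltName
	"2.5.29.19":               true, // basicConstraints
	"2.5.29.31":               true, // cRLDistributionPoints
	"2.5.29.32":               true, // certificatePolicies
	"2.5.29.35":               true, // authorityKeyIdentifier
	"2.5.29.37":               true, // extKeyUsage
	"1.3.6.1.5.5.7.1.1":       true, // authorityInfoAccess
	"1.3.6.1.4.1.11129.2.4.2": true, // signed certificate timestamps
}

// InspectCertificate parses a DER certificate and returns findings for
// unrecognised or oversized extensions and for an overlong serial number.
// maxExtBytes is the per-extension size threshold chosen by the operator.
func InspectCertificate(der []byte, maxExtBytes int) ([]Finding, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	var findings []Finding
	// RFC 5280 section 4.1.2.2: serialNumber must not exceed 20 octets.
	if n := len(cert.SerialNumber.Bytes()); n > 20 {
		findings = append(findings, Finding{"serialNumber", n, "serial number longer than 20 octets"})
	}
	for _, ext := range cert.Extensions {
		oid := ext.Id.String()
		if !wellKnownExtensions[oid] {
			findings = append(findings, Finding{oid, len(ext.Value), "extension OID not on allow list"})
		}
		if len(ext.Value) > maxExtBytes {
			findings = append(findings, Finding{oid, len(ext.Value), "extension value exceeds size threshold"})
		}
	}
	return findings, nil
}

// sampleCertificate builds a self-signed certificate as constructed test input.
// With payloadLen > 0 it adds one private-use extension holding payloadLen
// filler bytes; with 0 it produces a plain certificate with only keyUsage.
func sampleCertificate(payloadLen int) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"}, // constructed name
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if payloadLen > 0 {
		tmpl.ExtraExtensions = []pkix.Extension{{
			Id:    asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}, // placeholder OID
			Value: make([]byte, payloadLen),                         // zero filler bytes
		}}
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	for _, n := range []int{0, 2048} {
		der, err := sampleCertificate(n)
		if err != nil {
			panic(err)
		}
		findings, err := InspectCertificate(der, 512)
		if err != nil {
			panic(err)
		}
		fmt.Printf("extra payload %d bytes -> %d finding(s): %+v\n", n, len(findings), findings)
	}
}
```

The check is deliberately a size-and-allow-list heuristic: it cannot prove that an unfamiliar extension carries exfiltrated data, only that a certificate departs from what a typical leaf certificate looks like, so a hit should be correlated with the volume and frequency of TLS handshakes from the same host before treating it as an incident.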
X.509 being used as a covert data channel is also not a new idea, being first explored in 2008. Reaves' work just expands on this idea, presenting a new mechanism for carrying out such attacks.
The Fidelis researcher has published proof-of-concept code, a Go framework for transferring a file over X.509 certificate metadata fields.
Reaves' X.509 research can be used for transferring files both into and out of a system. Our more technical readers can find more details about this technique in Reaves' research paper, entitled "Covert channel by abusing x509 extensions."