Researchers Uncover ‘BYOTB’ Attack Using Trusted Binaries to Evade Detection

In a recent presentation at BSides London 2024, cybersecurity researchers shed light on a novel attack technique termed “Bring Your Own Trusted Binary” (BYOTB).

This method exploits trusted binaries, software components signed by legitimate vendors or widely used in enterprise environments, to bypass endpoint detection and response (EDR) systems and other security measures.

The approach exemplifies the growing sophistication of adversarial tactics aimed at evading detection while maintaining operational stealth.

The BYOTB attack leverages trusted binaries to fulfill critical goals, such as tunneling traffic, bypassing firewalls, and executing commands without triggering security alerts.

For instance, the “cloudflared” binary from Cloudflare has been demonstrated as a tool for tunneling SSH traffic over HTTPS, effectively bypassing traditional network defenses.

Figure: BYOTB attack, Kali without Proxychains

By using binaries signed by reputable vendors, attackers can exploit their inherent trustworthiness to evade signature-based and behavioral security mechanisms.

Technical Insights into the BYOTB Technique

The BYOTB method involves introducing trusted binaries into target systems and configuring them for malicious purposes.

A notable example discussed during the presentation is the use of cloudflared in conjunction with SSH’s ProxyCommand feature.

This setup allows attackers to encapsulate SSH traffic within HTTPS, making it indistinguishable from legitimate web traffic.

The process involves routing data through a Cloudflare-controlled hostname, which ultimately redirects traffic to an attacker-controlled SSH server.

Figure: BYOTB attack, hostname

Additionally, researchers highlighted how trusted binaries like OpenSSH can be deployed on systems lacking pre-installed SSH clients.

By bundling required dependencies such as libcrypto.dll, adversaries can execute SSH commands and establish reverse port forwarding or SOCKS proxies to maintain persistent access.

According to Jumpsec Labs, the technique also extends to port forwarding for lateral movement or relay attacks.

For example, an attacker could coerce a web client to connect on port 8888 and forward the traffic back to a malicious server listening on port 80.

This capability underscores the versatility of BYOTB attacks in facilitating various stages of the cyber kill chain.

Defensive Strategies

The use of trusted binaries poses significant challenges for defenders due to their legitimate nature and widespread use in enterprise environments.

To mitigate the risks associated with BYOTB attacks, researchers recommend several defensive measures:

  • Process Telemetry: Monitoring command-line arguments for keywords like “tunnel” or “access” can help detect suspicious activity involving trusted binaries.
  • DNS Logging: Tracking queries to domains such as “argotunnel.com,” associated with Cloudflare’s services, may provide early indicators of compromise.
  • Firewall Policies: Restricting outbound connections on non-essential ports (e.g., 7844) can limit the effectiveness of tunneling techniques.
  • File Integrity Monitoring: Verifying the integrity of downloaded binaries against known hashes can prevent unauthorized usage of trusted software.
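The four recommendations above can be turned into concrete checks. The script below is an added example, not code from the BSides talk, Jumpsec Labs or Cloudflare: it runs each check over constructed telemetry (process events, DNS queries, firewall events and a file hash) and reports what would fire. The log line formats, hostnames, IP addresses, hashes and approved-binary list are all made up for the example; mapping the article's "reverse port forwarding" and "SOCKS proxy" behaviours to the OpenSSH options -R and -D is this example's assumption, as is treating a match on any subdomain of argotunnel.com as a hit.

```python
"""Added example: apply the BYOTB mitigations listed above to constructed telemetry.
Not code from the talk or from Jumpsec Labs; every log line, address, hash and
allowlist entry below is constructed sample data with a made-up format."""
import hashlib
import re
from dataclasses import dataclass
from typing import Optional

# Keywords the article says to watch for in process command lines.
SUSPICIOUS_KEYWORDS = ("tunnel", "access")
# Trusted binaries the article names as abused. For ssh, the options that express
# the behaviours it describes: ProxyCommand, reverse forwarding (-R), SOCKS (-D).
# Treating -R/-D as the relevant options is this example's assumption.
WATCHED_BINARIES = ("cloudflared", "ssh")
# Domain and non-essential port the article associates with Cloudflare tunnels.
WATCHED_DOMAINS = ("argotunnel.com",)
WATCHED_PORTS = {7844}


@dataclass(frozen=True)
class Finding:
    source: str    # telemetry that produced it: process, dns, firewall, integrity
    reason: str
    evidence: str


def check_process(line: str) -> Optional[Finding]:
    """Process telemetry: a watched binary run with tunnel-related arguments."""
    # constructed line format: "<ts> PID=<n> IMAGE=<path> CMD=<command line>"
    m = re.search(r"IMAGE=(\S+)\s+CMD=(.*)$", line)
    if not m:
        return None
    image, cmd = m.group(1), m.group(2).lower()
    binary = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if not binary.startswith(WATCHED_BINARIES):
        return None
    hits = [k for k in SUSPICIOUS_KEYWORDS if re.search(rf"\b{k}\b", cmd)]
    if binary.startswith("ssh"):
        hits += re.findall(r"(?:^|\s)(-[rd])(?=\s)", cmd)
        if "proxycommand" in cmd:
            hits.append("proxycommand")
    if not hits:
        return None
    return Finding("process", f"{binary} run with {', '.join(hits)}", line)


def check_dns(line: str) -> Optional[Finding]:
    """DNS logging: a query for a watched domain or any subdomain of it."""
    # constructed line format: "<ts> client=<ip> query=<name> type=<rrtype>"
    m = re.search(r"query=(\S+)", line)
    if not m:
        return None
    name = m.group(1).rstrip(".").lower()
    for domain in WATCHED_DOMAINS:
        if name == domain or name.endswith("." + domain):
            return Finding("dns", f"lookup of {name}", line)
    return None


def check_firewall(line: str) -> Optional[Finding]:
    """Firewall policy: an allowed outbound connection to a non-essential port."""
    # constructed line format: "<ts> dir=out src=<ip>:<port> dst=<ip>:<port> action=<allow|deny>"
    m = re.search(r"dir=out\s+src=\S+\s+dst=\S+:(\d+)\s+action=(\w+)", line)
    if not m:
        return None
    port, action = int(m.group(1)), m.group(2).lower()
    if port in WATCHED_PORTS and action == "allow":
        return Finding("firewall", f"outbound port {port} allowed; policy should deny it", line)
    return None


def check_integrity(name: str, content: bytes, approved: dict) -> Optional[Finding]:
    """File integrity: compare a binary's SHA-256 with the approved hash for that name."""
    digest = hashlib.sha256(content).hexdigest()
    expected = approved.get(name)
    if expected is None:
        return Finding("integrity", f"{name} is not an approved binary", digest)
    if expected != digest:
        return Finding("integrity", f"{name} does not match its approved hash", digest)
    return None


# Constructed sample telemetry (not real events; the tunnel hostname is invented).
PROCESS_EVENTS = [
    "2024-12-12T10:01:02Z PID=4120 IMAGE=C:\\Users\\alice\\Downloads\\cloudflared.exe CMD=cloudflared.exe tunnel run",
    "2024-12-12T10:01:05Z PID=4133 IMAGE=C:\\Windows\\System32\\notepad.exe CMD=notepad.exe report.txt",
    "2024-12-12T10:02:10Z PID=4140 IMAGE=C:\\Temp\\ssh.exe CMD=ssh.exe -R 8888:127.0.0.1:80 user@host.example",
]
DNS_EVENTS = [
    "2024-12-12T10:01:03Z client=10.0.0.5 query=sample-edge.argotunnel.com. type=A",
    "2024-12-12T10:01:04Z client=10.0.0.5 query=www.example.com. type=A",
]
FIREWALL_EVENTS = [
    "2024-12-12T10:01:04Z dir=out src=10.0.0.5:51022 dst=198.51.100.7:7844 action=allow",
    "2024-12-12T10:01:06Z dir=out src=10.0.0.5:51023 dst=198.51.100.8:443 action=allow",
]
# Approved-hash list; the only entry is the hash of this constructed stand-in content.
APPROVED = {"ssh.exe": hashlib.sha256(b"stand-in for the approved ssh.exe build").hexdigest()}


def run_all() -> list:
    """Run every check over the sample telemetry and return the findings in order."""
    findings = []
    findings += filter(None, map(check_process, PROCESS_EVENTS))
    findings += filter(None, map(check_dns, DNS_EVENTS))
    findings += filter(None, map(check_firewall, FIREWALL_EVENTS))
    # The dropped ssh.exe differs from the approved build; cloudflared.exe is not approved at all.
    for name, content in (("ssh.exe", b"a different ssh.exe build"), ("cloudflared.exe", b"downloaded")):
        f = check_integrity(name, content, APPROVED)
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in run_all():
        print(f"[{f.source}] {f.reason}")
```

Each check is deliberately narrow so that a single event is explainable on its own; in practice the DNS and firewall hits would be correlated back to the process event by host and time window, and the integrity check would run on the file path recorded in that process event rather than on content supplied by hand.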

While these measures offer a starting point, defending against BYOTB attacks requires a layered approach that combines endpoint monitoring, network analysis, and proactive threat hunting.

The BYOTB attack underscores the evolving nature of cyber threats, where adversaries increasingly exploit legitimate tools to mask their activities.

As organizations continue to rely on trusted binaries for operational efficiency, it becomes imperative for security teams to adopt advanced detection strategies and stay vigilant against emerging attack vectors.

Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
