Disconnecting devices from the internet is no longer a solid plan for protecting them from remote attackers. A new version of a known network-address translation (NAT) slipstreaming attack has been uncovered, which would allow remote attackers to reach multiple internal network devices, even if those devices don't have access to the internet.
According to researchers from Armis and Samy Kamkar, chief security officer and co-founder at Openpath Security, attackers can execute an attack by simply convincing one target with internet access on the network to click on a malicious link. From there, cybercriminals can gain access to other, non-exposed endpoints, including unmanaged devices like industrial controllers, with no further social engineering needed.
NAT is the process of connecting internal network devices to the outside internet; it lets a router share a single public IP address among the multiple devices connected behind it while keeping those devices' private addresses hidden. In enterprise environments, NAT functions are combined with firewalls to provide better perimeter cybersecurity; products from Fortinet, Cisco and HPE all take this approach.
In the original NAT slipstreaming attack, revealed and mitigated in November, an attacker persuades a victim to visit a specially crafted website (via social engineering and other tactics); a victim within an internal network that clicks on it is then taken to an attacker's website. The website in turn will fool the victim network's NAT into opening an incoming path (of either a TCP or UDP port) from the internet to the victim device.
"Slipstreaming is easy to exploit as it's essentially entirely automated and works cross-browser and cross-platform, and it doesn't require any user interaction other than visiting the victim site," Kamkar told Threatpost last fall.
In order to launch an attack, the victim's device must also have an Application-Level Gateway (ALG) connection-tracking mechanism enabled, which is usually built into NATs. NAT slipstreaming exploits the user's browser in conjunction with ALG.
"This attack takes advantage of arbitrary control of the data portion of some TCP and UDP packets without including HTTP or other headers; the attack performs this new packet-injection technique across all major modern (and older) browsers," explained Kamkar.
In the attack, when a victim device visits an attacker-controlled website, JavaScript code running in the victim's browser sends out additional traffic to the attacker's server, which traverses through the network's NAT/firewall.
"This second-phase traffic is crafted in such a way that the NAT is fooled to believe this traffic actually originated from an application that requires a second connection to take place, from the internet to the victim device, and to an internal port that the attacker can choose," researchers explained. "This second connection can thus lead the attacker to access any service (TCP/UDP) on the victim's device, directly from the internet."
If, for example, the victim's device is a Windows device vulnerable to EternalBlue, the attacker can access the SMB port on the victim device using this technique, from the internet, exploit the vulnerability, and take over the device.
"The only thing required for this attack to take place is that the victim clicks on a link, or visits a web page in which the attacker has implanted some JavaScript code," researchers noted.
The newly discovered variant extends the attack beyond the device that clicked the link, researchers said.
Now, "attackers [can] fool the NAT in such a way that it will create incoming paths to any device on the internal network, and not only to the victim device that clicked on the link," they explained, in a blog posting on Tuesday.
The issue lies in the H.323 ALG, where supported. Unlike most other ALGs, H.323 enables an attacker to create a pinhole in the NAT/firewall to any internal IP, rather than just the IP of the victim that clicks on the malicious link.
Meanwhile, WebRTC TURN connections can be established by browsers over TCP to any destination port. The browser's restricted-ports list was not consulted by this logic, and was therefore bypassed.
"This allows the attacker to reach additional ALGs, such as the FTP and IRC ALGs (ports 21, 6667) that were previously unreachable due to the restricted-ports list," researchers said. "The FTP ALG is widely used in NATs/firewalls."
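The tell-tale sign of a slipstreaming attempt, as described above, is an ALG-triggering command (for the FTP ALG, an active-mode `PORT` line) carried inside the data portion of a connection that is not an FTP control session, and in the v2 variant that command advertises a different internal host than the one sending it. The detector below is an added example written for this article, not code from Armis, Kamkar or any browser vendor. It assumes a collector (proxy, IDS or NetFlow-style sensor) hands it the sender's IP, the destination port and the raw application payload; the sensitive-port table and the sample payloads are constructed for the demonstration.

```python
import re
from dataclasses import dataclass, field

# RFC 959 active-mode PORT command: PORT h1,h2,h3,h4,p1,p2
# This is the line an FTP ALG parses to open an inbound pinhole.
PORT_RE = re.compile(rb"\bPORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

# Constructed table (assumption): internal services that should never be
# reachable through an unsolicited NAT pinhole. The article mentions SMB
# and printer protocols; the rest are illustrative.
SENSITIVE_PORTS = {445: "SMB", 9100: "raw printing", 3389: "RDP", 23: "telnet"}

FTP_CONTROL_PORT = 21


@dataclass
class Finding:
    source_ip: str
    target_ip: str
    target_port: int
    reasons: list = field(default_factory=list)


def decode_port(groups):
    """Turn the six PORT arguments into (ip, port); None if any octet is > 255."""
    values = [int(g) for g in groups]
    if any(v > 255 for v in values):
        return None
    ip = ".".join(str(v) for v in values[:4])
    port = values[4] * 256 + values[5]
    return ip, port


def scan_payload(source_ip, dest_port, payload):
    """Scan one outbound payload for FTP-ALG trigger lines.

    Returns a Finding for every PORT command that looks like slipstreaming:
    carried outside an FTP control session, pointing at a host other than
    the sender (the v2 'any internal device' behaviour), or aimed at a
    sensitive internal service. Legitimate active-mode FTP yields nothing.
    """
    findings = []
    for match in PORT_RE.finditer(payload):
        decoded = decode_port(match.groups())
        if decoded is None:
            continue
        ip, port = decoded
        reasons = []
        if dest_port != FTP_CONTROL_PORT:
            reasons.append(f"PORT command embedded in non-FTP traffic (dst port {dest_port})")
        if ip != source_ip:
            reasons.append(f"advertised host {ip} differs from sender {source_ip}")
        if port in SENSITIVE_PORTS:
            reasons.append(f"pinhole targets {SENSITIVE_PORTS[port]} (port {port})")
        if reasons:
            findings.append(Finding(source_ip, ip, port, reasons))
    return findings


# Constructed samples: a normal FTP session and a slipstream-style HTTP POST body.
LEGIT_FTP = b"USER anonymous\r\nPORT 10,0,0,5,4,1\r\nLIST\r\n"
SUSPECT_HTTP_BODY = b"x=1&padding=AAAA\r\nPORT 10,0,0,20,1,189\r\n&y=2"

if __name__ == "__main__":
    print("legit FTP:", scan_payload("10.0.0.5", 21, LEGIT_FTP))
    for f in scan_payload("10.0.0.5", 80, SUSPECT_HTTP_BODY):
        print(f"ALERT {f.source_ip} -> {f.target_ip}:{f.target_port}")
        for r in f.reasons:
            print("  -", r)
```

The same structure works for the other ALGs named in the article (SIP, H.323, IRC) by adding the corresponding trigger patterns; the decisive signals stay the same: an application-protocol command where the connection's protocol says it should not be, and an advertised address that is not the sender's own.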
A full proof-of-concept demonstration can be seen here:
The ability to reach devices without human interaction means that attackers can reach not only desktops but also other devices that don't typically have human operators: unmanaged devices like printers, industrial controllers, Bluetooth accessories, IP cameras, sensors, smart lighting and more. The impact of an attack on these can be severe, ranging from denial-of-service (DoS) to a full-blown ransomware attack, researchers noted.
"Unmanaged devices [often] don't have inherent security capabilities, and often offer interfaces for controlling them and accessing their data with little-to-no authentication, within the internal network," researchers explained. "Exposing these interfaces directly to the internet is a serious security risk."
Researchers gave the example of an office printer that can be controlled through its default printing protocol, or through its internal web server. Using NAT slipstreaming, an attacker could knock it offline or cause it to print arbitrary documents. Depending on the printer's features, cybercriminals could also access stored documents.
The researchers added that in order to carry out those types of actions, the newly exposed interface would itself need to be insecure, as is the case for other targets. Thus, once attackers open a path to the target through the NAT, they would still need to get into the target itself. Many unmanaged devices not connected to the internet don't require passwords, researchers noted, or often remain unpatched.
"In addition to interfaces that are unauthenticated by design, many unmanaged devices may also be vulnerable to vulnerabilities that are publicly known, that can be exploited if an attacker is able to bypass the NAT/firewall, and initiate network traffic that can trigger them," they wrote.
An example of this risk includes the 97 percent of industrial controllers recently found to remain vulnerable to the URGENT/11 group of security bugs. In many industrial scenarios, regular patching of unmanaged devices is a challenge since they often can't be taken offline because of production requirements, researchers explained. Thus, "many organizations rely on perimeter security (firewalls and NATs) to keep their unpatched devices from being accessed by potential attackers on the internet."
Once the perimeter is breached, attackers are free to exploit and take over vulnerable and open devices, and install remote access tools for further attacks.
Like the original attack, the new version has been mitigated with browser patches, for Chrome, Safari, Firefox and Edge. Chromium is tracking the new variant via CVE-2020-16043, while Firefox is tracking it via CVE-2021-23961.
"While the underlying issue of this attack is the way NATs are implemented (in various ways in routers and firewalls, throughout numerous vendors and applications), the easiest and fastest way to mitigate was through a patch to browsers," according to the advisory.
The updates are Chrome v87.0.4280.141, Firefox v85.0 and Safari v14.0.3, and Microsoft's Edge browser is also now patched, since it relies on the Chromium source code.
threatpost.com/google-chrome-87-nat-slipstreaming-flaw/161344/
threatpost.com/newsletter-sign/
threatpost.com/scanner-shows-eternalblue-vulnerability-unpatched-on-thousands-of-machines/126818/
threatpost.com/unpatched-iot-ot-devices-threaten-critical-infrastructure/162275/
www.armis.com/resources/iot-security-blog/nat-slipstreaming-v2-0-new-attack-variant-can-expose-all-internal-network-devices-to-the-internet/