Adversaries must communicate with victims to enable intrusions, but the means through which such communication takes place can vary widely. Many adversaries leverage “owned” infrastructure such as leased virtual private servers (VPSs) or other devices to serve as “hop” points between adversaries themselves and victim space. While this continues, more recent developments include the rapidly increasing use of complex proxy networks for tunneling adversary traffic to and from victims.

Proxy networks, also referred to as covert or “operational relay box” (ORB) networks, are an evolution of the classic botnet. Botnets are simply networks of compromised machines, but traditionally have featured relatively “flat” architectures: a botnet controller communicates to one or all infected “bots” to then interact with a victim, whether for command and control (C2) purposes or to deliver an effect such as distributed denial of service (DDoS). Proxy networks, however, are more complicated in that they consist of tiers of compromised devices allowing for traffic to route through multiple infected machines between the adversary and ultimate victim.

The complexity of proxy networks makes them somewhat more difficult to manage and maintain, but with the significant advantage of greater flexibility and deniability in intrusion activity. As a result, adversaries can rotate through hundreds or thousands of potential nodes to interact with victims, making traditional defensive actions such as indicator (primarily IP address) tracking and blocking extremely difficult, if not outright impossible.

Proxy networks are increasingly popular for a variety of threat actors, but have proven especially desirable for entities associated with the People’s Republic of China (PRC). Most notable among these are the KV Botnet associated with Volt Typhoon operations, and Flax Typhoon infrastructure. Notably, an entire ecosystem has developed surrounding proxy networks where dedicated organizations build and maintain the network, which is then leased to multiple threat actors for operational employment. For example, while Volt Typhoon used the KV Botnet, it is not the only entity associated with the network. This division of labor further complicates actions such as threat clustering and attribution linked to proxy network use.

Proxy network use in intrusions has undeniably made the work of defenders more difficult, but it has not rendered defense impossible. Rather, proxy network employment has more accurately highlighted shortcomings in existing, basic types of network defense. For example, indicator-driven defense like IP address blocking and filtering was already of dubious value given the largely ephemeral nature of IP address space—proxy network use thus serves to highlight this shortcoming. Instead of approaches based on simple binary propositions of allow or deny based on limited, atomic information (such as an IP address), more complex logic is needed to identify the ways in which proxy networks are used and the nature of the infrastructure employed.

For the former, proxy networks can be used to facilitate a variety of actions from scanning to credential stuffing to exploitation to C2. Indicator-centric defensive approaches would focus on the minimal information concerning endpoints involved in these actions, but more robust defensive measures emphasize the nature of these endpoints and the actual activity taking place between them.

For example, flagging brute-force attacks by identifying patterns of logon attempts (from a single endpoint, a network range, or a similar grouping) rather than simply adopting an IP banlist is a necessary step when adversaries can rapidly rotate among many exit nodes for the activity in question. Alternatively, determining the nature of a communicating endpoint (e.g., an IP address in a residential ISP that, based on its characteristics, appears to be an IoT device) can allow defenders to rapidly disposition an authentication attempt as likely malicious.
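The contrast between indicator-centric and activity-centric detection can be made concrete. The following is an added example, not code from the original post or its author: it runs two detection rules over a small constructed authentication log. The first is a per-IP failure threshold of the banlist variety; the second aggregates failures per target account across a sliding window regardless of which source IP each attempt came from, then enriches the result with a constructed residential-prefix table (standing in for the ASN, WHOIS or device-fingerprint data a real deployment would use) and surfaces any successful logon that follows the spray. The log lines, prefixes, thresholds and function names are all assumptions for illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (timestamp, source IP, account, outcome); not from any real system.
# Six failures against "alice" arrive from six different addresses within twelve seconds,
# followed by a success from a seventh address.
SAMPLE_LOG = """\
2024-06-01T10:00:01Z 203.0.113.5 alice FAIL
2024-06-01T10:00:03Z 203.0.113.77 alice FAIL
2024-06-01T10:00:05Z 198.51.100.12 alice FAIL
2024-06-01T10:00:07Z 198.51.100.200 alice FAIL
2024-06-01T10:00:09Z 192.0.2.33 alice FAIL
2024-06-01T10:00:11Z 192.0.2.140 alice FAIL
2024-06-01T10:00:13Z 203.0.113.9 alice SUCCESS
2024-06-01T10:05:00Z 192.0.2.50 bob SUCCESS
2024-06-01T10:06:00Z 192.0.2.50 bob FAIL
"""

# Constructed enrichment table: prefixes treated as residential ISP space (assumption; a real
# deployment would derive this from ASN/WHOIS data or device fingerprinting).
RESIDENTIAL_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]


def parse_log(text):
    """Parse the whitespace-separated sample format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "ip": ipaddress.ip_address(ip),
            "user": user,
            "outcome": outcome,
        })
    return events


def is_residential(ip):
    """True if the address falls in one of the constructed residential prefixes."""
    return any(ip in net for net in RESIDENTIAL_PREFIXES)


def per_ip_alerts(events, threshold=3):
    """Indicator-centric rule: alert on any single source IP reaching a failure threshold.
    Against a rotating proxy network every source stays under the bar, so this returns nothing."""
    fails = defaultdict(int)
    for e in events:
        if e["outcome"] == "FAIL":
            fails[e["ip"]] += 1
    return {str(ip): n for ip, n in fails.items() if n >= threshold}


def per_account_alerts(events, window=timedelta(minutes=5), min_failures=5, min_sources=3):
    """Activity-centric rule: alert when one account accumulates failures from many distinct
    sources inside a sliding window. The largest qualifying window per account is reported."""
    alerts = {}
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["outcome"] == "FAIL":
            by_user[e["user"]].append(e)
    for user, fails in by_user.items():
        best = None
        start = 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            burst = fails[start:end + 1]
            sources = {e["ip"] for e in burst}
            if len(burst) >= min_failures and len(sources) >= min_sources:
                if best is None or len(burst) > best["failures"]:
                    last_fail = burst[-1]["ts"]
                    # A success shortly after a distributed spray is the event to triage first.
                    followed_by = [
                        e for e in events
                        if e["user"] == user and e["outcome"] == "SUCCESS"
                        and last_fail <= e["ts"] <= last_fail + window
                    ]
                    best = {
                        "failures": len(burst),
                        "distinct_sources": len(sources),
                        "residential_share": sum(is_residential(ip) for ip in sources) / len(sources),
                        "success_after_spray": [
                            (str(e["ip"]), is_residential(e["ip"])) for e in followed_by
                        ],
                    }
        if best is not None:
            alerts[user] = best
    return alerts


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("per-IP banlist logic:", per_ip_alerts(evts))
    print("per-account logic:", per_account_alerts(evts))
```

On the sample log the per-IP rule produces no alert at all, since no address fails more than once, while the per-account rule reports six failures against "alice" from six distinct sources, two thirds of them in residential space, followed by a success from a residential address. The point is the grouping key: keyed on source IP the activity is invisible, keyed on the target account (or a network range, ASN or device class) it is obvious.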

Through understanding the composition and use of proxy networks, defenders and related decision makers can better position themselves to respond to intrusions leveraging such infrastructure. However, the most robust mechanism to defeat such networks resides in addressing their creation: reducing the scope for adversaries to compromise and incorporate vulnerable, end-of-life, or similar devices into malicious networks. 

While this addresses the root cause of the issue, such action is exceptionally difficult to execute in practice. Nonetheless, attempts are emerging, as observed in the attempted takedown of the KV Botnet and actions against the Cyclops Blink network associated with Russian threat actors. In these cases, we observe an increased willingness by law enforcement and related entities to engage and interact with compromised, “neutral” devices to disrupt adversary weaponization of such infrastructure. Unfortunately, such actions are often ephemeral in nature, given the need to patch, modify, or outright replace devices for an effective defensive response.

As a result, higher-level policy and similar decisions are necessary to truly address the proxy network problem, while defenders work to mitigate their immediate use. By understanding how these networks are created and used, we can begin to grasp the issue, but adequately addressing it will require significant investment and an increased willingness to actively engage with compromised, otherwise innocent infrastructure.

Weaponizing the Neutral Web

For a more in depth review of this issue and potential responses, read our full whitepaper.

Author
Joseph Slowik, Director, Cybersecurity Alerting Strategy
May 15, 2026