Detection: Cloud Snooper

Hi all: here’s a quick detection for Cloud Snooper activity. Bind it to your HTTP servers.

The method used here is very simple: for an inbound HTTP/S request, check the source ports from the IOCs found here.

Trigger code is below. Bind the trigger to the FLOW_CLASSIFY event. You can validate it trivially by using curl with the --local-port option to spoof one of the ports listed in the “suspicious_ports” array in the trigger. If you find errors or improvements I am happy for input.


/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reference for IOC: 
https://news.sophos.com/en-us/2020/02/25/cloud-snooper-attack-bypasses-firewall-security-measures/

Note 1: It's almost certain that this will need to be modified later on because they (source ports)
can change so easliy.

Note 2: The confidence of the detection can be incresed further by looking for C2 in the E->W corridor.

That said, the initial approach is this: binding this detection to HTTP servers listening from the edge, then
looking for ANY combination of dest port [80, 443] from any source of [1010, 2020, 6060, 7070, 8080, 9999]. 
Given that source ports this low are rare, this is a very simple approach, but warrants investigation in all cases.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/

// Source port list. Subject to change, be prepared to modify this to reflect new variants.
const suspicious_sources = [1010, 2020, 6060, 7070, 8080, 9999];

// End IOCs.


if (event === "FLOW_CLASSIFY") {
    
    // We'll capture all of our info to get started.
    let ipproto = Flow.ipproto;
    let src_port = Flow.client.port;
    let dst_port = Flow.server.port;
    let actor = Flow.client.ipaddr;
    let server_ip = Flow.server.ipaddr;

    if (!actor.isExternal) { 
        return; // Bail. Not an external source.
    }
       
    if ( suspicious_sources.indexOf(src_port) ==  -1 ) {
        return; // Bail - no source port IOCs present.
        }

    let lookups = {
        'arin': `https://search.arin.net/rdap/?query=${actor.toString()}`,
        'talos': `https://talosintelligence.com/reputation_center/lookup?search=${actor.toString()}`,
    }

    // Check for inbound to 80 or 443 from one of our suspicious sources.
    if ( [80,443].indexOf(dst_port) > -1) {
        // Fire the detection, this looks suspicious
        let description = "Suspected CloudSnooper attempt. Check HTTP and SSL flows from the victim device below." + "\n";
        description += `- [ARIN Database](${lookups.arin})` + "\n"
        description += `- [Cisco Talos](${lookups.talos})` + "\n"

        commitDetection('CloudSnooper', {
        'title': 'Possible Cloud Snooper Request',
        'description': description,
        'categories': ['sec.exploit'],
        'riskScore': 80,
        'participants': [ { object: Flow.server.device, role: "victim"}, {object: actor, role: "offender"}],
        //'identityKey': `v1:${actor.toString()}:${server_ip.toString()}`
        "identityKey": null
        });
    }
}
2 Likes