Command and control attacks, also referred to as C2 or C&C attacks, are attacks in which a malicious actor uses a server under their control to command and control already compromised machines over a network. That server (the command and control server) is also used to receive the payload the attacker is after from the compromised network.
In this post, we’ll be going over what a command and control attack is in detail, how the attack works, and what can be done to defend against it.
How command and control attacks work
As mentioned above, command and control attacks control infected machines from a malicious remote server. But how do the attackers infect those machines in the first place?
This is done through the typical “compromise channels”:
- Phishing emails or instant messages
- Vulnerable web browser plugins
- Direct installation of malware (if the attacker is able to gain physical access to the machine)
Once the machine is successfully compromised, it will establish communication with the malicious command and control server, indicating that it’s ready to receive instructions.
The infected device will execute the commands coming from the attacker’s C2 server, which typically leads to the installation of further malware. This gives the attacker complete control of the victim’s computer.
As more and more users within the organization fall for the phishing scheme or are otherwise compromised, the malicious code typically spreads to more and more computers, creating a botnet – a network of infected machines. Within a matter of time, the attacker gains complete control over that network.
Devices that can be targeted with command and control attacks
Essentially any computing device can be targeted with a command and control attack. That means:
- IoT devices
That last entry on the list is particularly worrisome because these devices tend to be rather insecure. They may not get updated with security patches very often, and tend to share a lot of data over the internet.
They also tend to come with default login credentials, such as “admin, admin,” which the consumer is expected to change. This is difficult, as IoT devices usually have extremely limited user interfaces that make them hard to configure.
The UK government’s Code of Practice for Consumer IoT Security suggests that device manufacturers ensure that all IoT device passwords are unique and not resettable to universal factory default values. In the meantime, you may want to limit the number of IoT devices on your network.
What are the risks of command and control attacks?
- Data theft – Sensitive company data, like financial documents or proprietary information, could be copied or transferred to the command and control server.
- Shutdown – An attacker could shut down any number of compromised machines. In a large-scale command and control attack, they could even bring down the entire network.
- Reboot – Infected machines may suddenly and repeatedly shut down and reboot, disrupting business operations.
- Malware/ransomware attacks – Once the attacker has compromised a machine on your network, they’ve got access to your network. Depending on the permissions they managed to obtain, they could do things like trigger the download of malware or encrypt sensitive data and demand a ransom for the decryption key. The FBI’s Internet Crime Complaint Center said that it investigated 2,385 cases of ransomware in 2022, with adjusted losses of more than $34.3 million.
- Distributed denial of service (DDoS) botnet – With enough compromised machines on the network, the attacker will have access to a botnet: a network of infected computers ready to receive malicious commands. A common use of botnets is to mount DDoS attacks. DDoS attacks take down servers or networks by flooding them with traffic. Once the attackers have established a botnet, they can instruct each machine to send a request to the targeted server/network, which, with enough requests, can overwhelm the server/network to the point of taking it offline. This is suspected to have been the reason North Korea’s internet briefly failed in 2022. One analyst, quoted by Reuters, said that the network stress from the attack was so great that North Korea’s “Domain Name System (DNS) servers have been taken offline and eventually the key routers allowing traffic in and out of the country entirely.”
Different command and control architectures
Different command and control server/client architectures are used in command and control attacks. The architecture determines how the infected machine communicates with the command and control server. Different architectures have been developed over time to avoid detection as much as possible. There are three different command and control architectures.
The centralized architecture is probably the most common. It’s the classic client/server scheme, in which all infected computers communicate with one central server that manages all of the responses. However, this model is the easiest to detect and block because all the commands come from a single source. Because of that, the command and control server’s IP address can quite readily be detected and blocked. To try and mitigate this, some attackers use proxy servers, redirectors, and load balancers in their C&C server configuration.
The peer-to-peer model works much like a BitTorrent file transfer, in which there is no central server. Each infected computer acts as a node in the botnet, passing messages (i.e. commands) to any other node, so the need for a central server is eliminated. In practice, this architecture is often used in a hybrid setup: a central server is used while it is available, and peer-to-peer communication is the fallback should that server be taken down or otherwise compromised.
The peer-to-peer architecture model is much more difficult to detect than the centralized architecture model. And, even if detected, there’s a good chance you’ll only be able to take one node down at a time — which will still cause you a substantial headache.
The random architecture model is the most difficult to detect. That’s also the reason why it came to be: so that security staff can’t detect the chain of command of a botnet or trace and shut down the C&C server. This architecture model works by sending commands to the infected host or botnet from different random sources. Those sources could be links in social media comments, CDNs, email, IRC chat rooms, etc. Attackers tend to choose trusted and frequently used sources to send the malicious commands — heightening their chances of success.
Possible attack flow of a command and control attack
The following represents a typical attack flow in a command and control attack.
- Malicious actors infect a system within an organization (often behind a firewall) with malware. This is achieved through phishing emails, malvertising, vulnerable browser plugins, or direct installation of malicious software through a USB stick or disc drive (this requires physical access).
- Once the first machine is infected, the C&C channel is created, and the compromised system pings the C&C server, letting it know that it’s waiting to receive commands. This communication between the hosts and the C&C server is typically achieved over trusted traffic channels, such as DNS.
- Now that the C&C channel has been established, the infected system can receive further instructions from the C&C server — so long as the malware isn’t detected. The C&C server will likely use this channel to instruct the compromised host to do things like installing more malicious software, encrypting data, and even extracting (exfiltrating) data from the infected host.
- If the attackers are ambitious, they could use the C&C server to instruct the infected host to scan for vulnerabilities on other hosts in an attempt to move laterally through the network. That can lead to the creation of a network of compromised hosts (i.e., a botnet) and can compromise an organization’s entire IT infrastructure.
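The attack flow above says the infected host checks in with the C&C server over a trusted channel such as DNS. As an added example (not code from the original post), the following script shows the defender’s side: it reads a constructed DNS log and flags two patterns that often accompany such a channel, a client resolving names under one domain at near-constant intervals (beaconing) and long, high-entropy subdomain labels (data packed into queries). The log lines, the .test domain, and the thresholds are all constructed assumptions.

```python
"""Flag DNS query patterns that often accompany C2 beaconing or tunnelling.

Added example, not part of the original post. Input is a constructed DNS log
("<epoch seconds> <client ip> <query name>"). Two heuristics are applied:
  1. beaconing: one client resolving names under the same registered domain
     at near-constant intervals (low jitter) many times in a row;
  2. tunnelling: query names whose leftmost label is long and high-entropy,
     as happens when data is packed into subdomains.
Thresholds and the .test domain are assumptions chosen for illustration.
"""
import math
import statistics
from collections import defaultdict

# Constructed sample log. 10.0.0.5 browses normally; 10.0.0.7 checks in with a
# placeholder attacker domain every ~60 s using random-looking labels;
# 10.0.0.9 sends one long but low-entropy label, which must not be flagged.
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com
1700000000 10.0.0.7 kzq4m8x2v9p1l7c3b6n0.attacker-placeholder.test
1700000013 10.0.0.5 mail.example.com
1700000061 10.0.0.7 a9f3k2m7q1w5e8r4t6y0.attacker-placeholder.test
1700000120 10.0.0.7 b8g4l3n7r2x6d1h5s9u0.attacker-placeholder.test
1700000179 10.0.0.7 c7h5j2p9t4z1f6k3m8v0.attacker-placeholder.test
1700000241 10.0.0.7 d6i4k1q8w3y5b2e7g9s0.attacker-placeholder.test
1700000300 10.0.0.7 e5j3l9r1u4x7a2c6f8h0.attacker-placeholder.test
1700000400 10.0.0.5 www.example.com
1700000405 10.0.0.5 cdn.example.com
1700000900 10.0.0.9 aaaaaaaaaaaaaaaaaaaa.example.com
1700001900 10.0.0.5 www.example.com
"""


def parse_log(text):
    """Return a list of (timestamp, client, qname) tuples from the log text."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, client, qname = line.split()
        records.append((int(ts), client, qname.lower().rstrip(".")))
    return records


def registered_domain(qname):
    # Assumption: the last two labels; real tooling should use the public suffix list.
    return ".".join(qname.split(".")[-2:])


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_beacons(records, min_queries=5, max_jitter=0.2):
    """Map (client, domain) -> mean interval for regular, repeated lookups."""
    by_key = defaultdict(list)
    for ts, client, qname in records:
        by_key[(client, registered_domain(qname))].append(ts)
    beacons = {}
    for key, stamps in by_key.items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        # Coefficient of variation: near 0 means a steady timer, not a human.
        if statistics.pstdev(gaps) / mean <= max_jitter:
            beacons[key] = round(mean, 1)
    return beacons


def find_tunnel_labels(records, min_len=16, min_entropy=3.5):
    """Return (client, qname) for queries whose first label is long and random-looking."""
    hits = []
    for _ts, client, qname in records:
        label = qname.split(".")[0]
        if len(label) >= min_len and shannon_entropy(label) >= min_entropy:
            hits.append((client, qname))
    return hits


def analyze(text):
    records = parse_log(text)
    return {"beacons": find_beacons(records),
            "tunnel_candidates": find_tunnel_labels(records)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for (client, domain), interval in result["beacons"].items():
        print(f"beacon: {client} -> {domain} every ~{interval}s")
    for client, qname in result["tunnel_candidates"]:
        print(f"tunnel-like label: {client} -> {qname}")
```

The two heuristics are deliberately independent: a beacon over plain, short names is still a beacon, and a single high-entropy label is worth a look even without a timer behind it. In production you would feed the same functions from your resolver’s query logs and tune the thresholds against your own baseline.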
Real-world examples of command and control attacks
In February 2013, Twitter detected a sophisticated attack on its corporate network. It was a command and control attack perpetrated by the hacker group known as both Wild Neutron and Morpho. This group would use the same attack on Facebook, Apple, and Microsoft in the weeks ahead. The attack on Twitter compromised approximately 250,000 user accounts, giving the attackers access to their user names and email addresses, among other things.
A few weeks after the Twitter hack, Facebook was hit with essentially the same command and control attack as Twitter. However, perhaps because of foresight after having learned of the Twitter hack, the attack failed to expose any customer data, and the malware did not spread through the network. It was contained on a small number of laptops belonging to Facebook engineers.
Apple wasn’t left behind in this 2013 hackathon. Like Facebook and Twitter, Apple was hit with the same attack in February. According to Apple, at the time, only a small number of computers on its Cupertino campus were successfully attacked by the same group.
The hack exploited a Java vulnerability to compromise the machines (as with the other companies affected). Apple issued a statement saying that “[t]here is no evidence that any data left Apple.” It may not have left, but it may have been viewed… Apple released an update to Java to mitigate the exploit a few days later.
Again, a few weeks after the Twitter attack, Microsoft was similarly attacked by the same group. The attackers managed to compromise Microsoft’s unfixed vulnerabilities database. Needless to say, the attack could have been devastating.
Microsoft issued a statement saying, “We have no evidence of customer data being affected, and our investigation is ongoing.” However, according to Reuters, Microsoft was very concerned that the compromised information would lead to follow-up attacks. And that may well have happened.
Defending against command and control attacks
As is so often the case, the way to defend against command and control attacks depends on whether you’re a user or an administrator. Different mitigation measures apply to each. We’ll provide both.
For system administrators
Provide security awareness training
You want your staff to be aware of the online threats they may be facing. Security training for your staff will not only help you mitigate command and control attacks but many other types of malicious activities as well.
Security training promotes more secure habits within your organization and will lessen the risk level of many of the online threats you face every day – specifically phishing attempts. On top of that, your entire organization will be better prepared to deal with security events. You simply cannot lose with this one.
Monitor your networks
You’re going to need visibility into the traffic flowing over your network, specifically so you can spot suspicious activity. Some of the signs that may point to an attack (command and control or otherwise) are files whose hashes don’t match what their filenames suggest, legitimately named files stored in odd locations, user logins at unusual times, and access to unusual network locations.
Use an AI-based Intrusion Detection System (IDS)
It’s typically difficult for traditional IT defenses to identify suspicious behavior, because they tend to be binary in nature: they consult the account’s permissions or an ACL and choose between “yes” and “no,” or “grant access” and “deny access.”
However, there is technology available today that can efficiently scan for and detect out-of-the-ordinary events. AI-powered tools are used across many industries, and IT security is no exception. With an AI-based IDS, you can “teach” it via machine learning what “normal” behavior patterns over your network look like. From that baseline, and with a bit of training, it will be able to detect outlier behavior and thus help you counter cyber threats.
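The “Monitor your networks” section lists logins at unusual times and from unusual network locations as signs of an attack, and the paragraph above describes learning a baseline of normal behaviour and flagging outliers. The following script, an added example not taken from the original post, does both in miniature: it builds a per-user profile (usual login hours, usual source /24 networks) from constructed historical login records and scores new logins against it. Usernames, IP addresses and the one-hour tolerance are assumptions for illustration.

```python
"""Baseline-and-deviation detection for login events.

Added example, not from the original post. A per-user profile is learned from
historical login records (constructed sample data); new logins that fall
outside the learned hours or source networks are flagged. A real IDS learns
many more features; the tolerances here are assumptions for illustration.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed history: "user,ISO timestamp,source ip" for a normal week.
HISTORY = """\
alice,2024-03-04T08:55:00,10.1.20.14
alice,2024-03-05T09:02:00,10.1.20.14
alice,2024-03-06T08:48:00,10.1.20.15
alice,2024-03-07T09:10:00,10.1.20.14
alice,2024-03-08T13:30:00,10.1.20.14
bob,2024-03-04T10:05:00,10.1.30.7
bob,2024-03-05T10:12:00,10.1.30.7
bob,2024-03-06T17:45:00,10.1.30.9
bob,2024-03-07T10:00:00,10.1.30.7
"""

# Constructed events to score: one normal, one at 03:14, one from an outside
# address (203.0.113.0/24 is a documentation range), one from an unknown user.
NEW_EVENTS = """\
alice,2024-03-11T09:01:00,10.1.20.14
alice,2024-03-12T03:14:00,10.1.20.14
bob,2024-03-11T10:03:00,203.0.113.45
carol,2024-03-11T11:00:00,10.1.40.2
"""


def parse_events(text):
    """Return (user, datetime, ip) tuples from the CSV-like text."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, stamp, ip = line.split(",")
        events.append((user, datetime.fromisoformat(stamp), ip))
    return events


def source_network(ip):
    # Assumption: group sources by /24 so a new desk IP in the same office is not an alert.
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def build_profiles(history):
    """Learn, per user, the set of normal login hours and source networks."""
    profiles = defaultdict(lambda: {"hours": set(), "networks": set()})
    for user, when, ip in history:
        profile = profiles[user]
        # Widen each observed hour by one on either side to tolerate normal drift.
        for h in (when.hour - 1, when.hour, when.hour + 1):
            profile["hours"].add(h % 24)
        profile["networks"].add(source_network(ip))
    return dict(profiles)


def score_event(profiles, user, when, ip):
    """Return a list of reasons the event deviates from the baseline (empty if none)."""
    profile = profiles.get(user)
    if profile is None:
        return ["no baseline for user"]
    reasons = []
    if when.hour not in profile["hours"]:
        reasons.append(f"login at {when.hour:02d}:00 outside baseline hours")
    if source_network(ip) not in profile["networks"]:
        reasons.append(f"source {ip} outside baseline networks")
    return reasons


def find_anomalies(history_text, events_text):
    """Map (user, timestamp) -> reasons for every new event that deviates."""
    profiles = build_profiles(parse_events(history_text))
    flagged = {}
    for user, when, ip in parse_events(events_text):
        reasons = score_event(profiles, user, when, ip)
        if reasons:
            flagged[(user, when.isoformat())] = reasons
    return flagged


if __name__ == "__main__":
    for (user, stamp), reasons in find_anomalies(HISTORY, NEW_EVENTS).items():
        print(f"{stamp} {user}: {'; '.join(reasons)}")
```

The point is the shape, not the sophistication: a baseline learned from history, a score for each new event, and a human-readable reason attached to every alert so an analyst can triage it. A “no baseline for user” hit is worth keeping as its own category, since brand-new accounts are exactly what an attacker who has gained admin rights tends to create.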
Limit user permissions as much as possible
The principle of least privilege should be implemented in your organization. Assign each user the minimum permissions required to do their work and nothing beyond that.
Set up two-factor authentication (2FA) on all accounts that support it
2FA is a robust way to make it more difficult for malicious actors to abuse your credentials. Not only that, but it may discourage many of them from trying.
Implement digital code-signing
Code signing lets you prevent unauthorized software from executing unless it has been signed by a trusted entity. Don’t leave the door wide open by allowing any application from anywhere to be installed on devices on your network. Put an allowlist in place through digital code-signing.
For users
These are primarily common-sense tips that can help you avoid various online threats. However, the first four points are directly related to mitigating C2 attacks.
- Don’t open attachments in emails unless you’re sure you know who the sender is and you’ve confirmed with that person that they really did send you the email in question. You should also make sure they’re aware the email contains an attachment and know what the attachment is.
- Don’t click links (URLs) in emails unless you can confirm who sent you the link, what its destination is, and that the sender is not being impersonated. Once you’ve done that, scrutinize the link itself. Is it an HTTP or an HTTPS link? The vast majority of the legitimate internet uses HTTPS today. Also check the domain for misspellings (faceboook instead of facebook, or goggle instead of google). If you can get to the destination without using the link, do that instead.
- Use a firewall – All major operating systems have a built-in incoming firewall, and all commercial routers on the market provide a built-in NAT firewall. You want to make sure these are enabled. They could well be your first line of defense if you click a malicious link.
- Log out and reboot your computer – When you’re done working on your computer, log out of your session and reboot the machine. That will clear things from memory that could be used to compromise your computer.
- Use strong and complex passwords – The more complex your passwords are, the less likely you are to fall victim to credential-based attacks. Depending on the attacker’s chosen methodology, a successful command and control attack may well start off as a credential-based attack. Use our password generator for creating secure passwords, and then a password manager to more easily keep track of them.
- Use an antivirus program – Only purchase genuine and well-reviewed antivirus software from legitimate vendors — there is plenty of malicious fake anti-virus software out there. Keep your antivirus updated and configure it to run frequent scans.
- Keep your operating system updated – You want the latest OS updates, as they contain the latest security patches. Make sure you install them as soon as they’re available.
- Never click on pop-ups. Ever. Regardless of where they take you, pop-ups are just bad news.
- Don’t give in to “warning fatigue” if your browser displays yet another warning about a website you are trying to access. With web browsers becoming more and more secure, the number of security prompts they display has gone up somewhat. You should still take your browser’s warning seriously, and if your browser displays a security prompt about a URL you’re trying to visit, listen to your browser and get your information elsewhere. That’s especially true if you clicked a link you received by email or SMS – it could be sending you to a malicious site. Don’t disregard your computer’s warning prompts, and don’t be tempted to disable your browser’s phishing and malware detection.
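The link-checking advice in the list above (HTTPS versus HTTP, misspelled domains) can be partly automated. Below is an added example, not from the original post, that parses a URL, flags a non-HTTPS scheme, and compares the registered domain against a short list of domains the user actually expects, using edit distance so that lookalikes such as faceboook.com or goggle.com are caught. The expected-domain list, the .test domain and the distance threshold are constructed assumptions.

```python
"""Scrutinise a link before following it.

Added example, not part of the original post. It checks two of the points the
post raises: whether the link uses HTTPS, and whether its domain is a near
miss of a domain you actually expect (a doubled letter, a swapped character).
The expected-domain list and the distance threshold are assumptions.
"""
from urllib.parse import urlparse

# Constructed list of domains this user expects to be linked to.
EXPECTED_DOMAINS = {"facebook.com", "google.com", "example-bank.test"}


def edit_distance(a, b):
    """Levenshtein distance: minimum single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def registered_domain(host):
    # Assumption: the last two labels; real tooling should use the public suffix list.
    return ".".join(host.lower().split(".")[-2:])


def scrutinize_link(url, expected=EXPECTED_DOMAINS, max_distance=2):
    """Return a list of findings; an empty list means nothing looked off."""
    findings = []
    parts = urlparse(url)
    if parts.scheme != "https":
        findings.append(f"scheme is {parts.scheme or 'missing'}, not https")
    domain = registered_domain(parts.hostname or "")
    if domain in expected:
        return findings
    # Not an exact match: is it suspiciously close to one we expect?
    closest = min(expected, key=lambda d: edit_distance(domain, d))
    dist = edit_distance(domain, closest)
    if dist <= max_distance:
        findings.append(f"{domain} looks like {closest} (edit distance {dist})")
    else:
        findings.append(f"{domain} is not one of the expected domains")
    return findings


if __name__ == "__main__":
    for link in ("https://www.google.com/search",
                 "http://www.facebook.com/login",
                 "https://www.faceboook.com/login",
                 "https://goggle.com"):
        print(link, "->", scrutinize_link(link) or ["looks fine"])
```

A small edit distance to an expected domain is a stronger signal than an unknown domain outright, because it is the pattern of a deliberate lookalike rather than a site you simply haven’t seen before; that is why the two cases produce different findings.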
So that’s essentially the deal with command and control attacks. They can definitely be nasty insofar as they could lead to complete network takeovers. But, as is the case with many other online attacks, putting the security measures above into practice and promoting security awareness within your organization is a good bet towards lowering the odds of falling prey to online attacks in general and command and control attacks, specifically.