
This feature, originally designed to enable legitimate system administration, has been exploited by attackers as a covert Command and Control (C2)
The ability to manipulate Cortex XDR’s Live Terminal poses a severe risk to enterprises, compromising the security of their network infrastructure.
A Covert Command and Control Channel
Cortex XDR’s Live Terminal feature is rich with functionalities, including command execution, file exploration, and PowerShell support.
It also allows attackers to execute Python scripts and explore processes on compromised systems.
Attackers can use this built-in feature to communicate with their C2 server undetected by bypassing traditional network traffic monitoring methods.
This technique, often referred to as “Living off the Land” (LotL), requires minimal effort and is often overlooked by network defenses due to its native integration into enterprise traffic flows.
One significant risk of this vulnerability is that it does not require advanced development skills. Attackers can exploit this feature using basic tools and configurations, making it a popular choice for malicious actors.
Furthermore, Cortex XDR’s built-in security features, such as TLS interception and certificate enforcement, can be bypassed with minor tweaks, allowing attackers to use WebSockets for direct communication with their C2 servers.
Research and Methods Of Exploitation
Research by cybersecurity experts revealed that attackers can easily exploit the Live Terminal feature for C2 communication.
They identified that Cortex XDR’s agent does not employ certificate or CA pinning, which leaves the door open for attackers to intercept network traffic.
This means attackers can send WebSocket messages from the Live Terminal session to any malicious server they control.
The exploitation process can be done in two main ways: Cross-Tenant and Custom Server Creation. In the first method, an attacker with their own Cortex tenant can generate a WebSocket message containing the victim’s host details, thereby intercepting the victim’s connection.
The second method allows attackers to replicate the WebSocket communication on their own server, bypassing the need for a legitimate Cortex XDR tenant.
This method requires minimal development effort and can be achieved by modifying the Cortex agent’s configuration to accept a custom server host.
While this vulnerability requires local administrator privileges to exploit, there are detection methods to identify unusual activities.
For instance, defenders can monitor for suspicious parent process values in process creation events. If a non-standard parent process executes Cortex XDR’s payload, it should trigger an alert.
Unfortunately, this detection method is reactive, and an attacker could still potentially evade detection if they bypass prevention rules.
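The parent-process check described above, as an added example rather than anything from the article or the vendor: it scans constructed Sysmon-style process-creation events and alerts when the agent component is started by a parent outside an allowlist. The agent and service executable names are placeholders chosen for the example, not vendor-documented names.

```python
import json
import ntpath

# Placeholder names (assumptions, not taken from vendor documentation):
# the agent executable to watch and the parents it is expected to have.
AGENT_IMAGES = {"edr_agent_payload.exe"}
EXPECTED_PARENTS = {"services.exe", "edr_agent_service.exe"}


def _basename(path):
    """Lower-cased file name of a Windows path; tolerant of missing fields."""
    return ntpath.basename(path or "").lower()


def parse_jsonl(text):
    """Parse newline-delimited JSON process-creation events, skipping blanks."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_unexpected_parents(events):
    """Return one alert per event in which an agent image is started by a
    parent outside the allowlist. Comparison is on the file name only, so
    path casing or an unusual directory does not hide the parent."""
    alerts = []
    for ev in events:
        image = _basename(ev.get("Image"))
        parent = _basename(ev.get("ParentImage"))
        if image in AGENT_IMAGES and parent not in EXPECTED_PARENTS:
            alerts.append({
                "host": ev.get("Computer"),
                "pid": ev.get("ProcessId"),
                "image": image,
                "parent": parent,
                "parent_cmdline": ev.get("ParentCommandLine", ""),
                "reason": "EDR agent component launched by non-standard parent",
            })
    return alerts


# Constructed sample events in a Sysmon-like shape (not real telemetry).
SAMPLE_JSONL = r"""
{"Computer": "ws01", "ProcessId": 4120, "Image": "C:\\Program Files\\EDR\\edr_agent_payload.exe", "ParentImage": "C:\\Windows\\System32\\services.exe"}
{"Computer": "ws01", "ProcessId": 4188, "Image": "C:\\Program Files\\EDR\\edr_agent_payload.exe", "ParentImage": "C:\\Program Files\\EDR\\EDR_Agent_Service.exe"}
{"Computer": "ws02", "ProcessId": 5320, "Image": "C:\\Program Files\\EDR\\edr_agent_payload.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"Computer": "ws02", "ProcessId": 5400, "Image": "C:\\Windows\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
"""

if __name__ == "__main__":
    for alert in find_unexpected_parents(parse_jsonl(SAMPLE_JSONL)):
        print(json.dumps(alert))
```

Only the third constructed event is flagged; the allowlist is the part to tune per environment, and as the article notes this remains a reactive control.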
To fully mitigate this risk, a more secure-by-design approach is necessary. One key improvement would be implementing mutual authentication and cryptographic command signing to ensure the integrity of the communication.
Currently, there are no inherent mitigations within the Live Terminal feature’s architecture to prevent such abuse, highlighting a significant security design gap in the product.
According to Infoguard, this research underscores the need for enhanced security in EDR tools such as Cortex XDR.
While these tools are designed to protect against attacks, they can also be used by attackers to infiltrate networks.
Vendors need to adopt more robust security measures, such as cryptographic protections and secure communication protocols, to prevent such vulnerabilities from being exploited in the future.
Enterprises should stay vigilant, monitor for suspicious activity, and ensure their security tools are up to date with the latest protections.
The post Hackers Exploit Cortex XDR Live Terminal For C2 Communications, Compromising Enterprise Security appeared first on Cyber Security News.
