Abstract
We present a novel data exfiltration / C2 technique that exploits implicit characteristics of TLS Client Hello (CHLO) packets to evade Next-Generation Firewalls (NGFWs) with advanced security features.
Present-day NGFWs apply proven countermeasures against covert channels at different layers. When it comes to the TLS CHLO, there are ongoing compliance efforts to ensure that NGFWs do not excessively alter TLS handshake packets during deep inspection and that they adhere to the relevant RFCs. Leveraging this evolving landscape, we’ve developed a novel covert channel technique called “Helol tunnel”. We demonstrate how an attacker can use it to exfiltrate a sensitive file and establish a C2 channel while leaving hardly any trace in the compromised infrastructure. We conclude by discussing potential remediation strategies and their impact in the context of TLS compliance.
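As an added example (not code from the paper; the abstract does not say which CHLO fields Helol tunnel uses), the following parser pulls out the client-controlled ClientHello fields that a compliant NGFW is expected to forward unaltered, and reduces them to a length-and-order summary a defender could baseline per client to spot drift. The sample record is constructed for the example.

```python
import struct

# Constructed sample record: a ClientHello with two cipher suites, SNI example.com and supported_versions.
SAMPLE_CHLO = (
    b"\x16\x03\x01\x00\x4c" + b"\x01\x00\x00\x48"   # record (76 B) and handshake (72 B) headers
    + b"\x03\x03" + b"\x11" * 32 + b"\x00"          # version, 32-byte random, empty session ID
    + b"\x00\x04\x13\x01\x13\x02"                   # cipher suites (4 bytes)
    + b"\x01\x00"                                   # compression methods: null
    + b"\x00\x1b"                                   # extensions length 27
    + b"\x00\x00\x00\x10\x00\x0e\x00\x00\x0bexample.com"  # server_name
    + b"\x00\x2b\x00\x03\x02\x03\x04"               # supported_versions: TLS 1.3
)

def parse_client_hello(record: bytes) -> dict:
    """Split a TLS handshake record into the ClientHello fields the client controls."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack("!H", body[0:2])[0]; pos = 2
    random_ = body[pos:pos + 32]; pos += 32          # opaque to the middlebox
    sid_len = body[pos]; pos += 1
    session_id = body[pos:pos + sid_len]; pos += sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    cipher_suites = [struct.unpack("!H", body[i:i + 2])[0]
                     for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = body[pos]; pos += 1
    compression = list(body[pos:pos + comp_len]); pos += comp_len
    extensions, sni = [], None
    if pos + 2 <= len(body):
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            data = body[pos:pos + elen]; pos += elen
            extensions.append((etype, elen))      # keep type and length, not content
            if etype == 0 and elen >= 5:          # server_name: first host_name entry
                name_len = struct.unpack("!H", data[3:5])[0]
                sni = data[5:5 + name_len].decode("ascii", "replace")
    return {"version": version, "random": random_, "session_id": session_id,
            "cipher_suites": cipher_suites, "compression": compression, "extensions": extensions, "sni": sni}

def structural_shape(ch: dict) -> tuple:
    """Lengths and ordering only: the part of a client's hello that should stay stable across connections."""
    return (ch["version"], len(ch["session_id"]), len(ch["cipher_suites"]),
            tuple(ch["compression"]), tuple(ch["extensions"]))
```

A client whose shape changes from one connection to the next, or whose opaque fields (random, session ID, extension payloads) vary in ways its TLS library never produces, is a candidate for closer inspection.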