Multiple Threat Actors Abuse Ngrok in Their Own Style

Cybercriminals have been abusing ngrok, a cross-platform tool that exposes local development servers to the internet, for years. Recently, an organization was targeted by a keylogger campaign in which the attackers also installed a copy of ngrok to obtain specific details about the victim's environment.

What happened?

A recent analysis by Trend Micro offers some insight into how attackers use the tool in active malicious campaigns.
  • Threat actors were observed using ngrok to expose several machines inside the victim's network, making them reachable from the outside world.
  • The attackers are believed to have needed three things, all already in place: ngrok installed on the internal machine, an administrator account, and the domain and port of the ngrok server to connect to.
  • Because the attackers knew the public address ngrok had assigned to the tunnel, they could connect to the compromised system at any time.

Why do cybercriminals use it?

Threat actors abuse the service to gain unauthorized access to a targeted network, download payloads, exfiltrate credit card data, and craft unique URLs for their campaigns. The tunneling service also helps them evade detection: every tunnel receives a randomly generated URL, which is harder to track, detect, or block with static lists.
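Because the public hostname is random, blocking it by name is a losing game. The agent still has to reach ngrok's own tunnel servers, the public endpoints share a handful of domain suffixes, and the agent is a recognisable process, so those are the things to look for. The script below is an added example, not part of the article or of Trend Micro's analysis: it runs those three checks over a few constructed log lines. The indicator list (domain suffixes and agent hosts) and the key=value log format are assumptions of mine; verify them against ngrok's documentation and your own telemetry before deploying.

```python
"""Flag ngrok tunnel activity in key=value style DNS, proxy and process logs."""
import re
from dataclasses import dataclass

# Assumed indicator set (not taken from the article): hostnames that ngrok
# hands out for public endpoints share these suffixes, and the agent dials
# the hosts below no matter what random subdomain the public URL gets.
# Verify against ngrok's current documentation before relying on it.
NGROK_PUBLIC_SUFFIXES = (".ngrok.io", ".ngrok.app", ".ngrok-free.app", ".ngrok.dev")
NGROK_AGENT_HOSTS = {"tunnel.ngrok.com", "tunnel.us.ngrok.com", "connect.ngrok-agent.com"}

# The agent binary followed by a tunnel subcommand: "ngrok tcp 3389",
# "C:\Tools\ngrok.exe http 80", "ngrok start rdp". Requiring the subcommand
# avoids matching file names that merely contain the word "ngrok".
NGROK_CMD_RE = re.compile(r"(?:^|[\\/ ])ngrok(?:\.exe)?\s+(tcp|http|tls|start)\b",
                          re.IGNORECASE)

# key=value pairs; quoted values may contain spaces.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass(frozen=True)
class Finding:
    host: str    # endpoint the event came from
    kind: str    # what the indicator means
    detail: str  # raw value that triggered the match


def parse_fields(line):
    """Return the key=value fields of one log line as a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def ngrok_domain_reason(name):
    """Classify a DNS name or host:port destination; None if unrelated to ngrok."""
    name = re.sub(r":\d+$", "", name.lower().rstrip("."))
    if name in NGROK_AGENT_HOSTS:
        return "agent control connection"
    if name.endswith(NGROK_PUBLIC_SUFFIXES):
        return "ngrok public endpoint"
    return None


def scan(lines):
    """Walk log lines and collect ngrok-related findings in log order."""
    findings = []
    for line in lines:
        fields = parse_fields(line)
        host = fields.get("host", "?")
        for key in ("query", "dst"):          # DNS query name or proxy destination
            if key in fields:
                reason = ngrok_domain_reason(fields[key])
                if reason:
                    findings.append(Finding(host, reason, fields[key]))
        cmd = fields.get("cmd")                # process creation command line
        if cmd and NGROK_CMD_RE.search(cmd):
            findings.append(Finding(host, "ngrok agent launched", cmd))
    return findings


def hosts_with_tunnels(findings):
    """Endpoints where the agent ran or dialed ngrok's control plane."""
    return sorted({f.host for f in findings
                   if f.kind in ("ngrok agent launched", "agent control connection")})


# Constructed sample log, not real telemetry. Format: "<ts> <source> key=value ...".
SAMPLE_LOG = """\
2021-02-10T10:01:02Z dns host=WS-117 query=www.example.com
2021-02-10T10:01:05Z dns host=WS-117 query=tunnel.us.ngrok.com
2021-02-10T10:01:05Z proxy host=WS-117 dst=tunnel.us.ngrok.com:443 bytes=8192
2021-02-10T10:01:09Z process host=WS-117 user=Administrator cmd="C:\\Tools\\ngrok.exe tcp 3389"
2021-02-10T10:02:40Z dns host=WS-204 query=0.tcp.ngrok.io
2021-02-10T10:03:00Z process host=WS-204 user=jdoe cmd="notepad.exe ngrok-notes.txt"
""".splitlines()

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.host}: {f.kind} ({f.detail})")
    print("hosts running a tunnel:", hosts_with_tunnels(scan(SAMPLE_LOG)))
```

Run as a script it prints one line per finding. Note the distinction it draws: WS-117 both launched the agent and dialed ngrok's control plane, whereas WS-204 merely resolved `0.tcp.ngrok.io`, which makes it a client of someone's tunnel rather than the machine being exposed, so `hosts_with_tunnels` only counts agent launches and control-plane connections.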

Recent attacks using the ngrok tool

  • Pioneer Kitten, an Iran-based APT, was recently found selling corporate network credentials on hacker forums. The group is known for its regular use of ngrok.
  • Last month, Fox Kitten (the name other vendors use for the same Iran-linked activity cluster) was observed attacking US private-sector and government organizations, using ngrok in its attacks on on-premises F5 BIG-IP devices.

What to do?

Organizations must be aware of ngrok and other tunneling services, since attackers can abuse them. Experts suggest that organizations using tunneling services require a secure authorization mechanism at every access level, and that each tunnel setup be approved by the security team. In addition, tunnels should be password-protected and IP allowlisting (whitelisting) should be enabled. These controls govern tunnels the organization sanctions; an agent that an attacker installs, as in the incident above, will not use them, so unexpected ngrok processes and outbound connections to ngrok's tunnel servers should also be monitored or blocked.
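As an added illustration of the last two recommendations, not taken from the article or from ngrok's own documentation, the two tunnel definitions below contrast an unrestricted tunnel with one that requires HTTP basic authentication and only accepts connections from an allowlisted CIDR block. The field names follow my understanding of version 2 of the ngrok agent configuration file; the tunnel names, the credential and the 203.0.113.0/24 range are placeholders, so check the agent documentation for your version before copying.

```yaml
version: "2"
authtoken: <your-agent-token>    # placeholder; issued by the ngrok account the security team controls
tunnels:
  # Weak: anyone who learns the random public hostname can reach the console.
  console-open:
    proto: http
    addr: 8080

  # Hardened: same service, but callers must present basic-auth credentials
  # and must come from the allowlisted source range.
  console-restricted:
    proto: http
    addr: 8080
    basic_auth:
      - "ops:use-a-long-random-password"   # placeholder credential
    ip_restriction:
      allow_cidrs:
        - 203.0.113.0/24                   # placeholder: your office or VPN egress range
```

Basic authentication applies to HTTP tunnels; for a raw TCP tunnel the source-IP allowlist is the control that remains. Either way, this file only hardens a tunnel the organization chose to run, which is why the configuration should live on an approved, centrally managed agent rather than on whichever workstation happens to need it.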