Backdoor Via XFF - Mysterious Threat Actor Under Radar
Updated: Dec 7, 2022
Our incident response team caught strange-looking webshell activity on a server that was running an internal web application. It raised many questions, such as how the malicious code was uploaded to a service that is not exposed to the public internet, and what vulnerability allowed the attackers to enter the server.
With assistance from our Red Team, we found that the attackers used a known bypass technique abusing the X-Forwarded-For (XFF) HTTP header to manipulate Cloudflare barriers, escape detection, and access a forbidden service that was supposed to be exposed only to selected ranges of IP addresses.
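To show why an IP allow-list can be bypassed through this header, here is an added example (not code from the report or from the affected application) of a naive client-IP check beside a hardened one that only trusts X-Forwarded-For when the TCP peer is a trusted proxy; all IP ranges are constructed placeholders, and the "trusted proxy" range stands in for the CDN edge addresses you would load from the vendor's published list.

```python
import ipaddress

# All ranges below are constructed for this example, not from the report.
ALLOWED_NETS = [ipaddress.ip_network("192.0.2.0/24")]        # who may reach the app
TRUSTED_PROXIES = [ipaddress.ip_network("198.51.100.0/24")]  # stand-in for the CDN edge

def _in_any(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def client_ip_naive(peer_ip, headers):
    """Weak: believes X-Forwarded-For no matter who sent it, so a direct
    client can claim any source address simply by setting the header."""
    xff = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    return hops[0] if hops else peer_ip

def client_ip_hardened(peer_ip, headers):
    """Honour X-Forwarded-For only when the TCP peer is a trusted proxy, and
    use the entry that proxy appended (the rightmost one); anything the
    client prepended before it is untrusted input."""
    if not _in_any(peer_ip, TRUSTED_PROXIES):
        return peer_ip
    xff = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    return hops[-1] if hops else peer_ip

def is_allowed(peer_ip, headers, resolver):
    """Allow-list decision using the chosen client-IP resolver."""
    return _in_any(resolver(peer_ip, headers), ALLOWED_NETS)

def spoof_suspected(peer_ip, headers):
    """Detection signal: a forwarding header arriving from a non-proxy peer
    is worth flagging in the access logs for review."""
    return "X-Forwarded-For" in headers and not _in_any(peer_ip, TRUSTED_PROXIES)
```

The same hardening applies to any origin that sits behind a CDN: resolve the client address from the hop the trusted edge added, and treat the header as plain user input everywhere else.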