NAT Slipstreaming made an Easy Path for Remote Attackers

We disconnect our devices from the internet to protect them from cyberattacks, but from now on that is no longer a solid plan for keeping them away from remote attackers.

Researchers have uncovered a new version of a known network address translation (NAT) slipstreaming attack. With it, remote attackers can reach multiple internal network devices, even if those devices don't have access to the internet.

Samy Kamkar, Chief Security Officer and Co-founder of Openpath Security, and researchers from Armis said that attackers can carry out the attack simply by convincing one target with internet access on the network to click on a malicious link.

From there, they can gain access to non-exposed endpoints and, without any further social engineering, reach unmanaged devices such as industrial controllers.

NAT is the process of connecting internal network devices to the outside internet: it allows a router to let multiple devices share a single public IP address for their connections. To provide better perimeter security, NAT functions are combined with firewalls.

Overview of NAT Slipstreaming

The original NAT Slipstreaming attack, revealed in November, works as follows: via social engineering and other tactics, an attacker persuades a victim to visit a specially crafted website. When a victim inside an internal network clicks the link, it takes them to the attacker's website.

After that, the website in turn fools the victim network's NAT and opens an incoming path from the internet to the victim's device.

Kamkar also said that Slipstreaming is entirely automated and works cross-browser, which is why it is easy to exploit. Other than visiting the site, it doesn't require any user interaction.

The attack also requires that an Application Level Gateway (ALG) connection-tracking mechanism, which is usually built into NATs, is enabled on the victim's side.

The attack takes advantage of arbitrary control over the data portion of some TCP and UDP packets, without including HTTP or other headers. Attackers can use this new packet technique across all modern and older browsers.

In the attack, JavaScript code running in the victim's browser sends traffic to the attacker's server. This traffic traverses the network's NAT/firewall.

Researchers explained that attackers crafted this traffic to fool the NAT: it is built so that the NAT believes the traffic originated from an application that requires a second connection to take place. That second connection, coming directly from the internet, can give an attacker access to any service on the victim's device.
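To make the ALG behaviour described above concrete, here is a small simulation added to this article (it is not code from the researchers or from any real NAT): a toy ALG parses the data portion of an outbound packet for a "second connection" request and opens an inbound pinhole, and a hardened policy refuses pinholes to ports outside a configured range and logs the refusal. The SECOND-CONN payload grammar, the port numbers and the addresses are all constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed toy grammar for the data portion of a packet: an application
# announces the internal port on which it expects a second, inbound connection.
SECOND_CONN = re.compile(rb"SECOND-CONN port=(\d+)")

@dataclass
class Flow:
    src_ip: str      # internal host that sent the outbound packet
    dst_port: int    # destination port on the external (attacker) server
    payload: bytes   # data portion that the ALG inspects

@dataclass
class Nat:
    alg_port: int                      # protocol port the ALG inspects
    allowed: Optional[range] = None    # None = naive ALG, honours any port
    pinholes: set = field(default_factory=set)   # (internal_ip, port) now reachable
    log: list = field(default_factory=list)      # refusals worth alerting on

    def alg_inspect(self, flow: Flow) -> Tuple[bool, str]:
        """Model the ALG: parse the payload and maybe open an inbound pinhole."""
        if flow.dst_port != self.alg_port:
            # Browsers that block the ALG's port stop the attack here.
            return False, "not ALG traffic"
        m = SECOND_CONN.search(flow.payload)
        if not m:
            return False, "no second-connection request"
        port = int(m.group(1))
        if self.allowed is not None and port not in self.allowed:
            # Hardened policy (an assumption of this example, not the article's):
            # only ports in the application's configured range may be exposed.
            self.log.append(f"ALG refused pinhole {flow.src_ip}:{port}")
            return False, "port outside allowlist"
        self.pinholes.add((flow.src_ip, port))
        return True, f"pinhole {flow.src_ip}:{port}"

def simulate(allowed: Optional[range]) -> Tuple[bool, str]:
    """Browser-originated packet whose data portion impersonates the application."""
    nat = Nat(alg_port=7000, allowed=allowed)
    # Constructed: script in the victim's browser sends to the attacker's server
    # on the ALG's port; the payload asks for a pinhole to port 8443, an internal
    # management service the real application never uses.
    flow = Flow("10.0.0.7", 7000, b"SECOND-CONN port=8443")
    return nat.alg_inspect(flow)
```

With the naive ALG the internal host's port 8443 becomes reachable from the internet; with the allowlist the request is refused and logged, and traffic that never reaches the ALG's port is ignored entirely.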