The blog post below, from the guys at Fox-IT, shows how hard it gets to exfiltrate data from, and command and control, a host that is properly segmented. It is a very creative approach, but as you can read in the article, it takes a lot of creativity and energy to actually orchestrate a host that is properly segmented.
The idea is fascinating, however: make use of something both networks are connected to and use that as a communication channel to send data from one segmented network to the next. It sounds easy at first, but what the authors realized midway through was that they needed to implement a proper communication protocol on top of the covert channel (LDAP).
This means that, although the attackers can still communicate, establishing communications and remote control over this channel is hard and error-prone, and having to deal with the following will slow attackers down significantly:
- Message feedback
- Auto-discovery of users in the LDAP tree
The article has some nice remediation advice. I believe this attack is unlikely to be used in general attacks, but may find its way into tailored operations.
Another challenge that we needed to overcome is that the maximum length of the attribute will probably be smaller than the length of the message that is going to be sent over LDAP. Therefore, messages that exceed the maximum length of the attribute need to be fragmented.
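The fragmentation just described is also something a defender can look for: a message split over an attribute shows up as a burst of rewrites of one attribute on one object, each carrying a short, opaque value. The following is an added example, not code from the Fox-IT article or from this post; the audit-record format, the attribute name `info`, the sample records and the thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit records (not real logs): "timestamp|object DN|attribute|new value".
# Assumed: the directory logs every attribute write; the attribute "info" is only a
# placeholder for whatever writable attribute a covert channel might use.
SAMPLE_LOG = [
    "2024-01-01T10:00:00|CN=svc01,OU=Users,DC=example,DC=com|info|U0VDUkVUIG1l",
    "2024-01-01T10:00:03|CN=svc01,OU=Users,DC=example,DC=com|info|c3NhZ2UgcGFy",
    "2024-01-01T10:00:06|CN=svc01,OU=Users,DC=example,DC=com|info|dCB0d28gb2Yg",
    "2024-01-01T10:00:09|CN=svc01,OU=Users,DC=example,DC=com|info|dGhyZWUuLi4=",
    "2024-01-01T10:00:12|CN=svc01,OU=Users,DC=example,DC=com|info|ZW5kIG9mIG1z",
    "2024-01-01T10:05:00|CN=alice,OU=Users,DC=example,DC=com|description|Moved to the Berlin office",
    "2024-01-01T12:00:00|CN=bob,OU=Users,DC=example,DC=com|info|YWJj",
    "2024-01-01T14:00:00|CN=bob,OU=Users,DC=example,DC=com|info|ZGVm",
    "2024-01-01T16:00:00|CN=bob,OU=Users,DC=example,DC=com|info|Z2hp",
    "2024-01-01T18:00:00|CN=bob,OU=Users,DC=example,DC=com|info|amts",
]

BASE64_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")

def parse_record(line):
    """Split one constructed audit line into (timestamp, dn, attribute, value)."""
    ts, dn, attr, value = line.split("|", 3)
    return datetime.fromisoformat(ts), dn, attr, value

def looks_opaque(value):
    """Encoded fragments carry no whitespace and only base64 characters."""
    return bool(value) and set(value) <= BASE64_ALPHABET

def find_fragment_bursts(lines, min_writes=4, window=timedelta(minutes=5)):
    """Return (dn, attribute, count) for each attribute rewritten at least
    min_writes times inside `window` with nothing but opaque values."""
    by_key = defaultdict(list)
    for line in lines:
        ts, dn, attr, value = parse_record(line)
        by_key[(dn, attr)].append((ts, value))
    hits = []
    for (dn, attr), writes in by_key.items():
        writes.sort()
        for i in range(len(writes)):
            burst = [w for w in writes[i:] if w[0] - writes[i][0] <= window]
            if len(burst) >= min_writes and all(looks_opaque(v) for _, v in burst):
                hits.append((dn, attr, len(burst)))
                break
    return hits

if __name__ == "__main__":
    for dn, attr, n in find_fragment_bursts(SAMPLE_LOG):
        print(f"possible fragmented channel: {n} opaque writes to {attr} on {dn}")
```

Only `svc01` is reported: `bob` also has opaque values but they are hours apart, and `alice`'s description is ordinary text. Tune `min_writes` and `window` to the attribute's length limit and the write rate you actually see.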