
Cybersecurity researchers have described a new attack method known as BYOTB (Bring Your Own Trusted Binary), in which attackers use legitimate, trusted executables to bypass threat detection systems. The technique was presented by David Kennedy at the BSides London 2024 conference and has already drawn the attention of security teams worldwide.
The BYOTB attack exploits the trust placed in widely used binaries such as *Cloudflare cloudflared* and *OpenSSH* to create hidden communication channels. One variant tunnels SSH traffic over HTTPS on port 443, sidestepping blocks on the traditional SSH port 22. This is done by using *cloudflared* as a proxy for the SSH connection, so the traffic looks like ordinary web traffic and is not flagged by security monitoring. In this way attackers can slip past Endpoint Detection and Response (EDR) systems and firewalls that would normally block unusual activity.
Using trusted binaries in cyberattacks is not a new strategy, but BYOTB makes malicious activity much harder to spot. Many organizations rely on programs like *cloudflared* for legitimate operations, so traditional defenses often miss the same tools being used for malicious purposes. Similar techniques have previously appeared in campaigns by state-sponsored groups (APTs).
To protect against BYOTB attacks, organizations should closely monitor endpoint telemetry: analyze command lines for the keywords “tunnel” or “access”, watch for DNS queries to *argotunnel.com*, and block unnecessary outbound traffic to port 7844. It is also worth controlling downloads of *cloudflared* binaries and verifying their hashes.