A co-worker of mine stumbled upon a fun exfiltration technique during an incident response. The miscreant pwned the website from a VPS somewhere in Russia, and then didn't accessed the server anymore; no traffic from Russia, nor Tor, nor Proxies, nor anything weird.
The trick used here was to create (ad add some lines of code to already existing ones) some dynamic pages, displaying the content of the database, and then ask the Google Bot to crawl them.
This has several advantages:
- No need to maintain connection to the website to exfiltrate the data.
- The victim doesn't know what the attacker recovered.
- Infinite mirroring capacity for free, available from everywhere.
- No illegitimate traffic in the log; I mean, the Google bot indexing a website is pretty legit.
- It's painful and time-consuming for the victim to remove the data from the internet.
Did anyone already encountered this exfiltration method before?