Despite some good news from the recently released CyberEdge 2023 Cyber Threat Defense Report (CDR), high-profile breaches continue to plague the industry. From Rackspace to Twitter to GitHub, businesses, organizations and government agencies around the world have fallen victim to sophisticated threat actors who are getting better at evading traditional security solutions.
The somewhat silver lining is that there is a clear pattern linking these attacks: Highly Evasive Adaptive Threats (HEAT). HEAT attacks exploit vulnerabilities in web browsers, using a variety of evasive techniques to bypass detection-based security tools. These include multi-factor authentication (MFA) bypass, HTML smuggling, malicious password-protected files, and legacy URL reputation evasion (LURE). Needless to say, they serve as a wake-up call for security teams to strengthen their browser security.
While you may not have been familiar with HEAT attacks before, we’ve compiled a list of five recent headline-grabbing cyber attacks, which you may have read about in the news, that fall under this threat category:
Researchers uncover the deceptive attack strategies of Chinese nation-state hackers
Evasive technique: Exploiting malicious password-protected files
Traditional security technology has been bypassed: Secure Web Gateway (SWG), sandbox, Secure Email Gateway
Attack anatomy: The infamous Earth Preta hacking group, long suspected of being backed by the Chinese government, continues to refine its evasive techniques for gaining access to computer networks around the world. In its latest attack, the group used malicious password-protected files to deploy backdoors and command-and-control tools used for data exfiltration. Spear-phishing messages sent to intended victims carry Google Drive or Dropbox links that hide malicious payloads in fake files disguised as legitimate documents. More recently, Earth Preta has embedded download links in password-protected files to prevent scanning by email gateways, Secure Web Gateways (SWG) and sandbox solutions, tools that often have policies allowing all password-protected files to be downloaded through the browser so that legitimate business use cases are not blocked.
Prevention of an attack: Remote Browser Isolation (RBI) retrieves and executes all files, known or unknown, good or bad, in a remote cloud browser. With these solutions, documents are rendered on a secure, isolated web page and subjected to active scanning. Only after a document passes inspection can administrators download it. The result is maximum protection with minimal disruption to the user experience.
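As an added example (not code from the original post or from Menlo Security), the check a download gateway could run instead of applying a blanket "allow password-protected files" policy: it reads the ZIP encryption flag from the archive's central directory, which needs no password, and returns an "isolate" verdict for any archive it cannot scan. The `build_zip` helper, the verdict names and the sample archive are constructed for illustration.

```python
import io
import struct
import zipfile
import zlib

# Bit 0 of the ZIP "general purpose bit flag" marks an entry as encrypted.
ENCRYPTED_FLAG = 0x0001


def encrypted_entries(data: bytes) -> list:
    """Names of entries flagged as encrypted, read from the central directory.
    Listing an archive needs no password; only extracting its contents does."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [i.filename for i in zf.infolist() if i.flag_bits & ENCRYPTED_FLAG]


def gateway_verdict(data: bytes) -> str:
    """Gateway policy for a downloaded archive: content that cannot be scanned is
    held for isolated inspection ('isolate') instead of waved through ('scan')."""
    try:
        locked = encrypted_entries(data)
    except zipfile.BadZipFile:
        return "isolate"  # unparseable archive is just as unscannable, treat it the same
    return "isolate" if locked else "scan"


def build_zip(name: str, payload: bytes, encrypted: bool) -> bytes:
    """Constructed single-entry ZIP (stored, uncompressed) used as sample input.
    With encrypted=True only the flag bit is set; the payload stays in the clear,
    which is enough to exercise the policy check without any real encryption."""
    flags = ENCRYPTED_FLAG if encrypted else 0
    crc, n, size = zlib.crc32(payload), name.encode(), len(payload)
    # Local file header, then the single central directory record, then EOCD.
    local = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, flags, 0, 0, 0,
                        crc, size, size, len(n), 0) + n + payload
    central = struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, flags,
                          0, 0, 0, crc, size, size, len(n), 0, 0, 0, 0, 0, 0) + n
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, 1, 1,
                       len(central), len(local), 0)
    return local + central + eocd
```

Encrypted Office documents (OLE/OOXML with an EncryptionInfo stream) need a separate check; this block covers only ZIP archives.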
Malicious Google ads inject AWS phishing sites into search results
Evasive technique: Legacy URL Reputation Evasion (LURE)
Traditional security technology has been bypassed: URL filtering, HTTP page/content inspection
Attack anatomy: A recent phishing campaign uses Google Ads to insert phishing sites into Google search results in an attempt to steal the login credentials of Amazon Web Services (AWS) users. In fact, the attack placed malicious results second only to Amazon’s own paid search results. Once clicked, the links send the user to a fake food blog under the attackers’ control, from which users are redirected to a fake AWS login page with seemingly authentic Amazon branding and messaging. Users who enter their credentials into the fake form are compromised.
Prevention of an attack: Establishing a good reputation in Google Ads for the fake food blog allows the threat actor to evade categorization engines that block suspicious sites. Dynamic policy enforcement in isolation can help stop these attacks by automatically disabling login forms and rendering them read-only. These phishing defenses are implemented at the browser level, not just on the email path, an approach that stops phishing attacks delivered through threat vectors other than email.
HTML smuggling campaigns impersonate well-known brands to deliver malware
Evasive technique: HTML smuggling
Traditional security technology has been bypassed: File-based inspection, HTTP/page content inspection
Attack anatomy: A growing number of HTML smuggling campaigns have been impersonating well-known brands such as Adobe, Google and the US Postal Service to deliver malware, including Cobalt Strike, Qakbot, IcedID and XWorm RAT. HTML smuggling works by breaking a malicious file into small blobs of JavaScript that do nothing suspicious on their own. After passing the inspection engines, however, the file is dynamically rebuilt in the browser. The technique relies on HTML5 features that work offline: the payload is stored inside JavaScript code, which is decoded and reassembled into a file object when the page is opened in a web browser. Users often know to avoid suspicious file types, such as an unexpected PDF, but HTML files are often considered safe, especially when they appear to come from a well-known brand.
Prevention of an attack: Preventive technology like isolation acts as a surrogate browser, watching for files that are being reassembled for execution in the user’s local browser. These suspicious documents are isolated and subjected to inspection by an antivirus tool or sandbox. Phishing tools can also inspect images (such as a brand logo) after rendering and identify whether they have been tampered with at the file level.
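As an added example (not part of the original post or of any Menlo Security product), a static check that a proxy or sandbox could run on an HTML attachment before it reaches the browser: it extracts inline scripts, looks for the decode-and-reassemble calls the technique depends on, and sniffs any large base64 literal for a file signature. The indicator list, scoring weights and the sample lure page are constructed for illustration.

```python
import base64
import re
from html.parser import HTMLParser

# Script fragments that together rebuild a file client-side and hand it to the user.
SCRIPT_INDICATORS = ("atob(", "new Blob(", "createObjectURL(", ".download", "msSaveOrOpenBlob")
# Leading bytes of file types that have no business being assembled inside a lure page.
MAGIC = {b"PK\x03\x04": "zip", b"MZ": "pe-executable", b"%PDF": "pdf", b"\xd0\xcf\x11\xe0": "ole-office"}
BASE64_LITERAL = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


class _Collector(HTMLParser):
    """Gathers inline <script> bodies and notes whether an <a download> anchor exists."""
    def __init__(self):
        super().__init__()
        self.in_script, self.scripts, self.download_anchor = False, [], False
    def handle_starttag(self, tag, attrs):
        self.in_script = self.in_script or tag == "script"
        if tag == "a" and "download" in dict(attrs):
            self.download_anchor = True
    def handle_endtag(self, tag):
        self.in_script = self.in_script and tag != "script"
    def handle_data(self, data):
        if self.in_script:
            self.scripts.append(data)


def analyze_html(html: str) -> dict:
    """Score a page for HTML smuggling traits: each script indicator counts 1,
    a download anchor counts 1 and each embedded file header found counts 2."""
    c = _Collector()
    c.feed(html)
    js = "".join(c.scripts)
    hits = [s for s in SCRIPT_INDICATORS if s in js]
    kinds = []
    for lit in BASE64_LITERAL.findall(js):
        head = base64.b64decode(lit[:16])  # 16 chars decode cleanly to the first 12 bytes
        kinds += [k for magic, k in MAGIC.items() if head.startswith(magic)]
    score = len(hits) + int(c.download_anchor) + 2 * len(kinds)
    return {"indicators": hits, "download_anchor": c.download_anchor,
            "embedded_file_types": kinds, "score": score}


# Constructed sample lure in the style described above; the "payload" is a
# harmless 64-byte blob that only begins with a ZIP signature.
_FAKE_BLOB = base64.b64encode(b"PK\x03\x04" + b"\x00" * 60).decode()
SAMPLE_PAGE = f"""<html><body><h1>Your Adobe document is ready</h1>
<a id="dl" download="Invoice.zip">Download</a>
<script>
var blob = new Blob([atob("{_FAKE_BLOB}")]);
document.getElementById("dl").href = URL.createObjectURL(blob);
</script></body></html>"""
```

A real deployment would treat this as one signal feeding the isolation decision rather than a verdict on its own, since attackers split or obfuscate the payload string to defeat exactly this kind of literal match.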
Gootloader malware targets healthcare in ‘aggressive’ campaign
Evasive technique: SEO poisoning
Traditional security technology has been bypassed: URL filtering, HTTP page/content inspection
Attack anatomy: SEO poisoning lets malicious actors take advantage of unsuspecting users by making malicious content appear more relevant and trustworthy than it actually is. It works by inserting specific keywords and links into a site so that it rises to the top of search engine results. Users are tricked into visiting sites from which malware is downloaded through the browser to their endpoint. Obfuscated JavaScript loops, which evade detection by hiding the code in the page’s source files, deliver ZIP files for the first- and second-stage payloads, ultimately leading to the deployment of malware such as Gootloader and Cobalt Strike. This gives the threat actor control of the victim’s device and the ability to collect sensitive information.
Prevention of an attack: Advanced phishing defenses implemented on the web path rather than the email path can uncover obfuscated content at runtime within isolation. Because a surrogate browser inside the isolation environment executes the page, the obfuscated content is unmasked there rather than in the user’s local browser, so any malicious code that would have run on the endpoint never reaches it.
Reddit confirmed a security breach following a “sophisticated” phishing attack
Evasive technique: bypass MFA
Traditional security technology has been bypassed: URL filtering, HTTP page/content inspection
Attack anatomy: An unknown threat actor recently sent Reddit employees messages directing them to a malicious website that looked and behaved like the company’s intranet gateway. A single user fell for the phishing attack and gave up their credentials and two-factor authentication (MFA) tokens. The threat actor was then able to access internal documents, business systems and advertising information.
Prevention of an attack: New isolation-based behavior engines use machine learning to analyze brand logos, page elements, input fields and URL links directly within the browser and determine in real time whether a requested page is malicious. Combined with adaptive security controls, these anti-phishing tools can dynamically block access or render the page in read-only mode.
Web browsers take the spotlight
With Google reporting that 75% of knowledge work is done within a web browser and Verizon sharing that 90% of breaches now occur through the browser, it’s safe to say that these productivity tools are in the focus of cyber security teams. Malicious actors continually evolve their techniques to make it harder than ever for traditional security tools to detect evasive browser attacks in progress. And once they have gained initial access to an endpoint, it’s too late to stop the attack from spreading. Organizations need to focus on a preventative and proactive browser security strategy to stop these sophisticated attacks, which means investing in technology that provides browser visibility and adaptive security controls that prevent zero-hour attacks from happening in the first place.
The post Real-world examples of highly evasive adaptive threats (HEAT) in the news appeared first on Menlo Security.
*** This is a syndicated blog post from the Security Bloggers Network of Menlo Security, written by Neko Papez. Read the original post at: