Threat Research: Beat the Heat

Overview:

Highly Evasive Adaptive Threats, or HEAT attacks, are a new form of existing browser exploit techniques that leverage features and tools to bypass traditional security controls and then attack from within, compromising credentials or deploying ransomware. HEAT attacks go beyond traditional phishing methods and target web-based tools critical to productivity, frequently exploiting SaaS (Software as a Service) applications.

A HEAT attack is a type of browser exploit that targets web browsers and leverages features and tools to bypass traditional security controls and attack from within. These attacks typically use known tactics such as phishing messages, HTML (HyperText Markup Language) smuggling, and dynamic drive-by downloads to target web-based tools and services critical to productivity, often in SaaS environments.

HEAT attacks are designed to evade detection by using legitimate-looking URLs and techniques that go beyond traditional phishing methods. Once a victim clicks on a malicious link, the attacker gains access to the victim’s browser and can deploy malware, compromise credentials, and steal sensitive data.

HEAT attacks can bypass typical security controls like Secure Web Gateways and anti-malware capabilities, making them highly effective and dangerous. They are also difficult to detect and prevent because they often use legitimate browser features and tools, making it challenging to distinguish between malicious and benign activity.

Unfortunately, the ability to bypass typical cybersecurity controls means victims assume malicious links to be safe. Conventional security tools are far less likely to identify and prevent a HEAT attack, which goes out of its way to disguise itself as a traditional threat. Once HEAT tactics bypass traditional security controls, the attacker can compromise credentials, deliver ransomware, and access sensitive data.

Threat Landscape:

The threat landscape for cyberattacks has drastically increased, especially with the rising trend of highly evasive adaptive threats. HEAT attacks are a new class of attack methods that act as beachheads for data theft, stealth monitoring, account takeovers, and the deployment of ransomware payloads, with web browsers being the attack vector.

Since March 2020, remote and hybrid working models have resulted in the average employee spending over 75% of their working day in a web browser. The shift has expanded the attack surfaces of businesses, exposing new vulnerabilities in data, applications, and the cloud. Despite this, many of the solutions we have in place to protect our networks, including antivirus software and URL filtering techniques, have not changed for almost a decade, providing attackers with more than enough time to understand our defense mechanisms and find ways to get around them.

HEAT attacks leverage web browsers and various techniques to evade detection by multiple layers in current security stacks, bypassing traditional web security measures and leveraging web browser features to deliver malware or compromise credentials. Nobelium, the Russian state-sanctioned group behind the SolarWinds supply chain attack, is one example of an entity that uses HEAT attacks.

Technical Details:

To be categorized as a highly evasive adaptive threat, an attack must leverage at least one of four evasive techniques that successfully bypass legacy network security defenses:

Content Inspection Evasion: HTML smuggling and JavaScript deception are deployed to bypass static and dynamic content inspection engines and deliver malicious payloads to target endpoints.
Malicious Link Analysis Evasion: Attackers combine phishing methods with HTML smuggling to blind sandbox engines built to analyze files and content downloaded from the risks. This ensures that these sandboxes cannot see the dynamic generation of a file within the browser after it passes network security controls.
Offline Categorization and Threat Detection Evasion: Attackers leverage ‘Good2Bad’ websites – sites that can be temporarily manipulated and mobilized to serve malicious payloads for brief periods before being reverted to a benign state.
HTTP (Hypertext Transfer Protocol) Traffic Inspection Evasion: HEAT attacks will often work to evade HTTP traffic inspection engines that have been installed to detect various forms of malicious content created using JavaScript in the browser by its rendering engine.

HEAT Attack Campaigns:

HEAT attacks have been observed in various campaigns, including the Gootloader campaign leveraging SEO (Search Engine Optimization) poisoning to generate high-level page rankings for compromised websites, often to deliver REvil ransomware, and the Astaroth trojan, which uses HTML smuggling to sneak malicious payloads past network-based detection solutions. As cyberattacks become more prevalent and sophisticated, cybercriminals are targeting web browsers as an increasingly popular means of compromising endpoints to gain access to networks. The increased use of browsers for remote work on networks lacking perimeter security infrastructure has made them easier to exploit. Recent data breaches caused by browser-related security incidents have increased, including the Dropbox phishing attack and the CircleCi breach, both resulting in information-stealing malware infections.

Mitigation:

Organizations must prioritize preventative measures, applying Zero Trust principles of strong authentication, continuous reauthorization, least privilege access, and network segmentation to protect against HEAT attacks. The browser is the most preventative tool an organization can implement to avoid HEAT attacks. Strong browser security solutions must be autonomous and monitor runtime telemetry to successfully thwart HEAT attacks.

As browsers become more complex with new features and uses, threat actors will continue to leverage browser vulnerabilities in 2023 to breach organizations and access sensitive data through highly evasive and adaptive threats. It is critical that organizations and security teams have a proper understanding of how HEAT attacks operate and implement proactive security approaches to stay ahead of attackers and better protect themselves from the negative repercussions.

References: