4 evasive web browser attacks targeting federal agencies

The way federal employees work has changed dramatically over the past three years. Digital transformation, cloud migration and hybrid work models have spread out infrastructure and endpoints away from the central data center out to the edge of the network. As a result, data and applications are now accessed via the browser more than ever before. Malicious actors are taking notice of these expanding threat surfaces and are taking advantage of vulnerabilities in the browser to target federal agencies.

Here are four ways adversaries are using vulnerabilities in the browser to attack federal agencies:

1. Gaps in URL filtering

Terrorists figured out long ago that the best way to smuggle explosives is to deconstruct bombs and ferry individual parts separately across the border before reconstructing the devices once they get past security. Cybercriminals have recently developed similar techniques to bypass traditional anti-virus and sandbox solutions that scan web content for known malware signatures and suspicious behavior. These include dynamic file downloads (a tactic known as HTML Smuggling), Javascript trickery, password-protected archive files and oversized files–using gaps in inspection policies to smuggle malicious content past the Secure Web Gateway (SWG) before reconstructing and activating them in the browser after the initial breach has been made.

2. Expanding threat vectors

While phishing has traditionally been delivered via email, enterprising threat actors are now using other channels that aren’t covered by email security tools to deliver malicious content. This includes browser-based content such as websites, Software as a Service (SaaS) platforms, social media and professional networks, collaboration tools and SMS. Threat surfaces will continue to expand as brands find new ways to interact with customers and partners, and traditional security solutions are not keeping up.

3. Static categorization engines

The fact that a website is categorized as safe one day doesn’t mean that it will be safe tomorrow. Termed Legacy URL Reputation Evasion (LURE), this tactic allows threat actors to compromise websites already-trusted by categorization engines and turn them into festering dens of malicious activity. This even includes websites owned or hosted by well-known brands and media outlets. Playing the long game, attackers have been known to create new sites and let them build up a good reputation across categorization engines before using them to deliver malicious content.

4. Vulnerabilities in JavaScript

The web continues to run on JavaScript, despite the language’s security vulnerabilities. Malicious content such as browser exploits and phishing kit code can be hidden or obfuscated to make the JavaScript unreadable, allowing the code to bypass detection by the SWG. The compromised JavaScript is then revealed in the browser at run time and is allowed to execute its active content on the endpoint. Attackers also use website manipulations to hide impersonation logos behind morphed images to avoid visual detection in inspection engines.

Understand the Threats You Face

Hybrid work is here to stay, making the browser the number one business tool in the federal government. IT teams need to rethink traditional security strategies in light of these changes–focusing on detecting and stopping browser-based attacks before they infiltrate the network. The first step is to understand if your agency is currently susceptible to these highly evasive threats, which the Menlo Labs research team have categorized as Highly Evasive Adaptive Threats.