
HEAT attacks: Evading HTTP content/page inspection

Mark Guntrip
March 20, 2022

The infamous bank robber Willie Sutton is often (inaccurately) credited with saying that he robbed banks because “That’s where the money is.” While this oft-cited legend is false, it’s also spot-on: Banks do get robbed because that’s where the money is. This truism holds for the digital economy as well. Cyberattackers target the systems where the people and the data are.

The challenge for attackers and enterprise defenders alike is that the locations where people and their data reside are also changing. There was a time when the attack surface of the web browser was limited and attackers focused their exploits on their targets’ networks, endpoints, server operating systems, and installed applications. They still do, but as enterprise private data centers disappear and most work occurs online, threat actors are increasingly targeting web browsers to evade traditional endpoint and network security technology like firewalls, sandboxes, Secure Web Gateways (SWGs), and endpoint detection and response platforms. By some estimates, workers spend 75 percent of their day working and being productive in a web browser. That’s where the people and the data — aka the money — are.

We’ve recently been detailing how attackers leverage Highly Evasive Adaptive Threat (HEAT) techniques to evade file-based inspection, email security tools, and URL filtering. HEAT attacks are increasing in the wild, and enterprises that rely on legacy security defenses designed for the days of on-premises networks and private data centers will find themselves falling victim.

This post examines how threat actors craft their attacks to evade HTTP content inspection. In these attacks, threat actors use JavaScript to dynamically generate malicious content after the HTTP response has already passed through the inspection engine. The content is created within the web browser on the endpoint. Because the images are rendered and the code is executed within the local JavaScript engine, these attacks bypass any security vetting that took place before the attack code reached the endpoint.

Before we dive into the specifics of these attack techniques, it’s a good idea to look at how traditional HTTP content inspection works. With HTTP content inspection, the HTTP stream is analyzed for threats. The HTTP analysis engine will look for exploits coming to the browser, such as malware, malicious content, signatures typical of phishing kits, brand-impersonating images, and more. Of course, attackers will attempt to evade this type of detection, and they certainly have ways to do so.

One of the most common ways to evade HTTP content inspection is to use obfuscated JavaScript to hide anything that could trigger security defenses. To do this, attackers have the malicious payload assembled dynamically within the browser’s JavaScript engine, so signature-based HTTP content inspection sees nothing suspicious as the response travels toward the endpoint. The execution of such attacks often begins with sophisticated phishing pages that trick users into believing they are genuine. Attackers use exploit code that is obfuscated or dynamically generated to avoid signature-based JavaScript detection. They may also use creative CSS manipulations to defeat visual detection, turning benign-looking images into images that impersonate known brands for phishing purposes. All of this happens at the browser level, in front of the end user’s eyes, and after every inspection point that came before it.

As we covered in a recent featured article on HEAT attacks, attackers use JavaScript because it’s so popular. An analysis recently conducted by the HP Threat Research team found that such hidden JavaScript techniques were recently used to insert remote access Trojans on endpoints to commandeer end-user devices and steal sensitive data. In this attack, the threat actors used RATDispenser, a JavaScript loader that employs rarely detected JavaScript attachments.

These obfuscation techniques are designed to defeat traditional HTTP content inspection, which operates on network content, and attacks that use them will bypass those security controls and execute on the endpoint. To catch these attacks, enterprises must look at what the JavaScript engine actually executes and identify malicious behavior from the activity on the endpoint, so that the attack can be identified and blocked before it fully runs.
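The two paragraphs above make a concrete point: a signature that is applied to the HTTP body never sees content that only exists after the page’s own script assembles it, while the same signature applied at the point where the content reaches the DOM does. The following added example (not Menlo Security’s code) illustrates that with a constructed, harmless stand-in for a page script and a minimal document stand-in whose `write()` sink is wrapped so the assembled content is inspected at execution time; the signatures and the `collect-credentials` path are invented for the demonstration.

```javascript
// Constructed signatures: the kind of pattern a network-level inspector matches on.
const SIGNATURES = [
  { name: "phishing-kit-marker", re: /phish-kit-v2/i },
  { name: "credential-form",     re: /<form[^>]*action="[^"]*collect-credentials/i },
];

// Stage 1: static inspection of the HTTP body (here, the script's source text).
function staticInspect(body) {
  return SIGNATURES.filter(s => s.re.test(body)).map(s => s.name);
}

// Constructed, harmless stand-in for a page script. The markup is built from
// fragments at runtime, so no signature string appears literally in the body
// that an on-the-wire inspector would scan.
function untrustedPageScript(doc) {
  const tag = ["phi", "sh-k", "it-v2"].join("");
  const path = "collect-" + "credentials";
  doc.write('<div class="' + tag + '"><form action="/' + path + '"></form></div>');
}

// Stage 2: runtime inspection. A minimal document stand-in whose write() sink
// applies the same signatures after assembly, where the real content exists.
function makeHookedDocument() {
  const state = { written: [], findings: [] };
  const doc = {
    write(html) {
      const hits = staticInspect(html);        // same rules, now post-assembly
      state.findings.push(...hits);
      if (hits.length === 0) state.written.push(html); // only clean content renders
    },
  };
  return { doc, state };
}

function runWithRuntimeHook(pageScript) {
  const { doc, state } = makeHookedDocument();
  pageScript(doc);
  return state;
}

// The static pass over the body finds nothing; the sink-side hook finds both.
console.log("static:", staticInspect(untrustedPageScript.toString()));
console.log("runtime:", runWithRuntimeHook(untrustedPageScript).findings);
```

In a real browser the equivalent sink-side checks live in the rendering engine or an isolation layer rather than in a page-level wrapper, which page scripts could themselves replace.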

With these attacks, the security that works best is close to the user and where code is executed and data is manipulated. That’s within the web browser. This is a different strategy than what has been typically implemented, such as web security platforms that focus on acceptable use policy enforcement, use signatures to identify malware, and don’t evaluate the specific activity within web browsers and applications.

What enterprise security teams must do is ensure that all content is correctly inspected and that HEAT (and other) attacks are stopped where legacy security tools miss them. To mitigate threats in the contemporary web browsing environment, enterprises must prioritize comprehensive browser visibility. That visibility lets security teams detect and protect against suspicious activity and malicious intent originating from websites in real time, safeguarding the organization’s digital assets while keeping browsing secure for all users.
