
HEAT attacks: Evading HTTP traffic inspection


The infamous bank robber Willie Sutton is often (inaccurately) attributed as saying that he robbed banks because “That’s where the money is.” While this oft-cited legend is false, it’s also spot-on: Banks do get robbed because that’s where the money is. This truism holds for the digital economy as well. Cyberattackers target systems where the people and the data are.

The challenge for attackers and enterprise defenders alike is that the locations where people and their data reside are changing. There was a time when attackers focused their exploits on their targets’ networks, endpoints, server operating systems, and installed applications. They still do, but as enterprise private data centers disappear, most work occurs online, and threat actors are increasingly targeting web browsers. By some estimates, workers spend 75 percent of their day working and being productive in a web browser. That’s where the people and the data — aka the money — are.

In this series on Highly Evasive Adaptive Threats (HEAT), we’ve detailed how attackers use techniques to evade static and dynamic content inspection, malicious link analysis, and offline categorization and threat detection. HEAT attacks are increasing in the wild, and enterprises that rely on legacy security defenses designed for the days of on-premises networks and private data centers will find themselves falling victim.

This post examines how threat actors craft their attacks to evade HTTP traffic inspection. In these attacks, threat actors use JavaScript to dynamically generate malicious content after the HTTP traffic has already passed through the inspection engine. The content is created within the web browser on the endpoint. Because the images are rendered and the code is executed within the browser’s local JavaScript engine, after the inspection point, these attacks bypass the security vetting that occurred before the attack code reached the endpoint.

Before we dive into the specifics of these attack techniques, it’s a good idea to look at how traditional HTTP traffic inspection works. With HTTP traffic inspection, the HTTP stream is analyzed for threats as it crosses the network. The HTTP analysis engine looks for exploits headed to the browser, such as malware, malicious content, signatures typical of phishing kits, brand-impersonating images, and more. Of course, attackers will attempt to evade this type of detection, and they certainly have ways to do so.

One of the most common ways to evade HTTP traffic inspection is to use obfuscated JavaScript to hide anything that could trigger security defenses. To do this, attackers have the malicious payload assembled dynamically within the JavaScript engine in the browser. This way, signature-based HTTP traffic inspection technologies miss the attack as it heads toward the endpoint, because the signature strings never appear in the bytes on the wire. The execution of such attacks often begins with sophisticated phishing pages that trick users into thinking that they are genuine. Attackers use exploit code that is obfuscated or dynamically generated to avoid signature-based JavaScript detection. They may also use creative CSS manipulations to avoid visual detection and convert benign-looking images into images that impersonate known brands for phishing purposes. All of this happens at the browser level, in front of the end-user’s eyes, avoiding any inspection point prior to that.

As we covered in a recent featured article on HEAT attacks, attackers use JavaScript because it is so widely used. An analysis recently conducted by the HP Threat Research team found that such hidden JavaScript techniques were recently used to plant remote access Trojans on endpoints to commandeer end-user devices and steal sensitive data. In this attack, the threat actors used RATDispenser, a JavaScript loader that employs rarely detected JavaScript attachments.

Obfuscation techniques of this kind cannot be identified by traditional HTTP traffic inspection, which operates on network traffic before the browser has executed anything. These attacks will bypass those security controls and execute on the endpoint. To catch them, enterprises must look at the execution of the JavaScript engine itself and identify malicious behavior based on the activity on the endpoint, so that the attack can be identified and blocked before it is fully executed.

Against these attacks, the security that works best is close to the user, where code is executed and data is manipulated. That’s within the web browser. This is a different strategy from what has typically been implemented: web security platforms that focus on acceptable-use policy enforcement, use signatures to identify malware, and don’t evaluate the specific activity within web browsers and applications.

What enterprise security teams must do is ensure that all content is correctly inspected and that HEAT (and other) attacks are stopped in ways that legacy security tools often miss. As remote and hybrid work become the norm, attackers will continue to leverage these tactics, meaning enterprise security teams need to put an emphasis on preventative security measures.

Download white paper: The threat landscape HEATs up with Highly Evasive Adaptive Threats
