Webinar:
First Line of Defense: Menlo Secure Enterprise Browser
Icon Rounded Closed - BRIX Templates

HEAT attacks: Evading URL filtering

Mark Guntrip
|
March 6, 2022
linkedin logotwitter/x logofacebook logoSocial share icon via eMail

We’ve recently been detailing how attackers are leveraging Highly Evasive Adaptive Threats (HEAT) to easily bypass traditional security defenses. And to successfully do so, attackers are focusing their attention where users are the most productive and are employing HEAT tactics that successfully bypass these defenses to compromise their victims.

Knowledge workers now rely heavily on web browsers, which have become more sophisticated over time. However, many organizations continue to depend on traditional network and endpoint security solutions, such as sandboxes, firewalls, and endpoint detection and response platforms. These solutions were designed for simpler web browsing interfaces and are no longer sufficient to protect the modern, versatile browser that employees use today. Workers now utilize browsers for a wide range of tasks, including communication with colleagues and partners, accessing web-based applications for productivity, and researching work-related topics that often involve browsing news websites. According to the Pew Research Center, about 80% of Americans get their news online. And to do so, they are mainly hitting social media and Internet search engines. This is where one HEAT attack technique is proving effective in its exploits.

One of the ways the security industry tries to flag malicious websites is by categorizing them as trusted or untrusted. To categorize these sites, web security tools consider characteristics such as the age of the website domain, the reputation of the domain, its popularity, and whether the site has previously been associated with illegal or malicious activity. HEAT attacks evade web categorization by quickly flipping benign, or trusted, websites to malicious websites capable of delivering malware – a tactic the Menlo Labs team refers to as Legacy URL Reputation Evasion (LURE).

How attackers evade URL filtering

These attacks can be implemented in many ways. Certainly, threat actors can buy domains and establish sites that will gain trust and then turn them into malicious websites at the right time. Attackers utilize numerous ways to infiltrate legitimate websites and turn them into malware delivery vectors.

When creating new websites, the threat actors will provide content and conduct themselves in a way that will build trust with the website over time. These websites are left with legitimate content and no malicious activity for a long period of time. An attacker or group might build a supply chain of such sites for use in their campaigns.

Once these sites gain a decent reputation, the attackers will flip a proverbial switch that allows the site to deliver malware and phish for credentials. Threat actors can then take advantage of any visitors that are directed to the website through SEO traffic or guide intended victims to the site through a URL. When the attack is complete, the threat actors will either shut down the site or flip the site back to its original trusted state. If they attempt to flip the site back to a trusted status, chances are they will use it again in a future attack.

By the time traditional security tools identify the tactics at play, the damage is done. These attack types are growing. The Menlo Labs team has observed an increase of more than 137% in websites that evaded categorization from 2020 to 2021, and an even greater increase from 2019 to 2021 – 958%.

Part of the reason these attacks have increased so dramatically is that websites remain vulnerable. Consider the recent Log4j vulnerability. Log4j is an open-source library that is used for logging application error messages. This library is nearly ubiquitous, and unpatched versions are highly vulnerable. Those vulnerable and at-risk sites will prove to be a fruitful entryway into legitimate websites for static and dynamic content inspection evasion for some time ahead.

When it comes to active attacks, Menlo Labs is watching SolarMaker, an active threat campaign that implements SEO poisoning to attract audiences to low-trafficked sites that have been identified as benign. After the sites gain increased traction from the SEO fuel they provided, the threat actors place malicious content within them. According to our research, Secure Web Gateways have offered access to these websites before any analysis identified the malicious activity and appropriately categorized the websites.

This certainly isn’t the only attack designed to evade URL filtering.

Recently, Bleeping Computer covered how a massive campaign targeted 900,000 WordPress sites within a single week. The attackers did so by attempting to redirect web visitors to malicious advertising sites or deliver a backdoor if the endpoint had administrative rights enabled. “Based on the payload, the attacks seem to be the work of a single threat actor, who used at least 24,000 IP‌ addresses over the past month to send malicious requests to more than 900,000 sites,” Ionut Ilascu wrote.

Then there’s this research from Volexity that shows how attackers can amplify attacks that leverage evasion techniques to reach thousands of users. The attack summarized by Volexity details how the North Korean APT known as InkySquid uses browser exploits to deliver their malicious payload to as many victims as possible. They did so by infecting the website of the Daily NK, a widely read paper in that country.

“These URLs lead to legitimate files used as part of the normal function of the Daily NK website; however, their contents were modified by the attacker to include code redirecting users to load malicious JavaScript from the attacker-owned domain jquery[.]services. The attacker-included code was only added for short periods and was swiftly removed, making identification of this activity difficult as the malicious content was not always available,” Volexity wrote.

Consider the significance for a moment. Attackers can create URLs and build trust among web crawlers and security categorization engines. They can also infect popular, well-trafficked websites to conduct their attacks and deliver malware through the endpoint web browser. It’s clear that defenders must think differently to successfully prevent these HEAT attacks. To successfully stop attacks, defenders must evolve along with their adversaries.

Today, security is most effective when it’s close to where the user works: within the web browser or web-connected application. And to successfully stop HEAT attacks, enterprise security teams need to consider security technology the provides visibility into the browser and offers dynamic security controls to protect against suspicious behaviors and malicious website intent in real-time, as well as technology that will apply consistent security policies across endpoints and simplify the management of security policies so that modern HEAT attacks can be stopped. Finally, when looking at the rising threat of HEAT attacks, it’s essential that security teams focus much more heavily on web defenses.