Learn how hybrid work is fueling ransomware attacks and what to do about it.
Traditional security approaches are flawed, costly, and overwhelming for security teams. Menlo Security is different. It’s the simplest, most definitive way to secure work—making online threats irrelevant to your users and your business.
Our platform invisibly protects users wherever they go online. So threats are history and the alert storm is over.
Traditional network security wasn’t built to address today’s complex enterprise environments. SASE fixes that problem.
Menlo Labs provides insights, expertise, context and tools to aid customers on their journey to connect, communicate and collaborate securely without compromise. The collective is made up of elite security researchers that put a spotlight on the threats you know and don’t know about.
Menlo Labs provides insights, expertise, context and tools to aid customers on their journey to connect, communicate and collaborate securely without compromise.
Share this article
When it comes to how people work and collaborate, the novel coronavirus pandemic ushered the most rapid pivot in history. Never before had so many shifted so quickly. And that shift created a dramatic pulling forward of demand for cloud services and accelerated the adoption of cloud applications and digital transformation efforts by a decade.
Consider this: A survey conducted by Forrester Consulting, commissioned by Google, found that staff spend 75 percent of their working time online, mainly within a web browser. Further, SaaS applications are in use within 99 percent of organizations. We don’t need statistics to prove this, of course, as we see it all around us in our daily lives — the web browser is essentially the new office space.
Cybercriminals have noticed this trend, too, and they’re evolving their attacks to take advantage accordingly. As this series on Highly Evasive Adaptive Threats (HEAT) highlights, criminals modify their attacks to infiltrate the browser in new ways and adopt new twists for established attacks to prevent detection. Not only has the trend to the cloud accelerated business technology by a decade, but this trend has also set many traditional security defenses behind by the same 10 years.
If enterprise security professionals don’t adapt and choose to protect their enterprise against these attacks, they’ll find themselves woefully under-defended. Cybercriminals are bringing the HEAT to web browsers, and these HEAT attacks are currently being used to deliver all forms of malware and to conduct enterprise attacks. And there’s no sign of a cooldown anytime soon.
Let’s take a look at one of the four core HEAT characteristics; specifically, how these attacks are able to evade both static and dynamic content inspection.
That means there’s no reason for the malware to get inspected by a Secure Web Gateway or any network security appliance, like a sandbox.
Interestingly, this attack technique isn’t taking advantage of what is typically thought of as a software vulnerability or design flaw; instead, the method is exploiting the way modern browsers work and the techniques developers typically use to optimize download speeds and improve the user web experience.
These attacks aren’t merely hypothetical; they’re increasingly happening in the real world because people spend much more time working within their browsers.
The Menlo Labs research team has identified several campaigns involving HTML smuggling. One such incident is the recent ISOMorph HTML smuggling campaign. This campaign, identified during the summer of 2021, leveraged HTML smuggling techniques we detailed above. Multiple sections of malware were independently downloaded to the browser and then assembled within the rendering of the web page on the endpoint. A BLOB element was used to create a malicious .iso file that was downloaded to the user’s endpoint the moment they accessed the web page, without any specific user action.
This ISOMorph attack followed other campaigns that used this technique, including attacks operated by threat actor NOBELIUM (the group thought to be behind the SolarWinds attack). Microsoft says it has observed this technique being used to deliver the banking Trojan Mekotio, the AsyncRAT/NJRAT, and TrickBot. This is malware that attackers use to command control of targeted endpoints and distribute ransomware and other threats.
With ISOMorph, the attackers targeted the popular communication platform Discord and its roughly 300 million registered users. Menlo Labs witnessed the malicious actors using Discord to host a Remote Access Trojan (RAT) known as AsyncRAT. AsyncRAT employs many ways to evade detection, log passwords, and exfiltrate data.
Attackers are increasingly turning to HTML smuggling and other HEAT tactics because they’re successful at getting to the end user’s browser by bypassing common defenses, such as Secure Web Gateways and their anti-malware and sandboxing capabilities, as well as network and HTTP inspections, malicious link analysis, offline domain analysis, and threat intelligence feeds. Because HEAT-styled attacks are so successful, they’ve set enterprises back considerably in their security investments.
While these attack techniques aren’t new, threat actors are getting better at putting them to use and scaling the adoption of these attack tactics. After all, it’s been possible to successfully bypass Secure Web Gateways for some time, such as by sending files that are too big to be analyzed by their engines, by “protecting” files with passwords, or by encrypting them. With HTML smuggling, however, there is no file to analyze.
HTML smuggling is another example of why enterprise security teams need to shift their attention from just email, network, and other traditional attack vectors and pay much closer attention to what attackers are doing within the web browser. And security teams need to make sure that they have the appropriate levels of defenses in place.
We expect attackers to keep bringing the HEAT to the web browser for some time. After all, the move to the cloud and digital transformation isn’t going away, since they provide tremendous opportunities for modern businesses to succeed. Unfortunately, bad actors will increase their focus on ways to exploit these trends.
Mark Guntrip on Feb 08, 2022
Threat Trends & Research
To talk to a Menlo Security expert, complete the form, or call us at (650) 695-0695.