Find the right approach to browser security
Traditional security approaches are flawed, costly, and overwhelming for security teams. Menlo Security is different. It’s the simplest, most definitive way to secure work—making online threats irrelevant to your users and your business.
Our platform invisibly protects users wherever they go online. So threats are history and the alert storm is over.
Traditional network security wasn’t built to address today’s complex enterprise environments. SASE fixes that problem.
Menlo Labs provides insights, expertise, context and tools to aid customers on their journey to connect, communicate and collaborate securely without compromise. The collective is made up of elite security researchers that put a spotlight on the threats you know and don’t know about.
Menlo Labs provides insights, expertise, context and tools to aid customers on their journey to connect, communicate and collaborate securely without compromise.
Neko Papez | May 09, 2023
Share this article
Despite some good news from the recently released 2023 CyberEdge Cyberthreat Defense Report (CDR), high-profile breaches continue to plague the industry. From Rackspace to Twitter to GitHub, businesses, organizations and government agencies around the world have been victimized by sophisticated threat actors who are getting better at evading traditional security solutions.
The somewhat silver lining is that there is a clear pattern that’s shedding light on these Highly Evasive Adaptive Threats (HEAT). These HEAT attacks exploit vulnerabilities in web browsers, using a variety of evasive techniques to get around detection-based security tools. These include multi-factor authentication (MFA) bypass, HTML smuggling, leveraging malicious password-protected, and Legacy URL Reputation Evasion (LURE). Needless to say, they’re serving as a wake-up call for security teams to bolster their browser security.
While you may not have been familiar with HEAT attacks before, we’ve compiled a list of five recent headline-grabbing cyber attacks you may have read about in the news that fall into this threat category:
Read the news article
Evasive technique: Leveraging malicious password-protected files
Traditional security technology bypassed: Secure Web Gateway (SWG), sandbox, Secure Email Gateway
Attack anatomy: Notorious hacker Earth Preta, long suspected to be supported by the Chinese government, continues to evolve its evasive techniques to gain access to IT networks around the world. In its latest attack, the group used a malicious password protected file to deploy backdoor access and command and control tools used for data exfiltration. The messages are delivered through spear phishing to intended victims with Google Drive or DropBox links that hide the malicious payloads in fake files that are disguised as legitimate documents. Most recently, Earth Preta has been embedding download links in password protected files to avoid scanning by email gateway solutions or secure web gateways (SWGs) and sandboxes–tools that often have policies allowing all password-protected files to be downloaded through the browser to avoid inhibiting legitimate business use cases.
Preventing an attack: Whether they are known or unknown, good or bad—Remote Browser Isolation (RBI) fetches and executes all files in a remote browser in the cloud. By leveraging these solutions, documents are rendered on a secure, isolated web page, which undergoes active scanning. Only only after a document passes inspection can administrators download it. This results in providing the maximum protection with minimal disruption to the user experience.
Evasive technique: Legacy Reputation Evasion Technique (LURE)
Traditional security technology bypassed: URL filtering, HTTP page/content inspection
Attack anatomy: A recent phishing campaign uses Google Ads to sneak phishing sites into Google searches in an attempt to steal Amazon Web Service (AWS) users’ login credentials. In fact, the attack places the malicious results second—only behind Amazon’s own paid search results. Once clicked, the links send the user to a fake food blog under the attackers’ control. Users are then redirected to a fake AWS login page with seemingly authentic Amazon branding and messaging. Users that enter their credentials into the fake form are then compromised.
Preventing an attack: Establishing a good reputation in Google Ads for the fake food blog allows the threat actor to get around categorization engines that block suspicious sites. Using dynamic policy enforcement inside of Isolation can help stop these attacks by automatically disabling login forms and making them read only. These phishing defense tools are implemented at the browser level rather than solely on the email path—an approach that stops phishing attacks delivered through threat vectors other than email.
Evasive technique: HTML smuggling
Traditional security technology bypassed: File-based inspection, HTTP content/page inspection
Prevention: Preventative technology like isolation acts as the surrogate browser in this case to monitor files looking to reassemble and execute on the user’s local browser. These suspicious documents are isolated and undergo inspection by an anti-virus tool or sandbox. Preventative phishing tools can also inspect images (such as a brand logo) post rendering and identify if they’ve been manipulated at the file level.
Evasive technique: SEO poisoning
Prevention: Advanced phishing defense tools implemented in the web path rather than the email path can discover obfuscated content at runtime inside isolation. By using a surrogate browser inside isolation, obfuscated content is de-obfuscated at runtime inside of isolation protecting user from any malicious code that would have run on the user’s local browser at runtime, completely protecting the user.
Evasive technique: MFA bypass
Traditional security technology evaded: URL filtering, HTTP page/content inspection
Attack anatomy: An unknown threat actor recently sent prompts to Reddit employees directing them to visit a malicious website that looked and acted like the company’s intranet gateway. A single user fell for the phishing attack and gave up their credentials and two-factor authentication (aka MFA) tokens. The threat actor was then able to access internal documents, business systems and some advertising information.
Prevention: New isolation-based behavioral engines use advanced machine learning algorithms to analyze brand logos, page elements, input fields and URL links directly inside the browser to determine in real time whether a requested page is malicious. Coupled with adaptive security controls, these anti-phishing tools can dynamically block access or render the page in read only mode.
With Google reporting that 75% of knowledge work is being conducted within a web browser, and Verizon sharing that 90% of breaches now occur through the browser, it’s safe to say that these productivity tools are in the spotlight for cybersecurity teams. Malicious actors are continuously evolving their techniques to make it harder than ever for traditional security tools to detect evasive browser attacks in progress. And once they make that initial access into an endpoint, it’s too late to stop the attack from spreading. Organizations need to focus more on a proactive, preventative browser security strategy to stop these highly sophisticated attacks. This can be achieved by focusing on technology that provides browser visibility and adaptive security controls that prevent zero-hour attacks from occurring in the first place.
Posted by Neko Papez on May 09, 2023
Tagged with Awareness, Blog, HEAT, Isolation, Threat Trends
Protecting the Remote Workforce
To talk to a Menlo Security expert, please complete the form.