Threat actors are continuing to amplify their attacks and explore shifty ways to compromise organizations. One specific tactic that’s growing in popularity is Legacy URL Reputation Evasion (LURE). We’ve previously covered this tactic, but with the discovery of new LURE attacks, organizations that use earlier-generation Secure Web Gateways (SWGs) and traditional URL filters will find themselves increasingly at risk. We feel it’s important to take a closer look at these attacks and at the steps organizations can take to stop them.
Essentially, LURE attacks evade web filters that attempt to categorize domains based on trust. The attackers do so by compromising poorly secured websites that are already trusted by these security systems and using them to serve up malware or steal user credentials. The rise of these LURE attacks is startling. We’ve found that LURE tactics have increased by more than 950 percent within the past two years. These attacks can be used to publish phishing pages, execute browser exploits, and deliver malicious files to user endpoints.
LURE attacks are just one type of Highly Evasive Adaptive Threat (HEAT). To recap, HEAT attacks are a class of cyberthreats that target web browsers as the attack vector. They employ techniques that successfully evade multiple layers of detection in current security stacks. That means they successfully circumvent firewalls, SWGs, sandbox analysis, URL reputation, and phishing detection. HEAT attacks are often the initial way attackers deliver malware or compromise credentials, leading to successful ransomware attacks.
New LURE attacks identified
BleepingComputer covered a LURE attack in a recent report. This story details how security researchers have witnessed an increase in reverse tunnel services used in conjunction with common URL shorteners as part of effective phishing campaigns.
Using this LURE attack, the threat actors don’t have to register and build domains for use in their attacks, as they did in the past. As BleepingComputer reported, these attackers can “host the phishing pages locally on their own computers and route connections through the external service. Using a URL shortening service, they can generate new links as often as they want to bypass detection.”
With this strategy, the attackers don't have to worry that complaints about the phishing site will reach a hosting provider before the attack has had time to be effective, and they can generate as many links as they need until they compromise their target. Both of these techniques bypass traditional reputation-based URL filters.
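A defender-side sketch of the redirect pattern described above, added here as an example (not code from Menlo or BleepingComputer): it rebuilds redirect chains from proxy logs and flags shortener links that land on a reverse-tunnel hostname, a destination that a per-domain reputation lookup would pass. The shortener and tunnel domain lists, the log format and every log line are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed watchlists, not from the article; maintain your own from threat intel.
SHORTENERS = {"bit.ly", "is.gd", "cutt.ly"}
TUNNEL_SUFFIXES = (".ngrok.io", ".trycloudflare.com")
MAX_HOPS = 5  # stop following redirect loops
# Constructed proxy log: timestamp client method url status redirect-target
SAMPLE_LOG = """\
2022-06-01T09:00:01Z 10.0.0.5 GET https://bit.ly/EXAMPLE1 301 https://a1b2c3d4.ngrok.io/login
2022-06-01T09:00:02Z 10.0.0.5 GET https://a1b2c3d4.ngrok.io/login 200 -
2022-06-01T09:01:10Z 10.0.0.7 GET https://bit.ly/EXAMPLE2 301 https://www.example.com/news
2022-06-01T09:01:11Z 10.0.0.7 GET https://www.example.com/news 200 -
2022-06-01T09:02:00Z 10.0.0.9 GET https://is.gd/EXAMPLE3 302 https://cutt.ly/EXAMPLE4
2022-06-01T09:02:01Z 10.0.0.9 GET https://cutt.ly/EXAMPLE4 301 https://demo-box.trycloudflare.com/signin
2022-06-01T09:02:02Z 10.0.0.9 GET https://demo-box.trycloudflare.com/signin 200 -
"""

def host(url):
    return (urlsplit(url).hostname or "").lower()

def parse(log):
    hops = {}  # (client, url) -> (status, redirect target or None)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 6 or not parts[4].isdigit():
            continue  # skip malformed lines
        _ts, client, _method, url, status, target = parts
        hops[(client, url)] = (int(status), None if target == "-" else target)
    return hops

def find_tunnel_chains(log):
    """Return (client, chain) for shortener links that resolve to a tunnel host."""
    hops = parse(log)
    # URLs that are themselves redirect targets are mid-chain, not entry points.
    mid_chain = {(c, t) for (c, _), (_, t) in hops.items() if t}
    findings = []
    for (client, url), (status, target) in hops.items():
        if (client, url) in mid_chain or host(url) not in SHORTENERS:
            continue
        chain = [url]
        while target and 300 <= status < 400 and len(chain) <= MAX_HOPS:
            chain.append(target)
            status, target = hops.get((client, target), (0, None))
        if len(chain) > 1 and host(chain[-1]).endswith(TUNNEL_SUFFIXES):
            findings.append((client, chain))
    return findings

if __name__ == "__main__":
    for client, chain in find_tunnel_chains(SAMPLE_LOG):
        print(client, " -> ".join(chain))
```

Matching on the final hop rather than the clicked link is the point: the shortener link changes with every message, while the tunnel service's parent domain stays the same.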
Attackers get creative with LURE attacks
The LURE attack covered by BleepingComputer is just the most recent example of a LURE-type HEAT attack that the Menlo Labs research team has monitored recently. Another is the Browser in the Browser campaign, or BitB attack, that we covered in May. In a BitB attack, the threat actor will compromise a poorly protected website and create fake pop-up windows that appear to be a sign-in page from a trusted entity, such as Facebook or Google, so that the malicious site appears legitimate to potential victims. While the pop-up is fake, it will often have a legitimate URL, as with most phishing attacks. Of course, the underlying pop-up code is designed to capture log-in credentials and act on them once they are entered into the bogus window.
Another LURE attack example, and one that Menlo Labs also detailed, is using a CAPTCHA feature to make malicious websites appear legitimate and entice users into providing their access credentials.
Anatomy of a LURE-based ransomware attack
Attackers can use LURE-style HEAT attacks for many reasons, ranging from credential harvesting to ransomware attacks. In a ransomware attack, the threat actor could use the LURE HEAT technique to compromise a poorly defended website. Since the website is already classified as having a good reputation and is trusted, web categorization tools and other filtering defenses do not block or flag the site.
Here’s what happens:
- The compromised website hosts a malicious PDF that appears in search results.
- A user clicks the SEO-poisoned link, and, after multiple HTTP redirects, a malicious first-stage malware payload is downloaded to the endpoint.
- The attacker leverages this backdoor access to gather system information to further their attack.
- At this point, the threat actor can either sell access to the highest-bidding ransomware threat actor via the Dark Web or deliver the payload themselves.
- The ransomware actor delivers its attack payload, such as Cobalt Strike, through the backdoor so that they can then move laterally within the network.
- The attacker gains full domain compromise via a successful Active Directory breach.
- The actor then deploys ransomware to all connected workstations.
HEAT attacks, such as LURE—used to gain entry to an endpoint and then deliver malware to further the attacker’s goal to move laterally and deeper within organizations—occur daily. To successfully defend against such attacks, enterprises must first understand how they may be susceptible. Only then can they mitigate their at-risk areas.
Defending against LURE attacks
To help organizations prevent these types of attacks, Menlo recently released a HEAT Security Assessment Toolkit that provides a lightweight penetration and exposure assessment to help organizations better understand their susceptibility to HEAT attacks. The HEAT Check tool enables security teams to run a light penetration test that identifies areas of susceptibility to HEAT attacks, such as LURE and others. The assessment utilizes several real-world HEAT attacks that threat actors currently use so that security teams can safely determine their organization’s actual exposure.
The HEAT Check tool does not deliver actual malicious content or an attack. Instead, it relies on an industry-standard file known as EICAR to test existing HEAT exposure risk. The EICAR file is a standard, harmless text file for testing malware detection, developed by the European Institute for Computer Antivirus Research (EICAR). If the EICAR file is delivered without triggering an alert inside the security stack, it proves that the security technology is not providing the necessary level of protection to successfully defend against HEAT attacks.
In addition to the HEAT Check tool, security teams can also access the Menlo Security HEAT Analyzer App for Splunk, now available on Splunkbase. This provides organizations with visibility around HEAT attacks that might have impacted their network, without the risk of sharing data outside their organization. This assessment tool analyzes customers’ web traffic to determine if they have some susceptibility to HEAT attacks, and it identifies if there is any form of HEAT exposure currently in their network.