Menlo Security Identifies New HEAT Cyberthreats

Menlo Security this week disclosed it has been tracking a new class of cybersecurity threats, dubbed highly evasive adaptive threats (HEATs), that evade a wide range of traditional cybersecurity technologies.

Mark Guntrip, senior director of cybersecurity strategy at Menlo Security, said these threats specifically target web browsers as the attack vector. HEATs use evasive and adaptive techniques, as the name suggests, to evade detection by security technologies that employ sandbox analysis, URL reputation and phishing detection. The attacks deliver malware or simply compromise credentials that might later be used to enable a ransomware attack, Guntrip noted.

In an analysis of almost 500,000 malicious domains, Menlo Labs researchers discovered that 69% of the malicious websites it tracked used HEAT tactics to deliver malware. Since July 2021, Menlo Security observed a 224% increase in HEAT attacks.

Menlo Security is defining a HEAT attack as follows:

Evades both static and dynamic content inspection: HEAT attacks evade both signature and behavioral analysis engines to deliver malicious payloads to the victim using innovative techniques such as HTML smuggling. Menlo Labs has identified over 27,000 malware attacks delivered using HTML smuggling within the last 90 days.

Evades malicious link analysis: These threats evade malicious link analysis engines traditionally implemented in email.

Evades offline categorization and threat detection: HEAT attacks evade web categorization by delivering malware from benign websites, either by compromising them or creating new ones, also known as Good2Bad websites, by impersonating legitimate sites. Good2Bad websites have increased 137% year-over-year from 2020 to 2021. The top three brands impersonated in phishing attacks are Microsoft, PayPal and Amazon. A new phishing website imitating one of these brands is created every 1.7 minutes.

Evades HTTP traffic inspection: These attacks use malicious content such as browser exploits, cryptomining code, phishing kit code and images that impersonate a known brand’s logos. They also use the JavaScript rendering engine in a browser to make any detection technique useless.

It’s not clear how new these HEAT attacks are, necessarily; perhaps it is just that a new moniker is applied to a class of sophisticated cybersecurity attacks that are becoming more prevalent. With more employees working from home, reliance on browsers to access applications both in the cloud and on-premises IT environments has increased considerably.

To combat these threats, Menlo Labs is making a case for a platform that isolates Web browsers from the application they access using Menlo Security Isolation Platform and Adaptive Clientless Rendering (ACR) technology. ACR fetches and executes the functions of a web browser on its platform rather than on a corporate network. That approach enables Menlo Security to surface sanitized, nonexecutable content on any device to create a zero-trust IT environment.

Regardless of how organizations respond to these threats, it’s apparent that cybercriminals are adapting their techniques at rates that the average organization doesn’t fully appreciate, noted Guntrip. The probability that most organizations have already been compromised to some degree is very high. Now that remote work via a browser has become the new normal, it may behoove most organizations to at least review whether their legacy approaches to cybersecurity are still effective.

Avatar photo

Michael Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.

mike-vizard has 775 posts and counting.See all posts by mike-vizard