Real-world examples of Highly Evasive Adaptive Threats (HEAT) in the news

illustration of news anchor discussing HEAT breaking news

Despite some good news from the recently released 2023 CyberEdge Cyberthreat Defense Report (CDR), high-profile breaches continue to plague the industry. From Rackspace to Twitter to GitHub, businesses, organizations and government agencies around the world have been victimized by sophisticated threat actors who are getting better at evading traditional security solutions.

The somewhat silver lining is that there is a clear pattern that’s shedding light on these Highly Evasive Adaptive Threats (HEAT). These HEAT attacks exploit vulnerabilities in web browsers, using a variety of evasive techniques to get around detection-based security tools. These include multi-factor authentication (MFA) bypass, HTML smuggling, leveraging malicious password-protected, and Legacy URL Reputation Evasion (LURE). Needless to say, they’re serving as a wake-up call for security teams to bolster their browser security.

While you may not have been familiar with HEAT attacks before, we’ve compiled a list of five recent headline-grabbing cyber attacks you may have read about in the news that fall into this threat category:

Researchers uncover Chinese nation-state hackers’ deceptive attack strategies

Read the news article

Evasive technique: Leveraging malicious password-protected files

Traditional security technology bypassed: Secure Web Gateway (SWG), sandbox, Secure Email Gateway

Attack anatomy: Notorious hacker Earth Preta, long suspected to be supported by the Chinese government, continues to evolve its evasive techniques to gain access to IT networks around the world. In its latest attack, the group used a malicious password protected file to deploy backdoor access and command and control tools used for data exfiltration. The messages are delivered through spear phishing to intended victims with Google Drive or DropBox links that hide the malicious payloads in fake files that are disguised as legitimate documents. Most recently, Earth Preta has been embedding download links in password protected files to avoid scanning by email gateway solutions or secure web gateways (SWGs) and sandboxes–tools that often have policies allowing all password-protected files to be downloaded through the browser to avoid inhibiting legitimate business use cases.

Preventing an attack: Whether they are known or unknown, good or bad—Remote Browser Isolation (RBI) fetches and executes all files in a remote browser in the cloud. By leveraging these solutions, documents are rendered on a secure, isolated web page, which undergoes active scanning. Only only after a document passes inspection can administrators download it. This results in providing the maximum protection with minimal disruption to the user experience.

Malicious Google ads sneak AWS phishing sites into search results

Read the news article

Evasive technique: Legacy Reputation Evasion Technique (LURE)

Traditional security technology bypassed: URL filtering, HTTP page/content inspection

Attack anatomy: A recent phishing campaign uses Google Ads to sneak phishing sites into Google searches in an attempt to steal Amazon Web Service (AWS) users’ login credentials. In fact, the attack places the malicious results second—only behind Amazon’s own paid search results. Once clicked, the links send the user to a fake food blog under the attackers’ control. Users are then redirected to a fake AWS login page with seemingly authentic Amazon branding and messaging. Users that enter their credentials into the fake form are then compromised.

Preventing an attack: Establishing a good reputation in Google Ads for the fake food blog allows the threat actor to get around categorization engines that block suspicious sites. Using dynamic policy enforcement inside of Isolation can help stop these attacks by automatically disabling login forms and making them read only. These phishing defense tools are implemented at the browser level rather than solely on the email path—an approach that stops phishing attacks delivered through threat vectors other than email.

HTML smuggling campaigns impersonate well-known brands to deliver malware

Read the news article

Evasive technique: HTML smuggling

Traditional security technology bypassed: File-based inspection, HTTP content/page inspection

Attack anatomy: An increase in HTML smuggling campaigns have been impersonating well-known brands such as Adobe, Google and the U.S. Postal Service to deliver malware, including Cobalt Strike, Qakbot, IcedID and Xworm RAT. HTML smuggling works by breaking down malicious files into small Javascript blobs that don’t do anything suspicious by themselves. However, once past inspection engines, the files dynamically rebuild themselves at the browser level. These HTML smuggling techniques work by using HTML5 attributes that can work offline storing embedded payloads within JavaScript code, which is then decoded and re-assembled into file objects when opened via a web browser. Users often know to avoid suspicious file types such as an unknown PDF, but HTML files are often considered safe—especially when they are seemingly coming from a known brand.

Prevention: Preventative technology like isolation acts as the surrogate browser in this case to monitor files looking to reassemble and execute on the user’s local browser. These suspicious documents are isolated and undergo inspection by an anti-virus tool or sandbox. Preventative phishing tools can also inspect images (such as a brand logo) post rendering and identify if they’ve been manipulated at the file level.

Gootloader malware targets healthcare in ‘aggressive’ campaign

Read the news article

Evasive technique: SEO poisoning

Traditional security technology bypassed: URL filtering, HTTP page/content inspection

Attack anatomy: SEO poisoning allows malicious actors to take advantage of unsuspecting users by making their malicious content appear more relevant and trustworthy to users than it really is. It works by inserting specific keywords and links in a site to get it to rise to the top of search engine results. Users are tricked into visiting the sites where malware is downloaded through the browser onto their end device. Obfuscated Javascript loops that avoid detection by hiding code in page source files are then used to deliver ZIP files for first and second stage payloads that eventually lead to further deployment of malware such as Gootloader and Cobalt Strike. This gives the threat actor the ability to control the victim’s device and gather sensitive information.

Prevention: Advanced phishing defense tools implemented in the web path rather than the email path can discover obfuscated content at runtime inside isolation. By using a surrogate browser inside isolation, obfuscated content is de-obfuscated at runtime inside of isolation protecting user from any malicious code that would have run on the user’s local browser at runtime, completely protecting the user.

Reddit confirmed a security breach after a ‘sophisticated’ phishing attack

Read the news article

Evasive technique: MFA bypass

Traditional security technology evaded: URL filtering, HTTP page/content inspection

Attack anatomy: An unknown threat actor recently sent prompts to Reddit employees directing them to visit a malicious website that looked and acted like the company’s intranet gateway. A single user fell for the phishing attack and gave up their credentials and two-factor authentication (aka MFA) tokens. The threat actor was then able to access internal documents, business systems and some advertising information.

Prevention: New isolation-based behavioral engines use advanced machine learning algorithms to analyze brand logos, page elements, input fields and URL links directly inside the browser to determine in real time whether a requested page is malicious. Coupled with adaptive security controls, these anti-phishing tools can dynamically block access or render the page in read only mode.

Web browsers take the spotlight

With Google reporting that 75% of knowledge work is being conducted within a web browser, and Verizon sharing that 90% of breaches now occur through the browser, it’s safe to say that these productivity tools are in the spotlight for cybersecurity teams. Malicious actors are continuously evolving their techniques to make it harder than ever for traditional security tools to detect evasive browser attacks in progress. And once they make that initial access into an endpoint, it’s too late to stop the attack from spreading. Organizations need to focus more on a proactive, preventative browser security strategy to stop these highly sophisticated attacks. This can be achieved by focusing on technology that provides browser visibility and adaptive security controls that prevent zero-hour attacks from occurring in the first place.

The post Real-world examples of Highly Evasive Adaptive Threats (HEAT) in the news appeared first on Menlo Security.

*** This is a Security Bloggers Network syndicated blog from Menlo Security authored by Neko Papez. Read the original post at:

Avatar photo

Neko Papez

Neko is passionate about cybersecurity and delivering leading product initiatives that help drive demand and positive customer engagement. Prior to Menlo, he has led several high-impact teams at multiple start-ups and successfully executed key strategies to help produce meaningful results for customers and partners alike.

neko-papez has 17 posts and counting.See all posts by neko-papez