Highly Evasive Adaptive Threats (HEAT) attacks are a new class of cyber threats that leverage web browsers as the attack vector and use various techniques to evade detection. Jonathan Lee, Senior Product Manager at Menlo Security, looks at HEAT and the four evasive techniques that characterise such attacks.
When organisations moved to remote or hybrid working, they pivoted quickly by migrating applications and services to the cloud. It allowed employees armed with a web browser to access what they needed anytime, anywhere.
However, simply moving existing on-prem security appliances to the cloud does not give them the visibility, context and awareness needed to enforce security controls effectively there. Web browsers are constantly being updated to address vulnerabilities. Additionally, SaaS and cloud applications are expanding the attack surface. It means there is more distributed work and data to protect.
Threat actors adapting to new security solutions
Threat actors understand this shift and have adapted their techniques accordingly. It has led to a rise of a new class of threats termed Highly Evasive Adaptive Threats or HEAT.
HEAT attacks are being leveraged by known threat groups. One example is Nobelium, the Russian state-sanctioned outfit behind the SolarWinds supply chain attack in 2020. The Gootloader campaign is another example of a HEAT attack. It leverages SEO poisoning to generate high-level page rankings for compromised websites. This particular campaign is known to deliver the REvil ransomware.
But each of these attack methods is different, so what leads them to be classified as HEAT?
HEAT attacks work via the web browser and employ various techniques to evade detection. They can bypass traditional web security measures. They also leverage web browser features to deliver malware or compromise credentials. In many cases, this leads to the delivery of ransomware.
In an analysis of half a million malicious domains, Menlo Labs found that 69% of these websites used HEAT tactics to deliver malware. These attacks allow threat actors to deliver malicious content to the endpoint by adapting to the targeted environment. Since July last year, our research team has seen a 224% increase in HEAT attacks.
HEAT attacks leverage one or more of the following core techniques that bypass legacy network security defences:
1. Evades static and dynamic content inspection
HEAT attacks often use HTML smuggling and/or JavaScript trickery within browser environments to deliver malicious payloads to endpoints. This technique constructs the malicious file at the browser with no request for a remote file that can be inspected.
It transfers the malware and effectively bypasses various firewalls and network security solutions. This includes sandboxes and anti-virus in legacy proxies. File types assumed to be blocked by secure web gateway policies can still make it to endpoints without any user interaction.
The Menlo Labs team analysed HTML smuggling, observing a new campaign dubbed ISOMorph, which used the Discord messaging app – with more than 300 million registered users – to host malicious payloads. It leveraged the ‘downloadable BLOB’ tactic to dynamically construct a file at the browser and download it to the endpoint with no user intervention.
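Because the file is assembled inside the browser rather than fetched from a URL, a proxy or gateway sees only the page that carries the builder script. The following added example (not Menlo Security's code or any product rule set) shows the kind of static triage a defender can still run on that page: it scores HTML for the indicators that together mean "a file is being constructed in the browser and handed to the user as a download". The indicator names, thresholds and both sample pages are assumptions constructed for this example; the base64 literal decodes to the text "not a real payload".

```python
import re
from dataclasses import dataclass, field
from typing import List

# Static indicators that, in combination, suggest a file is being assembled
# client-side and delivered without a server request. These patterns are
# illustrative assumptions for this example, not a vendor rule set.
INDICATORS = {
    "blob_constructor": re.compile(r"new\s+Blob\s*\(", re.I),
    "object_url": re.compile(r"URL\.createObjectURL\s*\(", re.I),
    "ms_save_blob": re.compile(r"navigator\.msSave(?:OrOpen)?Blob\s*\(", re.I),
    "base64_decode": re.compile(r"\batob\s*\(", re.I),
    "download_attr": re.compile(r"\.download\s*=|\bdownload\s*=\s*['\"]", re.I),
    "programmatic_click": re.compile(r"\.click\s*\(\s*\)", re.I),
    # A long base64 literal embedded in the page is the usual carrier.
    "large_base64_literal": re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"),
}


@dataclass
class Verdict:
    score: int
    matched: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Require both halves of the pattern: something that builds a file in
        # memory, and something that hands it to the user as a download.
        builds_file = "blob_constructor" in self.matched or "ms_save_blob" in self.matched
        delivers_file = {"object_url", "ms_save_blob", "download_attr",
                         "programmatic_click"} & set(self.matched)
        return builds_file and bool(delivers_file) and self.score >= 3


def inspect_html(html: str) -> Verdict:
    """Return which indicators fire on a page and an overall score."""
    matched = [name for name, rx in INDICATORS.items() if rx.search(html)]
    return Verdict(score=len(matched), matched=matched)


# Constructed sample 1: an ordinary page offering a server-hosted PDF.
# A plain download link alone should not be flagged.
BENIGN_PAGE = """
<html><body>
<h1>Quarterly report</h1>
<a href="/files/report.pdf" download="report.pdf">Download the PDF</a>
<script>document.querySelector('h1').textContent += ' (2024)';</script>
</body></html>
"""

# Constructed sample 2: the in-browser file-assembly pattern the article
# describes. The payload is a harmless placeholder string, repeated so that
# it is long enough to trip the base64-literal indicator.
PLACEHOLDER_B64 = "bm90IGEgcmVhbCBwYXlvYWQ=" * 10
SMUGGLING_PATTERN_PAGE = """
<html><body>
<script>
  var data = "__B64__";
  var bytes = Uint8Array.from(atob(data), function (c) { return c.charCodeAt(0); });
  var blob = new Blob([bytes], { type: "application/octet-stream" });
  var a = document.createElement("a");
  a.href = URL.createObjectURL(blob);
  a.download = "report.txt";
  a.click();
</script>
</body></html>
""".replace("__B64__", PLACEHOLDER_B64)


if __name__ == "__main__":
    for label, page in (("benign", BENIGN_PAGE), ("builder", SMUGGLING_PATTERN_PAGE)):
        v = inspect_html(page)
        print(f"{label}: score={v.score} suspicious={v.suspicious} matched={v.matched}")
```

The benign page fires only the `download` attribute indicator and is left alone; the builder page fires six and is flagged. Treat this as a triage signal rather than a control: the script that does the assembling can itself be obfuscated or split across fetches, which is exactly why the article argues for keeping execution off the endpoint rather than relying on inspection of the source.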
2. Evades malicious link analysis
HEAT attacks evade malicious link analysis engines. These are traditionally implemented in the email path, where they allow links to be analysed before they arrive at the endpoint. Users are targeted (or speared) with malicious links via channels outside of email, such as social media and professional networks, collaboration tools, SMS, shared documents, etc.
These malicious links are increasingly used to steal corporate credentials instead of personal ones to deliver malware to endpoints and bypass security.
In a recent cyberthreat campaign, attackers leveraged spear-phishing tactics on LinkedIn. The platform’s direct messaging feature was used to send fake job offers using malicious links to infect users with a backdoor Trojan. It gave attackers complete remote control over the target’s computer. This attack never appeared in the email path and evaded any analysis.
3. Evades offline categorisation and threat detection
HEAT attacks evade web categorisation by using benign websites. Threat actors both compromise existing sites and create new ones. This is what the Menlo Labs team has coined Good2Bad websites. Once threat actors decide to activate these websites, they use them for malicious purposes for a short amount of time. They then revert the websites to their original content or simply remove them.
Given that malicious websites have short lifespans, they evade website analysis and categorisation and appear as indicators of compromise (IOC) only when it’s too late and already irrelevant.
The recent critical zero-day vulnerability discovered in Log4j, a Java library for logging error messages in applications, can only increase the exploitation of good websites. Threat actors use the sheer volume of websites that rely on Log4j as an increased opportunity to compromise further sites and use them for malicious purposes.
4. Evades HTTP traffic inspection
In HEAT attacks, malicious content – browser exploits, crypto-mining code, phishing kit code and images impersonating known brand logos – is generated by JavaScript in the browser's rendering engine. This makes any detection technique applied before the web page is executed or rendered useless. The top three impersonated brands are Microsoft, PayPal and Amazon.
Consequently, such HEAT attacks avoid detection by any static signatures that examine webpage source code and HTTP traffic. Obfuscated JavaScript is often used, increasing the challenge for security researchers and detection engines. JavaScript is a ubiquitous client-side scripting language used by nearly all websites. Therefore, it is impractical to simply disable JavaScript completely. Threat actors will use this to their advantage.
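To make the "static signatures miss what the rendering engine produces" point concrete, here is an added example (not the article's or Menlo Security's code) in Python. It compares a source-level string signature against a small obfuscation heuristic on two constructed scripts: one where the displayed text sits literally in the source, and one where the same text only exists once the script runs. The brand name "Example Bank" is fictional, and the marker names, thresholds and samples are assumptions made for this example.

```python
import math
import re
from collections import Counter
from typing import Dict, List

# Quoted string literals in a script (single or double quoted, no escapes,
# single line). Used for the entropy check below.
STRING_LITERAL = re.compile(r"'([^'\\\n]*)'|\"([^\"\\\n]*)\"")

# Markers that the visible content is produced at run time rather than being
# present in the page source. Illustrative assumptions for this example.
OBFUSCATION_MARKERS: Dict[str, "re.Pattern[str]"] = {
    "char_code_assembly": re.compile(r"String\.fromCharCode\s*\("),
    "dynamic_eval": re.compile(r"\beval\s*\(|new\s+Function\s*\(|\bunescape\s*\("),
    "hex_or_unicode_escapes": re.compile(r"(?:\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}){4,}"),
    "numeric_array_blob": re.compile(r"\[\s*\d+(?:\s*,\s*\d+){7,}\s*\]"),
}


def shannon_entropy(text: str) -> float:
    """Bits per character; packed or encoded strings sit well above plain text."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def signature_hit(source: str, needle: str) -> bool:
    """The classic source-level signature: does the string appear literally?"""
    return needle.lower() in source.lower()


def obfuscation_indicators(source: str) -> List[str]:
    """Names of the markers that fire on a script, in dictionary order."""
    found = [name for name, rx in OBFUSCATION_MARKERS.items() if rx.search(source)]
    for m in STRING_LITERAL.finditer(source):
        literal = m.group(1) or m.group(2) or ""
        if len(literal) >= 40 and shannon_entropy(literal) > 4.5:
            found.append("high_entropy_literal")
            break
    return found


def looks_render_dependent(source: str) -> bool:
    """Two or more markers: the page's real content only exists after execution."""
    return len(obfuscation_indicators(source)) >= 2


# Constructed sample A: the displayed text is literally in the source, so a
# signature on the brand name would match here.
PLAIN_SCRIPT = """
document.title = "Sign in to your account";
document.getElementById("brand").textContent = "Example Bank";
"""

# Constructed sample B: the same displayed text, but assembled from character
# codes at run time. The brand name never appears in the source bytes.
RENDERED_SCRIPT = """
var p = [69,120,97,109,112,108,101,32,66,97,110,107];
var s = "";
for (var i = 0; i < p.length; i++) { s += String.fromCharCode(p[i]); }
document.getElementById("brand").textContent = s;
"""


if __name__ == "__main__":
    for label, src in (("plain", PLAIN_SCRIPT), ("rendered", RENDERED_SCRIPT)):
        print(f"{label}: signature_hit={signature_hit(src, 'Example Bank')} "
              f"indicators={obfuscation_indicators(src)} "
              f"render_dependent={looks_render_dependent(src)}")
```

The signature catches sample A and misses sample B entirely, while the heuristic flags B on two markers and stays quiet on A. Heuristics like this buy back some visibility, but they are easily tuned around and cannot tell a packed phishing page from a legitimately minified application, which is the article's argument for rendering the page away from the endpoint rather than trying to predict what it will produce.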
The challenge for organisations is that HEAT characteristics have genuine uses. They cannot simply be blocked at the function level and must be prevented. In the face of HEAT attacks, organisations need to focus on three areas to limit their exposure:
- Shifting from a detection to a prevention mindset
- Stopping threats before they hit the endpoint
- Incorporating advanced anti-phishing and threat isolation capabilities.
For more information on HEAT: Too Hot to Handle.
Menlo Security protects organizations from cyberattacks by eliminating the threat of malware from the web, documents, and email. Menlo Security’s isolation-powered cloud security platform scales to provide comprehensive protection across enterprises of any size, without requiring endpoint software or impacting the end user-experience. Menlo Security is trusted by major global businesses, including Fortune 500 companies and eight of the ten largest global financial services institutions, and is backed by Vista Equity Partners, Neuberger Berman, General Catalyst, American Express Ventures, Ericsson Ventures, HSBC, and JP Morgan Chase. Menlo Security is headquartered in Mountain View, California. For more information, please visit www.menlosecurity.com.