By Vinay Pidathala, Director of Security Research, Menlo Security
Cybersecurity is never straightforward.
While defense techniques, technologies, policies and methodologies continue to evolve at pace, such defenses often trail in the wake of novel cyber attacks that seek out and exploit vulnerabilities in new ways, catching security teams off guard.
Indeed, recent times have provided many headaches for security professionals; Cybersecurity Ventures reveals that cyber attacks in 2021 will amount to a collective cost of approximately $6 trillion – and the situation isn’t forecast to improve any time soon. With attacks expected to intensify by a further 15% a year for the next four years, total damages from cyber attacks could reach as much as $10.5 trillion by 2025.
One of the main concerns today is the exponentially growing number of techniques that cybercriminals are adding to their arsenal. Whether that’s malware, ransomware, DDoS attacks or phishing, they continue to expand their repertoire, each new technique more malicious than the last.
HTML Smuggling explained
HTML Smuggling is a prime example of this in action.
While the broad concept itself is nothing new, the threat is making something of a resurgence having recently been used by Nobelium – the hackers behind the renowned SolarWinds attack that was uncovered in December 2020.
In simple terms, HTML Smuggling provides hackers with a means of bypassing perimeter security through the generation of malicious code behind a firewall. This is executed in the browser on the target endpoint.
Because the malicious payload is constructed inside the browser, no file object crosses the network perimeter in a form that perimeter security systems would typically inspect and detect. As a result, HTML Smuggling can sidestep many commonly used, traditional security solutions, such as sandboxes and legacy proxies.
ISOMorph – a new variation
This is what happened in the case of Nobelium’s HTML Smuggling attack that we are calling ISOMorph.
Here, the attackers targeted Discord, a popular voice, video and text communication platform that is home to more than 150 million active users.
With ISOMorph, HTML Smuggling allows the first attack element to be dropped onto a victim’s computer. This is then constructed on the endpoint, removing the opportunity for detection. After installation, the hackers are then able to execute the payload that infects the computer with remote access trojans (RATs), before setting about logging passwords and exfiltrating data.
While the resurgence of HTML Smuggling through ISOMorph is new, it shouldn’t necessarily come as any great surprise. Indeed, from the cyber attackers’ perspective, it is a logical avenue to pursue.
Thanks to the pandemic, remote and hybrid working has become the new norm. As such working models have become commonplace, the increased use of cloud services and the expansion of organizations’ digital footprints have exposed a series of new security-related challenges.
Today, the browser plays a more vital role in day-to-day operations than ever before – yet, unfortunately, it remains one of the weakest links in the cybersecurity chain, making HTML Smuggling an all the more attractive proposition to threat actors.
From access to execution
So, what should we be looking out for in the case of an HTML Smuggling attack?
In the case of ISOMorph, Menlo Security’s analysis has shown that attackers are using both email attachments and web drive-by downloads to achieve initial infection.
Thereafter, using JavaScript, they employ a technique web developers often use to optimize file downloads: the malicious payload is constructed within the HTML page itself rather than retrieved from a web server by an HTTP request.
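The browser-side assembly pattern described above and in the "HTML Smuggling explained" section leaves static fingerprints in the HTML itself: a large inline base64 string, a decode step, a Blob, and a download sink. The following scanner is an added example for this article (not Menlo Security's tooling); the indicator list, weights, verdict threshold and the two sample documents are assumptions constructed for illustration, and are intended as a triage aid for HTML attachments at an email or web gateway.

```python
"""
Static triage of an HTML document for browser-side payload assembly.
Constructed example, not Menlo Security's code; indicators, weights,
threshold and samples are assumptions chosen for illustration.
"""
import re
from typing import Dict, List

# (name, pattern, weight).  Each API is legitimate on its own; the
# combination of a decode/assembly step with a download sink in one
# small document is what makes a page worth a closer look.
INDICATORS = [
    ("blob_constructor", re.compile(r"new\s+Blob\s*\(", re.I), 2),
    ("object_url", re.compile(r"URL\.createObjectURL\s*\(", re.I), 2),
    ("ms_save_blob", re.compile(r"navigator\.msSaveOrOpenBlob|navigator\.msSaveBlob", re.I), 3),
    ("base64_decode", re.compile(r"\batob\s*\(", re.I), 2),
    ("download_attr", re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']", re.I), 2),
    ("synthetic_click", re.compile(r"\.click\s*\(\s*\)", re.I), 1),
    ("char_assembly", re.compile(r"String\.fromCharCode|charCodeAt", re.I), 1),
]
# A long run of base64-alphabet characters suggests an embedded binary.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{512,}={0,2}")

SINKS = {"object_url", "ms_save_blob", "download_attr"}
SOURCES = {"base64_decode", "embedded_base64_blob", "char_assembly"}


def scan_html(html: str) -> Dict[str, object]:
    """Return indicator hits, an additive score and a verdict for one document."""
    hits: List[str] = []
    score = 0
    for name, pattern, weight in INDICATORS:
        if pattern.search(html):
            hits.append(name)
            score += weight
    blob = BASE64_BLOB.search(html)
    if blob:
        hits.append("embedded_base64_blob")
        score += 3
    # Assumed rule: flag only when a download sink AND an in-page
    # decode/assembly source are both present; either alone is common.
    found = set(hits)
    verdict = "suspicious" if (found & SINKS and found & SOURCES) else "benign"
    return {
        "score": score,
        "indicators": hits,
        "verdict": verdict,
        "blob_bytes": len(blob.group(0)) if blob else 0,
    }


# Constructed sample: inline base64 decoded in-page, wrapped in a Blob and
# pushed to a download sink (the pattern the article describes).
SUSPICIOUS_SAMPLE = (
    "<html><body><script>\n"
    "var data = atob('" + "QUFB" * 200 + "');\n"
    "var bytes = new Uint8Array(data.length);\n"
    "for (var i = 0; i < data.length; i++) bytes[i] = data.charCodeAt(i);\n"
    "var blob = new Blob([bytes], {type: 'application/octet-stream'});\n"
    "var a = document.createElement('a');\n"
    "a.href = URL.createObjectURL(blob);\n"
    "a.download = 'download.bin';\n"
    "a.click();\n"
    "</script></body></html>"
)

# Constructed sample: ordinary client-side preview of a user-chosen file.
# Uses createObjectURL but has no embedded payload, so it stays benign.
BENIGN_SAMPLE = (
    "<html><body>\n"
    "<input type='file' id='pick'><img id='preview'>\n"
    "<script>\n"
    "document.getElementById('pick').onchange = function (e) {\n"
    "  document.getElementById('preview').src = URL.createObjectURL(e.target.files[0]);\n"
    "};\n"
    "</script></body></html>"
)

if __name__ == "__main__":
    for label, doc in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, scan_html(doc))
```

The source-plus-sink rule matters more than the raw score: a legitimate single-page application may hit two or three indicators, so a gateway rule that alerts on any one of them will drown in false positives. Treat a match as a reason to detonate or isolate the document rather than as proof of malice.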
With ISOMorph, the payload in question was an ISO file – a disk image that contains all the components required to install software. The benefit of an ISO file to the attacker is that the endpoint needs no third-party software to open it. In this instance, ISOMorph was also able to achieve persistence by creating a Windows directory on the endpoint.
Equally, it is one example of a file type that is exempt from inspection across both web and email gateway devices.
In analyzing the ISO files used in the campaigns we were monitoring, we found that the VBScript inside often contains malicious code that executes and then fetches additional PowerShell scripts, which in turn download a file to the endpoint.
The malicious code is also executed by proxy by tapping into trusted elements on the endpoint. We saw MSBuild.exe used, for example – a process that is typically whitelisted, allowing the injected code to further avoid detection. Here, ISOMorph used reflection techniques to load a DLL file in memory before injecting the remote access trojan into MSBuild.exe, ensuring antivirus software could then be bypassed.
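The execution chain described in the last two paragraphs (script host, then PowerShell, then a trusted build tool hosting injected code) is visible in process-creation telemetry even when the file itself was never inspected. The detection below is an added example for this article, not Menlo Security's code or rules; the event format, the rule thresholds and the sample events are constructed assumptions modelled loosely on Sysmon-style process-creation records.

```python
"""
Process-chain detection for the script-host -> PowerShell -> MSBuild.exe
pattern.  Constructed example, not Menlo Security's code; the event
schema (pid, ppid, image, cmdline), rule names and sample events are
assumptions for illustration.
"""
import os
from typing import Dict, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
# Trusted, commonly allow-listed binaries that can host foreign code.
PROXY_EXECUTION = {"msbuild.exe"}


def _name(path: str) -> str:
    """Lower-cased basename of a Windows or POSIX path."""
    return os.path.basename(path.replace("\\", "/")).lower()


def ancestry(event: Dict, index: Dict[int, Dict]) -> List[str]:
    """Image names of the parent, grandparent, ... that are present in the index."""
    chain: List[str] = []
    seen = set()
    cur = index.get(event["ppid"])
    while cur is not None and cur["pid"] not in seen:  # guard against pid reuse loops
        seen.add(cur["pid"])
        chain.append(_name(cur["image"]))
        cur = index.get(cur["ppid"])
    return chain


def detect(events: List[Dict]) -> List[Dict]:
    """Apply two chain rules and return one finding per (pid, rule)."""
    index = {e["pid"]: e for e in events}
    findings: List[Dict] = []
    for e in events:
        name = _name(e["image"])
        parents = ancestry(e, index)
        # Rule 1: a script host directly launching PowerShell (the VBScript
        # stage fetching a PowerShell downloader).
        if name in SHELLS and parents and parents[0] in SCRIPT_HOSTS:
            findings.append({"pid": e["pid"], "rule": "script_host_spawns_powershell",
                             "chain": [name] + parents})
        # Rule 2: MSBuild.exe anywhere below a script host or PowerShell,
        # rather than below an IDE or build system.
        if name in PROXY_EXECUTION and (set(parents) & (SCRIPT_HOSTS | SHELLS)):
            findings.append({"pid": e["pid"], "rule": "msbuild_from_script_chain",
                             "chain": [name] + parents})
    return findings


# Constructed sample events.  E:\ is an assumed drive letter for a mounted
# image; the MSBuild path is the standard .NET Framework 4 location.
SAMPLE_EVENTS = [
    {"pid": 1000, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 1100, "ppid": 1000, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe E:\setup.vbs"},
    {"pid": 1200, "ppid": 1100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -nop -c <assumed downloader>"},
    {"pid": 1300, "ppid": 1200, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\Users\alice\AppData\Local\Temp\build.xml"},
    # Benign developer activity: MSBuild launched by Visual Studio.
    {"pid": 2000, "ppid": 1000, "image": r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
     "cmdline": "devenv.exe"},
    {"pid": 2100, "ppid": 2000, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\src\app\app.csproj"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["rule"], f["pid"], " <- ".join(f["chain"]))
```

Rule 2 will also fire on a legitimate PowerShell build script that invokes MSBuild, so in production it should be scoped to non-developer hosts or paired with a project-file path outside known source trees; the chain itself, not the individual binary, is the signal worth keeping.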
Prevention and solutions
The resurgence of HTML Smuggling should be cause for concern.
While vaccination efforts continue to ramp up and economies and societies continue to open up once more, the impact of COVID-19 will be felt long after 2021. In the case of work, the many benefits that have been realized from remote and hybrid working models will ensure that such ways of working won’t disappear anytime soon. As a result, the browser will continue to offer hackers new avenues to attack their target endpoints.
For this reason, HTML Smuggling is expected to stay. In the case of ISOMorph, it is proving to be an effective method from which attackers are able to infiltrate victims’ devices and deploy payloads while bypassing traditional network security tools.
So, how can it be combated? The answer lies in isolation technologies.
Developed with the simple purpose of comprehensively protecting users as they use web services – be it email applications, browsers, or otherwise – isolation creates a virtual barricade between the endpoint and external threats from the internet.
While content, such as emails and web traffic, can still be viewed in a seamless manner, it is never downloaded to the endpoint, eliminating the opportunity for malicious code to infiltrate a device and begin exploiting vulnerabilities.
To achieve a robust endpoint protection strategy, isolation must be placed front and center.
About the Author
Vinay Pidathala is Director, Security Research at Menlo Security based in Mountain View, California. Previously, Vinay was at Aruba Networks and also held positions at FireEye and Qualys.
Vinay can be reached online at: @menlosecurity and at our company website: https://www.menlosecurity.com/