Menlo Security, a leader in cloud security, announced it has identified a surge in cyberthreats, termed Highly Evasive Adaptive Threats (HEAT) that bypass traditional security defenses. HEAT attacks are a class of cyber threats targeting web browsers as the attack vector and employs techniques to evade detection by multiple layers in current security stacks including firewalls, Secure Web Gateways, sandbox analysis, URL Reputation, and phishing detection. HEAT attacks are used to deliver malware or to compromise credentials, which in many cases leads to ransomware attacks. applications and resources and the adoption of Zero Trust solutions.
CIO INFLUENCE News: AWS Forecast in Germany Calls for Increasing Clouds
In an analysis of almost 500,000 malicious domains, The Menlo Security Labs research team discovered that 69% of these websites used HEAT tactics to deliver malware. These attacks allow bad actors to deliver malicious content to the endpoint by adapting to the targeted environment. Since July 2021, Menlo Security has seen a 224% increase in HEAT attacks.
HEAT attacks leverage one or more of the following core techniques that bypass legacy network security defenses:
- Evades Both Static and Dynamic Content Inspection: HEAT attacks evade both signature and behavioral analysis engines to deliver malicious payloads to the victim using innovative techniques such as HTML Smuggling. This technique is used by threat actors including Nobelium, the hacking group behind the SolarWinds ransomware attack. In one recent case, dubbed ISOMorph, the Menlo Labs research team observed the campaign using the popular Discord messaging app to host malicious payloads.
- Menlo Labs identified over 27,000 malware attacks which were delivered using HTML Smuggling within the last 90 days
- Evades Malicious Link Analysis: These threats evade malicious link analysis engines traditionally implemented in the email path where links can be analyzed before arriving at the user.
- Evades Offline Categorization and Threat Detection: HEAT attacks evade web categorization by delivering malware from benign websites, either by compromising them, or patiently creating new ones. Referred to as Good2Bad websites. Menlo Labs has been tracking an active threat campaign dubbed SolarMarker, which employs SEO poisoning. The campaign started by compromising a large set of low-popularity websites that had been categorized as benign, infecting these websites with malicious content.
- Good2Bad websites have increased 137% year-over-year from 2020 to 2021.
- 44% of Menlo Security customers have accessed a website in the past year that falls in the Good2Bad classification, however Menlo’s patented Elastic Isolation Core™ prevented any infection from taking place.
- Evades HTTP Traffic Inspection: In a HEAT attack, malicious content such as browser exploits, crypto-mining code, phishing kit code and images impersonating known brand’s logos is generated by JavaScript in the browser by its rendering engine, making any detection technique useless.
- The top three brands impersonated in phishing attacks are Microsoft, PayPal, and Amazon. A new phishing website imitating one of these brands is created every 1.7 minutes.
CIO INFLUENCE News: Cycode Introduces Complete Approach to Application Security Posture Management
“Highly Evasive Adaptive Threat (HEAT) attacks evade existing security defenses by understanding all the technology integrated into the existing security stack and building delivery mechanisms to evade detection,” said John Grady, ESG Senior Analyst. “Organizations should focus on three key tenets to limit their susceptibility to these types of attacks: shifting from a detection to a prevention mindset, stopping threats before they hit the endpoint, and incorporating advanced anti-phishing and isolation capabilities.”
CIO INFLUENCE News: Vectra AI Adds Advanced Hybrid Attack Detection, Investigation and Response Capabilities for AWS
[To share your insights with us, please write to sghosh@martechseries.com]
