Menlo Security finds cloud migration and remote work gives rise to new era of malware

Menlo Security, a leader in cloud security, has announced it has identified a surge in cyberthreats, termed Highly Evasive Adaptive Threats (HEAT), that bypass traditional security defences. HEAT attacks are a class of cyberthreats that use the web browser as the attack vector and employ techniques to evade detection by multiple layers of current security stacks: firewalls, secure web gateways, sandbox analysis, URL reputation and phishing detection. HEAT attacks are used to deliver malware or to compromise credentials, which in many cases leads to ransomware attacks.

In an analysis of almost 500,000 malicious domains, the Menlo Security Labs research team discovered that 69% of these websites used HEAT tactics to deliver malware. These attacks allow bad actors to deliver malicious content to the endpoint by adapting to the targeted environment. Since July 2021, Menlo Security has seen a 224% increase in HEAT attacks.

HEAT attacks leverage one or more of the following core techniques that bypass legacy network security defences:

  • Evades both static and dynamic content inspection: HEAT attacks evade both signature and behavioural analysis engines to deliver malicious payloads to the victim using techniques such as HTML smuggling, in which the payload is carried as encoded data and reassembled by JavaScript in the browser rather than transferred as a recognisable file. This technique is used by threat actors including Nobelium, the group behind the SolarWinds supply-chain attack. In one recent case, dubbed ISOMorph, the Menlo Labs research team observed the campaign using the popular Discord messaging app to host malicious payloads.
  • Evades malicious link analysis: These threats evade malicious link analysis engines traditionally implemented in the email path, where links can be analysed before they reach the user.
  • Evades offline categorisation and threat detection: HEAT attacks evade web categorisation by delivering malware from benign websites, either by compromising them or by patiently creating new ones that are categorised as benign before they are weaponised; Menlo refers to these as Good2Bad websites. Menlo Labs has been tracking an active threat campaign dubbed SolarMarker, which employs SEO poisoning. The campaign started by compromising a large set of low-popularity websites that had already been categorised as benign and infecting them with malicious content.
  • Evades HTTP traffic inspection: In a HEAT attack, malicious content such as browser exploits, cryptomining code, phishing kit code and images impersonating known brands' logos is generated by JavaScript in the browser's rendering engine rather than transferred over the network, so inspection of the HTTP response body never sees the malicious content and signature matching on the wire fails.

“With the abrupt move to remote working in 2020, every organisation had to pivot to a work from anywhere model and accelerate their migration to cloud-based applications,” said Amir Ben-Efraim, Co-founder and CEO of Menlo Security. “An industry report found that 75% of the working day is spent in a web browser, which has quickly become the primary attack surface for threat actors, ransomware and other attacks. The industry has seen an explosion in the number and sophistication of these highly evasive attacks and most businesses are unprepared and lack the resources to prevent them. Cyberthreats are a mainstream problem and a boardroom issue that should be on everyone’s agenda.”
