HEAT attacks: A new spin on browser exploit techniques

It is no secret that the web browser is becoming an increasingly popular target for cybercriminals looking to compromise an endpoint to gain entry to a network. The increased business use of the browser (remote work) on networks that lack the perimeter security infrastructure of traditional campus networks has made them easier to exploit. In recent months, we have seen an increase in cyberattacks and data leaks caused by browser-related security incidents, including a data breach caused by a phishing attack on Dropbox that gained the hacker access to over 100 of the company’s code repositories in November, and December’s CircleCi breach resulting from an infection of information-stealing malware.

Highly Evasive Adaptive Threats, or HEAT attacks, are a new spin on existing browser exploit techniques that make them much more dangerous. These attacks exploit browsers by leveraging features and tools to bypass traditional security controls and then attack from within, including compromising credentials or deploying ransomware. Comprised of known tactics such as phishing messages, HTML smuggling and dynamic drive-by downloads, these attacks frequently target SaaS applications and other web-based tools that are critical to productivity.

Dangers Posed by HEAT Attacks

Unfortunately, HEAT attacks are able to bypass typical cybersecurity controls like Secure Web Gateways (SWG) and anti-malware capabilities through malicious links disguised as common URLs that victims assume to be safe. HEAT attacks go beyond traditional phishing methods, which have historically been launched by way of email, by inserting themselves into links that are not flagged by anti-phishing software

While conventional security tools are able to detect obvious and unmasked threats, they are far less likely to identify and prevent a highly evasive and adaptive threat that goes out of its way to disguise itself and not appear as a traditional threat. All security measures that are in place before a HEAT attack reaches the browser itself are significantly less effective, including malicious link analysis, network- and HTTP-level inspections and indicator of compromise (IOC) feeds. Once HEAT tactics bypass all traditional security controls that have been put in place by an organization, the attacker is able to compromise credentials, deliver ransomware and take hold of sensitive data.

How Companies Can Protect Themselves Against HEAT Attacks

These attacks succeed because, generally, they have already bypassed traditional security measures and browsers do not have innate mechanisms to evaluate the code that HEAT attacks execute as either malicious or benign. For this reason, organizations cannot rely only on their capacity to block these attacks since their characteristics have valid uses -- they must learn to prevent the ill-natured use of such techniques.

If an organization is relying on detection and response, it likely means that the attack will be at least partially successful and the affected system will find itself in a "containment and recovery" situation, rather than simply triaging a minor incident. Security controls that work only to detect and respond to threats are unreliable when it comes to HEAT attacks, so it is critical that organizations prioritize preventative measures.

Organizations should apply Zero Trust principles of strong authentication, continuous reauthorization, least privilege access and network segmentation to protect against HEAT attacks. A solution that protects the attack vector (the browser) in its entirety is the most preventative tool an organization can implement to avoid HEAT attacks, as the browser is the place where these attacks reveal themselves for what they truly are. Strong browser security solutions must be totally autonomous from other third-party feeds and monitor runtime telemetry in order to successfully thwart HEAT attacks.

The browser deserves to be a more secure component of the organizational supply chain given its importance as one of the most widely-used tools in today’s workforce.  As browsers become more complex with new features and uses, threat actors will continue to leverage browser vulnerabilities in 2023 to breach organizations and access sensitive data through highly evasive and adaptive threats.

HEAT attacks are tricky to defend against because they cannot be completely prevented by most tools and are able to bypass common security measures. This is why it’s especially critical that organizations and security teams have a proper understanding of how HEAT attacks operate and implement proactive security approaches to stay one step ahead of attackers while better protecting themselves from the negative repercussions.

Image Credit: Wayne Williams

Avihay Cohen is CTO and Co-Founder of Seraphic Security.