Browser Isolation Bypassed: QR Codes Used in Novel C2 Attacks

### #QRCodeExploitation #BrowserIsolationBypass #C2Innovations

Summary: A recent Mandiant report reveals how attackers can bypass browser isolation technology by using QR codes to execute command-and-control operations, highlighting vulnerabilities in this cybersecurity measure. The innovative method demonstrates the need for organizations to adopt a multi-layered defense strategy to mitigate such risks.

Threat Actor: Unknown | Unknown
Victim: Various Organizations | Various Organizations

Key Points:

  • Attackers circumvent browser isolation by embedding command-and-control data within machine-readable QR codes.
  • The method involves a compromised system using a headless browser to render a webpage displaying a QR code, which is then decoded to extract command data.
  • Challenges include data limitations of QR codes and latency issues, which can hinder high-bandwidth operations.
  • Mandiant emphasizes the importance of a ‘defense in depth’ strategy, combining browser isolation with other cybersecurity measures.
  • Recommended mitigation strategies include network traffic monitoring and automation detection to identify potential threats.

Browser isolation technology, often lauded as a cornerstone of modern cybersecurity, is not impervious to creative exploitation. A recent report from Thibault Van Geluwe de Berlaere at Mandiant unveils an innovative method for attackers to bypass browser isolation and execute command-and-control (C2) operations using QR codes.

Browser isolation operates by segregating web activity from the user’s local device, either through cloud-based (Remote Browser Isolation, RBI), on-premises, or local environments. The visual content of web pages is streamed to the user’s browser, isolating the user from malicious content such as phishing sites or client-side browser exploits.

As the report describes, “Browser isolation protects users from web-based attacks by sandboxing the web browser in a secure environment (either local or remote) and streaming the visual content back to the user’s local browser.” However, attackers have adapted, circumventing the technology’s restrictions.

Traditional C2 operations rely on HTTP requests to and from the attacker-controlled server. However, in a browser isolation scenario, only the rendered pixels of a webpage are streamed back to the local browser, preventing typical HTTP-based C2 methods. This limits the implant’s ability to decode commands from HTTP responses—a significant hurdle for attackers.

Mandiant’s Red Team introduced a novel solution to this limitation: embedding C2 data within machine-readable QR codes. The process is as follows:

  1. The C2 server serves a webpage displaying a QR code.
  2. A headless browser on the compromised system renders the page, screenshots the QR code, and decodes it to extract command data.
  3. The extracted data directs the implant’s operations, completing the C2 cycle.

This method works seamlessly within the pixel-streaming model of browser isolation. The report notes, “Instead of decoding the HTTP response for the command to execute, the implant visually renders the web page and decodes the command from the QR code displayed on the page.”

Mandiant demonstrated a working proof-of-concept using Puppeteer and Chrome in headless mode. The integration of this technique with Cobalt Strike’s External C2 feature illustrates its real-world viability. However, the approach is not without challenges:

  • Data Limitations: QR codes have a maximum data size of 2,953 bytes. During testing, Mandiant found a practical limit of 2,189 bytes per code due to pixel quality constraints in the rendered stream.
  • Latency: Each C2 operation introduces a delay of approximately 5 seconds, resulting in slow data transfer rates unsuitable for high-bandwidth operations like SOCKS proxying.

While this technique underscores weaknesses in browser isolation, Mandiant emphasizes its continued value as a security measure. As the report concludes, “Organizations should not solely rely on browser isolation to protect themselves from web-based threats but rather embrace the ‘defense in depth’ strategy and establish a well-rounded cyber defense posture.”

To mitigate risks posed by such advanced techniques, Mandiant recommends the following measures:

  1. Network Traffic Monitoring: Inspect traffic for anomalies, especially low-bandwidth activity indicative of iterative HTTP requests.
  2. Automation Detection: Monitor browsers for automation mode indicators such as Chromium’s --enable-automation flags.
  3. Defense in Depth: Combine browser isolation with other cybersecurity measures to create a robust multi-layered defense.
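The first recommendation can be turned into a concrete hunting heuristic. The following added example (not code from Mandiant or the report) scans constructed proxy log lines for the traffic pattern the report describes: one client repeatedly fetching the same URL at near-constant intervals of roughly 5 seconds, with every response small enough to fit inside a single QR code payload (the 2,953-byte ceiling quoted above). The log format, thresholds and hostnames are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines (not from the report): time, client, URL, response bytes.
SAMPLE_LOG = """\
2024-11-20T10:00:00Z 10.0.0.5 https://c2.example.invalid/cmd 1843
2024-11-20T10:00:05Z 10.0.0.5 https://c2.example.invalid/cmd 1901
2024-11-20T10:00:10Z 10.0.0.5 https://c2.example.invalid/cmd 1788
2024-11-20T10:00:15Z 10.0.0.5 https://c2.example.invalid/cmd 2105
2024-11-20T10:00:21Z 10.0.0.5 https://c2.example.invalid/cmd 1960
2024-11-20T10:00:26Z 10.0.0.5 https://c2.example.invalid/cmd 1874
2024-11-20T10:00:02Z 10.0.0.7 https://news.example.invalid/ 48213
2024-11-20T10:03:41Z 10.0.0.7 https://news.example.invalid/a/1 73110
2024-11-20T10:09:12Z 10.0.0.7 https://news.example.invalid/a/2 65004
2024-11-20T10:15:30Z 10.0.0.7 https://news.example.invalid/a/3 61990
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")

def parse_log(text):
    """Yield (timestamp, client, url, size) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), int(m.group(4))

def find_qr_beacons(text, min_hits=5, max_bytes=2953, max_jitter=0.25):
    """Flag (client, url) pairs fetched repeatedly at near-constant intervals
    where every response is small enough to be one QR code payload.
    max_jitter is the allowed coefficient of variation of the gaps."""
    sessions = defaultdict(list)
    for ts, client, url, size in parse_log(text):
        sessions[(client, url)].append((ts, size))
    alerts = []
    for (client, url), hits in sessions.items():
        if len(hits) < min_hits or any(size > max_bytes for _, size in hits):
            continue
        times = sorted(ts for ts, _ in hits)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            alerts.append({"client": client, "url": url,
                           "hits": len(hits), "interval_s": round(avg, 1)})
    return alerts
```

Tune `min_hits` and `max_jitter` to your environment; genuine polling endpoints will also match, so treat hits as leads to enrich with the automation-mode indicators from the second recommendation rather than as verdicts.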


Source: https://securityonline.info/browser-isolation-bypassed-qr-codes-used-in-novel-c2-attacks