“QR Coding: C2 in Browser Isolation”

Summary:
Browser isolation is a security control that separates web browsing from the user's local device to limit exposure to web-borne threats. Mandiant describes a new method attackers can use to bypass browser isolation by using QR codes for command-and-control (C2) communications, demonstrating a weakness in this security technology. Organizations are advised to adopt a comprehensive defense strategy rather than relying solely on browser isolation.
#BrowserIsolation #CyberDefense #CommandAndControl

Keypoints:

  • Browser isolation protects users by sandboxing web browsers in secure environments.
  • Three types of browser isolation exist: Remote, On-Premises, and Local.
  • Mandiant demonstrates a method to circumvent browser isolation using QR codes for C2 communications.
  • Attackers can send commands to compromised systems by embedding data in QR codes displayed on web pages.
  • The technique works across all types of browser isolation environments.
  • Challenges include latency and limitations on data size for QR codes.
  • Organizations should monitor network traffic and browser automation to detect potential threats.

MITRE Techniques:

  • Command and Control (T1071): Utilizes QR codes displayed on web pages to send commands from an attacker-controlled server to a compromised device.
  • Exfiltration Over Command and Control Channel (T1041): Transfers command output encoded in URL parameters back to the C2 server.
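The monitoring recommendation in the keypoints and the URL-parameter exfiltration channel listed under T1041 suggest a simple triage check; the script below is an added example, not code from the Mandiant report or from any tool it names. The proxy log format, the sample lines (including the `c2.invalid` host), the headless-browser user-agent watch-list and the length/entropy thresholds are all assumptions constructed for this example.

```python
import math
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed proxy log sample (not from the report). Format: ts src method url "user-agent"
SAMPLE_LOG = """\
2024-12-01T10:00:00Z 10.0.0.5 GET https://intranet.example.test/home "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"
2024-12-01T10:00:05Z 10.0.0.7 GET https://news.example.test/?q=browser+isolation "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"
2024-12-01T10:00:09Z 10.0.0.9 GET https://c2.invalid/qr-code-page?r=aGVsbG8gd29ybGQgdGhpcyBpcyBvdXRwdXQgZnJvbSB0aGUgaW1wbGFudA== "Mozilla/5.0 HeadlessChrome/120.0"
2024-12-01T10:00:19Z 10.0.0.9 GET https://c2.invalid/qr-code-page?r=d2hvYW1pCmJvYlxcd3MwMQo= "Mozilla/5.0 HeadlessChrome/120.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')
HEADLESS_MARKERS = ("HeadlessChrome", "PhantomJS")  # assumed watch-list of automation UAs
MIN_PARAM_LEN = 32      # assumed: anything shorter is unlikely to carry encoded command output
MIN_ENTROPY_BITS = 3.5  # assumed: base64 text scores well above ordinary query words


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character (0.0 for empty input)."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0


def request_indicators(url: str, user_agent: str) -> list[str]:
    """Heuristic reasons one request resembles output relayed back via URL parameters."""
    reasons = []
    if any(marker in user_agent for marker in HEADLESS_MARKERS):
        reasons.append("headless_ua")
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if len(value) >= MIN_PARAM_LEN and shannon_entropy(value) >= MIN_ENTROPY_BITS:
            reasons.append(f"encoded_param:{key}")
    return reasons


def scan_log(log_text: str) -> list[dict]:
    """Parse each line; keep requests that trip at least one indicator."""
    findings = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:  # malformed line: skip instead of aborting the triage run
            continue
        ts, src, _method, url, ua = match.groups()
        reasons = request_indicators(url, ua)
        if reasons:
            findings.append({"ts": ts, "src": src, "host": urlsplit(url).hostname, "reasons": reasons})
    return findings
```

Calling `scan_log(SAMPLE_LOG)` returns the two requests from `10.0.0.9`, the first flagged for both the headless user agent and the long encoded `r` parameter, the second for the user agent alone. Against real proxy exports the thresholds need tuning on a baseline of normal traffic before the output is fed to alerting.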

IoC:

  • [domain] attacker-controlled-server.com
  • [url] example.com/qr-code-page
  • [file name] malicious-implant.exe
  • [tool name] Puppeteer
  • [tool name] Cobalt Strike

Full Research: https://cloud.google.com/blog/topics/threat-intelligence/c2-browser-isolation-environments/