HTML smuggling is the latest cybercrime tactic you need to worry about

It will be hard to catch these smugglers, as they’re abusing an essential element of web browsers that allows them to assemble code at endpoints, bypassing perimeter security.

Image: oatawa, Getty Images/iStockphoto

Cybersecurity company Menlo Labs, the research arm of Menlo Security, is warning of the resurgence of HTML smuggling, in which malicious actors bypass perimeter security to assemble malicious payloads directly on victims’ machines.

Menlo shared the news along with its discovery of an HTML smuggling campaign it named ISOMorph, which uses the same technique the SolarWinds attackers used in their most recent spearphishing campaign. 

The ISOMorph attack uses HTML smuggling to drop its first stage on a victim’s computer. Because it is “smuggled,” the dropper is actually assembled on the target’s computer, which makes it possible for the attack to completely bypass standard perimeter security. Once installed, the dropper grabs its payload, which infects the computer with remote access trojans (RATs) that allow the attacker to control the infected machine and move laterally on the compromised network.

HTML smuggling works by exploiting basic features of HTML5 and JavaScript that are present in every modern web browser. The core of the technique is twofold: it uses the HTML5 download attribute, which tells the browser to save linked content as a file under a name the page chooses, to deliver a malicious file that’s disguised as a legitimate one, and it uses JavaScript blobs, which let a script assemble that content in memory, in a similar fashion. Either one, or both combined, can be used for an HTML smuggling attack.

Because the files aren’t created until they are on the target computer, network security won’t pick them up as malicious: all it sees is HTML and JavaScript traffic, which can easily be obfuscated to hide malicious code.
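The two building blocks described above, the `download` attribute and JavaScript Blob objects, leave recognisable traces in page source when they are not obfuscated. The following scanner is an added example written for this article, not code from Menlo Labs, SecureTeam or the report they discuss. It assumes Node.js and operates on HTML captured at a proxy or mail gateway; both sample pages are constructed, and the "payload" in the second one is a harmless repeated base64 string. Because a download link or a Blob on its own is common on legitimate pages (static file links, CSV or canvas export), the verdict requires both halves of the pattern: content built in memory and content handed to the user as a file.

```javascript
// Added example, not code from the article or the vendors it cites: a static
// triage scanner for HTML/JS content that looks for the building blocks of HTML
// smuggling described above. Runs under Node.js; sample pages are constructed.

// [indicator name, pattern, weight]
const INDICATORS = [
  // anchor `download` attribute in markup, or the same property set from script
  ['download-attribute', /<a\b[^>]*\bdownload\s*=|\.download\s*=/i, 2],
  // file contents assembled in memory
  ['blob-constructor', /\bnew\s+Blob\s*\(/, 2],
  // in-memory object handed to the browser as if it were a URL
  ['object-url', /URL\.createObjectURL\s*\(/, 2],
  // legacy IE/Edge equivalent of createObjectURL plus download
  ['legacy-save-blob', /\bmsSaveOrOpenBlob\s*\(/, 2],
  // smuggled content usually ships base64-encoded and is decoded client-side
  ['base64-decode', /\batob\s*\(/, 1],
  // the download is triggered without the user clicking the link itself
  ['programmatic-click', /\.click\s*\(\s*\)/, 1],
  // a single string literal of 200 or more base64 characters
  ['long-base64-literal', /["'][A-Za-z0-9+/]{200,}={0,2}["']/, 1],
];

// Scan one page and return the indicators that fired, a weighted score and a
// verdict. The verdict needs both "content built in memory" and "content handed
// to the user as a file", so a plain download link is not flagged on its own.
function scanHtml(html) {
  const hits = [];
  let score = 0;
  for (const [name, pattern, weight] of INDICATORS) {
    if (pattern.test(html)) {
      hits.push(name);
      score += weight;
    }
  }
  const buildsFile =
    hits.includes('blob-constructor') || hits.includes('long-base64-literal');
  const handsOverFile = ['download-attribute', 'object-url', 'legacy-save-blob']
    .some((name) => hits.includes(name));
  return { score, hits, suspicious: buildsFile && handsOverFile };
}

// Constructed sample 1: an ordinary page linking to a file stored on the server.
const BENIGN_SAMPLE = `<html><body>
<h1>Quarterly report</h1>
<a href="/files/report-q3.pdf" download="report-q3.pdf">Download PDF</a>
</body></html>`;

// Constructed sample 2: the shape of a smuggling page. The "payload" is a
// harmless repeated base64 string (decodes to "ABC" over and over).
const FAKE_BASE64 = 'QUJD'.repeat(60);
const SMUGGLING_SAMPLE = `<html><body>
<script>
  var text = atob("${FAKE_BASE64}");
  var bytes = new Uint8Array(text.length);
  for (var i = 0; i < text.length; i++) bytes[i] = text.charCodeAt(i);
  var blob = new Blob([bytes], { type: "application/octet-stream" });
  var a = document.createElement("a");
  a.href = URL.createObjectURL(blob);
  a.download = "invoice.txt";
  document.body.appendChild(a);
  a.click();
</script>
</body></html>`;

for (const [label, page] of [['benign', BENIGN_SAMPLE], ['smuggling', SMUGGLING_SAMPLE]]) {
  const result = scanHtml(page);
  console.log(`${label}: suspicious=${result.suspicious} score=${result.score} hits=${result.hits.join(',')}`);
}
```

As the article notes, the HTML and JavaScript can be obfuscated, so a pattern scanner like this is a triage aid for captured content rather than a blocking control; pages that score high are candidates for detonation in an isolated browser, where the assembled file can be inspected after the script has run.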

The problem of HTML obfuscation becomes even more serious in the face of widespread remote work and cloud hosting of day-to-day work tools, all of which are accessed from inside a browser. Citing data from a Forrester/Google report, Menlo Labs said that 75% of the average workday is spent in a web browser, which it said is creating an open invitation to cybercriminals, especially those savvy enough to exploit weak browsers. “We believe attackers are using HTML Smuggling to deliver the payload to the endpoint because the browser is one of the weakest links without network solutions blocking it,” Menlo said. 

Because the payload is constructed directly in the browser on the target machine, it is nearly impossible to detect with typical perimeter security and endpoint monitoring and response tools. That’s not to say that defending against HTML smuggling attacks is impossible, though: it just means companies need to assume the threat is real and likely, and construct their security on that premise, suggests U.K.-based cybersecurity firm SecureTeam.

SecureTeam makes the following recommendations for protecting against HTML smuggling and other attacks that are likely to pass with ease through perimeter defenses:

  • Segment networks to limit an attacker’s ability to move laterally.
  • Use services like Microsoft Windows Attack Surface Reduction, which protects machines at the OS level from running malicious scripts and spawning invisible child processes.
  • Ensure firewall rules block traffic from known malicious domains and IP addresses.
  • Train users: The attacks described by Menlo Security require user interaction to infect a machine, so be sure everyone knows how to detect suspicious behavior and attacker tricks. 