Highly Evasive Adaptive Threat

Last updated

A Highly Evasive Adaptive Threat (HEAT) is a cybersecurity attack type designed to bypass traditional network security defenses. [1] [2] HEAT attacks are designed to find ways around protections that have been in place for years. [3] HEAT attacks are able to bypass typical cybersecurity controls, such as secure web gateways (SWG) and anti-malware capabilities, through malicious links disguised as common URLs that victims assume are safe. HEAT attacks go beyond traditional phishing methods, which have historically been delivered by email, by inserting themselves into links that are not flagged by anti-phishing software. [4] Similar to most cybersecurity threats, the drivers of HEAT attacks are primarily monetary and political. HEAT attacks focus on technical limitations of commonly deployed security tools with the primary target being web browsers. [5] Nation-states and cybercriminals typically use HEAT attacks for phishing attempts or ransomware initial access. [6]

Contents

Highly Adaptive Evasive Threats (HEAT) require adaptive threat analysis technology to detect threats missed by other approaches. [7]

Definition

HEAT attacks demonstrate four primary characteristics [8]

History and notable HEAT attacks

Though some of the techniques used in HEAT attacks have been in the industry for several years, the increasing trends towards remote work, increasing use of Software as a Service (SaaS) and browser-based applications, and ransomware attacks have accelerated adoption of HEAT techniques by attackers.

Related Research Articles

<span class="mw-page-title-main">Computer security</span> Protection of computer systems from information disclosure, theft or damage

Computer security is the protection of computer software, systems and networks from threats that may result in unauthorized information disclosure, theft of hardware, software, or data, as well as from the disruption or misdirection of the services they provide.

Malware is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive access to information, or which unknowingly interferes with the user's computer security and privacy. Researchers tend to classify malware into one or more sub-types.

Internet security is a branch of computer security. It encompasses the Internet, browser security, web site security, and network security as it applies to other applications or operating systems as a whole. Its objective is to establish rules and measures to use against attacks over the Internet. The Internet is an inherently insecure channel for information exchange, with high risk of intrusion or fraud, such as phishing, online viruses, trojans, ransomware and worms.

A spoofed URL involves one website masquerading as another, often leveraging vulnerabilities in web browser technology to facilitate a malicious computer attack. These attacks are particularly effective against computers that lack up-to- security patches. Alternatively, some spoofed URLs are crafted for satirical purposes.

A web threat is any threat that uses the World Wide Web to facilitate cybercrime. Web threats use multiple types of malware and fraud, all of which utilize HTTP or HTTPS protocols, but may also employ other protocols and components, such as links in email or IM, or malware attachments or on servers that access the Web. They benefit cybercriminals by stealing information for subsequent sale and help absorb infected PCs into botnets.

A supply chain attack is a cyber-attack that seeks to damage an organization by targeting less secure elements in the supply chain. A supply chain attack can occur in any industry, from the financial sector, oil industry, to a government sector. A supply chain attack can happen in software or hardware. Cybercriminals typically tamper with the manufacturing or distribution of a product by installing malware or hardware-based spying components. Symantec's 2019 Internet Security Threat Report states that supply chain attacks increased by 78 percent in 2018.

Mobile security, or mobile device security, is the protection of smartphones, tablets, and laptops from threats associated with wireless computing. It has become increasingly important in mobile computing. The security of personal and business information now stored on smartphones is of particular concern.

SmartScreen is a cloud-based anti-phishing and anti-malware component included in several Microsoft products:

Cozy Bear, classified by the United States federal government as advanced persistent threat APT29, is a Russian hacker group believed to be associated with one or more intelligence agencies of Russia. The Dutch General Intelligence and Security Service (AIVD) deduced from security camera footage that it is led by the Russian Foreign Intelligence Service (SVR), a view shared by the United States. Cybersecurity firm CrowdStrike also previously suggested that it may be associated with either the Russian Federal Security Service (FSB) or SVR. The group has been given various nicknames by other cybersecurity firms, including CozyCar, CozyDuke, Dark Halo, The Dukes, Midnight Blizzard, NOBELIUM, Office Monkeys, StellarParticle, UNC2452, and YTTRIUM.

<span class="mw-page-title-main">Locky</span>

Locky is ransomware malware released in 2016. It is delivered by email with an attached Microsoft Word document that contains malicious macros. When the user opens the document, it appears to be full of gibberish, and includes the phrase "Enable macro if data encoding is incorrect," a social engineering technique. If the user does enable macros, they save and run a binary file that downloads the actual encryption Trojan, which will encrypt all files that match particular extensions. Filenames are converted to a unique 16 letter and number combination. Initially, only the .locky file extension was used for these encrypted files. Subsequently, other file extensions have been used, including .zepto, .odin, .aesir, .thor, and .zzzzz. After encryption, a message instructs them to download the Tor browser and visit a specific criminal-operated Web site for further information.

Content Disarm & Reconstruction (CDR) is a computer security technology for removing potentially malicious code from files. Unlike malware analysis, CDR technology does not determine or detect malware's functionality but removes all file components that are not approved within the system's definitions and policies.

<span class="mw-page-title-main">LogicLocker</span> Ransomware worm targeting industrial control systems

LogicLocker, is a cross-vendor ransomware worm that targets Programmable Logic Controllers (PLCs) used in Industrial Control Systems (ICS). First described in a research paper released by the Georgia Institute of Technology, the malware is capable of hijacking multiple PLCs from various popular vendors. The researchers, using a water treatment plant model, were able to demonstrate the ability to display false readings, shut valves and modify Chlorine release to poisonous levels using a Schneider Modicon M241, Schneider Modicon M221 and an Allen Bradley MicroLogix 1400 PLC. The ransomware is designed to bypass weak authentication mechanisms found in various PLCs and lock out legitimate users while planting a logicbomb into the PLC. As of 14 February 2017, it is noted that there are over 1,400 of the same PLCs used in the proof-of-concept attack that were accessible from the internet as found using Shodan.

Numbered Panda is a cyber espionage group believed to be linked with the Chinese military. The group typically targets organizations in East Asia. These organizations include, but are not limited to, media outlets, high-tech companies, and governments. Numbered Panda is believed to have been operating since 2009. However, the group is also credited with a 2012 data breach at the New York Times. One of the group's typical techniques is to send PDF files loaded with malware via spear phishing campaigns. The decoy documents are typically written in traditional Chinese, which is widely used in Taiwan, and the targets are largely associated with Taiwanese interests. Numbered Panda appears to be actively seeking out cybersecurity research relating to the malware they use. After an Arbor Networks report on the group, FireEye noticed a change in the group's techniques to avoid future detection.

Content Threat Removal (CTR) is a cybersecurity technology intended to defeat the threat posed by handling digital content in the cyberspace. Unlike other defenses, including antivirus software and sandboxed execution, CTR does not rely on being able to detect threats. Similar to Content Disarm and Reconstruction, CTR is designed to remove the threat without knowing whether it has done so and acts without knowing if data contains a threat or not.

Internet security awareness or Cyber security awareness refers to how much end-users know about the cyber security threats their networks face, the risks they introduce and mitigating security best practices to guide their behavior. End users are considered the weakest link and the primary vulnerability within a network. Since end-users are a major vulnerability, technical means to improve security are not enough. Organizations could also seek to reduce the risk of the human element. This could be accomplished by providing security best practice guidance for end users' awareness of cyber security. Employees could be taught about common threats and how to avoid or mitigate them.

Trickbot was a trojan for Microsoft Windows and other operating systems. Its major function was originally the theft of banking details and other credentials, but its operators have extended its capabilities to create a complete modular malware ecosystem.

Emsisoft Ltd. is a New Zealand-based anti-virus software distributed company. They are notable for decrypting ransomware attacks to restore data.

Clop is a cybercriminal organization known for its multilevel extortion techniques and global malware distribution. It has extorted more than $500 million in ransom payments, targeting major organizations worldwide. Clop gained notoriety in 2019 and has since conducted high-profile attacks, using large-scale phishing campaigns and sophisticated malware to infiltrate networks and demand ransom, threatening to expose data if demands are not met.

Royal is a cybercriminal ransomware organization known for its aggressive targeting, its high ransom demands, and its use of double extortion. Royal does not use affiliates.

In computing, infostealers are a form of malicious software, created to breach computer systems to steal sensitive information—including login details, session cookies, financial information, and personally identifiable information. The stolen information are then packaged, sent to the attacker, and often traded on illicit markets to other threat actors.

References

  1. Security, Menlo (February 2, 2022). "Too hot to handle: Why modern work has given rise to HEAT attacks". Menlo Security.
  2. "3 Challenges to Identifying Evasive Threats". Palo Alto Networks.
  3. "The Browser Renaissance: Reshaping the Enterprise Browser Landscape". 31 July 2023 via www.youtube.com.
  4. "HEAT attacks: A new spin on browser exploit techniques". BetaNews. March 30, 2023.
  5. Barth, Bradley (September 27, 2022). "Browser-based HEAT attacks putting CISOs on the hot seat". SC Media.
  6. https://ten-inc.com/presentations/Menlo-Threat-Landscape-HEATs-Up-with-Highly-Evasive-Adaptive-Threats.pdf
  7. "Leverage Adaptive Threat Analysis to Detect Highly Evasive Malware". info.opswat.com.
  8. "The four evasive techniques of Highly Evasive Adaptive Threats -".
  9. Ramaswami, Andrea Kaiser, Shyam Sundar (April 1, 2020). "Navigating Cybersecurity During a Pandemic: Latest Malware and Threat Actors". Cisco Umbrella.{{cite web}}: CS1 maint: multiple names: authors list (link)
  10. Subramanian, Krishnan (August 18, 2020). "New HTML Smuggling Attack Alert: Duri". Menlo Security.
  11. https://www.malware-traffic-analysis.net/2020/04/08/index.html/
  12. Intelligence, Microsoft Threat (November 11, 2021). "HTML smuggling surges: Highly evasive loader technique increasingly used in banking malware, targeted attacks". Microsoft Security Blog.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.