What is Dekeneas?

DEKENEAS is a web malware scanner able to detect browser attacks, such as exploits, watering holes, drive-by attacks, web based cryptojacking or data skimming (such as Magecart) implants. Unlike other publicly available tools, DEKENEAS is mostly efficient at identifying 0day attacks (previously unknown attacks), having detected such attacks against popular browsers such as Chrome, Firefox or Safari, both for traditional (desktop, laptop, etc. running Linux, Windows and MacOS) and mobile (Android, iOS) devices. While nowadays malware eludes most traditional signature scanning technologies, DEKENEAS employs the power of machine learning to analyze the behaviour of web pages, and whenever an element of a web page looks suspicious it is analyzed by a smart sandbox. For more information consult the datasheet and the presentation.

BROWSER ATTACKS PROBLEM REALITY SOLUTION

Browser attacks

Browser attacks are currently some of the most elusive and hard to detect attacks existing in the cyberspace. They do not require the attacker to have previous interactions with the victims, such as sending them e-mails, social media or text messages, they just need the victim to visit the malicious page. And most of the times the malicious pages are the usual pages in legitimate and well established web sites, with many visitors every day, weaponized with a malicious implant. Some of these attacks mine crypto coins using visitor's browsers (cryptojacking), others steal credit card information (data skimming) and others, the most dangerous ones, can take full control of visitor's device (browser exploits). Browser attacks focus on traditional browsers, such as Chrome, Edge or Firefox, but they also target mobile devices, which makes them even harder to detect.

Browser exploits

Browser exploits are programs specially crafted to exploit vulnerabilities inside browsers or technologies used by browsers. A browser exploit can take full control of the attacked device. Lately, browser exploits became the predilect tactic for APT and cybercriminal groups, as they are very hard to detect, some of them having been actively exploiting victims for many months, and even years. Browser exploits can target specific technologies (such as phone makers, browser types, etc.), specific IP addresses, specific browser languages, etc. which makes them even harder to detect through traditional methods.

Cryptojacking

Malicious cryptojacking implants inside legitimate web sites use visitor's device computing power in order to mine for various cryptocurrencies. This behaviour generates latency in overall performance of the device

Data skimming

Data skimming is a web attack in which a malicious implant inside a legitimate e-shop collects the credit card information submitted by the visitor and sends it to the attacker.

The problem

The HTTP/S and HTML protocols have different implementations on different browsers, mainly because HTTP was standardized as a protocol years later after browsers emerged, thus allowing browser engines to have their own implementation and interpretation of these protocols.

Once with the introduction of Javascript, the web pages began to act dynamically, instead of serving static content. This means that the final form of the website will only be interpreted by user's browser, after all Javascript is executed in user's browser context. This also means that the security products should know exactly how user's browser interprets and executes the Javascript in the webpage it loads.

Traditional antivirus products or intrusion detection sensors would use signature scanning to identify browser attacks, looking for known code snippets that are involved in these attacks. But in the recent years, browser attacks evolved to using Javascript obfuscation to hide relevant code snippets, making it impossible for traditional security products to detect such attacks.

To counter this behavior, traditional security products try to detect the signature of the actual exploit, or the aftermath of the attack, such as the connection to the command and control server, but if the exploit is unknown or very new, there is no signature for it, and if the command and control server doesn't look suspicious, for instance it's a DNS request, or a HTTPS connection, the attack goes totally undetected.

So, the only solution seems to be client-side honeypots, which emulate browsers and access websites hoping to find browser attacks. But this approach is very time consuming as modern websites can have hundreds or thousands of pages, and loading each and every one of them in an instrumented environment takes some time. Also, the attackers developed a series of methods to identify instrumented environments, ranging from delayed execution to detection of virtualized environments, which are specific to client-side honeypots. On top of that, the attackers fingerprint the browser, and only attack certain browsers, certain technologies or users from a certain geographical area or IP range.

If the client-side honeypot doesn't guess all of the above, the attack never happens, so the security product fails to identify an offensive web page.

Do watering hole attacks actually happen?

These features of watering hole attacks made them the perfect candidate in penetrating highly secured networks from banks, defense industry or government contractors, tech giants such as Facebook, Apple, Twitter, or Microsoft, but also, activist groups, investigative journalists or political disidents all over the world.

Most of the times the victims realize they have been compromised after a very long period of time, sometimes even years, sometimes never, and when they realize the attack happened, it's usually because of luck or coincidence.

DEKENEAS

DEKENEAS uses machine learning to understand the contents and behaviour of a web page before further dynamic instrumentation looking for code constructs or specifics needed to perform malicious activities. In addition to this, by the implementation of "Code Logic Emulator (CLE)" technology, a major number of machine learning features were added from the actual logic behind the malicious code.

If an HTML element shows signs of suspicious behavior it gets instrumented in a smart sandbox which emulates user behavior according to the requirements identified by "Requirements Extractor (RE)" technology. For instance, if the HTML element tries to identify certain user agents or language settings, the smart sandbox starts that specific browser on that specific platform, with the specific language settings.

This behavior greatly reduces the analysis time, as only suspicious HTML elements will be analyzed, in the same time maximizing the accuracy of detection, by creating the specific environment requested by the website code.

The network traffic resulted from the interaction with the malicious HTML element is recorded and analyzed with "Network Attack Detector (NAD)" technology which identifies attack signs inside network traffic.

These unique features allowed DEKENEAS to uncover a series of complex attacks carried by APT groups, but also carried by cybercriminals, all of them using either very new or unknown exploitation vectors.

08.03.2023 -- TODAY WE SAVED OUR CUSTOMER FROM BLACKBYTENT RANSOMWARE

One of the customers of AIO (AM I OWNED) product was alerted late last night by some of the decoys deployed inside their infrastructure. Specifically, the first alert was triggered by an Active Directory decoy, soon followed by triggering of various Microsoft Office and PDF decoys placed on a certain workstation inside their network. The incident response team was able to determine with precision the compromised workstation, isolating it from the network and recovering binaries used by the threat actors. After carefully investigating the binaries we were able to assert with certainty that they were part of BlackByteNT ransomware campaign. Also, the incident response team was able to determine that initial access was obtained through a malicious Microsoft Office document sent by e-mail (CVE-2023-21716).

06.12.2022 -- ROMANIAN PUBLIC INSTITUTION WEBSITE USED IN WATERING HOLE ATTACK

Romanian public institution in Cluj area used in watering hole attack
The exploit was a type confusion in V8 bug affecting Windows, Linux and MacOS Chrome and Microsoft Edge and it was patched in the latest Chrome, version 108.0.5359.94 for Mac and Linux, and to 108.0.5359.94 or 108.0.5359.95 for Windows. We were able to obtain the full exploitation chain and also, the second stage malware thanks to #Dekeneas next-gen dynamic analysis. We haven't been able to perform accurate attribution during this attack. Some other websites may be hosting the same attack code as we discovered this particular attack while one of our users was visiting the watering hole website.

14.11.2022 -- NEW PRODUCTS ADDED

DEKENEAS products:

Browser Attack Detector
Can detect cryptojacking attacks (unauthorized use of browser to mine cryptocurrencies), data skimming attacks (credit card stealing implants, usually in web shops) or known and unknown exploit attacks against Chrome, Firefox, Edge, Safari, for desktops/laptops/servers but also for mobile (Android and iOS) or IoT devices.

Cyber Threat Intelligence NEW
Custom tailored CTI feed collected from a network of hundreds of devices (honeypots with low, medium or high interaction) for more than 60 different technologies from generic technologies, such as HTTP or SSH, to ICS/SCADA or IoT technologies.

Am I Owned NEW
We can transform virtually any asset in your network or device into a decoy appealing to hackers. When attackers compromise such an asset you will get an alert, knowing something unauthorized is happening, long before the attacker can impact your organization.

Phishing Attack Detection NEW
Actively detecting phishing campaigns aimed at your organization, also providing analysis and takedown services.

22.02.2022 -- DEKENEAS 2.0 RELEASED

We are thrilled to announce the release of DEKENEAS 2.0, three years after DEKENEAS 1.0 was first introducing the concept of using machine learning to detect browser attacks and malicious web implants. The experience we gathered allowed us to better understand the tactics, techniques and procedures used by skilled actors to exploit and attack browser technologies, and while we constantly improve the technologies used to detect, identify and analyze web based threats, the new release brings a total rewrite from scratch of the whole project, new approaches and technologies. As a result, we added new instructions and code constructs used in malicious implants to our detection algorithm, we developed a new technology called "Code Logic Emulator (CLE)", we improved the "Requirements Extractor (RE)" technology, we replaced the old Javscript sandbox with native smart sandboxes for both mobile and desktop environments, supporting various browsers for Windows, Linux, MacOS, Android or iOS, and last, but not least, we added "Network Attack Detector (NAD)" which is also a novel technology aiming to identify exploitation attempts in network traffic.

Code Logic Emulator
"Code Logic Emulator" (CLE) is a technology we developed in order to maximize the detection probability of malicious web implants by emulating the logic behind the code without the need to emulate the code itself and before deciding to analyze it inside a sandbox environment. Understanding the logic behind the suspicious code adds a great number of new features to the malicious features dataset, which is used to describe the behaviour of a malicious implant, therefore giving a more accurate picture on the functionalities of the code.

Requirements Extractor
"Requirements Extractor" (RE) is a technology used to identify if the code under scrutiny is requiring specific conditions to run, such as certain user agents, browser settings, language settings, IP address space, etc. This information is used both as features in the malicious features dataset, but also to know a priori what kind of sandbox environment to be started for this specific piece of code. This technology greatly reduces the probability of missing certain malicious activities due to analysis performed in the wrong environment.

Native Smart Sandboxes
One of the most important improvements we made to DEKENEAS platform is the implementation of native sandboxes. We designed and created sandboxes for Linux, Windows and MacOS operating systems which are used in classical desktop devices, but also we designed and created sandboxes for mobile devices running on iOS and Android. The sandboxes support various browser technologies, specific to each platform and deploy methods and techniques to deter the identification of the analysis environment by making it appear legitimate. This includes, but is not limited to user interactions, screen sizes, apps and programs installed, etc.

Network Attack Detector
The "Network Attack Detector" (NAD) is a novel technology able to identify attacks in network traffic. The "Network Attack Detector" decrypts network traffic between client browser and the web server and scans for various indicators of exploitation such as nop sleds, heap spraying, shellcode and other specific indicators of attacks or compromises.

All these technologies work together to give a better insight and understanding on how the attacks are performed, providing a hollistic approach on identification and analysis of browser attacks, both on traditional devices such as personal computers, or laptops, but also on mobile devices such as smartphones or tablets.

Happy hunting!

DEKENEAS

DEKENEAS is a unique product, being the only publicly available tool able to identify with great accuracy both known and unknown browser exploits ("0day") and attacks by the means of artificial intelligence algorithms, instead of traditional signature scanning. Our approach is mainly focused on detection of unknown attack vectors for the vast majority of existing desktop browsers, such as Chrome, Edge, Firefox or Safari, but also mobile devices browsers for Android and iPhone. Our artificial intelligence algorithms understand the code of the website before actually executing it, and tries to understand if the code constructs encountered are malware specific or they are benign. Also it tries to figure out if there are special conditions for certain code to run, such as specific User-Agent strings, language settings or IP addresses. All this information is later used during the instrumentation performed by Dekeneas Sandbox, which comes as a double check, actually executing the suspicious code in a real environment according to the special conditions requested by the analyzed code, launching a specific browser with specific language or country settings in a specific environment (desktop or mobile), and analyzing how the code interacts with the browser. In addition to code instrumentation Dekeneas Sandbox also analyzes the traffic generated looking for exploitation gadgets, therefore maximizing the chances of identifying unknown attacks.

• Signature less scanning - browser malware looks different from infection to infection so signature scanning is mostly useless
• In-depth scanning of websites - most attacks are not placed in the first page
• Code interpretation without actually executing the code - greatly optimizing analysis time
• Detection of attacks in the early stage - as opposed to traditional methods who detect post-exploitation stage of infection
• Anti anti analysis capabilities - most browser attacks are highly obfuscated and have anti analysis capabilities
• Anti evasion capabilities - most browser attacks are able to evade detection by targetting specific browsers, technologies or settings

Download Datasheet

Download Presentation

Dekeneas On-Premise WSG

The Dekeneas WSG range is a family of secure web gateway appliances, integrating the advanced artificial intelligence malware scanning capabilities of the DEKENEAS into your network, protecting your users from some of the most elusive attacks used by hackers.

WSG-010 WSG-100 WSG-200

WSG-010

Virtual Appliance

• Administration interface
• Transparent Proxy (network traffic redirector, WCCP redirect)
• Explicit Proxy (supports PAC installation, WPAD server, Active Directory)
• HTTP/S inspection
• URL filtering based on DEKENEAS

• Integrated DEKENEAS engine
• Supports both IPv4 and IPv6 protocol stacks
• Supports integrations with external threat intelligence feeds, commercial or open source
• Custom and automated whitelisting of websites
• Custom and automated blacklisting of malicious websites
• Automated antivirus scanning of files in transit
• Automated updates of AV signature database
• Automated blocking of malicious files in transit

Download Datasheet

WSG-100

Hardware Appliance

• Administration interface
• Transparent Proxy (network traffic redirector, WCCP redirect)
• Explicit Proxy (supports PAC installation, WPAD server, Active Directory)
• HTTP/S inspection
• URL filtering based on DEKENEAS
• Active Directory integration (multi realm, multi forest NTLM, single sign on through browser stored credentials)
• Inline sandbox
• Bandwidth management

• Integrated DEKENEAS engine
• Supports both IPv4 and IPv6 protocol stacks
• Supports integrations with external threat intelligence feeds, commercial or open source
• Custom and automated whitelisting of websites
• Custom and automated blacklisting of malicious websites
• Automated antivirus scanning of files in transit
• Automated updates of AV signature database
• Automated blocking of malicious files in transit
• Automated YARA scanning of files in transit
• Automated updates of AV signature database
• Automated blocking of malicious files in transit
• Data leakage prevention through artificial intelligence classification

Download Datasheet

WSG-200

Hardware Appliance

• High availability setup

• Administration interface
• Transparent Proxy (network traffic redirector, WCCP redirect)
• Explicit Proxy (supports PAC installation, WPAD server, Active Directory)
• HTTP/S inspection
• URL filtering based on DEKENEAS
• Active Directory integration (multi realm, multi forest NTLM, single sign on through browser stored credentials)
• Inline sandbox
• Bandwidth management

• Integrated DEKENEAS engine
• Supports both IPv4 and IPv6 protocol stacks
• Supports integrations with external threat intelligence feeds, commercial or open source
• Custom and automated whitelisting of websites
• Custom and automated blacklisting of malicious websites
• Automated antivirus scanning of files in transit
• Automated updates of AV signature database
• Automated blocking of malicious files in transit
• Automated YARA scanning of files in transit
• Automated updates of AV signature database
• Automated blocking of malicious files in transit
• Data leakage prevention through artificial intelligence classification

Download Datasheet