Browser attacks are currently among the most elusive and hard-to-detect attacks in cyberspace. They do not require
the attacker to have any previous interaction with the victims, such as sending them e-mails, social media messages or text
messages; the victim only needs to visit the malicious page. Most of the time the malicious pages are ordinary pages on legitimate,
well-established web sites with many visitors every day, weaponized with a malicious implant. Some of these attacks mine cryptocurrency
using visitors' browsers (cryptojacking), others steal credit card information (data skimming), and others, the most dangerous ones,
can take full control of the visitor's device (browser exploits). Browser attacks focus on traditional browsers, such as Chrome, Edge
or Firefox, but they also target mobile devices, which makes them even harder to detect.
Browser exploits are programs specially crafted to exploit vulnerabilities in browsers or in technologies used by browsers. A browser
exploit can take full control of the attacked device. Lately, browser exploits have become the preferred tactic of APT and cybercriminal
groups, as they are very hard to detect; some of them have been actively exploiting victims for many months, and even years. Browser
exploits can target specific technologies (such as phone makers, browser types, etc.), specific IP addresses, specific browser
languages, etc., which makes them even harder to detect through traditional methods.
Malicious cryptojacking implants inside legitimate web sites use the visitor's device computing power to mine various cryptocurrencies.
This behaviour degrades the overall performance of the device.
Data skimming is a web attack in which a malicious implant inside a legitimate e-shop collects the credit card information submitted by the visitor
and sends it to the attacker.
The HTTP/S and HTML protocols have different implementations in different browsers, mainly because HTTP was standardized as a
protocol years after browsers emerged, thus allowing browser engines to have their own implementation and interpretation
of these protocols.
in the webpage it loads.
Traditional antivirus products or intrusion detection sensors use signature scanning to identify browser attacks,
looking for known code snippets involved in these attacks. But in recent years, browser attacks evolved to using
To counter this behavior, traditional security products try to detect the signature of the actual exploit, or the aftermath of
the attack, such as the connection to the command and control server; but if the exploit is unknown or very new, there is no signature
for it, and if the command and control traffic doesn't look suspicious, for instance a DNS request or an HTTPS connection,
the attack goes totally undetected.
So, the only solution seems to be client-side honeypots, which emulate browsers and access websites hoping to find browser
attacks. But this approach is very time consuming, as modern websites can have hundreds or thousands of pages, and loading
each and every one of them in an instrumented environment takes time. Also, attackers have developed a series of methods
to identify instrumented environments, ranging from delayed execution to detection of virtualized environments, which are
specific to client-side honeypots. On top of that, attackers fingerprint the browser and only attack certain browsers,
certain technologies, or users from a certain geographical area or IP range.
If the client-side honeypot doesn't guess all of the
above, the attack never happens, so the security product fails to identify the offensive web page.
Do watering hole attacks actually happen?
These features of watering hole attacks made them the perfect candidate for penetrating highly secured networks of banks,
the defense industry or government contractors, tech giants such as Facebook, Apple, Twitter or Microsoft, but also activist
groups, investigative journalists or political dissidents all over the world.
Most of the time the victims realize they have been compromised only after a very long period, sometimes even years,
sometimes never, and when they do realize the attack happened, it's usually because of luck or coincidence.
DEKENEAS uses machine learning to understand the contents and behaviour of a web page before further dynamic instrumentation,
looking for code constructs or specifics needed to perform malicious activities. In addition, by implementing
"Code Logic Emulator (CLE)" technology, a large number of machine learning features were added from the actual logic behind the
If an HTML element shows signs of suspicious behavior, it is instrumented in a smart sandbox which emulates user behavior
according to the requirements identified by "Requirements Extractor (RE)" technology. For instance, if the HTML element tries
to identify certain user agents or language settings, the smart sandbox starts that specific browser on that specific platform,
with those specific language settings.
This greatly reduces analysis time, as only suspicious HTML elements are analyzed, while at the same time maximizing
detection accuracy by creating the specific environment requested by the website code.
The network traffic resulting from the interaction with the malicious HTML element is recorded and analyzed with "Network Attack Detector (NAD)"
technology, which identifies attack signs inside network traffic.
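As an added illustration of the fingerprint gating described in the honeypot discussion above and of what a "Requirements Extractor" has to recover from it before the sandbox is started (example code written for this page, not DEKENEAS's own implementation): a small static pass over a constructed gating script that resolves variable aliases, reads the literal each fingerprint check compares against, and records any setTimeout delay, producing the environment the sandbox must present. The sample script and the loadStage2 name are constructed placeholders.

```python
import re

# Constructed sample of the gating logic the article describes: the script only
# proceeds on one platform, language and time zone, and only after a delay.
# loadStage2 is a placeholder name, not code from any real implant.
SAMPLE_JS = """
var ua = navigator.userAgent;
if (ua.indexOf("Android") !== -1 && navigator.language === "en-US") {
  if (new Date().getTimezoneOffset() === 300) {
    setTimeout(function () { loadStage2(); }, 60000);
  }
}
"""

# Fingerprint source -> (environment dimension it constrains, literal kind)
SOURCES = {
    "navigator.userAgent": ("user_agent", "str"),
    "navigator.platform": ("platform", "str"),
    "navigator.language": ("language", "str"),
    "getTimezoneOffset()": ("timezone_offset_min", "num"),
}
ALIAS_RE = re.compile(r"\b(?:var|let|const)\s+(\w+)\s*=\s*(navigator\.\w+)")
STR_RE = re.compile(r'"([^"]*)"')
NUM_RE = re.compile(r"(?<![\w.])-?\d+(?![\w.])")
DELAY_RE = re.compile(r"setTimeout\(.*?,\s*(\d+)\s*\)", re.S)

def extract_requirements(js: str) -> dict:
    """Return the environment a sandbox must present for the script to proceed."""
    aliases = dict(ALIAS_RE.findall(js))
    reqs: dict = {}
    for line in js.splitlines():
        # Resolve aliases such as `ua` back to the navigator property they hold.
        for alias, src in aliases.items():
            line = re.sub(rf"\b{alias}\b", src, line)
        # Each boolean clause is one gate; read its compared literals separately.
        for clause in re.split(r"&&|\|\|", line):
            for src, (dim, kind) in SOURCES.items():
                if src in clause:
                    pattern = STR_RE if kind == "str" else NUM_RE
                    reqs.setdefault(dim, set()).update(pattern.findall(clause))
    # Delayed execution: the sandbox must stay alive at least this long.
    delays = [int(d) for d in DELAY_RE.findall(js)]
    if delays:
        reqs["min_wait_ms"] = max(delays)
    return reqs

if __name__ == "__main__":
    print(extract_requirements(SAMPLE_JS))
```

For the sample script the extractor reports an Android user agent, the en-US language, a time zone offset of 300 minutes (UTC-5) and a minimum wait of 60 seconds, which is exactly the profile the smart sandbox would need to select.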
These unique features allowed DEKENEAS to uncover a series of complex attacks carried out by APT groups, but also
by cybercriminals, all of them using either very new or unknown exploitation vectors.