Google Report Highlights Malware Targeting Browser Vulnerabilities

By Nick Kael, CTO at Ericom

The browser is the target

Last week, Google’s Project Zero exploit research team published reports detailing a sophisticated cyber operation that targeted vulnerabilities in Chrome and Windows, installing malware to exploit weaknesses in the browser and operating system to compromise endpoints. Some of the advanced malware targeted vulnerabilities that were, at the time, unknown to Google and Microsoft. These included:

• CVE-2020-6418—Chrome Vulnerability in TurboFan
• CVE-2020-0938—Font Vulnerability on Windows
• CVE-2020-1020—Font Vulnerability on Windows
• CVE-2020-1027—Windows CSRSS Vulnerability

How browser vulnerabilities are leveraged in attacks

In a multi-step process, hackers first designed malware to exploit these four specific vulnerabilities. They then embedded the malware into the code of websites – either newly created sites or existing sites they were able to penetrate and then alter.

The result was the creation of malicious “watering-hole” sites, which infect an endpoint web browser application (e.g. Chrome) as it renders the web page when a user visits the site. (For an illustration of how malware within website code gets into an endpoint browser, right click your mouse and select “view page source” the next time you visit a site in Chrome. All the code that you see came into your browser when you browsed to that webpage).

A final step of the attack, which was not covered in the report, was to lure users to the “watering-hole” sites, most likely through a combination of phishing emails and/or social engineering techniques. The attackers may have cast a wide net, pulling in users indiscriminately, or gone after specific high-value individuals, who were targeted because the hackers believed their laptops might have elevated system and data access rights.

Hundreds of browser vulnerabilities are discovered each year

While this specific attack had characteristics that pointed to hackers with a high level of sophistication and resources, it is a prime example of a type of attack type that has recently grown dramatically in the wild. Many IT professionals are shocked to learn how many browser vulnerabilities are discovered each year. In 2019 for example, nearly 450 new vulnerabilities were reported across the four leading web browsers (Chrome, Edge, Safari, and Firefox). It is just these types of vulnerabilities that hackers target with browser exploits, by altering website code to exploit the vulnerability, get onto the endpoint and, from there, move laterally in the network to lock up systems, steal data, disrupt operations, and destroy digital assets.

What can organizations do to stop these attacks?

Unfortunately, legacy security tools like Secure Web Gateways and web-filtering Next Generation Firewalls are often powerless to prevent this class of attack. They rely on detection approaches that scan through web traffic looking for known malware signatures, or try to determine which sites might be bad based on risk factors such as length of time a URL has been active.

These approaches, of course, cannot stop a hacker from splicing zero-day malware onto an existing 3rd-party website with web code vulnerabilities that make it ripe for hijacking. More importantly, they cannot protect an organizations if one of their users browses to a watering-hole site, since neither the zero-day nor the URL is (yet) known to be bad.

Remote browser isolation: The Zero Trust answer

Remote Browser Isolation (RBI) is a detectionless new approach that applies the zero trust concept of “trust nothing, always verify” and applies it to web browsing. Since it is a given that web content can’t be verified as safe, RBI trusts no website as being safe enough to be rendered on an endpoint.

RBI prevents ransomware, advanced web threats, and phishing attacks from reaching user endpoints by executing active web content in a remote, isolated cloud container. A user who browses to a malicious site or clicks a URL embedded in a phishing email remains completely safe since no web content is ever executed directly on their device.

The user experiences secure and seamless interaction via safe rendering information representing the website that is sent to the device’s browser. For additional phishing protection, websites launched from URLs in emails can be rendered in read-only mode to prevent users from entering personal credentials. Attached files are sanitized before being transmitted to endpoints, ensuring that malware within downloads cannot compromise users’ devices.

The RBI approach changes the traditional web security paradigm that was based on detection. Instead, it leverages a prevention-without-detection approach that stops 100% of web-based malware – even zero-day drive-by and watering-hole malware – from compromising endpoints.

Due to the power of this approach, RBI is starting make waves in the cybersecurity industry. In its most recent Secure Web Gateway Magic Quadrant, Gartner noted the increasing market demand for RBI. They also highlighted RBI in the latest Gartner Hype Cycle for Network Security, stating “we (Gartner) see RBI being a critical capability in the future delivery of a secure access service edge (SASE), supporting integration with secure web gateways, cloud access security brokers, and Zero Trust network access services.”

Many organizations have discovered the power of RBI and are bringing it into their security stack in 2021 to significantly improve ransomware prevention and data protection.

To learn more about the risks associated with browser vulnerabilities and how RBI is uniquely able to prevent this growing class of attacks, please download, “Browsers are the Target, Protect them with Zero Trust Browser Isolation.”

About the Author

Nick Kael, CTO | Ericom

A cybersecurity expert with over 20 years of experience in web technologies, architecture, infrastructure, networking and dev environments, Nick is responsible for solution management, technology strategy and technology partnerships. Nick was previously Symantec Group CTO for Global Service Providers, following his tenure as Director of the Chief Architect Team for Channel and Service Providers at Zscaler and an earlier position in the Symantec CTO organization. His certifications include CEH7, CCSK, BCCPP, Bluecoat Blue Knight, MCSE + Security, CCDP, CCNA, CCSA, VTP5 and VTSP5.