
QR Codes Allow Attackers to Circumvent Browser Isolation


Researchers have discovered a method to bypass various forms of browser isolation, presenting a potential vulnerability that could enable cyber attackers to transmit harmful data to a remote device using QR codes.

The proof-of-concept (PoC) developed by experts from Mandiant showcases a technique that circumvents remote, on-premises, and local browser isolation by replacing HTTP request-based communication with QR codes. This manipulation allows malicious actors to relay commands from a command-and-control (C2) server to a target device. Browser isolation serves as a critical security measure for organizations combating phishing threats, protecting against browser-delivered attacks, and thwarting common C2 tactics employed by attackers.

Typically, when browser isolation is active, a remote browser manages all aspects of page rendering and JavaScript execution, transmitting only the visual representation of the webpage to the local browser. This approach hampers attackers’ ability to control a device remotely through HTTP requests, as the HTTP response delivered to the local browser solely consists of the streaming engine required to display the remote browser’s visual content.

By using machine-readable QR codes, an attacker can transmit data from an attacker-controlled server to a compromised implant even when the webpage is rendered in a remote browser. The malicious implant renders the webpage visually, decodes commands from the displayed QR code, retrieves a valid HTML webpage from the C2 server with command data encoded in a QR code, and ultimately executes the C2 command on the compromised device.

However, the implementation of this bypass technique poses certain challenges and limitations. For instance, it is impractical to employ the PoC with QR codes containing the maximum data size, given that the visual quality may not be sufficient for reliable content reading. Additionally, the process incurs notable latency in the C2 channel, taking at least five seconds for requests to display and scan QR codes due to processing requirements and visual content streaming delays.

Furthermore, the PoC overlooks various security features inherent to browser isolation environments, such as domain reputation, URL scanning, data-loss prevention, and request heuristics. Overcoming these security layers may be necessary when using the bypass technique in such environments.

Despite the potential risks associated with this bypass method, Mandiant advocates for the continued utilization of browser isolation as a robust defense against client-side browser exploitation and phishing attempts. It is important to view browser isolation as a component of a comprehensive cyber defense strategy, complemented by measures such as monitoring for unusual network activity and engaging browsers in automation mode to combat web-based attacks.
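A defender-side check in the spirit of the monitoring advice above, written here as an added example (not Mandiant's code): it scans process-creation events and flags browser launches that carry Chromium automation switches or that descend from an unexpected parent process. The JSON-lines event shape, the parent-process heuristic and the sample events are constructed assumptions; real EDR or Sysmon fields differ.

```python
import json

# Chromium command-line switches commonly seen when a browser is driven programmatically.
AUTOMATION_SWITCHES = {
    "--headless",
    "--remote-debugging-port",
    "--remote-debugging-pipe",
    "--enable-automation",
}
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "chrome", "chromium", "msedge"}
# Assumption: a user-launched browser descends from the desktop shell; browsers also
# spawn their own renderer children, so browser images are accepted as parents too.
EXPECTED_PARENTS = {"explorer.exe"} | BROWSER_IMAGES

# Constructed sample events (one JSON object per line), not taken from the article.
SAMPLE_EVENTS = """\
{"ts": "2024-12-10T09:01:02Z", "user": "alice", "parent": "explorer.exe", "image": "chrome.exe", "cmdline": "chrome.exe https://intranet.example/"}
{"ts": "2024-12-10T09:05:17Z", "user": "alice", "parent": "updater.exe", "image": "chrome.exe", "cmdline": "chrome.exe --headless=new --remote-debugging-port=9222 https://portal.example/login"}
{"ts": "2024-12-10T09:06:40Z", "user": "bob", "parent": "explorer.exe", "image": "msedge.exe", "cmdline": "msedge.exe --enable-automation"}
{"ts": "2024-12-10T09:07:01Z", "user": "bob", "parent": "explorer.exe", "image": "notepad.exe", "cmdline": "notepad.exe notes.txt"}
"""


def automation_switches(cmdline: str) -> set[str]:
    """Return the automation-related switches present in a command line (value part stripped)."""
    found = set()
    for token in cmdline.split():
        name = token.split("=", 1)[0]
        if name in AUTOMATION_SWITCHES:
            found.add(name)
    return found


def scan(jsonl: str) -> list[dict]:
    """Return one finding per browser launch that looks automated or oddly parented."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["image"].lower() not in BROWSER_IMAGES:
            continue  # only browser processes are of interest here
        reasons = []
        switches = automation_switches(ev["cmdline"])
        if switches:
            reasons.append("automation switches: " + ", ".join(sorted(switches)))
        if ev["parent"].lower() not in EXPECTED_PARENTS:
            reasons.append("unexpected parent: " + ev["parent"])
        if reasons:
            findings.append({"ts": ev["ts"], "user": ev["user"], "image": ev["image"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["ts"], f["user"], f["image"], "|", "; ".join(f["reasons"]))
```

Findings of this kind are a triage signal, not proof of compromise: legitimate test harnesses and some enterprise tooling also run browsers headless, so the parent and switch sets should be tuned to the environment.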
