QR codes can be used to crack this vital browser security tool

1 week ago 3
Ransomware
Image credit: Shutterstock (Image credit: Shutterstock)

  • Browser isolation runs all scripts in a remote, or virtual environment, but QR codes still make it through
  • If a device is infected with malware, it can get commands via QR codes, rendering browser isolation useless
  • The method works, but has its limitations

Cybersecurity researchers from Mandiant claim to have discovered a new way to get malware to communicate with its C2 servers through the browser, even when the browser is isolated in a sandbox.

There is a relatively new method of protecting web-borne cyberattacks, called “browser isolation”. It makes the victim’s browser communicate with another browser, located in a cloud environment, or a virtual machine. Whatever commands the victim inputs are relayed to the remote browser, and all they get in return is the visual rendering of the page. Code, scripts, commands, all get executed on the remote device.

One can think of it as browsing through the lens of a phone’s camera.

Limits and drawbacks

But now, Mandiant believes that C2 servers (command & control) can still talk to the malware on the infected device, regardless of the inability to run code through the browser, and that is - via QR codes. If a computer is infected, the malware can read the pixels rendered on the screen, and if they’re a QR code, that is enough to get the program to run different actions.

Mandiant prepared a proof-of-concept (PoC) showing how the method works on the latest version of Google Chrome, sending the malware through Cobalt Strike’s External C2 feature.

The method works, but it’s far from ideal, the researchers added. Since the data stream is limited to a maximum of 2,189 bytes, and since there is a roughly 5-second latency, the method cannot be used to send large payloads, or facilitate SOCKS proxying. Furthermore, additional security measures such as URL scanning, or data loss prevention, may render this method completely useless.

Still, there are ways the method could be abused to run destructive malware attacks. Therefore, IT teams are advised to still keep an eye on the flow of traffic, especially from headless browsers running in automation mode.

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Via BleepingComputer

You might also like

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read Entire Article