Highly Evasive Adaptive Threat

A Highly Evasive Adaptive Threat (HEAT) is a cybersecurity attack type designed to bypass traditional network security defenses.^[1] ^[2] HEAT attacks are designed to find ways around protections that have been in place for years.^[3] HEAT attacks are able to bypass typical cybersecurity controls, such as Secure Web Gateways (SWG) and anti-malware capabilities, through malicious links disguised as common URLs that victims assume are safe. HEAT attacks go beyond traditional phishing methods, which have historically been delivered by email, by inserting themselves into links that are not flagged by anti-phishing software.^[4] Similar to most cybersecurity threats, the drivers of HEAT attacks are primarily monetary and political. HEAT attacks focus on technical limitations of commonly deployed security tools with the primary target being web browsers.^[5] Nation-states and cybercriminals typically use HEAT attacks for phishing attempts or ransomware initial access.^[6]

Highly Adaptive Evasive Threats (HEAT) require adaptive threat analysis technology to detect threats missed by other approaches.^[7]

Definition[edit]

HEAT attacks demonstrate four primary characteristics^[8]

Evades offline categorization and threat detection - HEAT attacks bypass URL filtering by using ephemeral and/or compromised malicious sites with benign categorization.
Evades malicious link analysis - HEAT attacks bypass Email Security Tools by expanding from email phishing links to other sources such as web, social media, sms, and file sharing platforms.
Evades static and dynamic content inspection - HEAT attacks bypass file based inspection by using dynamic file downloads (ie. HTML smuggling).
Evades HTTP traffic inspection - HEAT attacks bypass HTTP Content/Page Inspection by using dynamically generated and/or obfuscated content (javascript code and images).

History and Notable HEAT Attacks[edit]

Though some of the techniques used in HEAT attacks have been in the industry for several years, the increasing trends towards remote work, increasing use of Software as a Service (SaaS) and browser based applications, and ransomware attacks have accelerated adoption of HEAT techniques by attackers.

DURI - the DURI HEAT attack was discovered in 2020. Duri's payload was malware that had been previously detected.^[9] However the delivery method evolved to use a HEAT attack technique, HTML smuggling, to increase its infection rate of targeted endpoints ^[10]:.
Qakbot - Qakbot is a banking trojan that has been in use since at least 2007. Qakbot is actively maintained and recent modifications include the use of HEAT attacks such as password protected zip files.^[11]
Nobelium - Nobelium malware is typically used in attacks focused on financial services and other highly targeted victims. The smuggling technique encoded a script within a web page or HTML attachment. The user's web browser decodes the script which subsequently creates the malware payload on the host computer.^[12]

References[edit]

^ Security, Menlo (February 2, 2022). "Too hot to handle: Why modern work has given rise to HEAT attacks". Menlo Security.
^ "3 Challenges to Identifying Evasive Threats". Palo Alto Networks.
^ "The Browser Renaissance: Reshaping the Enterprise Browser Landscape" – via www.youtube.com.
^ "HEAT attacks: A new spin on browser exploit techniques". BetaNews. March 30, 2023.
^ Barth, Bradley (September 27, 2022). "Browser-based HEAT attacks putting CISOs on the hot seat". SC Media.
^ https://ten-inc.com/presentations/Menlo-Threat-Landscape-HEATs-Up-with-Highly-Evasive-Adaptive-Threats.pdf
^ "Leverage Adaptive Threat Analysis to Detect Highly Evasive Malware". info.opswat.com.
^ "The four evasive techniques of Highly Evasive Adaptive Threats -".
^ Ramaswami, Andrea Kaiser, Shyam Sundar (April 1, 2020). "Navigating Cybersecurity During a Pandemic: Latest Malware and Threat Actors". Cisco Umbrella.{{cite web}}: CS1 maint: multiple names: authors list (link)
^ Subramanian, Krishnan (August 18, 2020). "New HTML Smuggling Attack Alert: Duri". Menlo Security.
^ https://www.malware-traffic-analysis.net/2020/04/08/index.html/
^ Intelligence, Microsoft Threat (November 11, 2021). "HTML smuggling surges: Highly evasive loader technique increasingly used in banking malware, targeted attacks". Microsoft Security Blog.

[1] Security, Menlo (February 2, 2022). "Too hot to handle: Why modern work has given rise to HEAT attacks". Menlo Security.

[2] "3 Challenges to Identifying Evasive Threats". Palo Alto Networks.

[3] "The Browser Renaissance: Reshaping the Enterprise Browser Landscape" – via www.youtube.com.

[4] "HEAT attacks: A new spin on browser exploit techniques". BetaNews. March 30, 2023.

[5] Barth, Bradley (September 27, 2022). "Browser-based HEAT attacks putting CISOs on the hot seat". SC Media.

[6] ttps://ten-inc.com/presentations/Menlo-Threat-Landscape-HEATs-Up-with-Highly-Evasive-Adaptive-Threats.pdf

[7] "Leverage Adaptive Threat Analysis to Detect Highly Evasive Malware". info.opswat.com.

[8] "The four evasive techniques of Highly Evasive Adaptive Threats -".

[9] Ramaswami, Andrea Kaiser, Shyam Sundar (April 1, 2020). "Navigating Cybersecurity During a Pandemic: Latest Malware and Threat Actors". Cisco Umbrella.{{cite web}}: CS1 maint: multiple names: authors list (link)

[10] Subramanian, Krishnan (August 18, 2020). "New HTML Smuggling Attack Alert: Duri". Menlo Security.

[11] ttps://www.malware-traffic-analysis.net/2020/04/08/index.html/

[12] Intelligence, Microsoft Threat (November 11, 2021). "HTML smuggling surges: Highly evasive loader technique increasingly used in banking malware, targeted attacks". Microsoft Security Blog.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]