While hackers are always experimenting and innovating to catch up with the latest cybersecurity advances, they are also not afraid to stick with the tried and true. Why? Because it works.
Why spend a lot of time and money trying to outfox the good guys if a simple phishing email still gets you in? Same with other “tricks.” One oldie but goodie (if you are a hacker) has seen a resurgence this year: HTML smuggling.
“HTML smuggling has been around for a while, and it can be very effective in achieving some objectives from the hackers’ point of view,” says James Carlson, an independent cybersecurity consultant in Portland, Oregon.
Researchers have warned of a recently launched HTML smuggling campaign that is making the rounds. The campaign is called “Duri,” and it relies on HTML smuggling to get its payload past network defenses.
ThreatPost described it in a recent dispatch:
An active campaign has been spotted that utilizes HTML smuggling to deliver malware, effectively bypassing various network security solutions, including sandboxes, legacy proxies, and firewalls.
ThreatPost says Duri, which has been active since July, starts by sending victims malicious links.
Duri is not completely new
Similar smuggling techniques have been around as far back as the early 2000s. They create an HTML file that contains an encoded or encrypted copy of an HTA (HTML Application) payload. Dangerous HTA payloads have historically been used in email phishing attacks as attachments.
Most protection programs have caught up over the years and don’t even allow HTA through, Carlson tells SmarterMSP.
However, hackers have found a way around such protections: an HTML file carries an encoded or encrypted copy of the HTA payload, and script on the page rebuilds the file inside the browser. Everything arrives in a single ordinary HTTP response, which the proxy happily allows because it sees only HTML; no .hta file ever crosses the network as a file, so filters that key on file type or extension have nothing to match.
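The following is an added example written for this article; it is not code from the Duri campaign, from ThreatPost, or from the consultant quoted here. It shows the mechanism in a harmless form (the "payload" is a constructed text string, not an HTA) and pairs it with a simple indicator-based check that a proxy or gateway could run on the HTML body. Function and indicator names are my own, and the script assumes Node.js 18 or later.

```javascript
// Added example (not from the article or the Duri campaign). Demonstrates the
// client-side reconstruction step of HTML smuggling with a harmless payload,
// and a heuristic detector for the indicators a content filter can score on.
// Assumes Node.js 18+.

// Constructed, harmless "payload". A real campaign would embed an HTA here.
const PAYLOAD_TEXT = "constructed sample file, not an HTA\n";
const PAYLOAD_B64 = Buffer.from(PAYLOAD_TEXT, "utf8").toString("base64");

// The HTML a proxy actually sees. The file does not exist on the wire: the
// browser decodes the embedded string, wraps it in a Blob and "clicks" a
// download link, so no separate request for a .hta ever reaches the network.
function buildSmugglingPage(b64, filename) {
  return [
    "<html><body><script>",
    `  var bin = atob("${b64}");`,
    "  var bytes = new Uint8Array(bin.length);",
    "  for (var i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);",
    '  var blob = new Blob([bytes], { type: "application/octet-stream" });',
    '  var a = document.createElement("a");',
    "  a.href = URL.createObjectURL(blob);",
    `  a.download = "${filename}";`,
    "  a.click();",
    "</script></body></html>",
  ].join("\n");
}

// The same decode step performed here in Node, so the result can be checked
// offline: pull the base64 argument out of atob("...") and decode it.
function reconstructPayload(page) {
  const m = page.match(/atob\("([A-Za-z0-9+\/=]+)"\)/);
  if (!m) return null;
  return Buffer.from(m[1], "base64").toString("utf8");
}

// Indicators a filter can score on: data decoding plus a download sink. Any
// one of these is common in legitimate pages; several together are rarer.
const INDICATORS = {
  base64Decode: /\batob\s*\(/,
  blobConstruction: /new\s+Blob\s*\(/,
  objectUrl: /URL\.createObjectURL\s*\(/,
  downloadAttribute: /\bdownload\s*=/,
  legacyIeSave: /msSaveOrOpenBlob|msSaveBlob/,
  htaExtension: /\.hta\b/i,
};

function matchedIndicators(html) {
  return Object.keys(INDICATORS).filter((k) => INDICATORS[k].test(html));
}

// Flag a page only when it both decodes embedded data and hands the result to
// a download sink. The .hta extension is deliberately not required, because
// the file name is attacker-chosen and may be anything.
function looksLikeSmuggling(html) {
  const hits = matchedIndicators(html);
  const decodes = hits.includes("base64Decode") || hits.includes("blobConstruction");
  const sinks =
    hits.includes("objectUrl") ||
    hits.includes("downloadAttribute") ||
    hits.includes("legacyIeSave");
  return decodes && sinks;
}

// Stand-alone demonstration.
const demoPage = buildSmugglingPage(PAYLOAD_B64, "report.hta");
console.log("plaintext visible on the wire:", demoPage.includes(PAYLOAD_TEXT));
console.log("reconstructed in the browser:", JSON.stringify(reconstructPayload(demoPage)));
console.log("indicators:", matchedIndicators(demoPage).join(", "));
console.log("flagged:", looksLikeSmuggling(demoPage));
```

The detector is intentionally a heuristic: a page with a single legitimate `download=` link is not flagged, while one that decodes embedded data and feeds it to a download sink is. A real gateway would run this kind of check on the decoded response body (after any compression) and pair it with the endpoint-side controls discussed below, since an attacker can trivially rename functions or split the base64 string to evade fixed patterns.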
Carlson notes that HTA files have proven reliable and successful for web-based attacks against Internet Explorer: an HTA opened in IE is launched by mshta.exe, a signed Microsoft binary, and the HTA’s script can then start PowerShell and inject a payload into memory.
Internet Explorer does, however, have built-in warnings that users should not ignore. The browser prompts the user not once but twice before loading an HTA file, and because those prompts reduce the chances of a successful attack, IE is a mixed bag for the attacker. Other browsers seem more hit and miss in how well they filter out these kinds of attacks.
How can MSPs defend clients against HTML smuggling?
- Block HTA files and mshta.exe. Carlson advises one tactic would be to not allow HTA files in clients’ environments at all, for example by blocking the .hta extension at mail and web gateways and restricting mshta.exe with application control. That is a catch-all that may block some legitimate files, but it may be worthwhile for businesses that have no need for HTAs.
- Strong endpoint protection. HTML smuggling is a viable tool for hackers, and there are few practical tools for defenders to intercept a well-executed HTML smuggling attempt in transit, warns Carlson. So if, figuratively speaking, a vaccine isn’t feasible, then treatment is the next best thing, and in this case treatment is reliable endpoint protection. MSPs should implement measures that blunt the impact of malicious content that reaches endpoints: controls on the endpoint itself that keep a released payload from executing or spreading, so that if it does land, it stays contained.
For his final piece of advice, Carlson offers, “Robust user education is probably the most powerful weapon MSPs have at their disposal.”