QR codes can be used to crack this vital browser security tool

By
SACHIN KELKAR
-
7

QR codes can be used to crack this vital browser security tool

News

By Sead Fadilpašić

published 9 December 2024

Browser isolation can easily be bypassed with QR codes, experts warn


Ransomware
Image credit: Shutterstock(Image credit: Shutterstock)
  • Browser isolation runs all scripts in a remote, or virtual environment, but QR codes still make it through
  • If a device is infected with malware, it can get commands via QR codes, rendering browser isolation useless
  • The method works, but has its limitations

Cybersecurity researchers from Mandiant claim to have discovered a new way to get malware to communicate with its C2 servers through the browser, even when the browser is isolated in a sandbox.

There is a relatively new method of protecting web-borne cyberattacks, called “browser isolation”. It makes the victim’s browser communicate with another browser, located in a cloud environment, or a virtual machine. Whatever commands the victim inputs are relayed to the remote browser, and all they get in return is the visual rendering of the page. Code, scripts, commands, all get executed on the remote device.

One can think of it as browsing through the lens of a phone’s camera.

Limits and drawbacks

But now, Mandiant believes that C2 servers (command & control) can still talk to the malware on the infected device, regardless of the inability to run code through the browser, and that is – via QR codes. If a computer is infected, the malware can read the pixels rendered on the screen, and if they’re a QR code, that is enough to get the program to run different actions.

Mandiant prepared a proof-of-concept (PoC) showing how the method works on the latest version of Google Chrome, sending the malware through Cobalt Strike’s External C2 feature.

The method works, but it’s far from ideal, the researchers added. Since the data stream is limited to a maximum of 2,189 bytes, and since there is a roughly 5-second latency, the method cannot be used to send large payloads, or facilitate SOCKS proxying. Furthermore, additional security measures such as URL scanning, or data loss prevention, may render this method completely useless.

Still, there are ways the method could be abused to run destructive malware attacks. Therefore, IT teams are advised to still keep an eye on the flow of traffic, especially from headless browsers running in automation mode.

Via BleepingComputer

You might also like

  • Another major US healthcare organization has been hacked, with potentially major consequences
  • Here’s a list of the best antivirus
  • These are the best endpoint protection tools right now
TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

More about security
AI PC laptop

Microsoft challenges you to hack its LLM email service

Red padlock open on electric circuits network dark red background

Popular Python AI library hacked to deliver malware

Latest
Micron 6550 ION solid-state drive (SSD) pictured against a black background

Everything you need to know about Micron’s “game-changer” 6550 ION SSD

See more latest ►
Previous articleThis is too easy – I just used Sora for the first time and it blew my mind
Next articleEverything you need to know about Micron’s “game-changer” 6550 ION SSD
SACHIN KELKAR
SACHIN KELKAR
https://topupdatetoday.com/

RELATED ARTICLESMORE FROM AUTHOR