Security researchers at Mandiant have uncovered a method by which attackers can circumvent browser isolation technologies using QR codes. Browser isolation is a security measure that runs content in a secure environment, transmitting only visuals to the user’s device. This prevents direct interaction between potentially malicious web content and the local system. This approach effectively blocks traditional command-and-control (C2) communications, which rely on HTTP requests.

In their proof-of-concept, Mandiant’s team demonstrated that an attacker-controlled server can embed malicious commands within a QR code. When a user scans this QR code with a mobile device, it initiates communication with the attacker’s server. This exploits the fact that QR codes can encode URLs or other data that, when scanned, lead to unintended actions.

The attack leverages the Puppeteer JavaScript library and a headless Google Chrome browser to generate and display the QR code. However, the researchers note that any modern browser could implement this method. By embedding malicious payloads within QR codes, attackers can effectively bypass the security controls of browser isolation, as the scanning action occurs outside the isolated browsing environment.

This finding by Mandiant highlights a significant vulnerability in current browser isolation strategies and emphasizes the need for comprehensive security measures that account for a range of attack vectors. Organizations are advised to educate users about the risks associated with scanning unsolicited QR codes and to implement security solutions that detect and mitigate such threats.

Mandiant researchers found attackers using QR codes to bypass browser isolation by embedding malicious payloads that activate when scanned on mobile devices. This method exploits a gap in browser isolation, emphasizing the need for better defenses and user awareness of QR code risks.

A cyber espionage campaign, dubbed Operation Digital Eye, has been identified targeting large business-to-business IT service providers in Southern Europe between late June and mid-July 2024. Attributed to a suspected China-linked group, the attacks were detected and neutralized before data exfiltration occurred. The threat actors exploited Visual Studio Code’s Remote Tunnels feature for command-and-control (C2) operations, leveraging its legitimate functionality to execute arbitrary commands and manipulate files remotely. This tactic blended malicious activities with regular network traffic, complicating detection efforts.

The group gained initial access through SQL injection attacks on internet-facing applications and database servers, utilizing the penetration testing tool SQLmap to automate the exploitation process. Post-compromise, the attackers deployed a PHP-based web shell, PHPsert, to maintain persistent remote access. They conducted reconnaissance, harvested credentials, and moved laterally within networks using Remote Desktop Protocol (RDP) and pass-the-hash techniques. Notably, they used a custom-modified version of Mimikatz, mimCN, for pass-the-hash attacks. This tool shares substantial code overlaps with those used in other suspected Chinese cyber espionage operations, such as Operation Soft Cell and Operation Tainted Love, indicating a possible shared vendor or digital quartermaster within the Chinese Advanced Persistent Threat (APT) ecosystem.

The campaign underscores the sophisticated methods of state-sponsored actors, including the abuse of legitimate tools and cloud infrastructure to disguise malicious activity and evade traditional security measures. It highlights the critical need for robust security protocols and vigilant monitoring to detect and mitigate such advanced threats.

Operation Digital Eye, a China-linked cyber espionage campaign, targeted Southern European IT service providers in mid-2024. Hackers exploited Visual Studio Code’s Remote Tunnels for stealthy command-and-control, gaining access via SQL injection and using custom tools like mimCN for credential theft and lateral movement. The attack highlights the abuse of legitimate tools to evade detection and underscores the need for strong security defenses.
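A defender-side triage sketch for the intrusion chain described above, written here as an added example (it is not code from the report or its authors): it flags SQLmap's default User-Agent and common injection tokens in web access logs, and launches of the VS Code CLI in tunnel mode in endpoint process events. The log formats, hostnames, paths and sample values are constructed assumptions, not indicators from the campaign.

```python
"""Detection triage for the intrusion chain described above (added example,
not from the report): SQLmap-driven SQL injection in web access logs and
VS Code Remote Tunnels launched on an endpoint. All log lines are constructed."""
import re
from urllib.parse import unquote

# Constructed access-log lines: ip - - [time] "METHOD path PROTO" status "user-agent"
ACCESS_LOG = [
    '10.0.0.5 - - [30/Jun/2024:10:01:02 +0000] "GET /item?id=7 HTTP/1.1" 200 "Mozilla/5.0"',
    '203.0.113.9 - - [30/Jun/2024:10:01:05 +0000] "GET /item?id=7%27%20AND%201=1-- HTTP/1.1" 200 "sqlmap/1.8 (https://sqlmap.org)"',
    '203.0.113.9 - - [30/Jun/2024:10:01:06 +0000] "GET /item?id=7%20UNION%20SELECT%20NULL,NULL HTTP/1.1" 500 "Mozilla/5.0"',
]
# Constructed endpoint process-creation events: (image name, command line)
PROCESS_LOG = [
    ("code.exe", r"C:\Program Files\Microsoft VS Code\code.exe --new-window"),
    ("code.exe", r"C:\Users\svc\AppData\Local\Temp\code.exe tunnel --accept-server-license-terms"),
    ("explorer.exe", r"C:\Windows\explorer.exe"),
]

ACCESS_RE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} "([^"]*)"')
# Common SQLi tokens after URL-decoding; tune for your application's legitimate inputs.
SQLI_RE = re.compile(r"(?i)('\s*(and|or)\b|\bunion\s+select\b|--\s*$)")
# SQLmap's default User-Agent starts with "sqlmap/" (operators can override it).
SQLMAP_UA = "sqlmap/"
# The VS Code CLI starts a Remote Tunnel with the "tunnel" subcommand.
TUNNEL_RE = re.compile(r"(?i)\bcode(\.exe)?\s+tunnel\b")

def flag_sqli(lines):
    """Return (client_ip, reason) for access-log lines that look like SQLmap or SQLi."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ip, path, ua = m.groups()
        if ua.startswith(SQLMAP_UA):
            hits.append((ip, "sqlmap user-agent"))
        elif SQLI_RE.search(unquote(path)):
            hits.append((ip, "sql injection pattern"))
    return hits

def flag_tunnels(events):
    """Return command lines where the VS Code CLI was launched in tunnel mode."""
    return [cmd for image, cmd in events
            if image.lower() in ("code", "code.exe") and TUNNEL_RE.search(cmd)]

if __name__ == "__main__":
    for hit in flag_sqli(ACCESS_LOG) + [("endpoint", c) for c in flag_tunnels(PROCESS_LOG)]:
        print(hit)
```

A tunnel launch is legitimate on developer workstations, so correlate the hit with the host's role and the launching account before treating it as C2.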