News: 1723219209

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Secure Web Gateways are anything but as infosec hounds spot dozens of bypasses

(2024/08/09)


DEF CON Secure Web Gateways (SWGs) are an essential part of enterprise security, which makes it shocking to learn that every single SWG in the Gartner Magic Quadrant for SASE and SSE can reportedly be bypassed, allowing attackers to deliver malware without Gateways ever catching on.

Using a tactic he's dubbed "last mile reassembly," SquareX founder and [1]long-time security researcher Vivek Ramachandran said he's managed to suss out more than 25 different methods to bypass SWGs, all of which boil down to the same basic exploit: They miss a lot of what's going on in modern web browsers.

"[SWGs] were invented almost 15, 17 years back [and] it all started as SSL intercepting proxies," Ramachandran told us. "As cloud security became more important people built out this entire security stack in the cloud.

[2]

"This is really where the problem begins."

[3]

[4]

SWGs, Ramachandran explains, are mostly relying on their ability to infer application layer attacks from network traffic before they make it to a web browser. If, say, the traffic wasn't recognizable as malicious, the SWG might not detect it, instead delivering it to a user's browser.

That's exactly what Ramachandran has worked out how to do.

[5]

"These vendors cannot fix this," the SquareX founder told us, "because … these are fundamentally architectural bugs."

SWGing malware? More like chugging with reckless abandon

The premise of last-mile reassembly, if you haven't worked it out from its name already, is pretty simple.

"Attackers have access to a last-mile compute machine, which is the web browser, where they can run scripts and reassemble attacks at the last minute," Ramachandran said. "For the end victim, the experience is identical."

By splitting or chunking malware, using Web Assembly files, smuggling malware in other files, and otherwise breaking malicious files up into multiple small, unrecognizable pieces, Ramachandran told us an attacker can deliver and force a browser to reassemble malware without a SWG ever being tipped off that there's a download happening.

"I hoped that, because these chunks don't look like real files, that they would have at least triggered an alarm," he said. Alas, they mostly didn't trigger anything.

[6]

Much of the reason why malicious content can be easily smuggled past SWGs has to do with the fact that, as mentioned, they're getting old, and aren't equipped to handle the complexity of the modern internet browser. SWGs typically have a ton of unmonitored channels, including gRPC, webRTC, WebSocket and WebTorrent, meaning things sent via those methods go entirely unchecked.

When asked about the severity of this issue, Ramachandran had much to say. "Most [SWG] vendors are aware of some of these attacks, but this would cannibalize their approach." He added that "SWGs are only stopping the most basic of attacks."

[7]Google's next big idea for browser security looks like another freedom grab to some

[8]SSE kicks the 'A' out of SASE

[9]Sneaky SnakeKeylogger slithers into Windows inboxes to steal sensitive secrets

[10]In-app browsers are still a privacy, security, and choice problem

Addressing this fundamental problem with SWGs while relying on the cloud is "a fool's pursuit," Ramchandran told us, which breaks the "whole model of cloud security."

To detect all the attacks that Ramachandran and the team at SquareX came up with would require full emulation of every single browser tab in order for a Gateway to be application context aware. Ramachandran believes that would be practically impossible with the cloud.

The cybersecurity veteran declined to name any vendor names, telling us he doesn't want to shame anyone, but does want security professionals and CISOs to be aware that the thing they're relying on to protect their users' browsing activity simply do not work.

Ramachandran is also starting to suspect some of the attacks he'll [11]highlight today at DEF CON are already being used in the wild. SquareX is releasing a free tool for SWG customers to test the vulnerability of their own setups.

As to what companies can do to protect themselves from such attacks, Ramachandran has a simple suggestion: "attacks happen in the browser, but the only place they can be detected is on the endpoint."

Unfortunately, many SWG customers may lack the appropriate endpoint protection to pick up the SWG slack.

"A large part of the marketing push from these SASE and SSE vendors is that … we already filter malware in the cloud so you don't need endpoint security," Ramachandran asserted. "Just let everything happen in the cloud - why do you need to manage the endpoint?"

Last-mile assembly attacks appear to be a very valid reason. ®

Get our [12]Tech Resources



[1] https://www.theregister.com/2007/10/18/cafe_latte_wi-fi_attack/

[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_specialfeatures/blackhatanddefcon&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZraRgYOiT@KVJKVIkGB41AAAAEo&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_specialfeatures/blackhatanddefcon&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZraRgYOiT@KVJKVIkGB41AAAAEo&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_specialfeatures/blackhatanddefcon&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZraRgYOiT@KVJKVIkGB41AAAAEo&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_specialfeatures/blackhatanddefcon&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZraRgYOiT@KVJKVIkGB41AAAAEo&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_specialfeatures/blackhatanddefcon&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZraRgYOiT@KVJKVIkGB41AAAAEo&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[7] https://www.theregister.com/2023/07/25/google_web_environment_integrity/

[8] https://www.theregister.com/2022/05/02/see-vs-sase/

[9] https://www.theregister.com/2024/08/05/snakekeylogger_malware_windows/

[10] https://www.theregister.com/2024/03/27/inapp_browsers/

[11] https://sqrx.com/lastmilereassemblyattacks

[12] https://whitepapers.theregister.com/



why try to pass through the gateway when you can hit the service directly?

Anonymous Coward

Did he also say that if you allow direct access to the protected endpoints, that you are an ignorant fool?

Root of the problem

cosmodrome

"Secure Web Gateways (SWGs) are an essential part of enterprise security,"

And that's where the problem starts. Trying to fix the problem down the line is just putting patches on the fissures of a structural system that is statically underdefined - which means it will just break somewhere else.

Baird34

The link to the free tool doesn't work. Either that or I'm a newb and fell for a trap and my browser explodes.

Free tool

diodesign

Yeah, it's not out yet - we've linked to their site where it may appear, or we'll do an update if we spot it.

C.

Re: Free tool

Baird34

Cheers.

Paul Crawford

The basic flaw is allowing external code to run on your local machine. Welcome web monkeys!

Isolating the web browser better would help, but then so many businesses depend on it accessing local files, etc, and Google want even stupider features like USB access, etc.

Genderplex, n.:
The predicament of a person in a restaurant who is unable to
determine his or her designated restroom (e.g., turtles and tortoises).
-- Rich Hall, "Sniglets"