Attackers break malware into tiny pieces and bypass your Secure Web Gateway
For almost twenty years, Secure Web Gateways (SWGs) have been used to monitor network traffic, block malicious files and websites, and protect enterprises from web-based threats. Many enterprises today are confident that their SWGs catch all known malware, as promised in their SLAs. However, it takes as little as chopping the malware up into smaller pieces to successfully bypass SWGs and deliver the malicious payload to the endpoint. Since researchers at SquareX have publicly demonstrated these attacks on browser. security, clients and vendors alike have been flabbergasted when they see how effortlessly these attacks evade their SWGs.
File Chunking: The Art of Breaking Malware Into Tiny, Undetectable Pieces
File chunking attacks take advantage of the fact that SWGs and cloud proxies analyze network traffic and files in isolation—one request at a time. In these attacks, malicious actors split a malware file into several smaller pieces or chunks and deliver them individually to the client browser. Since each piece is too small or seemingly benign on its own, the SWG doesn't recognize the overall malicious intent, allowing the chunks to pass through undetected.
Once all the chunks are delivered to the victim's browser, the attacker's JavaScript code reassembles the pieces into the full, executable malware on the client side. This could be ransomware, spyware, or any other form of malware, and by the time it's fully formed and downloaded on the client device, the SWG has already failed.
SWGs are excellent at detecting and blocking known malicious files when they appear in full form. They operate by scanning network traffic for known malware signatures or using AI/ML to detect suspicious patterns.
However, a typical SWG or cloud proxy examines each network request or data stream individually, and the stateless nature of these solutions means they do not maintain a memory of previous requests. SWGs do not have context to whether all the requests are originating from the same browser tab or window, meaning it cannot recognize that a series of harmless-looking chunks will be combined, on the same tab, into something dangerous.
These limitations allow attackers to successfully deliver well known malware to enterprise employees through file chunking.
Different Chunking Techniques
Attackers have developed various chunking techniques to further evade detection. Here are a few commonly used methods:
- Straight Split Attack: The malicious file is divided into multiple small parts and sent to the browser separately. Since the parts are too small to trigger security alerts, the SWG allows each chunk to pass. Once all the pieces are on the client side, JavaScript reassembles the malware and executes it.
- Reverse Split Attack: In this variation, each chunk is not only split but also reversed. This means even if some security solutions attempt to detect patterns in the individual pieces, the reversed content appears benign. Once all the reversed pieces are delivered, they are reversed back to their original form and reassembled before executing the malware.
- Random Size Attack: Here, the file is broken into random-sized chunks to make detection even more difficult. As the chunks vary in size and don't follow a predictable pattern, fingerprinting these pieces becomes almost impossible. Again, the malware is reassembled client-side once all parts are delivered.
- Mix and Match Attack: This method combines the reverse split and random size techniques, creating a highly obfuscated set of file chunks that make detection even harder. Once delivered to the client, the JavaScript reassembles the malware by both reversing and matching the random-sized pieces.
Along with these, more than 30 SWG bypasses are being exploited in the wild by attackers to enter enterprise networks. To protect themselves from these attacks, enterprises must adopt new, browser-native security approaches that can detect client-side activities within the browser and prevent malware download before it leaves the browser. Without this added layer of protection, businesses remain vulnerable to attacks that exploit the limitations of their cloud-proxy solutions.