QR Codes Bypass Browser Isolation for Malicious C2 Communication

Summary:
Mandiant has identified an innovative method to bypass browser isolation technology by leveraging QR codes for command-and-control operations. Browser isolation is a security approach that routes web requests through remote browsers hosted in the cloud, virtual machines, or on-premises environments. This technology prevents malicious scripts or commands from reaching the local browser by streaming only the visual representation of a web page to the user’s device. While effective at blocking traditional C2 communications that rely on HTTP traffic, this method is not foolproof, as Mandiant's research reveals.

In their novel technique, Mandiant researchers encode commands within QR codes displayed on a webpage. Since browser isolation streams visual content, the QR codes are transmitted back to the client. On infected devices, malware can decode the QR codes to extract instructions, bypassing traditional isolation defenses. This approach demonstrates a potential weakness in existing browser isolation mechanisms, as attackers can exploit visual elements rather than relying on scripts or HTTP responses. Mandiant's proof-of-concept used Cobalt Strike’s External C2 feature.

Analyst Comments:
Despite its ingenuity, the technique has practical limitations. QR codes can only carry a maximum of 2,189 bytes of data, and operational constraints further reduce this capacity. Additionally, latency of approximately 5 seconds per request limits the transfer rate to 438 bytes per second, making it unsuitable for transferring large payloads or conducting high-bandwidth operations such as SOCKS proxying. The study also did not account for advanced security measures like domain reputation checks, URL scanning, or data loss prevention tools, which could potentially block or mitigate such attacks.

Suggested Corrections:
Researchers at Mandiant have recommended the following mitigations:

Organizations should not solely rely on browser isolation to protect themselves from web-based threats, but rather embrace the "defense in depth" strategy and establish a well-rounded cyber defense posture. Mandiant recommends the following controls:

  1. Monitor for anomalous network traffic: Even when using browser isolation, organizations should inspect network traffic and monitor for anomalous usage. The C2 method described in this post is low-bandwidth, hence transferring even small datasets will require many HTTP requests.
  2. Monitor for browsers in automation mode: Organizations can monitor when browsers are used in automation mode by inspecting the process command line. Chromium-based browsers use flags such as --enable-automation and --remote-debugging-port to enable other processes to control the browser through the DevTools protocol. Organizations can monitor for these flags during process creation.
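Detection logic for the second control, written here as an added example rather than code from Mandiant: it scans constructed Sysmon-style process-creation records and flags Chromium-family browsers whose command line carries --enable-automation or --remote-debugging-port. The set of browser image names and the JSON field names are assumptions; the switch matching is anchored at the start of each token so a URL that merely contains the text does not fire.

```python
"""Added example (not Mandiant's code): flag Chromium-based browsers started with
DevTools automation switches, per the process-command-line guidance above."""
import json
import re

# Assumption: image names of Chromium-family browsers in scope (lower-case).
CHROMIUM_BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe",
                     "chrome", "chromium", "chromium-browser", "msedge", "google-chrome"}

# The two switches named in the guidance; Chromium's parser accepts "-" or "--".
# Anchored at token start, so a URL containing the text is not a match.
AUTOMATION_FLAG = re.compile(r'^["\']?--?(enable-automation|remote-debugging-port)(=|$)', re.I)

# Constructed Sysmon-style (Event ID 1) process-creation records, one JSON object per line.
SAMPLE_EVENTS = r'''
{"pid": 3310, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "CommandLine": "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --profile-directory=Default"}
{"pid": 4412, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "CommandLine": "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --remote-debugging-port=9222 --user-data-dir=C:\\Users\\Public\\p"}
{"pid": 5120, "Image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "CommandLine": "msedge.exe --enable-automation --disable-extensions --remote-debugging-port=0"}
{"pid": 6005, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "CommandLine": "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" https://example.test/?q=--remote-debugging-port"}
{"pid": 7001, "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe --remote-debugging-port=9222"}
'''


def automation_flags(command_line: str) -> list:
    """Return the automation switches present in a command line, in order of appearance."""
    tokens = re.findall(r'"[^"]*"|\S+', command_line)  # keep quoted paths as one token
    return [m.group(1).lower() for tok in tokens if (m := AUTOMATION_FLAG.match(tok))]


def detect(events_jsonl: str) -> list:
    """One alert per Chromium-family process whose command line carries an automation switch."""
    alerts = []
    for line in events_jsonl.strip().splitlines():
        ev = json.loads(line)
        image = re.split(r"[\\/]", ev["Image"])[-1].lower()
        if image not in CHROMIUM_BROWSERS:
            continue  # the guidance targets browsers; other images are out of scope here
        flags = automation_flags(ev["CommandLine"])
        if flags:
            alerts.append({"pid": ev["pid"], "image": image, "flags": flags})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"pid {alert['pid']}: {alert['image']} started with {', '.join(alert['flags'])}")
```

On the constructed records this raises alerts for pids 4412 and 5120 only; the plain Chrome launch, the URL argument and the non-browser process are left alone.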

Link(s):
https://www.bleepingcomputer.com/ne...ser-isolation-for-malicious-c2-communication/
https://cloud.google.com/blog/topics/threat-intelligence/c2-browser-isolation-environments/