There’s more than 25 ways to bypass a Secure Web Gateway • The Register

Defcon Secure Web Gateways (SWGs) are an essential part of enterprise security, which makes it shocking to learn that every single SWG in the Gartner Magic Quadrant for SASE and SSE can reportedly be bypassed, allowing attackers to deliver malware without Gateways ever catching on.

Using a tactic he’s dubbed “last mile reassembly,” SquareX founder and long-time security researcher Vivek Ramachandran said he’s managed to suss out more than 25 different methods to bypass SWGs, all of which boil down to the same basic exploit: They miss a lot of what’s going on in modern web browsers.  

“[SWGs] were invented almost 15, 17 years back [and] it all started as SSL intercepting proxies,” Ramachandran told us. “As cloud security became more important people built out this entire security stack in the cloud.

“This is really where the problem begins.” 

SWGs, Ramachandran explains, are mostly relying on their ability to infer application layer attacks from network traffic before they make it to a web browser. If, say, the traffic wasn’t recognizable as malicious, the SWG might not detect it, instead delivering it to a user’s browser. 

That’s exactly what Ramachandran has worked out how to do. 

“These vendors cannot fix this,” the SquareX founder told us, “because … these are fundamentally architectural bugs.”

SWGing malware? More like chugging with reckless abandon

The premise of last-mile reassembly, if you haven’t worked it out from its name already, is pretty simple. 

“Attackers have access to a last-mile compute machine, which is the web browser, where they can run scripts and reassemble attacks at the last minute,” Ramachandran said. “For the end victim, the experience is identical.”

By splitting or chunking malware, using Web Assembly files, smuggling malware in other files, and otherwise breaking malicious files up into multiple small, unrecognizable pieces, Ramachandran told us an attacker can deliver and force a browser to reassemble malware without a SWG ever being tipped off that there’s a download happening. 

“I hoped that, because these chunks don’t look like real files, that they would have at least triggered an alarm,” he said. Alas, they mostly didn’t trigger anything. 

Much of the reason why malicious content can be easily smuggled past SWGs has to do with the fact that, as mentioned, they’re getting old, and aren’t equipped to handle the complexity of the modern internet browser. SWGs typically have a ton of unmonitored channels, including gRPC, webRTC, WebSocket and WebTorrent, meaning things sent via those methods go entirely unchecked. 

When asked about the severity of this issue, Ramachandran had much to say. “Most [SWG] vendors are aware of some of these attacks, but this would cannibalize their approach.” He added that “SWGs are only stopping the most basic of attacks.” 

Addressing this fundamental problem with SWGs while relying on the cloud is “a fool’s pursuit,” Ramchandran told us, which breaks the “whole model of cloud security.” 

To detect all the attacks that Ramachandran and the team at SquareX came up with would require full emulation of every single browser tab in order for a Gateway to be application context aware. Ramachandran believes that would be practically impossible with the cloud. 

The cybersecurity veteran declined to name any vendor names, telling us he doesn’t want to shame anyone, but does want security professionals and CISOs to be aware that the thing they’re relying on to protect their users’ browsing activity simply do not work. 

Ramachandran is also starting to suspect some of the attacks he’ll highlight today at Defcon are already being used in the wild. SquareX is releasing a free tool for SWG customers to test the vulnerability of their own setups.

As to what companies can do to protect themselves from such attacks, Ramachandran has a simple suggestion: “attacks happen in the browser, but the only place they can be detected is on the endpoint.” 

Unfortunately, many SWG customers may lack the appropriate endpoint protection to pick up the SWG slack. 

“A large part of the marketing push from these SASE and SSE vendors is that … we already filter malware in the cloud so you don’t need endpoint security,” Ramachandran asserted. “Just let everything happen in the cloud – why do you need to manage the endpoint?” 

Last-mile assembly attacks appear to be a very valid reason. ®