As much as infosec pros try, sometimes it’s hard to lock down everything on the devices of employees. And despite attempts at security awareness, often the little angels like downloading things without permission.
Browser extensions that offer the promise of productivity assistance are a perfect example. Few staff realize these can be a source of malware or can allow the injection of malicious code, which is why the best environment is one that has as few add-ons as possible — even if they come from a legitimate source, like a big-name app store.
That was illustrated this week with a report from Seattle-based security vendor Icebrg Inc., which said it has discovered four sophisticated malicious Google Chrome extensions on over half a million browsers, including workstations within major organizations globally. It came after a customer detected a suspicious spike in outbound network traffic from a workstation.
“Although likely used to conduct click fraud and/or search engine optimization (SEO) manipulation, these extensions provided a foothold that the threat actors could leverage to gain access to corporate networks and user information,” says the company.
Icebrg notified Google, which has removed the extensions.
–Change HTTP Request Header
–Stickies, which allows the creation of Post-It-like notes.
It then establishes a WebSocket tunnel to proxy browsing traffic via the victim’s browser for visiting advertising-related domains, suggesting a potential click fraud campaign was the motive. But, Icebrg notes, the same capability could also be used by a threat actor to browse internal sites of victim networks, effectively bypassing perimeter controls meant to protect internal assets from external parties.
The other three extensions work in a similar way.
While this report deals with Chrome, the problem exists for any browser that allows extensions.
Google is trying to give administrators more control over Chrome browser extensions. But Icebrg argues that “without upstream review or control over this technique, malicious Chrome extensions will continue to pose a risk to enterprise networks.”
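One way for administrators to get that control on their own machines, as an added example that is not code from Icebrg’s report or from Google: a Python audit that reads each installed extension’s manifest.json from a Chrome profile, flags extensions that are not on an administrator allow-list, and flags any that request the permissions needed to rewrite headers or proxy traffic through the browser. The profile directory layout, the allow-list and the sample manifests below are assumptions or constructed for the demonstration.

```python
"""Audit Chrome extension manifests for network-capable permissions.

Added example, not code from Icebrg or Google. The profile layout,
the allow-list and the sample manifests are assumptions/constructed.
"""
import json
import os

# Permissions that let an extension rewrite request headers, set a proxy or
# reach every origin: the building blocks of the header-changing and
# traffic-tunnelling behaviour the report describes.
RISKY_PERMISSIONS = {"webRequest", "webRequestBlocking", "proxy",
                     "declarativeNetRequest", "debugger"}
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(ext_id, manifest, allowlist):
    """Return a list of findings (empty means nothing to report)."""
    findings = []
    if ext_id not in allowlist:
        findings.append("not on the administrator allow-list")
    perms = set(manifest.get("permissions", []))
    # Manifest V3 moved host patterns into a separate key.
    hosts = perms | set(manifest.get("host_permissions", []))
    for p in sorted(perms & RISKY_PERMISSIONS):
        findings.append(f"requests {p}")
    for h in sorted(hosts & BROAD_HOST_PATTERNS):
        findings.append(f"host access to {h}")
    return findings


def audit_profile(extensions_dir, allowlist):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json (layout assumed)."""
    report = {}
    for ext_id in sorted(os.listdir(extensions_dir)):
        for version in os.listdir(os.path.join(extensions_dir, ext_id)):
            path = os.path.join(extensions_dir, ext_id, version, "manifest.json")
            if os.path.isfile(path):
                with open(path, encoding="utf-8") as fh:
                    report[ext_id] = audit_manifest(ext_id, json.load(fh), allowlist)
    return report


# Constructed sample manifests: a benign notes add-on and a header rewriter.
SAMPLE_MANIFESTS = {
    "constructed-id-notes": {"name": "Notes", "permissions": ["storage"]},
    "constructed-id-headers": {"name": "Header tool",
                               "permissions": ["webRequest", "webRequestBlocking", "<all_urls>"]},
}


def demo():
    """Audit the constructed samples against an allow-list holding only the notes add-on."""
    return {eid: audit_manifest(eid, m, {"constructed-id-notes"})
            for eid, m in SAMPLE_MANIFESTS.items()}
```

Run `audit_profile()` against a real profile’s Extensions directory to get the same findings per installed extension ID.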
Meanwhile, security awareness training has to include mention of the dangers of adding extensions that aren’t approved by administrators.