As much as infosec pros try, sometimes it’s hard to lock down everything on the devices of employees. And despite attempts at security awareness, often the little angels like downloading things without permission.
Browser extensions which offer the promise of productivity assistance are a perfect example. Few staff realize these can be a source of malware or that they can allow the injection of malicious code, which is why the best environment is one that has as few add-ons as possible — even if they come from a legitimate source, like a big-name app store.
That was illustrated this week with a report from Seattle-based security vendor Icebrg Inc., which said it has discovered four sophisticated malicious Google Chrome extensions on over half a million browsers, including workstations within major organizations globally. It came after a customer detected a suspicious spike in outbound network traffic from a workstation.
“Although likely used to conduct click fraud and/or search engine optimization (SEO) manipulation, these extensions provided a foothold that the threat actors could leverage to gain access to corporate networks and user information,” says the company.
Icebrg notified Google, which has removed the extensions.
They are:
–Change HTTP Request Header
–Nyoogle
–Lite Bookmarks
–Stickies, which allows the creation of Post-It-like notes.
Here’s how these extensions can be troublesome: The Change HTTP Request Header extension itself does not contain any overtly malicious code, says Icebrg. However, it allows the injection and execution of arbitrary JavaScript code. By design, Chrome’s JavaScript engine executes JavaScript code contained within JSON (JavaScript Object Notation), a lightweight data-interchange format. Because of the security risk, Chrome blocks extensions from retrieving JSON from an external source unless they explicitly request that ability via their Content Security Policy (CSP). Under some circumstances, however, an extension can do so, opening the possibility of JavaScript code injection. In this extension’s case, the control server returns obfuscated JavaScript to the victim host.
It then establishes a WebSocket tunnel to proxy browsing traffic via the victim’s browser for visiting advertising-related domains, suggesting a potential click fraud campaign was the motive. But, Icebrg notes, the same capability could also be used by a threat actor to browse internal sites of victim networks, effectively bypassing perimeter controls meant to protect internal assets from external parties.
The other three extensions work in a similar way.
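A defender-side check that follows from the above, added here as an example and not taken from the Icebrg report or from Google’s tooling: it audits Chrome extension manifest.json files for a content_security_policy that permits remote script sources or 'unsafe-eval', and flags any extension whose name matches one of the four listed above. The extension ids, the names other than the four reported ones, and the hosts are constructed placeholders.

```python
import json

# Extension names called out in the Icebrg report (matched case-insensitively).
REPORTED_NAMES = {"change http request header", "nyoogle", "lite bookmarks", "stickies"}

# Constructed sample manifests standing in for manifest.json files read from a
# Chrome profile's Extensions directory; the ids and hosts are placeholders.
SAMPLE_MANIFESTS = {
    "ext-remote-js": json.dumps({
        "name": "Change HTTP Request Header",
        "content_security_policy": "script-src 'self' https://update.example.invalid; object-src 'self'",
    }),
    "ext-unsafe-eval": json.dumps({
        "name": "Handy Notes",
        "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'",
    }),
    # No CSP key: Chrome applies the default "script-src 'self'; object-src 'self'".
    "ext-default-csp": json.dumps({"name": "Tab Counter"}),
}

def parse_csp(csp: str) -> dict[str, list[str]]:
    """Split a CSP string into {directive: [sources]}."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def csp_findings(csp: str) -> list[str]:
    """Flag script-src settings that let an extension run code it did not ship with."""
    findings = []
    for src in parse_csp(csp).get("script-src", []):
        if src == "'unsafe-eval'":
            findings.append("script-src permits 'unsafe-eval': fetched strings (e.g. JSON) can be run as code")
        elif src.startswith(("http://", "https://")):
            findings.append(f"script-src permits remote script from {src}")
    return findings

def audit_manifests(manifests: dict[str, str]) -> dict[str, list[str]]:
    """Return {extension_id: findings} for every manifest that raises a concern."""
    report = {}
    for ext_id, raw in manifests.items():
        manifest = json.loads(raw)
        csp = manifest.get("content_security_policy", "")
        if isinstance(csp, dict):  # Manifest V3 keys the policy by context
            csp = csp.get("extension_pages", "")
        findings = csp_findings(csp)
        if manifest.get("name", "").strip().lower() in REPORTED_NAMES:
            findings.insert(0, "name matches an extension named in the Icebrg report")
        if findings:
            report[ext_id] = findings
    return report

if __name__ == "__main__":
    for ext_id, findings in audit_manifests(SAMPLE_MANIFESTS).items():
        print(ext_id, *("  - " + f for f in findings), sep="\n")
```

On a real host, point the loop at each extension’s manifest.json under the profile’s Extensions directory; an extension with a clean manifest can still fetch script at runtime, so treat this as a first filter, not proof of safety.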
While this report deals with Chrome, the problem exists for any browser that allows extensions.
Google is trying to give administrators more control over Chrome browser extensions. But Icebrg argues that “without upstream review or control over this technique, malicious Chrome extensions will continue to pose a risk to enterprise networks.”
Meanwhile, security awareness training has to include mention of the dangers of adding extensions that aren’t approved by administrators.