A Browsing Challenge
Analysts are challenging malicious extension risks
- By David Pearson
- Sep 01, 2018
Google Chrome is largely considered one of the most security-conscious browsers, but recent headlines revealed some of its weaknesses. Reporting indicates that four of Chrome’s most popular extensions, which have amassed more than 500,000 downloads in total, are thought to be malicious.
The suspect extensions have since been banned from the Chrome Web Store, but the news highlights the inherent risk of browsers and third-party apps, which warrants deeper examination.
Ongoing Browser Extension Risks
Google has made significant efforts to enhance the security of its browser. In addition to more commonly known measures, the company invests in bug bounties and other competitions to help root out some of the major problems that could be exploited by a highly skilled attacker, and takes a forward-thinking approach when it comes to user privacy. These measures do make it harder for hackers, but with so much market share and interest from the security community, vulnerabilities will continue to be discovered. Additionally, because extensions are generally created by third-party vendors, they are a large source of unknowns.
When it comes to extensions, Chrome requires downloads directly from the Chrome Web Store on the major desktop OSes (Windows and OS X). However, it doesn’t seem as though any security checks are conducted on these extensions before they’re published. This means it would take a critical mass of security-related complaints before Google would be made aware of a problem.
That’s not to blame Google—even if its extensions were subject to the same scrutiny used for Android apps in the Google Play Store, no checks are perfect. We still see news about malicious apps making their way into the Google Play Store several times a year.
With communications allowed between extensions, it’s also theoretically possible for an adversary with two or more extensions installed on a user’s browser to covertly pass information between them, or to split an attack on the system into parts performed by different extensions. Then there’s the problem of very carefully hidden Trojan extensions, and the ability to hijack a trusted developer’s development system and implant code there. These are all potential ways in for persistent and sophisticated attackers.
This is not to pick on Chrome—other browsers absolutely harbor malicious extensions. Firefox still allows add-ons (its name for extensions) to be hosted outside its store, which eliminates a central point for management. Its publishing process is also less than rigorous, and seems to focus only on code correctness. And while Safari does review extensions before including them in the App Store, we still hear of malicious ones appearing there from time to time.
Identifying Malicious Extensions
For security analysts, identifying malicious extensions is no easy task. They aren’t going to show up in places analysts typically monitor, such as CMDBs or logs. The only way to find them is on the network. If analysts are looking for something the extension happens to do—such as leaking passwords in an obvious way, or matching a network signature or indicator of compromise for malicious activity—it’s possible that their security tools will generate alerts pointing them to the related traffic, after the fact.
If the tool an analyst is using can parse HTTP headers in a meaningful way, they may also be able to find malicious extensions by identifying these behaviors while looking for the Chrome-Extension value within the header. With the more flexible query languages offered by cutting-edge tools, it’s easy to become more or less specific about what you’re looking for within HTTP, whether in the headers or some other location.
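As an added example (not code from the article or from Awake Security) of the header-based hunt described above: the script below parses a handful of constructed HTTP requests, pulls the extension ID out of any Origin or Referer header that carries the chrome-extension:// scheme, tallies which external hosts each extension talks to and with which methods, and then reports the extensions that are not on an organization’s approved list. It assumes requests are available as raw HTTP/1.1 text (as a network monitoring tool would hand them over) and that extension-originated requests identify themselves with a chrome-extension://<32-letter id> value; the sample requests, hosts and the approved-list entry are all constructed for the illustration.

```python
"""Spot browser-extension traffic in captured HTTP requests (added example).

Assumptions, not taken from the article: requests arrive as raw HTTP/1.1
text, and requests issued by an extension carry an Origin or Referer
header of the form chrome-extension://<32-letter id>.
"""
import re
from collections import defaultdict

# Chrome extension IDs are 32 lowercase letters in the range a-p.
EXT_ORIGIN_RE = re.compile(r"chrome-extension://([a-p]{32})", re.IGNORECASE)

# Constructed sample traffic: one request from an approved dictionary
# extension, two uploads from an unknown extension to the same host, and
# one ordinary page load with no extension involvement.
SAMPLE_REQUESTS = [
    "GET /api/v1/dict?q=hello HTTP/1.1\n"
    "Host: dictionary.example.com\n"
    "Origin: chrome-extension://abcdefghijklmnopabcdefghijklmnop\n"
    "User-Agent: Mozilla/5.0 Chrome/68.0\n\n",
    "POST /collect HTTP/1.1\n"
    "Host: stats.example.net\n"
    "Referer: chrome-extension://ppppoooonnnnmmmmllllkkkkjjjjiiii/background.html\n"
    "Content-Type: application/x-www-form-urlencoded\n\n"
    "field=constructed-sample",
    "POST /collect HTTP/1.1\n"
    "Host: stats.example.net\n"
    "Origin: chrome-extension://ppppoooonnnnmmmmllllkkkkjjjjiiii\n\n",
    "GET /index.html HTTP/1.1\n"
    "Host: www.example.org\n"
    "Referer: https://www.example.org/\n\n",
]

# Constructed allowlist: extension IDs the organization has vetted.
APPROVED = {"abcdefghijklmnopabcdefghijklmnop"}


def parse_request(raw):
    """Split raw request text into method, target, lowercase-named headers and body."""
    raw = raw.replace("\r\n", "\n")
    head, _, body = raw.partition("\n\n")
    lines = head.split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # skip malformed header lines rather than failing the whole request
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def extension_id(req):
    """Return the extension ID named in Origin or Referer, or None if the request
    did not come from an extension page."""
    for name in ("origin", "referer"):
        match = EXT_ORIGIN_RE.search(req["headers"].get(name, ""))
        if match:
            return match.group(1).lower()
    return None


def summarize(raw_requests):
    """Map each extension ID to {host: [methods seen]}, giving the analyst the
    list of external hosts each extension contacts and how it does so."""
    summary = defaultdict(lambda: defaultdict(list))
    for raw in raw_requests:
        req = parse_request(raw)
        ext = extension_id(req)
        if ext is None:
            continue
        host = req["headers"].get("host", "<no host>")
        summary[ext][host].append(req["method"])
    return {ext: dict(hosts) for ext, hosts in summary.items()}


def flag_unknown(summary, approved_ids):
    """List extensions seen on the wire that are not approved, with the hosts
    they reached and how many requests carried a body (POST/PUT), since
    uploads to an unfamiliar host are the first thing to triage."""
    findings = []
    for ext, hosts in summary.items():
        if ext in approved_ids:
            continue
        for host, methods in hosts.items():
            findings.append({
                "extension": ext,
                "host": host,
                "requests": len(methods),
                "uploads": sum(m in ("POST", "PUT") for m in methods),
            })
    return findings


if __name__ == "__main__":
    for finding in flag_unknown(summarize(SAMPLE_REQUESTS), APPROVED):
        print(finding)
```

Run stand-alone, the script prints one finding: the unapproved extension uploading twice to stats.example.net. The allowlist is deliberately a plain set so it can be replaced by whatever the organization already records about sanctioned extensions, and the host/method tally is the context an analyst needs before deciding whether the traffic is a benign telemetry call or something worth pulling the session for.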
In short, the original discovery of the malicious extension information and the ways it is stored would likely be by chance or by deep investigation. However, if a tool the analyst uses has the ability to spot malicious activity, then the hard work of identifying the bad extension can be done by one researcher and reused by many.
The Challenge in Responding to Malicious Extensions
While finding a malicious extension is a major challenge, it’s still only the first step. Contextualizing the behavior seen in the session with respect to the device and its peers is where the baggage of current-generation technologies slows analysts down.
Once a malicious extension is detected, analysts will quickly want to know what to do to stop the bleeding. Are any external communications related to this? Is any information being exfiltrated? What kinds of attacks are occurring internally? Is any pivoting/lateral movement behavior happening with stolen credentials, possibly accessing more sensitive data? They’ll also quickly want to know who else is affected—spanning both devices and users—when they were infected, which browsers and versions are impacted, whether the decision to install the extension was completely voluntary, and more.
Each of the above steps can take tens of minutes to hours—and in some cases, they are impossible given time constraints and resources. The overall security maturity of the organization, and whether or not the security development team has created homegrown solutions to unify typically disparate pieces of information and infrastructure, will determine how effectively this workflow can be handled.
Today, overburdened analysts will typically only do this type of thorough investigation if there’s enough certainty that this is a truly serious incident—there are simply not enough human resources, nor the right incentives in the SOC, to do this deep level of work for naught. Moreover, the problem is exacerbated since existing security technologies provide little to no context—leaving it to the analyst to figure things out.
At Awake Security, we call this problem the Investigation Gap. After prevention methods fail, potential threats are detected and security alerts are generated, the time-consuming and manual heavy lifting of an investigation falls to the analysts before any remediation steps can be taken. If an organization’s security tools miss a potential threat and no alert is generated, it falls on the analysts to find time to threat hunt and identify malicious activity on their own—a task that’s nearly impossible in most SOCs given their existing alert investigation workload.
The recent Chrome news put a spotlight on malicious browser extensions and underscores the risk incurred when trust is given to third parties. Often that trust is not well understood when given, and quickly forgotten. However, it also points to a deeper underlying issue for analysts working to identify malicious extensions and mitigate their harmful effects.
It’s critical that we find new ways to give analysts deep visibility into the network and streamline the time they spend getting from questions to answers during their investigations. Only then will we start gaining ground on this type of challenge.
This article originally appeared in the September 2018 issue of Security Today.