A Browsing Challenge

A Browsing Challenge

Analysts are challenging malicious extension risks

  • By David Pearson
  • Sep 01, 2018

Google Chrome is largely considered one of the most security-conscious browsers, but recent headlines revealed some of its weaknesses. Reporting indicates that four of Chrome’s most popular extensions, which have amassed more than 500,000 downloads in total, are thought to be malicious.

The suspect extensions have since been banned from the Chrome Web Store, but the news highlights the inherent risk of browsers and third-party apps, which warrant deeper examination.

Ongoing Browser Extension Risks

Google has made significant efforts to enhance the security of its browser. In addition to more commonly-known measures, the company invests in bug bounties and other competitions to help root out some of the major problems that could be exploited by a high-skilled attacker, and takes a forward-thinking approach when it comes to user privacy. These measures do make it harder for hackers, but with so much market share and interest from the security community, vulnerabilities will continue to be discovered. Additionally, because extensions are generally created by third-party vendors, it’s a great source of unknown.

When it comes to extensions, Chrome requires downloads directly from the Chrome Web Store for major OSes (Windows/ OS X). However, it doesn’t seem as though there are any security checks conducted on these extensions before they’re published. This means it would take a critical mass of security-related complaints before Chrome would be made aware of any problem. That’s not to blame Google—even if its extensions were subject to the same scrutiny used for Android apps in the Google Play Store, no checks are perfect. We still see news about malicious apps making their way into the public arena in the Google Play Store several times a year.

With communications allowed between extensions, it’s also theoretically possible for an adversary with two or more extensions installed on a user’s browser to covertly pass information or perform different parts of an attack on the system. Then, there’s the problem of very carefully-hidden Trojan extensions and the ability to hijack and implant code into a trusted developer’s development system. These are all potential ways in for persistent and sophisticated attackers.

This is not to pick on Chrome—other browsers absolutely hold malicious extensions. Firefox still allows add-ons (their extensions) to be hosted external to their store, which eliminates a central point for management. Its publishing process is also less than rigorous, and seems to focus only on code correctness. And while Safari does review extensions before including them in the App Store, we still hear of malicious apps appearing there from time to time.

Identifying Malicious Extensions

For security analysts, identifying malicious extensions is no easy task. They aren’t going to show up in places analysts typically monitor such as CMDBs or logs. The only way to find them is on the network. If analysts are looking for something that the extension happens to do—such as leaking passwords in an obvious way or matching a network signature or indicator of compromise for malicious activity—it’s possible that their security tools will generate alerts pointing them to the related traffic that occurs after the fact.

If the tool an analyst is using has the ability to parse HTTP headers in a meaningful way, they may also be able to find malicious extensions by identifying these behaviors while looking for the Chrome-Extension value within the header. With more flexible query language offered by cutting-edge tools, it’s easy to become more or less specific with respect to what you’re looking for within HTTP, whether it be the headers or some other location.

In short, the original discovery of the malicious extension information and ways it is stored would likely be by chance or by deep investigation. However, if a tool the analyst uses has the ability to spot malicious activity, then the hard work of identifying the bad extension can be done by one researcher and reused by many.

The Challenge in Responding to Malicious Extensions

While finding a malicious extension is a major challenge, it’s still only the first step. The ability to contextualize the behavior associated with the session with respect to the device and its peers is where the baggage of current-version technologies slows analysts down.

Once a malicious extension is detected, analysts will quickly want to know what to do to stop the bleeding. Are any external communications related to this? Is any information being exfiltrated? What kinds of attacks are occurring internally? Is any pivoting/ lateral movement behavior happening with stolen credentials, possibly accessing more sensitive data? They’ll also quickly want to know who else is affected—spanning both devices, and users—when they were infected, which browsers and versions are impacted, whether the decision to install the extension was completely voluntary and more.

Each of the above steps can take tens of minutes to hours— and in some cases, they are impossible given time constraints and resources. The overall security maturity of the organization, and whether or not the security development team has created homegrown solutions to unify typically disparate pieces of information and infrastructure, will determine how effectively this workflow can be handled.

Today, overburdened analysts will typically only do this type of thorough investigation if there’s enough certainty that this is a truly serious incident—there are simply not enough human resources, nor the right incentives in the SOC, to do this deep level of work for naught. Moreover, the problem is exacerbated since existing security technologies provide little to no context—leaving it to the analyst to figure things out.

At Awake Security, we call this problem the Investigation Gap. After prevention methods fail, potential threats are detected and security alerts are generated, the time-consuming and manual heavy-lifting of an investigation falls to the analysts before any remediation steps can be taken. If an organization’s security tools miss a potential threat and no alert is generated, it falls on the analysts to find time to threat hunt and identify malicious activity on their own—a task that’s nearly impossible in most SOCs given their existing alert investigation workload.

The recent Chrome news put a spotlight on malicious browser extensions that underscores the risk incurred when trust is given to third parties. Often that trust is not well understood when given, and quickly forgotten. However, it also points to a deeper underlying issue for analysts working to identify malicious extensions and mitigate their harmful effects.

It’s critical that we find new ways to give analysts deep visibility into the network and streamline their time spent getting from questions to answers during their investigations. Only then will we start gaining ground on this type of challenge.

This article originally appeared in the September 2018 issue of Security Today.

Featured

  • The Evolution of IP Camera Intelligence

    As the 30th anniversary of the IP camera approaches in 2026, it is worth reflecting on how far we have come. The first network camera, launched in 1996, delivered one frame every 17 seconds—not impressive by today’s standards, but groundbreaking at the time. It did something that no analog system could: transmit video over a standard IP network. Read Now

  • From Surveillance to Intelligence

    Years ago, it would have been significantly more expensive to run an analytic like that — requiring a custom-built solution with burdensome infrastructure demands — but modern edge devices have made it accessible to everyone. It also saves time, which is a critical factor if a missing child is involved. Video compression technology has played a critical role as well. Over the years, significant advancements have been made in video coding standards — including H.263, MPEG formats, and H.264—alongside compression optimization technologies developed by IP video manufacturers to improve efficiency without sacrificing quality. The open-source AV1 codec developed by the Alliance for Open Media—a consortium including Google, Netflix, Microsoft, Amazon and others — is already the preferred decoder for cloud-based applications, and is quickly becoming the standard for video compression of all types. Read Now

  • Cost: Reactive vs. Proactive Security

    Security breaches often happen despite the availability of tools to prevent them. To combat this problem, the industry is shifting from reactive correction to proactive protection. This article will examine why so many security leaders have realized they must “lead before the breach” – not after. Read Now

  • Achieving Clear Audio

    In today’s ever-changing world of security and risk management, effective communication via an intercom and door entry communication system is a critical communication tool to keep a facility’s staff, visitors and vendors safe. Read Now

  • Beyond Apps: Access Control for Today’s Residents

    The modern resident lives in an app-saturated world. From banking to grocery delivery, fitness tracking to ridesharing, nearly every service demands another download. But when it comes to accessing the place you live, most people do not want to clutter their phone with yet another app, especially if its only purpose is to open a door. Read Now

Most   Popular

New Products

  • Luma x20

    Luma x20

    Snap One has announced its popular Luma x20 family of surveillance products now offers even greater security and privacy for home and business owners across the globe by giving them full control over integrators’ system access to view live and recorded video. According to Snap One Product Manager Derek Webb, the new “customer handoff” feature provides enhanced user control after initial installation, allowing the owners to have total privacy while also making it easy to reinstate integrator access when maintenance or assistance is required. This new feature is now available to all Luma x20 users globally. “The Luma x20 family of surveillance solutions provides excellent image and audio capture, and with the new customer handoff feature, it now offers absolute privacy for camera feeds and recordings,” Webb said. “With notifications and integrator access controlled through the powerful OvrC remote system management platform, it’s easy for integrators to give their clients full control of their footage and then to get temporary access from the client for any troubleshooting needs.”

  • Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation.

    Connect ONE®

    Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation.

  • PE80 Series

    PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

    ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening.