In a unique attack, cyber-criminals have locally installed an extension to manipulate data in internal web applications that the victims have access to.
Cyber-criminals have been using a novel approach to exfiltrate data that involves directly injecting malicious Google Chrome extensions onto victims’ Windows machines via the abuse of Google’s cloud syncing function.
The aim of the recently identified campaign is to manipulate data in internal web applications that the victims have access to, according to an analysis.
Directly Planting
According to Bojan Zdrnja, writing for the SANS Institute, attackers are directly planting malicious extensions on the targets’ computers, rather than uploading them to the Chrome Web Store and waiting for victims to download them.
The malicious add-on disguises itself as a “Forcepoint Endpoint Chrome Extension for Windows,” with the attackers using the security company’s logo to enhance an air of legitimacy.
Threat players “dropped the extension locally in a folder and loaded it directly from Chrome on a compromised workstation,” explained Zdrnja, in an analysis late last week. “This is actually a legitimate function in Chrome – you can access it by going to More Tools -> Extensions and enabling Developer mode, after which you can load any extensions locally, directly from a folder by clicking on ‘Load unpacked.’”
Workstation
The analysis does not outline how the initial compromise was carried out. However, when it comes to its aim, “they actually limited activities on this workstation to those related to web applications, which explains why they dropped only the malicious Chrome extension, and not any other binaries,” the researcher explained.
“That being said, it also makes sense – almost everything is managed through a web application today, be it your internal CRM, document management system, access rights management system or something else.”
Malicious Google Chrome Extension
For all Chrome extensions, configuration parameters are stored in a file named manifest.json. In the case of the fake Forcepoint extension, three specific malicious functions stood out to Zdrnja.
The authors used a “content scripts” parameter to define which JavaScript files will be injected into web pages by the extension.
“This can be used by an attacker to add arbitrary code to target web pages (think about changing content and stealing data),” the researcher noted.
Storage API
Then, a permissions parameter specified that the extension could use the storage API.
Finally, the background parameter specifies the JavaScript files that will run when the extension is loaded.
“This is where the attacker had their exfiltration and command-and-control features embedded,” he added. “Background files are extremely powerful and allow a script to receive a message and send it in background.”
‘Chats’ with Legit Extensions to Steal Data
The makers of the malicious Forcepoint add-on were able to steal information from users’ internal extensions thanks to setting up a behind-the-scenes “chat” between the malicious extension and other web apps.
A function called “chrome.runtime.onConnectExternal.addListener” is provided by the Chrome browser to extensions. As its name indicates, it listens for connections made to the extension from another extension. A listener registered on the resulting port object, “port.onMessage.addListener,” then handles incoming messages, which allows for two-way communication between the extensions.
The extension then takes credentials – mail and OAuth tokens – from the victim’s machine.
Parameter Type
“There is a switch that checks the value of parameter type in the received message,” according to the analysis. “Now an interesting thing happens: if the value of the type parameter is ‘check_oauth_token_status,’ the extension will verify if there is a key called ‘oauth_token’ in Chrome’s storage. If it is there, it will send back (to the other extension) a message containing the value of the token with the status set to true, after which it will be deleted from Chrome’s storage.”
If the value of the type parameter is “save_mailhighlight_token,” the malicious extension will save the received value in Chrome’s storage under a new key called email.
Google’s Cloud
The extension also uses the “chrome.storage.sync.get” and “chrome.storage.sync.save” methods, so that all these values will be automatically synced to Google’s cloud by Chrome, under the context of the user logged into Chrome. This provides an unusual exfiltration method.
“In order to set, read or delete these keys, all the attacker has to do is log in with the same account to Google, in another Chrome browser (and this can be a throwaway account), and they can communicate with the Chrome browser in the victim’s network by abusing Google’s infrastructure,” Zdrnja explained.
Novel Cyber-attack
Attackers can use this approach for exfiltrating data as well as C2 communications.
“While there are some limitations on size of data and amount of requests, this is actually perfect for C2 commands (which are generally small), or for stealing small, but sensitive data – such as authentication tokens,” according to the researcher. “It will be slow because Chrome and Google throttle requests, allowing us to transfer 4 MB at a time.”
Chrome Extensions
The attack is unusual and novel, he added: “there were also some things that I saw for the first time, which is why I think this particular exploitation is novel.”
To protect their environments, admins should make sure that Chrome extensions are controlled, says Zdrnja.
“Google allows you to do that through group policies so you can define exactly which extensions are allowed/approved and block everything else,” he concluded.