CyberWire Daily - Attackers (ab)using Google Chrome. [Research Saturday]
Episode Date: February 20, 2021

Guest Bojan Zdrnja of Infigo IS and a certified instructor at SANS Institute shares an incident he discovered where attackers were using a pretty novel way of exfiltrating data and using that channel for C&C communication. The code that was acquired was only partially recovered, but enough to indicate powerful features that the attackers were (ab)using in Google Chrome. The basis for this attack was malicious extensions that the attacker dropped on the compromised system. The research can be found here: Abusing Google Chrome extension syncing for data exfiltration and C&C
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello everyone and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities,
solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
I was actually working on several incidents where I noticed that attackers did some,
well, let's say weird things with browsers.
That's Bojan Zdrnja.
He's a senior information security consultant at a company called Infigo.
He's also a certified instructor at the SANS Institute. The research we're discussing today is titled
Abusing Google Chrome Extension Syncing for Data Exfiltration and C&C.
So that prompted me to do a bit more analysis of what exactly they did and we managed to recover some files that were used by attackers and ended up finding out something very interesting.
We found out that they were using some malicious extensions which were sideloaded.
So they were not available on Google's website
where you normally download extensions from.
They were sideloaded.
They were loaded directly into Chrome.
And we found out that those extensions
contained some very interesting functionality
that allowed them to basically abuse Google's infrastructure
through a legitimate function in Chrome,
which is used for syncing data between different Chrome instances.
And so they were using this particular functionality
as their data exfiltration and command and control center mechanism.
Well, let's walk through it together.
First of all, a little bit of background on how Google handles extensions.
What's the general functionality there?
Sure. So with extensions, we can basically add all sorts of different functionality to our browsers.
And basically all popular browsers support some kind of extensions. Probably the most popular extensions are
various ad blockers that quite often people actually use.
They sometimes help you remove certain ads from websites,
change them a little bit so they may be easier to read and use. Now, those extensions are generally very, very powerful and dangerous at the same time.
They are powerful because they can change basically anything you see in your browser.
And for the same reason, they are dangerous because they can also modify whatever you see on a particular web page, for example.
So there are tens, if not hundreds of thousands of different extensions.
Only some of them are, of course, very popular,
but there is basically nothing preventing you from producing your own extensions
that can be used in a browser.
And most people, I would say, or I'd hazard a guess,
load their extensions through the Chrome Web Store,
but as you mentioned, you can sideload them as well.
Exactly.
So basically, Google's Web Store should be the one place
to go and download your extensions from.
Now, keep in mind, that isn't necessarily completely safe either.
There have been malicious extensions,
and Google does wipe them here and there from
Google Store. Actually, about a week ago, they also removed another popular extension that
was found to have certain malicious elements in it. So normally, you would go to that website,
download the extension and allow the extension to run. The extension will ask you for certain
permissions. A lot of people just click on OK and allow that permission, allow that extension to
run. Now, besides this, the Chrome web browser also allows you to do so-called side
loading, where you can load an extension directly from your hard drive, and this is basically intended to be used by developers,
because this will allow them to load those extensions they are working on without going
through the process of sending the extension to Google before it's ready, obviously. But as we saw,
the bad guys can use that particular feature as well.
And in this case, the one you discovered,
it was sideloaded, and what
were they... they were pretending to be something else? Yeah, exactly. So they
sideloaded the extension and when you create that extension there is a
file called manifest.json that basically defines what your extension
does, what it looks like, how it will present itself to the user and so on. So what they did was that they took the icon of another extension
of a security software producer company called Forcepoint,
which had nothing to do with the extension whatsoever,
but they just took their icon from the website
and they presented the add-on as a Forcepoint DLP extension for Chrome.
This was obviously done in order to make it look as a legitimate add-on,
where in fact it wasn't.
And do you have any idea how they were convincing people to sideload this?
Do we suspect it was some sort of social engineering?
Yeah, unfortunately I wasn't able to find it out.
I suspect it's either social engineering, as you said,
because it's not all that difficult to get people to load it,
especially since it's just an extension.
You can tell them, look, this is not a binary.
It's just a browser extension.
Or they maybe managed to compromise the machines as well
and drop the file directly and just load it then into Chrome.
And after that, they don't need to do anything on that machine.
They can basically use Chrome as their bot that they will control from a different place somewhere else in the world,
as long as that Chrome is signed in to Google to allow them to sync data of the extension.
Well, take us through what this extension actually did,
what was going on under the hood here.
All right, so basically what I found out
and what I saw in parts that we managed to recover
was that they were able to read certain information
from other websites.
So basically once you run an extension, depending on the permissions
that you gave to that extension, the extension basically can see anything that's happening in
your Chrome browser, or any other browser that you run with a similar extension.
And that's what they did with this extension: they allowed it permission to read anything.
So the extension was trying to find some authentication tokens and then relay them to the attacker by abusing the sync feature,
so that particular relay was actually flowing through Google's infrastructure.
They didn't have to set up their own command and control center.
They just relayed and synced the data through Google.
Well, let's dig into that.
I mean, how does Google's sync functionality work?
How is it supposed to work?
And how are they taking advantage of that?
Sure. So it's actually a cool feature.
It's a completely legitimate feature.
And if any of the listeners are using Chrome,
a lot of them might be using this feature already.
So basically in Chrome, when you log into your Google account,
Chrome will allow
you to sync data between different Chrome instances. So for example, if you have two laptops,
or if you have a laptop and your, I don't know, iPad or phone or anything, as long as you use Chrome on
all of them and you log in to your Google account, if you allow syncing, and there is a button that you have to click on to
turn on syncing, then all of these browsers will basically sync data between them. This means that
they will sync bookmarks, your history of pages, but it also allows them to sync extension data.
So there is a small data storage mechanism that every single extension can use to basically store some data.
That data can be stored either locally, so it's available only to this particular instance of Chrome,
or it can be synced through the syncing feature between any other instance of Chrome that runs the same extension.
So basically what the attackers
were able to do here is to load
the same extension in a
different Chrome browser anywhere else
in the world, log in with the
same account, so they need to know
the account username and password, which
is logged in, signed in to Google,
right? And then that other
instance will simply sync data
with the first instance of Chrome.
And this communication works in both directions.
Well, help me understand here.
So through this syncing functionality through the browser plugin,
they need to know the user name, but they don't have to be logged in as that user?
Okay, so they need to log in in Chrome as the user that is used to sync the data.
So in the particular incident I was investigating,
the legitimate user actually didn't use that feature at all.
So what the attacker did was that the attacker signed in
on behalf of that user
with a throwaway account on Google and then used that account to sync data.
I see.
Now there's some functionality going on behind the scenes here
where extensions are able to swap information between them.
What's going on there?
Yeah, exactly.
So Google actually provides extension developers with a legitimate
mechanism to perform that because they expect that extensions will need to sync some data. So,
for example, if you have one Google Chrome instance and you change something in an extension,
you change a setting, then as a user, you would probably expect that the same setting is changed
in your other instance of Chrome, for example, on your other laptop.
So that's why they added this feature for extensions.
And as I said, it's a legitimate feature, which makes sense.
Now, the malicious extension basically abuses this particular feature,
and it has a mechanism that allows it to set keys with certain values.
And those keys with values will be very, very quickly synced between those two instances by using Google's infrastructure.
In a matter of seconds, right?
Exactly, in a matter of seconds.
Now, you can't transfer gigabytes, really.
There is a limit that Google imposes here.
It's in the original text, but generally from some of the tests I did,
it will allow you to exfiltrate a couple of megabytes per hour,
which in a real-world scenario would be probably good enough
for an attacker that wants to find a very stealthy way to exfiltrate data from an environment,
especially since this data will be flowing only through Google.
And if you are doing some network inspection, you will not see absolutely any suspicious traffic apart from traffic going to Google's website.
Right.
And one of the things you point out in your research here is that that makes it hard to block this because you would affect legitimate good functionality from Google if you did.
Exactly.
Exactly.
So the website that's being used by the syncing feature is clients4.google.com.
And the same website is actually used by Chrome, for example, when you start it,
to figure out if you are connected to the internet or not,
if you have some blockers on your network or similar.
So if you just say that you don't want to allow anyone in your enterprise to access this website,
you might break some legitimate functionality of Chrome. So it's not that easy to disable the syncing feature.
So what options do folks have to protect themselves against this?
So that's a great question. And luckily, there is a way to make this secure in enterprise
environments primarily. So first of all, with any extension, as we already mentioned earlier,
since they can be malicious, we should be very careful when loading those extensions.
Now, there is nothing to prevent people from side-loading extensions if they want to,
but luckily for us, Google did publish policies that can be used, for example, in Windows
Domain as a group policy that your enterprise administrator can push and either completely
disable extensions or just create a whitelist of extensions that you want to allow your
users to use and then blacklist absolutely everything else.
And that's something that I would definitely suggest that any enterprise
does, because it will make your
Chrome installations across your enterprise much more secure. It will give you
power of controlling which extensions are installed and which are not.
So basically you can block whole classes of attacks with that.
Do you have any idea who's behind this
and anything in terms of attribution or who they're targeting?
Not at this moment, unfortunately.
This was found as a couple of incidents
and it was not related to those incidents
so the attackers probably dropped the file by accident
because they used some other functionality that we found.
So at this point in time, I don't know what exactly they were trying to steal
or who is behind this.
Yeah, it's certainly a clever attack.
And it's one of those ones that I think leaves you both impressed
and scratching your head.
It's pretty straightforward, but boy, it seems to be effective.
Yeah, exactly.
Exactly.
The beauty behind this is that, as you said, it's pretty straightforward.
It's actually relatively simple,
and you don't need to be the world's best developer to code this.
But at the same time, it's very, very stealthy
and definitely makes me feel unpleasant about all those extensions
that I use as a user as well because I like some functionality they provide.
Our thanks to Bojan Zdrnja for joining us.
The research is titled Abusing Google Chrome Extension Syncing for Data Exfiltration and C&C.
We'll have a link in the show notes.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Bond,
Tim Nodar, Joe Kerrigan, Carol Terrio,
Ben Yellen, Nick Valecki, Gina Johnson,
Bennett Moe, Chris Russell, John Petrick,
Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening.