CyberWire Daily - New exploits are tricking Chrome. [Research Saturday]
Episode Date: March 4, 2023
Dor Zvi, Co-Founder and CEO from Red Access to discuss their work on "New Chrome Exploit Lets Attackers Completely Disable Browser Extensions." A recently patched exploit is tricking Chrome browsers on all popular OSs to not only give attackers visibility of their targets' browser extensions, but also the ability to disable all of those extensions. The research states the exploit consists of a bookmarklet exploit that allows threat actors to selectively force-disable Chrome extensions using a handy graphical user interface, making Chrome mistakenly identify it as a legitimate request from the Chrome Web Store. The research can be found here: New Chrome Exploit Lets Attackers Completely Disable Browser Extensions
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts
tracking down the threats and vulnerabilities,
solving some of the hard problems of protecting ourselves in a rapidly
evolving cyberspace.
Thanks for joining us.
So we came across that exploit from a few samples that we found in the wild and found
it was also posted on GitHub by a user named Echo.
That's Dor Zvi. He's co-founder and CEO at Red Access. The research we're discussing today is titled
New Chrome Exploit Lets Attackers Completely Disable Browser Extensions.
At first we noticed it was published as an exploit for Chromebook devices.
But then when we tested it in our lab, we found it works on other operating systems as well,
such as Windows and Linux.
And we found that it affects Chrome, but also other Chromium-based browsers in the same way.
So yeah, it's not surprising
because targeting browser extensions isn't something new.
But I think as web browsing comes more and more central
to the average user's work life,
browsers themselves are becoming increasingly attractive targets
to malicious actors.
Well, let's go through this together.
Can you describe to us exactly what's going on here?
Yeah, so the LTB, that's short for
literally the best exploit ever found.
Now, I wasn't responsible for the name,
but that's an exploit that targets Google Chrome
and affects Chromium-based browsers as well.
It allows attackers to selectively
force-disable browser extensions.
That exploit consists of a bookmarklet exploit
that allows attackers to disable any browser extension installed
using a simple, handy user interface that issues commands
that Chrome mistakenly identifies as legitimate requests.
Well, walk me through exactly how an attacker would go about doing this.
All right, so it is actually triggered by JavaScript in a URL.
And the powerful thing about it is
that it even overwrites any security policy group
configured on the device.
So even if a user doesn't have any privileges
to disable browser extensions,
this exploit overwrites and disables them.
And the funny thing is that if there is a security policy group,
the user will not be able to turn them back on.
I think that many companies and personal users
are using some browser extensions to block ads, to manage their data,
or even as a browser-level antivirus.
Now, the ease with which this weakness
simply turns them off, that's what's scary here.
So regarding your question,
I think there are multiple ways
an attacker can use to trigger that exploit.
Basically, just to get a user
to visit a URL with that JavaScript,
whether it's using phishing
or via a file containing a link
or via ads or any other way,
especially when this JavaScript code looks legitimate.
And that's what makes that exploit so easy to use.
So we've seen many attacks that require user
interaction, and this one is another classic
example of it.
Does this require any user interaction?
Other than visiting that URL, does
the user have to do anything or are there any alerts that they would
see? Yes, it is. It requires the user to
save a bookmark, which inside that bookmark
URL, there will be a JavaScript code.
And so then when the user visits that bookmark,
that's what executes the code? Exactly.
So when that code is executing, is there anything visible to the user?
Are there any screens that pop up, or are they in any way aware
of what's going on here? No.
That's completely seamless.
And I think turning
browser extensions off,
it can affect the user experience
as well as
the security level.
So at best, the attacker
will disable ad-blocking
extension, and you will notice that.
But in the same way
it can be an extension that organizations
use for browser protection. And in such a case, the attacker may turn off scanning mechanisms and
then easily attack and remain under the radar. So you will not notice any change.
Does the attacker have any visibility into the user's environment?
Are they able to select which extensions they're able to disable,
or is it an all-or-nothing kind of thing?
So yeah, they basically see all installed extensions,
and they can selectively force disable the one that they want to disable.
It can be all of them, but it can be a specific one that they chose.
Wow.
And would an administrator have any notice that this had taken place?
It can be. It depends on how they manage their browser extensions.
But usually there is no alerting system on such solutions or extensions.
So it can be both.
I see. Now, have you all come across examples of this being used in the wild?
Yes, we did. It was kind of a social attack page that triggers you,
tries to trick you to save a bookmark of that specific website.
They use an Amazon gift card image or a free iPhone message,
that once you click and save it, bookmark,
you should receive something.
But that's, I think, the social side of it.
And once you save it, that's it.
And what do you suppose they're after here?
I mean, disabling extensions in someone's Chrome browser,
are they looking to disable antivirus
in the browser? What do you think they're after here?
That's basically just a type of technique
to go under the radar and avoid the security.
It can be used in the personal market to run ads
or just a kind of social attack.
And it can also be a first stage
of a more sophisticated attack on a big company
that is being used to disable their security.
So there is no specific type of attacker
that will use that.
It's more the technique of how can we go under the radar
and avoid in-browser security.
And you and your colleagues in this report,
you point out that we're seeing more and more attention
to browser extensions from some of these bad guys.
Yes, I think that browsing today
is at the core of the hybrid work.
And as such, it has become a main target for attackers.
We see it like browsers are frequently updated by their providers
to fix vulnerabilities and zero days that haven't been discovered.
However, browsing is far from being the only risky application in the browsing space.
There are many web-based desktop applications that we use on a daily basis for work,
such as file-sharing applications, video conferencing, chat, or cloud applications that contain browsing risks that are not browser-based.
So the data that we share, the files we download,
the links we click on, they all can contain risks
related to browsing.
And that's where attackers are taking advantage
in targeting browsing applications.
Has this been patched yet?
Has Chrome been patched to prevent this now?
Yes, it is patched in version 106.
Google patched it.
And so if I'm running another Chromium-based browser,
the odds are if I'm keeping up to date, I'll be safe there as well?
Yes.
So what are your recommendations then
in terms of people protecting themselves
against this sort of thing?
So I think this brings us to the central issue
and critical consideration of deciding
on which cybersecurity solutions to invest in.
I think that the case here is a solution
that operates on the same layer it's meant to protect.
And that can lead to a security issue.
So rather than operating as a separate,
superior security layer,
these extensions here rely upon the integrity
of the very thing they are meant to protect,
which is the browser itself.
So I recommend using security solutions that operate on a separate,
fully independent layer that will not be affected by exploits
or vulnerabilities within the environment they are meant to secure.
Our thanks to Dor Zvi from Red Access for joining us.
The research is titled, New Chrome Exploit Lets Attackers Completely Disable Browser Extensions.
We'll have a link in the show notes.
The Research Saturday podcast is a production of N2K Networks, proudly produced in Maryland out of
the startup studios of DataTribe, where they're co-building the next generation of cybersecurity
teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben.
Our mixer is Elliot Peltzman. Our executive editor is Peter Kilpe, and I'm Dave Bittner.
Thanks for listening.