Awake Security researchers have made news in the past 24 hours by exposing a scheme in which some 79 malicious Google Chrome extensions were found on the Chrome Web Store as early as the first week of May. While much of the news focused on the malicious extensions themselves, security professionals wondered how the attackers managed to bypass the cloud-based security tools that researchers and security analysts have used for a decade or more.
Reuters first broke the story, reporting that users of the Chrome browser – by far the world’s largest browser with 2 billion users – have downloaded the malicious Chrome extensions nearly 33 million times.
Google has since removed the extensions from the Chrome Web Store and said that when alerted to extensions that violate its policies, it takes action and uses those incidents as training material to improve its automated and manual scans.
Gary Golomb, co-founder and chief scientist of Awake Security, said the attackers were hiding behind thousands of malicious domains hosted at GalComm, an Israel-based registrar. According to the Awake Security report, of the 26,079 accessible domains registered through GalComm, 15,160 domains (or almost 60%) were malicious or suspicious. He said the malicious extensions could take screenshots, read the clipboard, harvest ID tokens stored in cookies, and capture user keystrokes, including passwords.
While Golomb couldn’t point to any specific financial damage caused by the malicious extensions, he said it exposed an “unintended consequence” of cloud computing. Golomb said attackers created a way to bypass cloud-based reputation services or virus scanners used by most researchers and enterprise security teams. So if a security researcher suspected one of the domains in the GalComm registry and inspected it with one of the standard cloud-based reputation services, it would seem normal to them.
“This creates a real problem for security teams because they have to be 110% sure something is wrong before they can take someone’s laptop away for the day,” Golomb said. “The attackers deprived security teams of the ability to build a case. They also showed that by bypassing all the cloud-based tools used by security researchers, they could bypass normal detection. What prevents a group from creating its own registry and launching another campaign?”
While GalComm has publicly denied any wrongdoing, Golomb was less sure, saying he didn’t believe anything so substantial could be done without the registrar’s knowledge. He said that at worst they were complicit, but they could also have just “looked away”. He also said that ICANN, the main international domain registration organization, does “very little” to police such activities.
“While domain organizations are loosely governed by ICANN, there is very little active oversight,” Golomb said. “We believe that registrars like GalComm can operate effectively as cyber arms dealers, providing a platform through which criminals and nation states can deliver malicious sites, tools and extensions without consequences.”
Boris Cipot, senior security engineer at Synopsys, said Awake Security’s research highlights an unfortunate byproduct of a software development ecosystem (the cloud) that chooses to relax the rules in favor of more software offerings.
“There is no doubt that malicious actors will take advantage of this to distribute malicious code,” Cipot said.
Cipot said companies need to train users to be aware of the software they use. This includes not only core assets such as Office 365 or the Chrome browser, but also the extensions installed alongside those assets. He said they are all part of the software inventory and should be tracked and dealt with appropriately.
Security teams should ask themselves a few basic questions: Who is the developer? What does the software do? Where does the data go? What can the software access? Are the software extensions well maintained? Are there any existing vulnerabilities to be wary of?
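As an added example (not part of the article, and not Awake Security's or Synopsys' tooling), the following Python audit answers the "what can the software access?" question for one extension by mapping its manifest.json permissions to the capabilities the article names; the capability-to-permission mapping and the sample manifest are constructed assumptions.

```python
import json

# Assumed mapping: capability named in the article -> Chrome permissions that grant it.
CAPABILITY_PERMISSIONS = {
    "screenshots": {"desktopCapture", "tabCapture"},
    "clipboard": {"clipboardRead"},
    "cookies/ID tokens": {"cookies"},
}
# Host patterns that cover every site (also enough for tabs.captureVisibleTab).
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest):
    """Return {capability: evidence} for what this manifest lets the extension do."""
    perms = set(manifest.get("permissions", []))
    # MV2 keeps host patterns inside "permissions"; MV3 moves them to "host_permissions".
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    findings = {}
    for capability, needed in CAPABILITY_PERMISSIONS.items():
        hit = perms & needed
        if hit:
            findings[capability] = sorted(hit)
    # A content script injected into every page can observe DOM events, keystrokes included.
    matches = set()
    for script in manifest.get("content_scripts", []):
        matches.update(script.get("matches", []))
    if matches & BROAD_HOSTS:
        findings["keystrokes (content script on all sites)"] = sorted(matches & BROAD_HOSTS)
    if hosts & BROAD_HOSTS:
        findings["all-site host access"] = sorted(hosts & BROAD_HOSTS)
    return findings


def audit_file(path):
    """Audit an unpacked extension directory's manifest.json on disk."""
    with open(path, encoding="utf-8") as fh:
        return audit_manifest(json.load(fh))


# Constructed sample manifest; not one of the extensions Awake Security reported.
SAMPLE_MANIFEST = json.loads("""{
  "manifest_version": 3, "name": "Example Helper", "version": "1.0",
  "permissions": ["tabs", "cookies", "clipboardRead", "storage"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]
}""")

if __name__ == "__main__":
    for capability, evidence in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{capability}: {evidence}")
```

Run it over each extension's manifest.json in a user's Chrome profile to turn the inventory questions above into a repeatable check.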
“Companies need to be aware of these issues and apply strict, but otherwise simple rules,” Cipot said.
“For example, don’t access bank details from the same computer where you read your emails. In other words, accounting employees should have a specially hardened computer with no functionality other than to perform their accounting and banking duties,” he said. “Replying to emails and browsing the web can be done on another computer. While businesses may incur additional costs for offering additional computers, the cost is significantly less than if they were to fall victim to a cyberattack.”