IronNet Blog

Browser extensions: Helper or hop point?

With an unprecedented number of people working from home — most likely juggling household duties and potentially homeschooling children or caring for others on top of that — the quest to identify opportunities for improving productivity has never been greater.  Enter … browser extensions. Is there anything that they can’t do? 

  • Set time limits on browsing to certain websites? Check.
  • Let me create checklists of my to-do items? Check.
  • Edit my spelling and grammar as I type? Check.

Don't get me wrong. We're all looking for ways to streamline our lives amidst the chaos. But I am compelled to share some urgent advice about those seemingly wonderful browser extensions, which essentially open a window to cyber risks lurking in the shadows.

Working from home during COVID-19

Let’s take a closer look at how installing unvetted browser extensions introduces cyber risk into your company’s computing environment. An extension runs inside the browser with whatever permissions it declared and you accepted at install time, so adding one potentially gives a third party a view into all of your online activity. On top of direct access to anything you type into or read in the browser, an extension with broad enough permissions may also be able to collect system information such as the IP address of your machine, its physical location, and details about the installed operating system, applications, and versions of each.

Take a moment to put yourself in the shoes of a cyber threat actor: “Is there a chance here to make a few bucks? Or can I use this wide-open window as a gateway into a corporate environment on behalf of a nation-state?” Back to reality: if you think you have nothing to offer this kind of adversary, think again. Your own system may be well positioned as a stepping stone, or hop point, to the true target of interest, especially if you are working from a corporately provided or corporately connected workstation. What assets does your company manage that could be of value to someone intent on gathering intelligence, enabling financial gain, or doing harm?

What’s in it for threat actors?

The typical threat campaign consists of distinct phases, within each of which the actor conducts a specific type of activity. IronNet generally categorizes these phases as Reconnaissance, Access, Command and Control, and Action on Objectives. As a cyber defender, I can attest that you are most likely to encounter the latter three phases; it is therefore easy to forget that the Recon phase is where your typical threat actor spends a significant amount of their time. Sometimes a “spray and pray” methodology is all they need to get the access they desire: trawling the web for email addresses, piecing together spam campaigns, and lining up exploits to reel in opportunistic victims is good enough to get the job done. Actors with more specific interests, however (perhaps even more nefarious ones), will put in the reconnaissance work required to make sure they land exactly where they want to be.

A browser extension with expansive permissions that sells the data it collects, or that is itself backed by an actor with ill intent, could perform exactly the kind of intelligence gathering a threat actor needs to identify access to targets quickly and move out of the reconnaissance phase of the attack. Browsers have become more proactive about making you aware of the risk you accept when installing a given extension, showing “permission warnings” that describe the capabilities each declared permission grants the extension; however, it is easy to click through these without much thought in the name of getting to the helpful thing you are trying to accomplish. Here are just a few examples of the permissions and warnings you may come across:

Permissions: "http://*/*", "https://*/*", "*://*/*", "<all_urls>"
  Description: Grants the extension access to all hosts. It may be possible to avoid declaring any host permissions by using the activeTab permission.
  Warning shown: Read and change all your data on the websites you visit

Permission: "history"
  Description: Grants your extension access to the chrome.history API.
  Warning shown: Read and change your browsing history

Permission: "contentSettings"
  Description: Grants your extension access to the chrome.contentSettings API.
  Warning shown: Change your settings that control websites' access to features such as cookies, JavaScript, plugins, geolocation, microphone, camera etc.

Permission: "geolocation"
  Description: Allows the extension to use the HTML5 geolocation API without prompting the user for permission.
  Warning shown: Detect your physical location

The types of data available for collection could equip an attacker to engage in one or more of the following scenarios:

Source the best topics to utilize within social engineering campaigns

Even in the most sound security ecosystem, people will remain the weakest link. Bad actors often employ phishing campaigns that incorporate high-profile news items (think coronavirus), calls to action, or other topics of interest for the intended target. These are perfect ways to gain initial access into a victim’s network once the target clicks on a malicious link or opens a malicious attachment. What better way to know the topics of highest interest to a given target than by perusing the target’s web history for recurring themes to incorporate into a campaign? 

Identify online services utilized by targets of interest

If an adversary has a predetermined target in mind, and is able to identify that the target uses a particular service provider (financial services are a great example), he or she could set up a domain masquerading as the legitimate provider and attempt to direct the user to the bogus version of the legitimate site. IronNet has detected many examples of this type of brand impersonation, including pages built to look like Amazon, Microsoft, DHL, and Wells Fargo, to name a few. All of these examples were likely designed as part of credential harvesting campaigns. A 2020 report examining credential exposure found that 28% of users recycle at least one password across more than one account. Perhaps the credential captured by the brand-impersonating web page is reused across multiple (perhaps even work-related) accounts. Now the attacker has one more known password to try against those other accounts in credential-stuffing or password-spraying attempts.

Determine the logical location of a pre-identified target of interest

Attackers need directions, and on the Internet we call them IP addresses. If the target is the research and development section of a major automobile manufacturer, for example, a quick WHOIS or DNS lookup of the company’s domain name will give the threat actor an idea of where to start. The adversary will, however, need more inside information about what the internal network looks like before getting very far with attempts to move laterally and explore more systems after the initial access vector succeeds. The IP address of a system the attacker knows belongs to a particular individual within that department is a good place to start building out the network map. If the attacker can determine the internal IP address of a user likely to have administrative access to other high-interest systems, that criminal may have just hit the jackpot, from your extension-laden computer, while you work on unaware.

Escalate privileges on a system by exploiting a vulnerability in software or hardware platforms in use

If an adversary has an exploit in their possession that matches a vulnerability in a hardware or software component of the intended target, then watch out. Sometimes hackers send phishing emails, wait for users to land on their credential harvesting site, or use some other means to gain initial access, and that turns out not to be enough to achieve the sought-after results. Collecting information such as installed software packages and version numbers through an intrusive extension could be the perfect way for the bad actor to identify vulnerabilities, match them to exploits at their disposal, and proceed with the intrusion.

Be careful what you click!

Some people would suggest that an advanced threat actor is unlikely to use browser extensions to gather open source intelligence on intended targets because of the distinct need for action on the part of an end user, not just to click a pop-up box to accept a download, but to seek out the extension in the first place. It does not make sense for a threat actor interested in a very narrow target set to sit back and hope that their intended victim installs the exact browser extension needed to enable the perfect access. Certainly only less skilled, and therefore less worrisome, actors would resort to this laissez-faire style of collection, right? I would argue that they are not the only ones.

The fact that data collection from extensions has occurred on an unprecedented scale, and been made available for purchase, is well documented. Presuming that a non-attributable method for purchasing this information could be set up, this is the logical first stop for an actor willing to commit the resources necessary to acquire access to the dataset and devote time searching for the nuggets they need. 

A second method could be tuned to ensnare a narrower target set. A quick search for “IP targeting for advertising” will give anyone plenty of advertising firms willing to help direct an online ad to a chosen population segment. Since determining the IP space of a targeted company is not a difficult task these days, a threat actor can easily create an advertisement for the extension they want their targeted victims to download, that is, the employees of the company whose IP ranges they have already determined. Presto. They now have the key data points they need to start building a campaign.

To test the theory that extension creators would resort to ads to attempt to drive up download numbers, I turned the ad blocker off in my browser, and performed the following quick search:

Within my next couple clicks through search results, I noted a very simple advertisement that read “Convert files quickly and easily” and “Download safely from the Chrome Web Store” with a giant green “Continue” button.  

After clicking, I was provided with “3 Easy steps” to install the extension. What could go wrong there? I don’t know that this ad was delivered to me simply because my web traffic is coming from an IP address attributable to IronNet Cybersecurity, but the fact is, it could have been.

Imagine an actor with the resources to perform this type of activity at scale, creating dozens, or maybe even more, extensions with the capability to gather targeting information from carefully selected populations. This data, collected from unwitting end users, could be funneled back to what is essentially a command and control server, where it is processed, stored in a database, and made searchable by the threat actor.

What have we seen as cybersecurity analysts?

Through a combination of IronNet analytics and skilled investigation by threat hunters in our Cyber Operations Center and Threat Research team, IronNet has recently identified nearly 200 unique browser extensions that incorporate permissions deemed risky for use within a corporate environment. These extensions have been observed in use on systems within both the finance and energy sectors. Closer analysis of the extensions with the most intrusive permissions has at times identified layers of anti-analysis techniques, presumably intended to hinder both static and dynamic code analysis and to evade detection by antivirus. It is clear that the authors in these cases are interested in concealing, as much as possible, what the extensions are capable of doing.

Additionally, further research has on occasion identified ties to companies with known track records for developing malware. We are only beginning to unravel what appears to be a tangled web of extensions with expansive permissions, including several groups of different extensions that seem to be related to each other, continuously popping up in the same networks but on different systems. 

Where do we go from here?

There is a way to fight back: a policy of whitelisting (allowlisting) the browser extensions that are acceptable for use in a corporate environment should be a critical component of a company’s risk management strategy. IronNet recommends evaluating extensions on a case-by-case basis. This should include consideration of what permissions are granted to an extension, who the developer is and whether they appear to actively maintain the extension, and how necessary the extension is to solve a business problem. Because extensions update silently, the review should be repeated whenever an update requests new permissions (the browser will prompt the user to accept them, and that prompt is just as easy to click through), and the resulting allowlist should be enforced centrally through the browser’s enterprise policy rather than left to each user. Many resources are available to aid in this decision-making process, some of which assign risk scores and provide detailed breakdowns of extension permissions and the implications of each.
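The permission table earlier in the post and the allowlisting recommendation above both come down to the same mechanical check: read what a manifest declares, map it onto the warnings it triggers, and decide whether the extension belongs on the corporate allowlist. The following is an added example, not IronNet’s code or any vendor’s risk-scoring tool. It scores Chrome extension manifests against the four warning categories the post lists, applies a hypothetical allowlist policy, and renders the result as a Chrome ExtensionSettings enterprise policy object (a real Chrome policy; the extension IDs, manifests, weights and threshold are all constructed for the example):

```javascript
// Added example (not IronNet's code): score Chrome extension manifests by the
// permission warnings they would trigger and apply a simple allowlist policy.
// All manifests, extension IDs, weights and thresholds below are constructed.

// The permission warnings listed in the post, each with an assumed weight.
const WARNINGS = {
  allHosts: { text: "Read and change all your data on the websites you visit", weight: 5 },
  history: { text: "Read and change your browsing history", weight: 4 },
  contentSettings: {
    text: "Change your settings that control websites' access to features such as " +
      "cookies, JavaScript, plugins, geolocation, microphone, camera etc.",
    weight: 3,
  },
  geolocation: { text: "Detect your physical location", weight: 3 },
};

// Host patterns that Chrome treats as "access to all hosts".
const ALL_HOST_PATTERNS = new Set(["http://*/*", "https://*/*", "*://*/*", "<all_urls>"]);

function isHostPattern(p) {
  return p === "<all_urls>" || p.includes("://");
}

// Manifest V2 mixes host patterns into "permissions"; V3 puts them in
// "host_permissions".  Normalise both into API permissions and host patterns.
function declaredPermissions(manifest) {
  const perms = manifest.permissions || [];
  return {
    api: perms.filter((p) => !isHostPattern(p)),
    hosts: [...(manifest.host_permissions || []), ...perms.filter(isHostPattern)],
  };
}

function assessManifest(manifest) {
  const { api, hosts } = declaredPermissions(manifest);
  const triggered = [];
  if (hosts.some((h) => ALL_HOST_PATTERNS.has(h))) triggered.push("allHosts");
  for (const key of ["history", "contentSettings", "geolocation"]) {
    if (api.includes(key)) triggered.push(key);
  }
  // "activeTab" only grants access to the current tab after a user gesture,
  // so it raises no broad warning and adds nothing to the score.
  return {
    name: manifest.name,
    warnings: triggered.map((k) => WARNINGS[k].text),
    score: triggered.reduce((sum, k) => sum + WARNINGS[k].weight, 0),
  };
}

// Hypothetical policy: reviewed IDs are allowed as-is; anything else is blocked
// above the score threshold and otherwise queued for case-by-case review.
const ID_GRAMMAR = "abcdefghijklmnopabcdefghijklmnop"; // made-up 32-char IDs
const ID_TIMER = "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb";
const ID_CONVERTER = "cccccccccccccccccccccccccccccccc";
const POLICY = { allowedIds: new Set([ID_GRAMMAR]), maxScore: 3 };

function decide(extensionId, manifest, policy = POLICY) {
  if (policy.allowedIds.has(extensionId)) return "allow";
  return assessManifest(manifest).score > policy.maxScore ? "block" : "review";
}

// Render the decisions as a Chrome "ExtensionSettings" enterprise policy:
// block everything by default, allow reviewed IDs, and refuse the intrusive
// permissions to every extension, allowed ones included.
function buildExtensionSettings(decisions) {
  const settings = {
    "*": {
      installation_mode: "blocked",
      blocked_permissions: ["history", "contentSettings", "geolocation"],
      blocked_install_message: "Extensions require a security review before use.",
    },
  };
  for (const [id, verdict] of Object.entries(decisions)) {
    if (verdict === "allow") settings[id] = { installation_mode: "allowed" };
  }
  return settings;
}

// Constructed sample manifests.
const SAMPLES = {
  [ID_GRAMMAR]: { manifest_version: 3, name: "Grammar Helper",
    permissions: ["activeTab", "storage"], host_permissions: [] },
  [ID_TIMER]: { manifest_version: 3, name: "Tab Timer",
    permissions: ["alarms", "storage"], host_permissions: ["https://www.example.com/*"] },
  [ID_CONVERTER]: { manifest_version: 2, name: "Quick File Converter",
    permissions: ["history", "geolocation", "<all_urls>", "storage"] },
};

function runPolicy(samples = SAMPLES, policy = POLICY) {
  const decisions = {};
  for (const [id, manifest] of Object.entries(samples)) {
    decisions[id] = decide(id, manifest, policy);
  }
  return { decisions, settings: buildExtensionSettings(decisions) };
}

console.log(JSON.stringify(runPolicy(), null, 2));
```

Run it with node and the converter-style manifest, which asks for every host plus history and geolocation, lands in "block", while the narrowly scoped timer is queued for review and the already-vetted grammar extension is allowed. Chrome’s full list of permission warnings is longer than the four the post shows, so a production scorer should cover the complete list, and the generated ExtensionSettings object would be pushed to managed browsers through Group Policy or the management console rather than hand-edited on each machine.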

Today, we’re all cyber defenders. Stopping a threat actor early in the kill chain should be top-of-mind for everyone, and doing so has to include a clear understanding of all the avenues of information gathering necessary prior to an actual attack ever taking place. As we understandably try to make our own jobs as employees, parents, caregivers, at-home educators and more easier, don’t make hackers’ jobs easier, too. Mind those browser extensions! 
