fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Malicious Extension Abuses Chrome Sync To Steal Users’ Data

Malicious Extension Abuses Chrome Sync To Steal Users’ Data

The Google Chrome Sync feature can be abused by threat actors to harvest information from compromised computers using maliciously-crafted Chrome browser extensions.

Google’s infrastructure is also up for misuse as a command-and-control (C2) communication channel to exfiltrate the stolen data to attacker-controlled servers as security consultant Bojan Zdrnja discovered.

Chrome Sync is a browser feature designed to automatically synchronize a user’s bookmarks, history, passwords, and other settings after they log in with their Google account.

Bypassing Chrome Web Store security checks

While malicious Chrome extensions are a dime a dozen with Google removing hundreds of them each year from the Chrome Web Store, this one was special due to the way it was deployed.

The attacker’s malicious addon was camouflaged as the Forcepoint Endpoint Chrome Extension for Windows and installed directly from Chrome (bypassing the Chrome Web Store installation channel) after enabling Developer mode.

Malicious Chrome extension
Malicious Chrome extension (Bojan Zdrnja)

Also Read: Basic Info On How Long To Keep Accounting Records in Singapore?

Once installed, the extension dropped a background script designed to check for oauth_token keys in Chrome’s storage which would then get automatically synced to the user’s Google cloud storage.

To get access to the synced sensitive data, the threat actor would only have to log into the same Google account on another system running the Chrome browser since third-party Chromium-based browsers are not allowed to use the private Google Chrome Sync API.

This would then allow them to “communicate with the Chrome browser in the victim’s network by abusing Google’s infrastructure,” Zdrnja revealed.

“While there are some limitations on size of data and amount of requests, this is actually perfect for C&C commands (which are generally small), or for stealing small, but sensitive data – such as authentication tokens.”

Extension malicious code
Extension malicious code (Bojan Zdrnja)

The keys to the kingdom

The threat actor focused the attack on manipulating the data web app data and didn’t attempt to extend their malicious activity to the underlying system. The reasoning for this behavior is quite simple according to Zdrnja.

“While they also wanted to extend their access, they actually limited activities on this workstation to those related to web applications, which explains why they dropped only the malicious Chrome extension, and not any other binaries,” Zdrnja explained.

“That being said, it also makes sense – almost everything is managed through a web application today, be it your internal CRM, document management system, access rights management system or something else [..].”

Blocking the malicious extension from exfiltrating data would require also blocking servers used by Google for various legitimate purposes (such as clients4.google.com), so this isn’t the proper way to defend from similar attacks.

“Now, if you are thinking on blocking access to clients4.google.com be careful – this is a very important website for Chrome, which is also used to check if Chrome is connected to the Internet (among other things),” Zdrnja said.

Also Read: Deemed Consent PDPA: How Do Businesses Comply?

To block attackers abusing Google Chrome’s Sync API for harvesting and exfiltrating data from corporate environments, Zdrnja recommends group policies to create a list of approved Chrome extensions and block all others who haven’t been checked for red flags.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us