From Threatpost, we read this:
Google removed 106 Chrome browser extensions Thursday from its Chrome Web Store in response to a report that they were being used to siphon sensitive user data. In the research, also published Thursday, Awake Security alleged millions of Chrome users have been targeted by threat actors. The attackers used the Google Chrome browser extensions to not only steal data, but also to create persistent footholds on corporate networks.
The browser extensions were free and designed to either alert users to questionable websites or to convert files. In total, Awake Security estimates the extensions were downloaded 32 million times.
If I had to choose one of the most overlooked aspects of security in the workplace, browser extension control would be a top choice. Nobody thinks about them – all those colorful little icons dancing around at the top of your screen, and many users install them without knowing or thinking about it.
But like any other software download, it’s just another entry point for malicious actors to either exfiltrate data, or infiltrate with data of their own.
While Google has long policed its Chrome Web Store for rogue browser extensions, what is unique about this malicious effort was that it was allegedly part of a coordinated and “massive global surveillance campaign.”
…“In the past three months alone, we have harvested 111 malicious or fake Chrome extensions using GalComm domains for attacker command and control infrastructure and/or as loader pages for the extensions,” researchers wrote. “These extensions can take screenshots, read the clipboard, harvest credential tokens stored in cookies or parameters, grab user keystrokes (like passwords), etc.”
Cybersecurity incidents have come a long way from ILOVEYOU, which was created by two simple programmers and released to run wild on it’s own. Malicious actors of today are frequently part of larger organizations coordinating on widespread exploitation and compromise for the purposes of making big money on a lot of small targets, rather than putting in the work on fishing for major targets.
Browser extensions, which nobody seems to think about – for some psychological reason worthy of a term paper, I’m sure – are an excellent way for a malicious actor to get something into your corporate network. They just need to release their fake extension and bide their time.
How can this be addressed? There are a few ways to control extensions and it also depends on the browser:
1. Standardize your company web browser. Another oft-overlooked aspect of corporate IT use, the company should settingle on a single browser for all internet use. I tend to think Chrome is the best all-purpose business browser, although there are a million opinions. Just find a browser that most users can use without pulling their hair out and stick with it, so that you can manage the browsers the same way across the environment.
2. Enterprise Control Platform. Almost every major browser has some options offered by the developer to centrally control browser options. Google, for instance, has Chrome Browser Management – a paid cloud platform in which you can manage Chrome policies across the entire company. This is an excellent method to control who can install extensions, and which extensions are allowed.
3. Group Policy. Good ol’ GPO. Build out the right GPO (if you’re in an on-premises domain environment, that is) and you can maintain tight control over extension installation across all major browsers. This article, for example, shows how to deply a GPO for Chrome control.