Google Chrome Browser Has Malicious Extensions
Cybersecurity experts have identified five malicious Google Chrome browser extensions that impersonate HR and ERP services such as Workday, NetSuite, and SuccessFactors. The extensions are designed to take control of user accounts through deception. Kush Pandya, a security researcher at Socket, recently published a report outlining how these extensions work together to steal authentication tokens, disable incident response capabilities, and enable complete account takeover via session hijacking.
The identified extensions are:
DataByCloud Access (Published by: databycloud1104) - 251 Installs
Tool Access 11 (Published by: databycloud1104) - 101 Installs
DataByCloud 1 (Published by: databycloud1104) - 1,000 Installs
DataByCloud 2 (Published by: databycloud1104) - 1,000 Installs
Software Access (Published by: Software Access) - 27 Installs
At the time of writing, all of them except Software Access have been removed from the Chrome Web Store, but they remain available on third-party sites such as Softonic. The add-ons are marketed as productivity tools offering access to advanced features on platforms such as Workday and NetSuite. The DataByCloud 1 and DataByCloud 2 add-ons were first released on August 18, 2021.
The campaign is assessed to be a coordinated operation based on shared functionality and infrastructure. Its behaviour includes exfiltrating cookies to an attacker-controlled remote server, manipulating the Document Object Model (DOM) to block visits to security administration pages, and enabling session hijacking by injecting stolen cookies. Once installed, the DataByCloud Access extension requests the cookies, management, scripting, storage, and declarativeNetRequest permissions on the Workday, NetSuite, and SuccessFactors domains.
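As an added triage example (not code from Socket's report or from the extensions themselves), the following Python script checks extracted extension manifests for the permission bundle described above combined with host access to the named SaaS vendors; the host pattern shapes and sample manifests are constructed for illustration.

```python
"""Triage helper (added example, not Socket's or the extensions' code): flag Chrome
extension manifests that bundle cookies + management + scripting + declarativeNetRequest
with host access to the HR/ERP vendors named in the report."""
import json
from pathlib import Path

# Capability combination the report attributes to the malicious extensions.
SUSPECT_PERMISSIONS = {"cookies", "management", "scripting", "declarativeNetRequest"}
# Vendors named in the report; the host pattern shapes matched below are assumptions.
TARGET_VENDORS = ("workday", "netsuite", "successfactors")

def host_patterns(manifest):
    """Collect host patterns from MV2 'permissions' and MV3 'host_permissions'."""
    hosts = []
    for key in ("permissions", "host_permissions", "optional_host_permissions"):
        for entry in manifest.get(key, []):
            if isinstance(entry, str) and ("://" in entry or entry == "<all_urls>"):
                hosts.append(entry)
    return hosts

def assess_manifest(manifest):
    """Return risky permissions, targeted vendors and a verdict for one manifest."""
    perms = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
    risky = perms & SUSPECT_PERMISSIONS
    vendors = sorted({v for h in host_patterns(manifest)
                      for v in TARGET_VENDORS if v in h.lower()})
    # Flag only the full bundle combined with a named SaaS vendor in scope.
    suspicious = risky == SUSPECT_PERMISSIONS and bool(vendors)
    return {"name": manifest.get("name", "?"), "risky": sorted(risky),
            "vendors": vendors, "suspicious": suspicious}

def scan_extensions_dir(root):
    """Assess every <id>/<version>/manifest.json under a profile's Extensions dir."""
    findings = []
    for path in Path(root).glob("*/*/manifest.json"):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, keep scanning
        findings.append({**assess_manifest(manifest), "path": str(path)})
    return findings

# Constructed sample manifests shaped like the report's description, not real ones.
SAMPLE_SUSPICIOUS = {"manifest_version": 3, "name": "Sample HR Tool Access",
                     "permissions": ["cookies", "management", "scripting", "storage",
                                     "declarativeNetRequest"],
                     "host_permissions": ["*://*.workday.com/*", "*://*.netsuite.com/*"]}
SAMPLE_BENIGN = {"manifest_version": 3, "name": "Sample Tab Counter", "permissions": ["tabs"]}
```

Point scan_extensions_dir() at a copied Chrome profile's Extensions directory to get one finding per installed extension version.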
It then collects authentication cookies for the targeted domains every 60 seconds and sends them to the "api.databycloud[.]com" domain. According to Pandya, Tool Access 11 (v1.4) blocks access to 44 administrative pages in Workday, including the authentication, security proxy, IP management, and session control interfaces. "DOM manipulation serves this purpose, and the extension maintains an observed list of page titles.
The blocking component of 'Data By Cloud 2' has additionally protected 56 pages, incorporating vital services such as changing passwords, disabling accounts, handling 2FA devices, and accessing security audit logs." It targets production environments as well as the Workday testing environment in the "workdaysuv[.]com" sandbox. Data By Cloud 1 replicates the functionality of DataByCloud Access and additionally uses the open-source DisableDevtool library to hinder inspection of its code through the browser's developer tools.
Communication with the command-and-control (C2) servers of these two extensions is encrypted. The most advanced variant of the set is Software Access. It combines cookie theft with the ability to retrieve stolen cookies from "api.software-access[.]com" and inject them into the browser for direct session hijacking. It also shields password input fields so that users cannot inspect the credentials they have entered. According to Socket, the injection function clears any existing cookies for the domain and then iterates over the supplied list of cookies, setting each via chrome.cookies.set().
This effectively transplants the victim's authenticated state into the threat actor's browser session. A notable trait linking all five extensions is that each embeds a common list of 23 security-related Chrome extension IDs, including EditThisCookie, Cookie-Editor, ModHeader, Redux DevTools, and SessionBox, presumably to monitor for their presence and alert the threat actor. According to Socket, this is likely an attempt to determine whether any tools in the browser might interfere with cookie harvesting or detect the extensions' activity.
Moreover, the presence of this identical list of extension IDs in all five extensions suggests either the same malicious operator publishing under different publisher names or a shared toolkit. Chrome users who have installed any of the above-mentioned add-ons are advised to remove them and reset their passwords. They should also check for unauthorized access from any new devices or IP addresses. "A combination of continuous credential theft, administrative interface lockdowns, and session hijacks makes it impossible for security teams not only to detect the unauthorized activity but also to mitigate it through traditional means," said Socket.