Researchers at Awake Security have made news over the past 24 hours exposing a scheme in which some 79 malicious Google extensions were found on the Chrome Web Store as recently as the first week of May. While much of the news focused on the malicious Chrome extensions, security pros were scratching their heads over how the attackers managed to circumvent cloud-based security tools that researchers and security analysts have used for a decade or more.
Reuters first broke the story, reporting that users of the Chrome browser – the world’s leading browser by far with 2 billion users – downloaded the malicious Chrome extensions nearly 33 million times.
Google has since taken down the extensions from the Chrome Web Store and said when they are alerted of extensions that violate its policies, they take action and use those incidents as training material to improve its automated and manual analyses.
Gary Golomb, co-founder and chief scientist at Awake Security, said the attackers hid behind thousands of malicious domains housed at GalComm, an Israel-based registrar. According to the Awake Security report, of the 26,079 reachable domains registered through GalComm, 15,160 domains – or nearly 60 percent -- were malicious or suspicious. He said the malicious extensions could take screenshots, read the clipboard, harvest credential tokens stored in cookies and grab users keystrokes, including passwords.
While Golomb could not report any specific financial damages caused by the malicious extensions, he did say it does expose an “unintended consequence” of cloud computing. Golomb said the attackers created a way to bypass the cloud-based reputation services or virus scans used by most researchers and enterprise security teams. So if a security researcher suspected one of the domains on the GalComm registry and inspected it with one of the standard cloud-based reputation services, it would look normal to them.
“This creates a real problem for security teams because they have to be 110 percent sure that something is wrong before they can take away somebody’s laptop for the day,” Golomb said. “The attackers took away the ability of security teams to make a case. They also showed that in bypassing all the cloud-based tools used by security researchers, they could circumvent normal detection. What’s to stop a group from setting up their own registry and launching yet another campaign?’
While GalComm has publicly denied any wrongdoing, Golomb was less sure, saying that he didn’t think anything this substantial could be done without the registrar’s knowledge. He said at worst they were complicit, but could have also just “looked the other way.” He also said that ICANN, the major international domain registry organization, does “very little” to police these kinds of activities.
“While the domain organizations are loosely governed by ICANN, there’s very little active oversight,” Golomb said. “We believe that registrars like GalComm can effectively function like cyber arms dealers, providing a platform through which criminals and nation-states can deliver malicious sites, tools and extensions without consequences.”
Boris Cipot, senior security engineer at Synopsys, said the research by Awake Security brings out that that there’s an unfortunate byproduct of a software development ecosystem (the cloud) that chooses to relax the rules in favor of greater quantities of software offerings.
“There’s no doubt then that malicious actors will take advantage of this to distribute malicious code,” Cipot said.
Cipot said companies have to train users to be aware of the software they use. This includes, not only main assets such as Office 365 or the Chrome Browser, but also the extensions that are installed with those assets. He said they are all a part of the inventory list of software used and should get tracked and handled appropriately.
Security teams need to ask some basic questions: Who’s the developer? What does the software do? Where does the data go? What can the software access? Are the software extensions well-maintained? Are there any existing vulnerabilities to be wary of?
“Companies should be aware of these issues and enforce strict, but otherwise simple rules,” Cipot said.
“For example, do not access banking details from the same computer where you read your emails. In other words, employees in accounting should be given a specially hardened computer with no other functionalities other than to complete their accounting and banking tasks," he said. "Answering emails and browsing the web can be conducted on another computer. While companies may incur additional costs to offer extra computers, the cost is significantly cheaper than if they were to fall victim to a cyberattack.”