Data Exfiltration Enabled by Google Chrome Sync ExtensionFake Forcepoint Extension Exfiltrated Data Using Legitimate Tools
Hackers used a fake Forcepoint extension, leveraging the Google Chrome Sync feature, to exfiltrate data and send commands to infected browsers, according to Bojan Zdrnja, a Croatian security researcher writing for the SANS Institute, a cybersecurity training organization.
He found attackers exfiltrating data and using the channel for command and control communication. "Some of the methods observed in analyzed code were pretty scary - from a defender’s point of view," Zdrnja says.
The Google Chrome Sync feature helps make users’ browsing experience consistent across platforms. It can sync apps; auto-fill information, bookmarks, extensions, omni-box history, password, settings and themes; and open tabs.
Zdrnja found that a hacker dropped a malicious extension on the compromised system. The researcher did not reveal the initial attack vector.
"Malicious extensions are nothing new - there was a lot of analysis about such extensions, and Google regularly removes dozens of them from Chrome Web Store, which is the place to go to in order to download extensions," Zdrnja notes.
In this attack, however, the hackers did not use Chrome Web Store, but dropped the extension locally in a folder and loaded it directly from Chrome on a compromised workstation. Zdrnja says this approach is a legitimate function in Chrome and can be loaded via browsers' Developer Mode.
The attacker then created a malicious add-on, an extension that pretended to be the Forcepoint Endpoint Chrome Extension for Windows, which abused Google Chrome’s sync feature and allowed attackers to control the infected browser.
"The extension had nothing to do with Forcepoint - the attackers just used the logo and the name," Zdrnja notes. Forcepoint endpoint solutions are designed to help protect users against web-based threats and data theft while on and off the corporate network.
Zdrnja notes that hackers' goal was to manipulate data in an internal web application to which the victim had access.
"While they also wanted to extend their access, they actually limited activities on this workstation to those related to web applications, which explains why they dropped only the malicious Chrome extension, and not any other binaries. That being said, it also makes sense - almost everything is managed through a web application today, be it your internal CRM, document management system, access rights management system or something else," Zdrnja notes.
Zdrnja says that the extension used chrome.storage.sync.get and chrome.storage.sync.save methods (instead of chrome.storage.local). All the values were automatically synced to Google’s cloud by Chrome, under the context of the user logged in Chrome.
"In order to set, read or delete these keys, all the attacker has to do is log in with the same account to Google, in another Chrome browser (and this can be a throwaway account), and they can communicate with the Chrome browser in the victim’s network by abusing Google’s infrastructure," Zdrnja says.
In December 2020, researchers at the security firm Avast found 28 malicious third-party browser extensions used with Google Chrome and Microsoft Edge that had been downloaded about 3 million times. (see: Malicious Browser Extensions Downloaded 3 Million Times).
In June, Awake Security discovered 70 Chrome extensions could be used to steal users' credentials and security tokens, which were then removed.
In February, Google removed 500 Chrome extensions from its online store after researchers found that attackers were using them to steal browser data (see: Google Removes 500 Chrome Extensions Tied to Malvertising).
Google, in October 2019, updated its security and privacy requirements for developers who want to post new extensions in the company's official online store.