Tech Tidbit – Welcome to the Wild West of Browser Extension Malware

July 28th, 2025

I am being inundated with stories about historically benign browser extensions suddenly turning into infostealer malware overnight. After the articles a few months ago about around 38 extensions doing this, I recently saw that another 100 had turned to the dark side. Then I saw that even more had flipped, affecting over 2 million users!

This is especially dangerous because these extensions are already installed and trusted. Extensions update silently, so one that was benign when someone vetted it can be sold to a new owner or compromised and push malicious code to every existing user overnight, and nobody has looked at it since the day it was approved.

Please note that I cannot reasonably or directly protect you from rogue browser extensions. Infostealers steal your credentials and session tokens. The bad guys then don't have to hack anything. They just sign on with the credentials your user unknowingly handed them, to every system those credentials unlock.

Additionally, MFA does not protect you here. The infostealer runs inside the user's browser, so the attacker does not have to be anywhere near your network: the extension lifts the session cookie or token that was issued after the user completed MFA, and the attacker replays that token from wherever they are. This post-authentication token theft is the 3% of the time that MFA fails to protect.

Microsoft has no meaningful defense against replay of a token that has already been stolen. The token is accepted until it expires or you revoke the user's sessions, which you can only do once you know, so the real defense is keeping the bad guys off the machine with the user in the first place.

That is scary.

To the best of your ability, you must harden every browser that is deployed in your environment.

That starts with the timely patching of every browser.

It continues with not allowing unapproved browsers to be installed at all, or, if you cannot prevent that, accepting that you must manage every major browser on the machine, because an unmanaged browser is a gap in every other control.

It also includes evaluating every browser extension already in use, removing every unnecessary or unvetted one, and blocking users from installing any extension you have not explicitly approved. That means an allowlist rather than a blocklist: the next malicious extension is whichever trusted one flips tonight, and a blocklist cannot name it in advance.
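
The first step of that evaluation is knowing what is actually installed. The following PowerShell is an added example, not the author's code and not part of CyberCNS: it walks the on-disk Chrome/Edge profile layout (User Data\<Profile>\Extensions\<id>\<version>\manifest.json), resolves localized names, and reports every extension that is not on your allowlist or that asks for permissions an infostealer would need. The extension IDs, names and the temporary demo profile it builds are constructed placeholders so the script runs anywhere; on a real endpoint you point it at the real profile folders instead.

```powershell
# Added example, not the author's or CyberCNS code: inventory every extension found on disk
# in Chrome/Edge profiles and flag anything not on your allowlist or carrying risky permissions.
# Assumptions: the standard Chromium "User Data\<Profile>\Extensions\<id>\<version>\manifest.json"
# layout; all extension IDs, names and paths in the demo section below are made up.

function Get-ChromiumExtensionInventory {
    param(
        [Parameter(Mandatory)] [string[]] $UserDataRoot,    # one or more "User Data" folders
        [string[]] $AllowedIds = @(),
        # Permissions that let an extension read every page, cookie or request (infostealer territory)
        [string[]] $RiskyPermissions = @('<all_urls>', 'webRequest', 'webRequestBlocking', 'cookies',
                                         'tabs', 'scripting', 'history', 'clipboardRead', 'debugger', 'proxy')
    )
    foreach ($root in $UserDataRoot) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Filter manifest.json -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $versionDir = $_.Directory
            $idDir      = $versionDir.Parent
            # Only manifests at <Profile>\Extensions\<32-char id>\<version>\ are installed extensions
            if ($idDir.Parent.Name -ne 'Extensions' -or $idDir.Name -notmatch '^[a-p]{32}$') { return }
            try { $m = Get-Content -LiteralPath $_.FullName -Raw | ConvertFrom-Json } catch { return }

            # Names are often "__MSG_key__" placeholders resolved from _locales/<default_locale>/messages.json
            $name = [string]$m.name
            if ($name -match '^__MSG_(.+)__$' -and $m.default_locale) {
                $key = $Matches[1]
                $msgFile = [IO.Path]::Combine($versionDir.FullName, '_locales', [string]$m.default_locale, 'messages.json')
                try { $name = (Get-Content -LiteralPath $msgFile -Raw | ConvertFrom-Json).$key.message } catch { }
            }
            # MV2 puts host patterns in "permissions"; MV3 moves them to "host_permissions"
            $perms = @($m.permissions) + @($m.host_permissions) | Where-Object { $_ } | ForEach-Object { "$_" }

            [pscustomobject]@{
                Profile    = $idDir.Parent.Parent.Name
                Id         = $idDir.Name
                Name       = $name
                Version    = [string]$m.version
                Approved   = $AllowedIds -contains $idDir.Name
                RiskyPerms = @($perms | Where-Object { $RiskyPermissions -contains $_ }) -join ','
                Path       = $versionDir.FullName
            }
        }
    }
}

# --- Constructed demo profile (fake IDs and manifests) so the script runs on any machine ---
$demoRoot = [IO.Path]::Combine([IO.Path]::GetTempPath(), 'ext-inventory-demo', 'User Data')
$fake = @{
    'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa' = @{ name = 'Approved PDF Viewer'; version = '3.2.0'; manifest_version = 3; permissions = @('storage') }
    'bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb' = @{ name = 'Coupon Finder'; version = '9.0.1'; manifest_version = 3; permissions = @('cookies', 'tabs', 'scripting'); host_permissions = @('<all_urls>') }
}
foreach ($id in $fake.Keys) {
    $dir = [IO.Path]::Combine($demoRoot, 'Default', 'Extensions', $id, $fake[$id].version)
    New-Item -ItemType Directory -Force -Path $dir | Out-Null
    $fake[$id] | ConvertTo-Json | Set-Content -LiteralPath ([IO.Path]::Combine($dir, 'manifest.json'))
}
$approved = @('aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa')   # placeholder allowlist

# On a real endpoint, point this at every user's profile folders instead, e.g.
#   (Resolve-Path 'C:\Users\*\AppData\Local\Google\Chrome\User Data',
#                 'C:\Users\*\AppData\Local\Microsoft\Edge\User Data' -ErrorAction SilentlyContinue).Path
Get-ChromiumExtensionInventory -UserDataRoot $demoRoot -AllowedIds $approved |
    Where-Object { -not $_.Approved -or $_.RiskyPerms } |
    Format-Table Profile, Id, Name, Version, Approved, RiskyPerms -AutoSize
```

In the demo only "Coupon Finder" is reported: it is not on the allowlist and asks for cookies, tabs, scripting and <all_urls>, which is everything an infostealer needs. Two caveats: this reads what is on disk, so it also lists extensions the user has disabled, and it says nothing about what the next silent update will contain, which is why the allowlist and the policy enforcement matter more than the snapshot.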

This is a daunting task.

You must control this aspect of your network security and remain vigilant in maintaining control over your browsers.

Much of this can be enforced centrally through Group Policy: Chrome, Edge and Firefox all publish ADMX templates with extension allowlist, blocklist and force-install settings, and the same settings can be written as registry values on machines outside the domain.
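
What those Group Policy settings actually write is shown below as an added example (not the author's code and not CyberCNS): the registry form of the Chrome and Edge extension policies, applied as local machine policy, with a blocklist of "*" and an allowlist of the IDs you have vetted. It assumes an elevated Windows session; the extension IDs are placeholders. A domain GPO that sets the same policies overrides these local values, which is the behaviour you want.

```powershell
# Added example, not the author's or CyberCNS code: the registry form of the Chrome and Edge
# Group Policy extension settings (what the ADMX templates write), applied as local machine policy.
# Assumptions: run elevated on Windows; the extension IDs in $approved are placeholders.

function Set-BrowserExtensionAllowlist {
    param(
        [Parameter(Mandatory)] [string] $PolicyRoot,     # e.g. HKLM:\SOFTWARE\Policies\Google\Chrome
        [Parameter(Mandatory)] [string[]] $AllowedIds
    )
    $block = Join-Path $PolicyRoot 'ExtensionInstallBlocklist'
    $allow = Join-Path $PolicyRoot 'ExtensionInstallAllowlist'
    foreach ($key in $block, $allow) {
        if (Test-Path $key) { Remove-Item -Path $key -Recurse -Force }   # start from a clean list
        New-Item -Path $key -Force | Out-Null
    }
    # Blocklist entry "1" = "*" blocks every extension; the browser also disables ones already installed.
    New-ItemProperty -Path $block -Name '1' -Value '*' -PropertyType String -Force | Out-Null
    # Allowlist entries are numbered "1", "2", ... and win over the wildcard block.
    $n = 1
    foreach ($id in $AllowedIds) {
        New-ItemProperty -Path $allow -Name "$n" -Value $id -PropertyType String -Force | Out-Null
        $n++
    }
}

function Get-BrowserExtensionAllowlist {
    # Read the policy back in a form you can diff against your baseline.
    param([Parameter(Mandatory)] [string] $PolicyRoot)
    foreach ($list in 'ExtensionInstallBlocklist', 'ExtensionInstallAllowlist') {
        $key = Join-Path $PolicyRoot $list
        if (-not (Test-Path $key)) { continue }
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } |
            ForEach-Object {
                [pscustomobject]@{ Browser = Split-Path $PolicyRoot -Leaf; List = $list; Entry = $_.Name; Value = $_.Value }
            }
    }
}

$approved = @('aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa', 'bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb')   # placeholder IDs
foreach ($root in 'HKLM:\SOFTWARE\Policies\Google\Chrome', 'HKLM:\SOFTWARE\Policies\Microsoft\Edge') {
    Set-BrowserExtensionAllowlist -PolicyRoot $root -AllowedIds $approved
    Get-BrowserExtensionAllowlist -PolicyRoot $root
}

# Firefox takes the equivalent policy as one JSON string value instead of numbered entries:
#   HKLM\SOFTWARE\Policies\Mozilla\Firefox\ExtensionSettings (REG_SZ) =
#   {"*":{"installation_mode":"blocked"},"example-extension@example.com":{"installation_mode":"allowed"}}
# (the "example-extension@example.com" ID is a placeholder).
```

After running it, open chrome://policy or edge://policy and click "Reload policies"; the two lists should show as machine-level policies with status OK, and any extension not on the allowlist is disabled on the next policy refresh. Keep the allowlist short and reviewed: every ID on it is an extension you are trusting to not flip tomorrow.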

Google Admin (Chrome Browser Cloud Management) does the same job for Chrome browsers and ChromeOS devices enrolled in it.

Our CyberCNS Vulnerability Advisory Service does an amazing job of fully documenting all the browser extensions on all your devices in a way that makes it easy to visualize and manage.

It also features Application Baseline functionality, which allows you to flag endpoints that do not meet your standards, enabling you to quickly identify devices with excessive or insufficient software items, including browser extensions.

This attack vector is easy for malicious actors to exploit and hard for you to manage.

That makes it the perfect attack surface.

You must address this weakness and manage it effectively.

Failing to do so can lead to a very unfavorable outcome.

There is at least partial mitigation of this vulnerability beyond our CyberCNS Vulnerability Advisory Service offering. A SOC monitoring your network, and more specifically your firewall and cloud services like M365 or Google Workspace, can detect the anomalies a stolen session produces: unusual traffic, connections to known malicious sites, and "impossible travel" logins, where a user is signed in from your district and then, minutes later, signs in from Serbia or California.
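
The impossible-travel check itself is simple enough to see in full. The PowerShell below is an added example, not the author's code and not any SOC vendor's detection logic: it runs over a handful of constructed sign-in records shaped like the fields you would export from M365/Entra or Google Workspace sign-in logs (user, time, source IP, geolocation), orders each user's sign-ins, and flags any pair that would require travelling faster than an airliner. The users, IPs and coordinates are made up, and the 900 km/h ceiling and 100 km minimum distance are tuning choices, not standards.

```powershell
# Added example, not the author's, CyberCNS's or any SOC vendor's code: an "impossible travel"
# detector run over constructed sign-in records (user, time, IP, city, lat/lon).
# Assumptions: all records below are made up (documentation IP ranges, example.org-style users);
# 900 km/h is an airliner ceiling; 100 km ignores geolocation jitter between nearby towns.

function Get-GreatCircleKm([double]$Lat1, [double]$Lon1, [double]$Lat2, [double]$Lon2) {
    # Haversine distance on a 6371 km sphere
    $toRad = [math]::PI / 180
    $dLat  = ($Lat2 - $Lat1) * $toRad
    $dLon  = ($Lon2 - $Lon1) * $toRad
    $a = [math]::Pow([math]::Sin($dLat / 2), 2) +
         [math]::Cos($Lat1 * $toRad) * [math]::Cos($Lat2 * $toRad) * [math]::Pow([math]::Sin($dLon / 2), 2)
    return 6371.0 * 2 * [math]::Atan2([math]::Sqrt($a), [math]::Sqrt(1 - $a))
}

function Find-ImpossibleTravel {
    param(
        [Parameter(Mandatory)] [object[]] $SignIns,
        [double] $MaxSpeedKmh   = 900,   # faster than this between two sign-ins is not a human
        [double] $MinDistanceKm = 100    # ignore geolocation jitter between nearby cities
    )
    $SignIns | Group-Object User | ForEach-Object {
        $user   = $_.Name
        $events = @($_.Group | Sort-Object { [datetimeoffset]$_.Time })
        for ($i = 1; $i -lt $events.Count; $i++) {
            $prev  = $events[$i - 1]
            $cur   = $events[$i]
            $hours = ([datetimeoffset]$cur.Time - [datetimeoffset]$prev.Time).TotalHours
            $km    = Get-GreatCircleKm $prev.Lat $prev.Lon $cur.Lat $cur.Lon
            $speed = if ($hours -gt 0) { $km / $hours } else { [double]::PositiveInfinity }
            if ($km -ge $MinDistanceKm -and $speed -gt $MaxSpeedKmh) {
                [pscustomobject]@{
                    User      = $user
                    From      = "$($prev.City) ($($prev.Ip))"
                    To        = "$($cur.City) ($($cur.Ip))"
                    Km        = [math]::Round($km)
                    Hours     = [math]::Round($hours, 2)
                    KmPerHour = [math]::Round($speed)
                    Verdict   = 'IMPOSSIBLE TRAVEL: treat the session as stolen, revoke tokens, reset credentials'
                }
            }
        }
    }
}

# Constructed sign-in records (not real users, IPs or events).
$signIns = @(
    [pscustomobject]@{ User = 'alice@district.example'; Time = '2025-07-28T08:05:00Z'; Ip = '203.0.113.10'; City = 'Albany, NY';      Lat = 42.65; Lon = -73.75 }
    [pscustomobject]@{ User = 'alice@district.example'; Time = '2025-07-28T09:10:00Z'; Ip = '198.51.100.7'; City = 'Belgrade, RS';    Lat = 44.79; Lon = 20.47 }
    [pscustomobject]@{ User = 'bob@district.example';   Time = '2025-07-28T08:00:00Z'; Ip = '203.0.113.11'; City = 'Albany, NY';      Lat = 42.65; Lon = -73.75 }
    [pscustomobject]@{ User = 'bob@district.example';   Time = '2025-07-28T12:00:00Z'; Ip = '203.0.113.99'; City = 'Buffalo, NY';     Lat = 42.89; Lon = -78.88 }
    [pscustomobject]@{ User = 'carol@district.example'; Time = '2025-07-28T10:00:00Z'; Ip = '203.0.113.12'; City = 'Albany, NY';      Lat = 42.65; Lon = -73.75 }
    [pscustomobject]@{ User = 'carol@district.example'; Time = '2025-07-28T10:30:00Z'; Ip = '192.0.2.44';   City = 'Los Angeles, CA'; Lat = 34.05; Lon = -118.24 }
)
Find-ImpossibleTravel -SignIns $signIns | Format-Table -AutoSize
```

On this data alice (Albany to Belgrade in about an hour) and carol (Albany to Los Angeles in thirty minutes) are flagged; bob's four-hour drive to Buffalo is not. The point of the stolen-token case is that the attacker's sign-in is fully authenticated and passes MFA, so this kind of behavioural check on the sign-in log is what catches it; the response for a flagged user is to revoke every session (Revoke-MgUserSignInSession in the Microsoft Graph module does this for M365), reset the password, and then find the browser the token came from.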

If you'd like to explore a more effective way to address this significant weakness in your overall cyber defense strategy, please give us a call.

Scott Quimby

Senior Technical Advisor, vCISO, CISSP