"In order to set, read or delete these keys, all the attacker has to do is log in with the same account to Google, in another Chrome browser (and this can be a throwaway account), and they can communicate with the Chrome browser in the victim's network by abusing Google's infrastructure," he said.ĭata stored in the key field could be anything, Zdrnja said. Malicious code found in the extension suggested that the attacker was using the malicious add-on to create a text-based field to store token keys, which would then be synced to Google cloud servers as part of the sync feature. "While they also wanted to extend their access, they actually limited activities on this workstation to those related to web applications, which explains why they dropped only the malicious Chrome extension, and not any other binaries," Zdrnja said in a report published on Thursday.
Zdrnja said the goal of this particular attacker was to use the extension to "manipulate data in an internal web application that the victim had access to." The extension, which posed as a security add-on from security firm Forcepoint, contained malicious code that abused the Chrome sync feature as a way to allow attackers to control the infected browser. Zdrnja said that in the incident he investigated, attackers gained access to a victim's computer, but because the data they wanted to steal was inside an employee's portal, they downloaded a Chrome extension on the user's computer and loaded it via the browser's Developer Mode. Chrome sync feature was recently abused in the wildīojan Zdrnja, a Croatian security researcher, said on Thursday that during a recent incident response, he discovered that a malicious Chrome extension was abusing the Chrome sync feature as a way to communicate with a remote command and control (C&C) server and as a way to exfiltrate data from infected browsers. The feature is used to sync these details between a user's different devices, so the user always has access to his most recent Chrome data wherever they go. Threat actors have discovered they can abuse the Google Chrome sync feature to send commands to infected browsers and steal data from infected systems, bypassing traditional firewalls and other network defenses.įor non-Chrome users, Chrome sync is a feature of the Chrome web browser that stores copies of a user's Chrome bookmarks, browsing history, passwords, and browser and extension settings on Google's cloud servers. We review Apple's M1 Ultra-powered Mac StudioĬan digital dollars be as anonymous as cash? Ukrainian developers share stories from the war zone
When the boss gets angry at employees' Teams habits
0 kommentar(er)
