Rewterz Threat Alert – Jigsaw Ransomware Resurrected in a Lokibot Phishing Campaign
May 4, 2020
Severity
Medium
Analysis Summary
Last week, a security researcher published a proof-of-concept Chrome extension that turns Chrome browsers into proxy bots, allowing hackers to navigate the web using an infected user’s identity. The tool, named CursedChrome, was created by security researcher Matthew Bryant, and released on GitHub as an open-source project. It consists of a client-side component (the Chrome extension itself) and a server-side counterpart (a control panel where all CursedChrome bots report).
Once the extension has been installed on a few browsers, the attacker can log into the CursedChrome control panel and establish a connection to each infected host. The link between the extension and the control panel is a plain WebSocket connection over which the infected browser acts as a classic HTTP reverse proxy. This means that once the attacker has connected to an infected host, they can browse the web through the infected browser, and by doing so ride the victim's logged-in sessions and online identities into areas they could not otherwise reach, such as intranets or enterprise apps.
Weaponizing CursedChrome requires that the attacker either (1) get the extension onto the Chrome Web Store and trick users into installing it, or (2) install it via an enterprise policy or through Chrome's developer mode. The second scenario requires that the attacker already have access to the company's network and endpoints, by which point they already control those machines and everything on them anyway.
Impact
- Hijacking of logged-in sessions
- Authentication bypass
- Information Theft
Remediation
- Strictly control what employees can install in their browsers.
- IT admins can use Chrome Galvanizer to allow or block Chrome extensions' access to specific URLs and the data on them. It generates enterprise policies that can be deployed to all of a company's workstations.
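The policy the two remediation items above describe can be expressed directly with Chrome's ExtensionSettings enterprise policy: a deny-by-default install rule, an allowlist of approved extension IDs, and runtime_blocked_hosts so that even an extension that does get installed cannot reach intranet hosts from the victim's browser. The following Python is an added example written for this alert, not code from Chrome Galvanizer or from the CursedChrome project; it builds such a policy, renders it as a managed-policy JSON file, and evaluates whether a given extension may reach a given URL. The extension ID, host patterns and URLs in the usage section are constructed, and the host-pattern parser is a simplified assumption that is stricter than Chrome's own.

```python
"""Build and evaluate a Chrome ExtensionSettings managed policy.

Added example, not Chrome Galvanizer's code: it produces the same kind of
policy that tool generates (an install allowlist plus runtime host blocks),
so a sideloaded or Web Store-delivered extension cannot proxy requests to
intranet hosts through the victim's browser.
"""
import json
import re
from urllib.parse import urlsplit

# Chrome extension IDs are 32 characters drawn from the range a-p.
EXTENSION_ID = re.compile(r"^[a-p]{32}$")
# Simplified form of the host patterns Chrome accepts in runtime_*_hosts:
# scheme (or *) :// optional "*." prefix, then a hostname. Assumption: this
# is stricter than Chrome's own parser, which also accepts ports.
HOST_PATTERN = re.compile(r"^(\*|https?|wss?|ftp)://(\*\.)?[A-Za-z0-9.-]+$")


def build_extension_settings(allowed_ids, blocked_hosts, allowed_hosts=(),
                             message="Extension installs are managed by IT."):
    """Return the ExtensionSettings dict: deny-by-default installs, the
    allowlisted IDs, and the intranet hosts no extension may talk to."""
    for ext_id in allowed_ids:
        if not EXTENSION_ID.match(ext_id):
            raise ValueError(f"bad extension id: {ext_id}")
    for host in list(blocked_hosts) + list(allowed_hosts):
        if not HOST_PATTERN.match(host):
            raise ValueError(f"bad host pattern: {host}")
    default = {
        "installation_mode": "blocked",          # anything not listed below
        "blocked_install_message": message,
        "runtime_blocked_hosts": list(blocked_hosts),
    }
    if allowed_hosts:
        # Exceptions carved out of the block list (e.g. a public SSO host)
        default["runtime_allowed_hosts"] = list(allowed_hosts)
    settings = {"*": default}
    for ext_id in allowed_ids:
        settings[ext_id] = {"installation_mode": "allowed"}
    return settings


def render_policy(settings):
    """JSON for a managed policy file, e.g. one placed under
    /etc/opt/chrome/policies/managed/ on Linux; Windows takes the same
    ExtensionSettings object as a JSON string in the Chrome policy key."""
    return json.dumps({"ExtensionSettings": settings}, indent=2, sort_keys=True)


def _host_matches(pattern, scheme, host):
    """Match one runtime host pattern against a URL's scheme and host.
    Assumption: "*.example.com" covers example.com and its subdomains, as
    in extension match patterns."""
    p_scheme, p_host = pattern.split("://", 1)
    if p_scheme != "*" and p_scheme != scheme:
        return False
    if p_host.startswith("*."):
        bare = p_host[2:]
        return host == bare or host.endswith("." + bare)
    return host == p_host


def extension_may_reach(settings, ext_id, url):
    """Decide whether an extension may interact with url under the policy.
    Assumption: per-extension runtime lists override the "*" defaults and
    allowed hosts win over blocked hosts, as Chrome documents."""
    default = settings["*"]
    scope = settings.get(ext_id, default)
    blocked = scope.get("runtime_blocked_hosts", default.get("runtime_blocked_hosts", []))
    allowed = scope.get("runtime_allowed_hosts", default.get("runtime_allowed_hosts", []))
    parts = urlsplit(url)
    scheme, host = parts.scheme, (parts.hostname or "").lower()
    if any(_host_matches(p, scheme, host) for p in allowed):
        return True
    return not any(_host_matches(p, scheme, host) for p in blocked)


if __name__ == "__main__":
    # Constructed sample: one approved extension, two internal name spaces.
    approved = ["aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"]
    policy = build_extension_settings(
        approved,
        blocked_hosts=["*://*.corp.example", "*://intranet.example.com"],
        allowed_hosts=["https://sso.corp.example"],
    )
    print(render_policy(policy))
    for target in ("https://wiki.corp.example/page", "https://sso.corp.example/login",
                   "http://intranet.example.com/", "https://www.example.org/"):
        print(target, "->", "allowed" if extension_may_reach(policy, approved[0], target) else "blocked")
```

An extension that is not in the allowlist cannot be installed at all; one that is still cannot read or proxy traffic to the blocked hosts, which is the precise capability CursedChrome depends on. Re-run the policy through a browser's chrome://policy page after deployment to confirm it is applied and error-free.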