• Services
    • Assess
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Transform
      • SOC Consultancy
      •     SOC Maturity Assessment
      •     SOC Model Evaluation
      •     SOC Gap Analysis
      •     SIEM Gap Analysis
      •     SIEM Optimization
      •     SOC Content Pack
    • Train
      • Security Awareness and Training
      • Tabletop Exercise
      • Simulated Cyber Attack Exercises
    • Respond
      • Incident Response
      • Incident Analysis
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Press Release
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
Rewterz Threat Alert – Jigsaw Ransomware Resurrected in a Lokibot Phishing Campaign
May 4, 2020
Rewterz Threat Alert – Cerberus Variant Using MDM As Infection Vector
May 4, 2020

Rewterz Threat Alert – CursedChrome Extension Turns Browser into a Hacker’s Proxy

May 4, 2020

Severity

Medium

Analysis Summary

Last week, a security researcher published a proof-of-concept Chrome extension that turns Chrome browsers into proxy bots, allowing hackers to navigate the web using an infected user’s identity. The tool, named CursedChrome, was created by security researcher Matthew Bryant, and released on GitHub as an open-source project. It consists of a client-side component (the Chrome extension itself) and a server-side counterpart (a control panel where all CursedChrome bots report).

cursedchrome-diagram.png

Once the extension has been installed on a few browsers, the attacker can log into the CursedChrome control panel and establish a connection to each infected host. The link between the extension and the control panel is a simple WebSocket connection that works as a classic HTTP reverse proxy. This means that once the attacker has connected to an infected host, they can then navigate the web using the infected browser, and by doing so, hijack logged-in sessions and online identities to access forbidden areas, such as intranets or enterprise apps. 
Weaponizing CursedChrome requires that attackers either (1) host the extension on the Chrome Web Store or (2) install it via an enterprise policy or via Chrome’s developer mode. The second scenario requires the attacker have access to a company’s network, by which point they already have full control and access to everything else anyway.

Impact

  • Hijacking of logged-in sessions
  • Authentication bypass
  • Information Theft

Remediation

  • Strictly control what employees can install in their browsers.
  • IT admins can use Chrome Galvanizer to allow or block Chrome extensions from accessing certain URLs and the data associated with it. It generates enterprise policies that can be installed on all of a company’s workstations.
  • Services
    • Assess
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Respond
      • Incident Response
      • Incident Analysis
  • Transform
    • SOC Consultancy
    •     SOC Maturity Assessment
    •     SOC Model Evaluation
    •     SOC Gap Analysis
    •     SIEM Gap Analysis
    •     SIEM Optimization
    •     SOC Content Pack
  • Train
    • Security Awareness and Training
    • Tabletop Exercise
    • Simulated Cyber Attack Exercises
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.