Malicious Browser Extensions: Why They Could Be the Next Big Cybersecurity Headache

essidsolutions

Browsers are one of the most used methods of accessing organization and personal online resources. As more resources move to the cloud, the use of browsers to access sensitive information steadily increases. Attackers often take advantage of this via the use of malicious browser extensions. Managing extension use across an organization is a critical part of any security program.

What Are Browser Extensions?

Browser extensions are small blocks of code that run in the browser. They provide additional functionality to users. Some extensions, like uBlock Origin, help protect users.

Users usually download extensions from official browser provider sites. These include the Google Chrome Web Store, Mozilla Firefox Browser Add-ons, and Microsoft Edge Add-ons. Extensions are also downloaded from other sites, including those infected with malware that installs malicious extensions without the users' knowledge.

Google, Mozilla, and Microsoft try to prevent hosting malicious extensions. However, the processes used are not perfect, and attackers can sometimes bypass vendor security processes. When users install malicious extensions, personal and business-sensitive information becomes available to cyber-criminals. Attackers can install malicious extensions in two ways: via download from official browser extension sites and via drive-by downloads.

A Downloadable Malicious Extension

One recent malware included in extensions is CacheFlow. Jessica Haworth writes that attackers used CacheFlow in Google Chrome and Microsoft Edge extensions for at least three years. The attack, documented by Avast, likely affected more than three million users who downloaded infected extensions. Figure 1 is from a blog by Jan Vojtesek and Jan Rubin. It details how the CacheFlow attack works.

Figure 1 (from Decoded.avast.io)

The CacheFlow extension attack collects users’ personal information and redirects them to malicious sites. Vojtesek and Rubin list the extensions found to include the CacheFlow malware. They have been removed from both the Microsoft and the Chrome extension download sites.

While the CacheFlow attackers relied on users downloading infected extensions from official browser sites, other infected extensions are installed by attackers when users visit a malicious or infected website.


Drive-by Malicious Extension

Another recent attack did not rely on users to download infected extensions. Instead, attackers dropped a malicious extension directly into users' browsers. Tara Seals writes that the attack targeted Chrome with a fake extension called Forcepoint Endpoint Chrome Extension for Windows. Using the Forcepoint logo, it appears to be a legitimate extension.

The attackers drop the extension into a folder on the user's computer and then install it into Chrome. The user is not notified of the installation. Once installed, the extension connects to the attacker's C&C server. It then starts to steal email content and user access tokens.

In this article, MITRE lists other identified browser extension malware.

Malicious Extension Defense

Three approaches for managing extensions include training users, managing extension installation, and discovering and managing installed extensions.

1. User training

One way to prevent the download of malicious extensions is to write a policy addressing what extensions users may install in their browsers. The organization then relies on training and user behavior to prevent extension infections. Reliance on user behavior should be the last line of defense for any information resource.

2. Manage extension installation

Firefox allows administrators to disable the installation of any extensions via the Windows registry and group policy. Tony Perez supplies detailed steps for managing Firefox extensions within the Windows registry.

Mozilla publishes group policy templates for setting a variety of Firefox settings. Extension whitelisting and blacklisting capabilities are also provided by downloading the Mozilla policy templates from GitHub. Be aware that the GitHub site includes a warning about compatibility with newer versions of Firefox.

Managing Chrome and Edge (Chromium) extensions does not require downloading any policy templates. Perez writes that an admin can block all extensions, use a blacklist to block known malicious extensions, or use a whitelist approach. The use of group policy is the best approach for Edge. Using the Edge policy, an admin can whitelist or blacklist extensions. The admin can also force the installation of required extensions.

In addition to using group policy, Chrome Enterprise enables centralized management of extensions. Extensions and other Chrome settings apply to users or enrolled browsers. Microsoft Intune provides centralized management for Edge extensions.
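The block-all, whitelist, and force-install approach described above maps onto three Chromium policies (ExtensionInstallBlocklist, ExtensionInstallAllowlist, ExtensionInstallForcelist, the current names of the blacklist/whitelist policies) under the browser's policy key in HKLM. The following script, added here as an illustration and not taken from the article or from any vendor tool, generates a .reg file for Chrome or Edge from an allowlist; the extension IDs used in the test are constructed placeholders, not real extensions.

```python
import re

# Policy roots and Forcelist update URLs for the two Chromium browsers discussed above.
POLICY_ROOTS = {
    "chrome": r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome",
    "edge": r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge",
}
UPDATE_URLS = {
    "chrome": "https://clients2.google.com/service/update2/crx",
    "edge": "https://edge.microsoft.com/extensionwebstorebase/v1/crx",
}
# Chromium extension IDs are 32 lowercase letters in the range a-p.
EXT_ID_RE = re.compile(r"^[a-p]{32}$")


def is_valid_id(ext_id):
    return bool(EXT_ID_RE.match(ext_id))


def build_policy(browser, allowlist, forcelist=()):
    """Return .reg text: block everything, allow approved IDs, force-install mandatory ones."""
    allowlist, forcelist = list(allowlist), list(forcelist)
    bad = [i for i in allowlist + forcelist if not is_valid_id(i)]
    if bad:
        raise ValueError(f"malformed extension id(s): {bad}")
    root = POLICY_ROOTS[browser]
    lines = ["Windows Registry Editor Version 5.00", ""]
    # "*" in the blocklist denies every extension that is not explicitly allowed or forced.
    lines += [f"[{root}\\ExtensionInstallBlocklist]", '"1"="*"', ""]
    lines.append(f"[{root}\\ExtensionInstallAllowlist]")
    lines += [f'"{n}"="{i}"' for n, i in enumerate(allowlist, 1)] + [""]
    if forcelist:
        # Forcelist entries are "<id>;<update url>"; the Forcelist takes precedence over the blocklist.
        lines.append(f"[{root}\\ExtensionInstallForcelist]")
        lines += [f'"{n}"="{i};{UPDATE_URLS[browser]}"' for n, i in enumerate(forcelist, 1)] + [""]
    return "\n".join(lines)
```

The same three policies are exposed as Group Policy settings in the Chrome and Edge administrative templates, so the generated file is mainly useful for review, lab testing, or machines outside the domain.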

These extension installation management recommendations are excellent ways to prevent further installations of unwanted extensions. Many organizations, however, will have to manage extensions users have already installed. One way is to reimage all user devices, but this is not practical for larger businesses.

3. Extension discovery

As part of managing extensions, businesses must understand what is installed and manage extensions known to be malicious or questionable for business use. NirSoft's BrowserAddonsView allows security teams to scan each Windows workstation to find all extensions installed across Chrome, Firefox, and Edge browsers.

BrowserAddonsView is a workable solution for organizations to spot check problematic devices for problem extensions. For organizations with sufficient resources, it can also be part of an overall effort to remove all extensions not on their extension whitelist.

A centralized discovery solution for Chrome is Chrome Enterprise. In addition to managing what users can install, it also shows admins what is already installed. Per Larsen writes about how admins can use Microsoft Intune to discover installed extensions for Edge.

Another centralized discovery tool is BetterCloud. Among other useful management tools, this SaaS solution allows security teams to understand what extensions are installed throughout an enterprise on multiple operating systems.


Assessing Extension Risk

Organizations also need a tool to understand the risk associated with installed extensions, or to assess an extension before adding it to a Chrome whitelist. CRXcavator by Duo Security (now part of Cisco) is a free tool that enables this. A security analyst can enter either an extension name or an extension ID to execute the analysis. See Figure 2.

Figure 2
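The discovery step (section 3) and the first pass of the risk assessment just described can be combined in a small inventory script. The following is an added example, not code from the article, NirSoft, or Duo: it walks the Chromium profile layout (User Data\<Profile>\Extensions\<id>\<version>\manifest.json, a path structure assumed here for Chrome and Edge on Windows), resolves localised names from _locales, and flags extensions that are off the whitelist or request permissions a token-stealing extension would need. The HIGH_RISK set is the author's own triage choice and the sample manifest is constructed.

```python
import json
from pathlib import Path

# Per-user profile roots of the Chromium browsers discussed above (Windows, assumed).
CHROMIUM_ROOTS = {
    "chrome": r"%LOCALAPPDATA%\Google\Chrome\User Data",
    "edge": r"%LOCALAPPDATA%\Microsoft\Edge\User Data",
}
# Permissions/host patterns that warrant review (an assumption, not a vendor list).
HIGH_RISK = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*", "webRequest",
             "webRequestBlocking", "cookies", "tabs", "history", "clipboardRead",
             "nativeMessaging", "debugger", "proxy"}


def analyse_manifest(ext_id, manifest, messages=None):
    """Turn one manifest.json (as a dict) into an inventory record with a risk flag."""
    name = manifest.get("name", "")
    # Web Store extensions often localise the name as __MSG_key__ via _locales/*/messages.json.
    if name.startswith("__MSG_") and name.endswith("__") and messages:
        name = messages.get(name[6:-2], {}).get("message", name)
    raw = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):   # injected pages count too
        raw += script.get("matches", [])
    perms = {p for p in raw if isinstance(p, str)}       # skip non-string entries
    return {"id": ext_id, "name": name, "version": manifest.get("version", ""),
            "risky_permissions": sorted(perms & HIGH_RISK)}


def scan_profile_root(user_data_dir):
    """Walk <User Data>/<Profile>/Extensions/<id>/<version>/manifest.json on disk."""
    records = []
    for mp in Path(user_data_dir).glob("*/Extensions/*/*/manifest.json"):
        manifest = json.loads(mp.read_text(encoding="utf-8-sig"))
        loc = mp.parent / "_locales" / manifest.get("default_locale", "en") / "messages.json"
        messages = json.loads(loc.read_text(encoding="utf-8-sig")) if loc.is_file() else None
        rec = analyse_manifest(mp.parents[1].name, manifest, messages)
        rec["profile"] = mp.parents[3].name
        records.append(rec)
    return records


def needs_review(records, allowlist):
    """Not on the whitelist, or whitelisted but carrying high-risk permissions."""
    return [r for r in records if r["id"] not in allowlist or r["risky_permissions"]]


# Constructed sample manifest and locale file (not a real extension) for offline use.
SAMPLE_MANIFEST = {"manifest_version": 3, "name": "__MSG_appName__", "version": "1.2.0",
                   "default_locale": "en", "permissions": ["storage", "cookies", "webRequest"],
                   "host_permissions": ["<all_urls>"]}
SAMPLE_MESSAGES = {"appName": {"message": "Example Helper"}}
```

On a workstation, call `scan_profile_root(os.path.expandvars(CHROMIUM_ROOTS["chrome"]))` and feed the records to `needs_review` with the organisation's whitelist; Firefox stores its add-on inventory in a different format and is not covered here.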

Finally, organizations should standardize on a single browser. Attempting to manage extensions across multiple browsers will take up more resources than necessary. Further, several browsers do not have centralized or individual workstation management tools to prevent or allow the installation of extensions, or to understand what extensions are installed.

Conclusion

As browser use for running a business increases, browsers and their extensions become more appealing as attack vectors. Organizations must include extension management in their risk management processes. This includes standardizing on one or two browsers that are centrally managed, understanding what extensions are installed, and controlling extension installation.

What steps have you taken to mitigate the risks of malicious browser extensions? Comment below or let us know on LinkedIn, Twitter, or Facebook. We would love to hear from you!