
In this episode, we delve into the latest cybersecurity threats and developments. We cover a new double click exploit that bypasses browser protections and a massive compromise affecting millions of Chrome users through infected extensions....
Jim Love
A new double-click exploit bypasses browser protections. Another compromise affects extensions downloaded by millions of Chrome users. U.S. Treasury workstations were breached in an attack linked to Chinese hackers, and CrowdStrike bounces back from the largest IT outage in history. This is Cybersecurity Today. I'm your host, Jim Love. As Elvis once said, it's good to be back.

If you use Google Chrome or any browser really, you might want to think twice before you double click. Security researchers are warning of two alarming hacks making the rounds right now, both of which exploit users' trust in everyday browser operations. This holiday season, cybersecurity researchers at Cyberhaven discovered that its own Chrome extension had been compromised through a vulnerability in Chrome's developer authentication system. Ironically, Cyberhaven's extension is supposed to enhance security by preventing users from entering sensitive information. But Cyberhaven was only one of the developers affected. Attackers spear-phished extension developers, stealing credentials and uploading malicious versions of popular browser add-ons. And at least 33 extensions were infected, hitting an estimated 2.6 million devices. The malicious updates automatically install, meaning users didn't need to do anything but open Chrome. John Tuckner, founder of Secure Annex, reports the attackers relied on custom lookalike domains. He said the same group likely compromised at least 19 other extensions, leading to a total of 1.46 million suspicious downloads. In a separate development, application security researcher Paulos Yibelo uncovered a brand new double clickjacking exploit that doesn't rely on specific browsers like Chrome. It can also strike Edge and Safari, essentially anywhere you double click. Traditional clickjacking was largely blocked by modern browsers, which layer in security to prevent invisible iframes from capturing clicks. But Yibelo found that by timing two clicks in quick succession, hackers can slip in malicious authorizations without users even knowing. This might trick you into granting permissions you didn't realize you were giving or disabling security settings in the blink of an eye. Together, these discoveries highlight a major challenge for browser security. Whether it's malicious extensions leveraging trusted developer credentials or invisible popups waiting for a double click, attackers are finding creative ways around existing defenses. The double clickjack effectively reopens a clickjacking threat surface that many believed was dead. Meanwhile, the extension hijacks show how something you trust, like a well-known plugin, can turn against you once a developer's account is compromised. Experts are saying organizations should consider stricter browser extension controls, using so-called asset management lists that allow only pre-approved add-ons. And until in-browser mitigations are released, you somehow have to get the message out to be cautious with double-click actions, especially if a prompt seems unusual or appears to come out of nowhere. Apple, Google and Microsoft have yet to issue detailed fixes for double clickjacking, but I'm betting all of them are investigating solutions.

A major cybersecurity incident has hit the U.S. Department of the Treasury, where attackers reportedly stole certain unclassified documents after gaining unauthorized access to Treasury workstations. Treasury officials say that the operation bears the hallmarks of a Chinese state-sponsored hacking group, marking yet another supply chain breach targeting the U.S. government. The attack focused on a remote support key issued by BeyondTrust, a third-party service provider. On December 8, BeyondTrust notified the Treasury that a threat actor had obtained a key used to secure cloud-based technical support for Treasury workstations. Armed with that stolen key, the attackers bypassed normal security procedures and made off with unclassified data before the breach was detected. Treasury labeled the incident major and attributed it to a Chinese state-sponsored advanced persistent threat, or APT, actor. While the data accessed was unclassified, the implications are still significant. Attackers could be gathering intelligence, laying groundwork for future operations, or testing the resilience of government defenses. The breach underscores the risks of third-party software in the federal tech stack. When a vendor's security fails, it can provide hackers with an open door to U.S. government systems. Treasury says it's taken the affected service offline. The Cybersecurity and Infrastructure Security Agency (CISA), the FBI and intelligence agencies are investigating along with forensic experts. BeyondTrust, for its part, found suspicious behavior on December 2, confirmed it three days later and revoked the compromised key. The company has patched two new vulnerabilities, one critical and one medium, and is providing updates as the investigation continues. A 30-day supplemental report from Treasury is expected to reveal more about how the attackers breached the system and how widespread the impact may be. The incident follows reports from before Christmas of how Chinese hackers had infiltrated U.S. telecommunications systems, and other stories about how deeply hackers have penetrated other key infrastructure. The Wall Street Journal reported that the Chinese hack last year compromised even more U.S. telecoms than previously known. In addition to AT&T and Verizon, the hackers got into Lumen and T-Mobile. According to the same story, hackers also exploited unpatched network devices from security vendor Fortinet and compromised large network routers from Cisco Systems. The big question: Are these breaches a rehearsal for something even more disruptive?

And on the good news front, CrowdStrike has staged a remarkable comeback just months after causing what some called the biggest IT meltdown ever. The cybersecurity company recently regained more than $30 billion in market value that it lost when a routine software update went horribly wrong in July. Just to refresh you on the story, CrowdStrike, known for protecting some of the biggest names in finance, healthcare and aviation, pushed out an update to its flagship Falcon security software. Almost immediately, millions of Windows PCs and servers started crashing, leaving airline passengers stranded, hospital appointments canceled, broadcasters thrown off the air. It was so massive that U.S. House Homeland Security Committee Chair Mark Green dubbed it the largest IT outage in history. For a while, things looked really grim for CrowdStrike. Their share price dropped by more than a third, and yet CEO George Kurtz insists customer trust didn't take a permanent hit. He told the Financial Times, "customers are staying with us," and reported one client comparing this to the experience of a broken bone that heals stronger. There's no doubt that after the initial stumbles, I'm certain there were a ton of lawyers who were freaking out. But CrowdStrike went for total honesty. They admitted their error, made a complete apology, and gave what one analyst called a master class in terms of owning up to the incident. What a novel concept for business, eh? Be honest, admit mistakes, people will trust you. That's not to say everybody's happy. Delta Airlines said the fiasco cost more than $500 million, leading to the airline suing CrowdStrike. CrowdStrike's lawyers argue that their responsibility is capped by contract terms and have pushed back against the scale of Delta's claims. So despite all this, CrowdStrike reported impressive earnings for the quarter, bringing in about $1 billion in revenue, a 29% increase compared with the same period last year. And it kept 97% of its customers, according to analysts. It's more evidence that big enterprises consider CrowdStrike too essential to ditch over a single, even if painful, crisis. Or maybe they think that CrowdStrike's learned its lesson and it may be more risky to go to somebody who hasn't. Also, interestingly, some point the blame towards Microsoft's Windows operating system. Unlike Apple's macOS, which blocks outside access to the core software kernel, Windows let CrowdStrike's update in deep enough to cause wide-scale damage. That's sparked fresh debates about how much access third-party security tools should have. Looking ahead, CrowdStrike's next real test comes in the fourth quarter, when many big contracts are up for renewal. The company has already doled out 60 million in what it calls customer commitment packages. Think free subscription extensions, add-on features, just to maintain goodwill. And given how intertwined CrowdStrike tools can be once they're in place, most analysts still don't see a mass exodus. So for now, CrowdStrike seems to have pulled off the turnaround story of 2024. There is a question about whether it can keep this momentum going. But maybe even more important, once we take the focus off CrowdStrike and what was surely a stupid error, we need to think about how fragile our interconnected systems are and how dependent we are on them. And maybe, just maybe, start thinking about how we can make them more resilient.

That's our show for today. You can find links to reports and other details in the show notes at technewsday.com. Check it out. We have a cool new look for our podcast page. We welcome your comments, tips, and the occasional bit of constructive criticism at editorial@technewsday.ca. I'm your host, Jim Love. Thanks for listening.
Cybersecurity Today: Browser Exploits, U.S. Treasury Breach & CrowdStrike's Comeback – Summary
Podcast Title: Cybersecurity Today
Host: Jim Love
Episode: Monday, January 6, 2024
Release Date: January 6, 2025
In the January 6, 2024 episode of Cybersecurity Today, host Jim Love delves into pressing cybersecurity issues impacting businesses and governmental institutions. The episode covers significant browser exploits, a major breach at the U.S. Department of the Treasury, and CrowdStrike’s remarkable recovery from an unprecedented IT outage. Love offers analysis, expert opinions, and actionable advice for securing organizations in a perilous digital landscape.
Jim Love opens the discussion by highlighting severe vulnerabilities in commonly used browsers, particularly focusing on Google Chrome. He remarks:
"If you use Google Chrome or any browser really, you might want to think twice before you double click." – [00:00]
Key Points:
Discovery of Compromised Extensions: During the holiday season, Cyberhaven's security researchers unearthed a compromise in their Chrome extension. This extension, designed to bolster security by preventing users from entering sensitive information, was exploited due to a vulnerability in Chrome's developer authentication system.
Scope of the Breach: Cyberhaven was not alone; at least 33 popular browser extensions were infected, affecting approximately 2.6 million devices. The attackers executed a spear-phishing campaign targeting extension developers, stealing credentials to upload malicious versions seamlessly. Consequently, users were unknowingly exposed as the malicious updates installed automatically upon opening Chrome.
Expert Insight: John Tuckner, founder of Secure Annex, explains the sophistication of the attack:
"The attackers relied on custom lookalike domains... likely compromising at least 19 other extensions, leading to a total of 1.46 million suspicious downloads." – [00:05]
The conversation shifts to a novel double clickjacking exploit uncovered by security researcher Paulos Yibelo. Unlike traditional clickjacking, which relies on invisible iframes that modern browsers block, this new method works across multiple browsers, including Chrome, Edge, and Safari.
Key Points:
Mechanism of Attack: By timing two clicks in rapid succession, attackers can insert malicious authorizations without user awareness. This tactic can trick users into granting unintended permissions or altering security settings instantaneously.
Implications for Browser Security: These developments underscore a significant challenge for browser security, where trusted extensions and seemingly benign user actions like double-clicking can be exploited creatively by attackers.
Jim Love's Commentary:
"The double clickjack effectively reopens a clickjacking threat surface that many believed was dead." – [00:10]
In response to these threats, cybersecurity experts advocate for enhanced browser extension controls. Suggestions include implementing asset management lists that restrict extensions to pre-approved add-ons and increasing user awareness regarding suspicious double-click actions.
"Organizations should consider stricter browser extension controls... be cautious with double click actions, especially if a prompt seems unusual or appears to come out of nowhere." – [00:15]
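One way to enforce the pre-approved add-on list recommended above on managed Chrome installs is Chrome's enterprise ExtensionSettings policy, which blocks every extension by default and then allows or force-installs specific IDs. This is an added example, not from the episode or from any vendor named in it; the two 32-character extension IDs are placeholders, and the file is assumed to be dropped in /etc/opt/chrome/policies/managed/ on Linux (Windows and macOS deliver the same policy through GPO or configuration profiles).

```json
{
  "ExtensionSettings": {
    "*": {
      "installation_mode": "blocked",
      "blocked_install_message": "Only extensions approved by IT may be installed. Contact the help desk to request one."
    },
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
      "installation_mode": "allowed"
    },
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
      "installation_mode": "force_installed",
      "update_url": "https://clients2.google.com/service/update2/crx"
    }
  }
}
```

An allowlist limits which extensions can be present, but it does not inspect updates: an approved extension whose developer account is compromised, as in the campaign described above, still updates automatically, so the list should be paired with monitoring of extension versions and permission changes.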
The episode transitions to a significant cybersecurity incident involving the U.S. Department of the Treasury. Attackers gained unauthorized access to Treasury workstations, leading to the theft of unclassified documents.
Key Points:
Method of Attack: On December 8, BeyondTrust, a third-party service provider, alerted the Treasury to the breach. Attackers had obtained a remote support key, enabling them to bypass standard security protocols and exfiltrate data before the breach was detected.
Attribution: Treasury officials have attributed the attack to a Chinese state-sponsored advanced persistent threat (APT) group, marking a continuation of supply chain breaches targeting U.S. government entities.
"Treasury labeled the incident major and attributed it to a Chinese state-sponsored advanced persistent threat or APT actor." – [00:20]
Although the stolen data was unclassified, the breach raises concerns about intelligence gathering, future operation groundwork, and the robustness of government cybersecurity defenses.
Expert Insights:
Risks of Third-Party Software: The incident highlights the vulnerabilities inherent in third-party service providers within the federal tech infrastructure. A single compromised vendor can offer a gateway to sensitive governmental systems.
Government Response: The Treasury has taken affected services offline, while the Cybersecurity and Infrastructure Security Agency (CISA), FBI, and intelligence agencies collaborate with forensic experts to investigate the breach.
"The breach underscores the risks of third-party software in the federal tech stack." – [00:25]
This incident adds to a series of reported cyber infiltrations, including the compromise of U.S. telecommunications systems by Chinese hackers. The Wall Street Journal reported extensive breaches involving major telecom operators like AT&T, Verizon, Lumen, and T-Mobile, as well as exploitation of unpatched network devices from Fortinet and Cisco Systems.
"The big question: Are these breaches a rehearsal for something even more disruptive?" – [00:30]
Jim Love discusses CrowdStrike’s recent turmoil caused by a catastrophic IT outage following a flawed software update.
Key Points:
"It was so massive that U.S. House Homeland Security Committee Chair Mark Green dubbed it the largest IT outage in history." – [00:35]
Despite the severity of the outage, CrowdStrike has demonstrated resilience and transparency in its recovery efforts.
Key Points:
Transparency and Accountability: CEO George Kurtz maintained that customer trust remained intact, asserting:
"Customers are staying with us and reported one client, comparing this to the experience of a broken bone that heals stronger." – [00:40]
Market Recovery: Remarkably, CrowdStrike has reclaimed over $30 billion in market value lost during the outage. The company reported a 29% increase in quarterly revenue, reaching approximately $1 billion, and retained 97% of its customers.
Legal and Operational Challenges: CrowdStrike faces legal action from Delta Airlines, which says the outage cost it more than $500 million; CrowdStrike’s lawyers argue that its liability is capped by contract terms and have pushed back against the scale of Delta’s claims.
"CrowdStrike went for total honesty... no doubt that after the initial stumbles, there were a ton of lawyers who were freaking out." – [00:45]
Analysts believe that CrowdStrike's essential role in enterprise security and its handling of the crisis have prevented a mass customer exodus. Additionally, debate has emerged over how much access third-party security tools should have to the operating system, with some attributing the extent of the damage to the kernel-level access Microsoft’s Windows grants such tools, in contrast to Apple’s macOS, which blocks outside access to the kernel.
"There's a question about whether it can keep this momentum going... how fragile our interconnected systems are and how dependent we are on them." – [00:50]
CrowdStrike’s upcoming evaluations in the fourth quarter, coupled with customer renewal cycles and commitment packages, will be critical in determining the company’s sustained recovery and market position.
Jim Love wraps up the episode by reflecting on the intricate vulnerabilities within our digital infrastructure. The discussions emphasize the need for heightened security measures, vigilant third-party management, and robust incident response strategies to navigate the evolving threat landscape effectively.
"Maybe even more important, once we take the focus off CrowdStrike and what was surely a stupid error, we need to think about how fragile our interconnected systems are and how dependent we are on them." – [00:55]
Listeners are encouraged to explore further details through the show's notes and engage with the podcast community for ongoing cybersecurity discourse.
For More Information:
Find links to reports and additional details in the show notes at technewsday.com. Share your comments, tips, and constructive criticism at editorial@technewsday.ca.
Summary prepared based on the transcript provided from the January 6, 2024 episode of Cybersecurity Today.