Podcast Summary: Talkin' About [Infosec] News, Powered by Black Hills Information Security
Episode: News 2025-03-17 - Malicious Browser Plugins will Destroy us ALL!!!!!
Release Date: March 19, 2025
Host/Authors: Black Hills Information Security Team (John, Corey, Joff, Mary, Ralph, Jeff, Bronwyn, Erica)
1. Introduction to the Episode's Main Topic
The episode kicks off with a casual conversation among the hosts, briefly touching on personal hobbies and transitioning smoothly into the primary focus: the escalating threat posed by malicious browser plugins. The discussion sets the stage for an in-depth exploration of browser security vulnerabilities and the sophisticated methods attackers employ to exploit them.
2. Malicious Browser Plugins: Risks and Techniques
Chromium Architecture and Process Separation
Jeff delves into the intricacies of Chromium-based browsers, highlighting their multi-process architecture designed to silo and protect different browser components. Despite these protections, the addition of functionalities like JavaScript and WebAssembly has inadvertently expanded the attack surface. Jeff notes, "[...] there is this web code virtual engine that kind of runs and executes a lot of this JavaScript [...] as we add additional functionality, naturally, we are going to expand the attack surface" (09:04).
Polymorphic Extensions and Plugin Impersonation
Corey and the team discuss the emergence of polymorphic browser extensions capable of impersonating legitimate plugins. Mary explains, "They can basically impersonate other extensions... it's a watering hole attack" (23:29). These malicious extensions can disable legitimate plugins and create backdoors, analogous to the Stuxnet virus's method of wrapping and forwarding legitimate functions while introducing malicious ones.
Social Engineering Tactics for Plugin Installation
The hosts emphasize the role of social engineering in deploying malicious plugins. Corey remarks, "You can just say, this is a great password manager that's free and just get 30,000 people to install it" (24:44). The ease of publishing extensions on platforms like the Chrome Web Store, coupled with ineffective reporting mechanisms, allows attackers to distribute malicious plugins widely before detection.
Comparison to Stuxnet
Jeff draws a parallel between modern browser plugin attacks and the Stuxnet virus, stating, "It's like the Stuxnet virus... they took over Siemens PLC Dynamic Link libraries" (13:12). This comparison underscores the sophistication of current browser-based attacks, which can infiltrate and manipulate trusted systems seamlessly.
Challenges in Detection and Prevention
Ralph and Mary discuss the difficulties in detecting malicious plugins within enterprise environments. Ralph points out, "A lot of your EDRs are not looking in your browser at all" (26:24), highlighting the gaps in current security solutions that treat browsers as monolithic processes, thereby missing nuanced plugin behaviors.
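The detection gap described above is partly an inventory problem: a malicious extension that impersonates or disables others needs a recognisable set of permissions. As an added example (not code from the episode or from Black Hills Information Security), the Python below triages extension manifests by those permissions; the weights, threshold and sample manifests are constructed assumptions, not a published scoring scheme.

```python
# Permissions that let an extension read or rewrite traffic, reach session
# cookies, or disable other extensions. Weights are an assumption for this
# example, chosen to rank "backdoor-capable" extensions highest.
RISKY_PERMISSIONS = {
    "management": 5,            # chrome.management can disable other extensions
    "cookies": 4,               # direct access to session cookies
    "webRequest": 3,            # observe/modify requests
    "webRequestBlocking": 3,
    "declarativeNetRequest": 3,
    "scripting": 3,             # inject scripts into pages
    "tabs": 1,
    "history": 1,
}
BROAD_HOST_PATTERNS = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")


def host_patterns(manifest):
    """Collect host match patterns from MV2 and MV3 manifest fields."""
    patterns = list(manifest.get("host_permissions", []))
    # Manifest V2 mixes host patterns into the "permissions" array.
    patterns += [p for p in manifest.get("permissions", [])
                 if "://" in p or p == "<all_urls>"]
    for cs in manifest.get("content_scripts", []):
        patterns += cs.get("matches", [])
    return patterns


def score_manifest(manifest):
    """Return (score, reasons) for one parsed manifest.json dict."""
    score, reasons = 0, []
    for perm in manifest.get("permissions", []):
        if perm in RISKY_PERMISSIONS:
            score += RISKY_PERMISSIONS[perm]
            reasons.append(f"permission:{perm}")
    if any(p in BROAD_HOST_PATTERNS for p in host_patterns(manifest)):
        score += 4
        reasons.append("broad host access")
    return score, reasons


def triage(manifests, threshold=6):
    """Return (name, score, reasons) for extensions at or above threshold."""
    flagged = []
    for m in manifests:
        score, reasons = score_manifest(m)
        if score >= threshold:
            flagged.append((m.get("name", "?"), score, reasons))
    return flagged


# Constructed sample manifests (not real extensions).
SAMPLE_MANIFESTS = [
    {"name": "Free Password Manager", "manifest_version": 3,
     "permissions": ["management", "cookies", "scripting"],
     "host_permissions": ["<all_urls>"]},
    {"name": "Tab Counter", "manifest_version": 3,
     "permissions": ["tabs"], "host_permissions": []},
]
```

In a managed fleet the same scoring can be run over the manifest.json files under each user's extensions directory and the flagged names compared against the enterprise allowlist.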
3. Security Measures and Browser Store Vulnerabilities
Critique of Chrome Web Store Security
The team criticizes the Chrome Web Store's lax security measures. Ralph states, "The Chrome Web Store is a mess... making malicious extensions is super easy" (14:37). The absence of rigorous reviews and the inefficacy of reporting mechanisms allow malicious extensions to proliferate unchecked.
Problems with Reporting Mechanisms
Corey elaborates on the ineffectiveness of existing reporting systems: "Reporting it is like a very non-effective mechanism for these" (14:37). This inefficacy enables attackers to evade detection and maintain persistence within users' browsers.
Watering Hole Attacks
Mary highlights the strategic advantage of watering hole attacks through malicious plugins: "It's a legitimate extension that just impersonates other extensions... it's a watering hole attack" (23:29). Such attacks exploit trusted channels to infiltrate broader networks without immediate suspicion.
Enterprise Management of Plugins
The discussion touches on the challenges enterprises face in managing browser plugins. Mary and Ralph note that many organizations do not enforce strict browser management policies, leading to vulnerabilities: "Most people aren't using managed browsers" (25:57).
4. Advanced MFA Bypassing Techniques
Phishing-Resistant MFA vs. Traditional MFA
The hosts examine the limitations of traditional Multi-Factor Authentication (MFA) methods in the face of advanced phishing techniques. Mary articulates, "All of these attacks rely on granting authentication tokens to an untrusted third party" (55:51). They advocate for phishing-resistant MFA solutions like Yubikeys and passkeys, which offer enhanced protection by mitigating session token theft.
Session Tokens and Their Vulnerabilities
Corey explains how session tokens, issued after MFA completion, can be exploited by attackers: "Session tokens function as authentication information and they can be stolen" (55:51). This vulnerability underscores the necessity for more robust authentication mechanisms.
Discussion on Yubikeys and Passkeys
Ralph and Mary discuss the practicality and implementation challenges of deploying Yubikeys and passkeys across organizations. They acknowledge that while effective for high-privilege accounts, widespread adoption remains limited: "We only recommend it for high privilege accounts... having a Yubikey is really overkill" (57:36).
5. Case Study: Volt Typhoon and Power Grid Compromise
Background on Volt Typhoon’s Attack
Mary presents a case study involving Volt Typhoon, a Chinese-affiliated threat actor targeting the Littleton Electric Light and Water Departments in Massachusetts. The attackers employed techniques like SMB traversal and RDP lateral movement to infiltrate the power grid: "They were just gathering data... this is the persistence part" (37:04).
Techniques Used: SMB Traversal and RDP Lateral Movement
The breach involved exploiting SMB traversal vulnerabilities and leveraging Remote Desktop Protocol (RDP) for lateral movement within the network. Mary speculates, "Are we talking Internet bound SMB traversal?... I imagine it was probably that bad" (37:04).
Importance of Network Monitoring and Solutions like Dragos
Corey and Mary emphasize the critical role of network monitoring in detecting such intrusions. Mary commends the utility for seeking Dragos' solutions through a government grant, stating, "These products are expensive because they're really advanced... it's just a cool, unique thing" (41:56). They advocate for comprehensive security architectures to prevent and mitigate such sophisticated attacks.
6. Miscellaneous Infosec News
6G Technology and Privacy/Security Implications
The hosts briefly discuss the impending rollout of 6G technology, highlighting its potential for advanced room scanning and telemetry. Corey warns, "6G can scan the room like the equivalent of Batman... building layouts where people are positioning even with your phone in your pocket" (46:04). They express concerns over the privacy and security ramifications of such pervasive scanning capabilities.
Bank of America's Physical Data Breach
Mary humorously recounts Bank of America's minor data breach, where sensitive documents were left in a trash can outside: "It was literally just in a trash can outside... affects two customers" (50:00). This anecdote underscores that not all breaches are high-tech; simple oversights can also compromise data security.
DDoS Attacks Against X (Formerly Twitter)
The conversation touches on a Distributed Denial of Service (DDoS) attack against X, critiquing the oversimplified attribution often presented in media reports. Corey notes, "Attribution is really hard... always take it with a grain of salt" (53:04), emphasizing the complexities in accurately identifying the perpetrators behind such attacks.
7. Concluding Thoughts on Current Infosec Challenges
In wrapping up, the hosts reiterate the importance of comprehensive security strategies that extend beyond traditional measures. They advocate for enhanced visibility, robust authentication mechanisms, and proactive monitoring to safeguard against evolving threats. Corey concludes with a call to action: "If you need to get hacked, afraid to get hacked... Black Hills Information Security is there for all of your hacking needs" (55:23), highlighting their commitment to providing advanced security solutions.
Notable Quotes:
- Jeff (09:04): "There is this web code virtual engine that kind of runs and executes a lot of this JavaScript... as we add additional functionality, naturally, we are going to expand the attack surface."
- Mary (23:29): "It's a legitimate extension that just impersonates other extensions... it's a watering hole attack."
- Ralph (14:37): "The Chrome Web Store is a mess... making malicious extensions is super easy."
- Corey (23:29): "Basically a watering hole attack."
- Corey (55:19): "What are some techniques that we use to kind of walk and get around MFA in organizations."
- Mary (55:51): "Session tokens function as authentication information and they can be stolen."
Conclusion
This episode of Talkin' About [Infosec] News provides a comprehensive examination of the rising threat of malicious browser plugins, the vulnerabilities within browser architectures, and the sophisticated techniques attackers use to exploit these weaknesses. Through detailed discussions and real-world case studies, the Black Hills Information Security team underscores the necessity for robust, multifaceted security strategies in an increasingly complex digital landscape.