In recent years, malicious browser extensions have been on the rise and are increasingly used as part of cyberattacks. A malicious extension can steal data and cookies, gain initial access through the permissions granted to the extension, or simply serve as a connection to a C&C server.
Browser extensions have been a risk for years: by default, a standard user can still install any extension from the Chrome Web Store or the Edge Web Store without restrictions.
Recent security reports noticed that a number of malicious browser extensions potentially exposed over 600,000 users to data theft and credential theft attacks via the collected identity or cookie data.
Recently many extensions were detected as compromised; examples:
- Where is Cookie?
- Web Mirror
- ChatGPT App
- Hi AI
- Web3Password Manager
- YesCaptcha assistant
- Bookmark Favicon Changer
- And many more!!
Tip: the website extensiontotal.com tracks the malicious extensions and the affected extension IDs. A good example is related to the Cyberhaven incident: https://www.extensiontotal.com/cyberhaven-incident-live
Recent attack example:
On December 24, a phishing attack compromised a Cyberhaven employee's access to the Google Chrome Web Store. The attacker used this access to publish a malicious version of the extension; this malicious version was 24.10.4.
More information: Cyberhaven’s Chrome extension security incident and what we’re doing about it
What was interesting in the Cyberhaven attack was the phishing e-mail: it was customized and included real information about the extension, including the steps to follow, while the "go to policy" button redirected to the phishing page.
Once the employee clicked the link in the e-mail, they were taken to the standard Google authorization flow for a malicious OAuth Google application called "Privacy Policy Extension". The authorization page was a genuine Google page, and the user granted the third-party Google application permissions to see, edit, update, or publish Chrome Web Store extensions.
More information (a must-read on how the attack was performed; this technique, a malicious payload talking to a C&C server, has become typical and quite common in the past months): Cyberhaven's preliminary analysis of the recent malicious Chrome extension
During the Cyberhaven extension attack, the main motive was to target Facebook Ads accounts and collect cookie data and credentials. The extension targeted Facebook.com, where the malicious code collected the Facebook access token, user ID, and account information via the API. All data was sent to the C&C server.
This is similar to the application consent attack in the Microsoft ecosystem, where a user grants permissions to an attacker-controlled OAuth application.
Long story short: protection against malicious extensions is important, and of course the possibility for any user to install any extension should be restricted. Ideally there is an allowlist/blocklist that controls which extensions are allowed (more on this later).
How to block the initial OAuth/ Application consent flow?
OAuth apps remain an important target for attackers to abuse in organizations. Since the MFA baseline has improved with number matching and additional controls, attackers are finding new ways to gain access to environments and collect data. One of the emerging identity attacks is based on tokens and OAuth apps: with a stolen token or a consented OAuth app, it is possible to gain access without any MFA prompt. One example of such an attack, where applications are leveraged, is the "OAuth consent grant" attack.
Earlier blogs on how to control and limit this type of attack:
How to get visibility in the installed extensions?
With Microsoft Defender for Endpoint, it is possible to view all extensions installed in the browsers. To use the browser extension assessment, you need either the Microsoft Defender Vulnerability Management standalone license or, if you already have a Microsoft Defender for Endpoint Plan 2 environment, the Defender Vulnerability Management add-on.
Tip: when using Defender for Servers Plan 2 in Defender for Cloud, the Vulnerability Management add-on is included, but this only covers servers and not endpoints. A 90-day trial is available.
Browsers in scope
Currently, the following browsers are in scope for the browser extension assessment:
- Microsoft Edge
- Firefox
- Chrome
Currently, only Windows is in scope for collecting installed extensions via the MDE sensor.
View browser extensions
- Go to Microsoft Defender> Vulnerability Management> Inventories
- Select Browser extensions in the menu
With the filters, it is possible to view and filter extensions for a particular browser. Each extension shows more information, such as the permissions risk, the requested permissions, the devices on which the extension is installed, and the installed versions.
The Requested permissions and Permissions risk columns provide more specific information on the number of permissions requested by the extension. A critical permissions risk level indicates that many important permissions are granted.
Select a browser extension to open its flyout pane with more information and details. The store ID can be used in the policy to block or allow the extension.
More information: Browser extensions assessment
KQL
When the add-on is enabled, it sends data directly to the Advanced hunting (KQL) dataset of Defender, in the following tables:
- DeviceTvmBrowserExtensions
- DeviceTvmBrowserExtensionsKB
Example of a query to show the top 100 devices with the most installed extensions (DeviceInfo holds many rows per device, so only the latest device name is taken before the join to avoid duplicated rows):
DeviceTvmBrowserExtensions
| summarize
    TotalInstalledExtensions = dcount(ExtensionId),
    ExtensionNames = make_set(ExtensionName)
    by DeviceId
// take one (the latest) DeviceInfo row per device so the join does not multiply results
| join kind=inner (
    DeviceInfo
    | summarize arg_max(Timestamp, DeviceName) by DeviceId
) on DeviceId
| project DeviceName, TotalInstalledExtensions, ExtensionNames
| top 100 by TotalInstalledExtensions
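As an added example (not code from the original post or from Microsoft), the following PowerShell script gives the same kind of inventory locally on a Windows device, for cases where the Vulnerability Management add-on is not available yet: it walks the Chrome and Edge profile directories, reads each extension's manifest.json and flags every extension ID that is not on an allowlist. The allowlist contents and the profile root are assumptions; the only ID in it is the example ID format quoted later in the post. Run it from an elevated prompt so all user profiles can be read.

```powershell
# Added example, not part of the original post: enumerate Chrome and Edge
# extensions installed in local user profiles and flag the ones not allowlisted.

# Constructed allowlist: replace with the IDs your Intune/GPO policy permits.
$AllowedExtensionIds = @(
    'nngceckbapebfimnlniiiahkandclblb'   # example ID format from the post
)

# Extension directories per browser, relative to a user profile. The wildcard
# covers "Default", "Profile 1", ... profile folders.
$ExtensionRoots = @{
    'Chrome' = 'AppData\Local\Google\Chrome\User Data\*\Extensions'
    'Edge'   = 'AppData\Local\Microsoft\Edge\User Data\*\Extensions'
}

function Resolve-ManifestName {
    # Extension names are often localisation keys (__MSG_name__); resolve them
    # from _locales\<default_locale>\messages.json when possible.
    param($Manifest, [string]$ExtensionDir)
    if ($Manifest.name -match '^__MSG_(.+)__$' -and $Manifest.default_locale) {
        $key = $Matches[1]
        $msgFile = Join-Path $ExtensionDir "_locales\$($Manifest.default_locale)\messages.json"
        if (Test-Path $msgFile) {
            $messages = Get-Content -Path $msgFile -Raw | ConvertFrom-Json
            $entry = $messages.$key
            if ($entry -and $entry.message) { return $entry.message }
        }
    }
    return $Manifest.name
}

function Get-InstalledBrowserExtensions {
    param([string]$ProfilesRoot = 'C:\Users')   # assumption: default profile root
    foreach ($userDir in Get-ChildItem -Path $ProfilesRoot -Directory -ErrorAction SilentlyContinue) {
        foreach ($browser in $ExtensionRoots.Keys) {
            $pattern = Join-Path $userDir.FullName $ExtensionRoots[$browser]
            # One directory per extension ID; under it one directory per installed version.
            foreach ($idDir in Get-ChildItem -Path $pattern -Directory -ErrorAction SilentlyContinue) {
                foreach ($verDir in Get-ChildItem -Path $idDir.FullName -Directory -ErrorAction SilentlyContinue) {
                    $manifestPath = Join-Path $verDir.FullName 'manifest.json'
                    if (-not (Test-Path $manifestPath)) { continue }
                    $manifest = Get-Content -Path $manifestPath -Raw | ConvertFrom-Json
                    [pscustomobject]@{
                        User         = $userDir.Name
                        Browser      = $browser
                        ExtensionId  = $idDir.Name
                        Name         = Resolve-ManifestName -Manifest $manifest -ExtensionDir $verDir.FullName
                        Version      = $manifest.version
                        Permissions  = (@($manifest.permissions) -join ',')
                        # SHA1 of the manifest file, one hash you can correlate with file-event telemetry
                        ManifestSha1 = (Get-FileHash -Path $manifestPath -Algorithm SHA1).Hash
                        Allowed      = ($AllowedExtensionIds -contains $idDir.Name)
                    }
                }
            }
        }
    }
}

# Usage: full inventory first, then only the extensions that are not allowlisted.
$inventory = Get-InstalledBrowserExtensions
$inventory | Format-Table User, Browser, ExtensionId, Name, Version, Allowed -AutoSize
$inventory | Where-Object { -not $_.Allowed } |
    Select-Object User, Browser, ExtensionId, Name, Version, Permissions
```

The Permissions column is the same data the Requested permissions column in the portal summarises; an extension that asks for broad host or cookie access and is not on the allowlist is the first thing to review.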
Block extensions via policy
It is possible to block extensions for the browser. Via GPO or Intune, the settings that control the extension list can be pushed to the devices. In this example, I will explain Microsoft Edge and Google Chrome (Firefox is similar). Via Intune, the settings catalog can be used to block all extensions, allow specific extensions, or block specific extensions.
Block Google Chrome extensions with Intune
To block Google Chrome extensions, a new profile in Intune is needed. Use the following information:
- Platform: Windows 10 and later
- Profile type: Settings catalog
Give the policy a good name and an optional description.
Click Add settings and search for the following setting in the settings picker:
- Configure extension installation blocklist
Click Google Chrome Extensions and toggle Configure extension installation blocklist.
In the settings, set Configure extension installation blocklist to Enabled and add the wildcard * as the ID.
With the * wildcard all extensions are blocked: it prevents any extension from being installed and removes already installed extensions from the devices.
Result: No extension is allowed and all extensions are blocked
Block all and Add exceptions
When extensions are used, it is recommended to block all extensions and add some exceptions. This lets us define which extensions users are allowed to install. The exception is based on the extension ID, which can be found in the Chrome Web Store.
For the exception list, we can use the same policy as above; we only need to exempt the approved extensions. Search in the settings picker for Configure extension installation allow list and add the following setting:
Extension IDs to exempt from the blocklist (device)
Toggle Configure extension installation allow list to Enabled.
In the settings, set Configure extension installation allow list to Enabled and add the extension IDs; each ID is added as a separate entry.
To find the extension ID, go to the Chrome Web Store https://chromewebstore.google.com/ and search for the extension. Copy the ID from the URL of the extension page; an example of the ID format is nngceckbapebfimnlniiiahkandclblb
Block Microsoft Edge extensions with Intune
Microsoft Edge is similar; use the following settings in the catalog. In the settings picker, search for Microsoft Edge and select the Microsoft Edge\Extensions category.
With Allow specific extensions to be installed, only the listed extensions can be installed.
With the wildcard * it is possible to block all extensions from being installed, and with Allow specific extensions to be installed you can allowlist specific extensions:
There are many ways to block or allowlist extensions for Microsoft Edge profiles, and quite a few blogs on the internet explain the allow/block process for multiple browsers. The trick is the same everywhere: it can be done via the settings catalog, GPO, or even PowerShell.
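As an added example (not from the original post, Microsoft or Google), this PowerShell script applies the "block all, allow listed IDs" model described above for both Chrome and Edge by writing the same registry policies that the Intune settings catalog and GPO set: ExtensionInstallBlocklist and ExtensionInstallAllowlist under HKLM\SOFTWARE\Policies\Google\Chrome and HKLM\SOFTWARE\Policies\Microsoft\Edge. The allowlist contents are an assumption (the only entry is the example ID format from the post), and the script needs an elevated prompt. It also reads the policy back so you can verify what the browser will enforce.

```powershell
# Added example, not part of the original post: local equivalent of the
# Intune/GPO "block all extensions, allow specific IDs" policy for Chrome and Edge.
# Requires administrator rights.

# Constructed allowlist: replace with the IDs approved in your environment.
$AllowedExtensionIds = @(
    'nngceckbapebfimnlniiiahkandclblb'   # example ID format from the post
)

# Chrome and Edge use the same policy names under their own policy root.
$PolicyRoots = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
)

function Set-ExtensionListPolicy {
    param(
        [Parameter(Mandatory)][string]$PolicyRoot,
        [Parameter(Mandatory)][string]$ListName,     # ExtensionInstallBlocklist or ExtensionInstallAllowlist
        [Parameter(Mandatory)][string[]]$Entries
    )
    foreach ($entry in $Entries) {
        # Web Store extension IDs are 32 characters from a-p; '*' is the block-all wildcard.
        if ($entry -ne '*' -and $entry -notmatch '^[a-p]{32}$') {
            throw "Invalid extension ID '$entry' for $ListName"
        }
    }
    $key = Join-Path $PolicyRoot $ListName
    # Recreate the list key so entries from a previous run do not linger.
    if (Test-Path $key) { Remove-Item -Path $key -Recurse -Force }
    New-Item -Path $key -Force | Out-Null
    # The list is stored as REG_SZ values named "1", "2", ... in order.
    $i = 1
    foreach ($entry in $Entries) {
        New-ItemProperty -Path $key -Name ([string]$i) -Value $entry -PropertyType String -Force | Out-Null
        $i++
    }
}

function Get-ExtensionListPolicy {
    param([string]$PolicyRoot, [string]$ListName)
    $key = Join-Path $PolicyRoot $ListName
    if (-not (Test-Path $key)) { return @() }
    # Keep only the numbered entries (skips the PSPath/PSParentPath metadata properties).
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        Sort-Object { [int]$_.Name } |
        ForEach-Object { $_.Value }
}

foreach ($root in $PolicyRoots) {
    # '*' blocks every extension and removes the ones already installed ...
    Set-ExtensionListPolicy -PolicyRoot $root -ListName 'ExtensionInstallBlocklist' -Entries @('*')
    # ... and the allowlist exempts the approved IDs from that block.
    Set-ExtensionListPolicy -PolicyRoot $root -ListName 'ExtensionInstallAllowlist' -Entries $AllowedExtensionIds
}

# Verify what the browsers will read (the same view is at chrome://policy and edge://policy).
foreach ($root in $PolicyRoots) {
    [pscustomobject]@{
        PolicyRoot = $root
        Blocklist  = ((Get-ExtensionListPolicy $root 'ExtensionInstallBlocklist') -join ',')
        Allowlist  = ((Get-ExtensionListPolicy $root 'ExtensionInstallAllowlist') -join ',')
    }
}
```

If a device is already managed by Intune or GPO, keep the list in one place: a locally written policy and a pushed one write the same keys, and the last writer wins.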
Block extensions via MDE custom detections
It is possible to block the hash of an extension via Advanced Hunting / custom detections. Steven Lim shared a good example of a KQL query on LinkedIn (tip: follow Steven Lim for KQL-related content).
With KQL, it is possible to find the extensions based on the extension ID and the DeviceFileEvents table, matching on the file name and path of the extension. One benefit of the KQL approach is that it does not require the Vulnerability Management add-on to get insight into the malicious extensions, since the data is already part of the DeviceFileEvents table.
With this KQL query, it is possible to block the hash of the file.
Using the actions in custom detections, it is possible to automatically block the SHA1 hash of the extension files returned by the query, so the hash is blocked as soon as the extension is detected. Of course, blocking the installation directly via Intune/GPO is the better control, but this is a good method to block only the malicious extensions at scale without affecting the legitimate ones.
To block the hash, set the action on files to the following:
Sources
Microsoft: Browser extensions assessment