
Man in the Browser: Lateral Movement for the Cloud Era

Recently we have seen a substantial spike in data exfiltration attempts that abuse widely used web browsers such as Chrome and Firefox. If you follow recent news and articles, browser add-ons have stolen personal data from close to 4M users in plain sight. We have also seen recent reports that the Russian cyber-espionage group Turla uses sophisticated techniques (patching the Google Chrome and Firefox binaries) to intercept TLS-encrypted communications and act as a man-in-the-middle (MiTM) attack vector. In fact, Chrome extensions and other browser plugins can easily be used for credential theft and lateral movement into web and cloud applications.

We have seen cases where attackers install malicious browser add-ons to execute code in the context of the user while they browse high-profile websites—from customer relationship management (CRM) systems and employee portals to source code repositories and intranet sites. It is a common misconception, in a world with so many attack vectors, that unwanted browser extensions are low-risk. However, the access afforded to a browser is quite significant, especially when considering the enterprise trend of migrating critical assets to the cloud.

In this day and age, when most applications of consequence run within the browser, this kind of threat can cause significant damage to an organization. In many ways it is the equivalent of malicious code running on an administrator's machine. In fact, the bar for the latter may be higher, since the threat actor needs special tools to navigate and exploit the business; in a cloud world, the threat actor can do the same with simple HTTP(S) requests.

For instance, consider a browser extension running within the browser of an AWS administrator for your organization. An attacker with this kind of access can cause all kinds of havoc, including having the ability to:

  • Instantiate workloads and use those for purposes such as cryptomining or for hosting illegal services
  • Access your private S3 Buckets
  • Take a backup of your AWS Database and exfiltrate it
  • Take a snapshot of EC2 instances and steal data from it
  • Delete all the instances
  • Delete your AWS account
  • Host a malicious web application to steal data from your customers
  • Create an admin user and have “shadow” control of your network
  • Create an EC2 instance with elevated privileges that can then be used to perform further malicious actions
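Every item in the list above leaves a trace in CloudTrail, and the actions arrive through the same console session as the administrator's legitimate work. The detection logic below is an added example written for this post, not code from the original article: it maps the listed actions to CloudTrail event names, raises the severity when a snapshot is shared out of the account, an AdministratorAccess policy is attached, or a new instance is launched with an instance profile, and summarises which impact categories a single user touched. The event names and request-parameter shapes follow the AWS APIs; the records, account ids and user names are constructed sample data, and the `sessionCredentialFromConsole` / user-agent check is an assumption about which fields are present in a given record.

```python
"""Detection over CloudTrail records for the console-driven actions listed
above. Added example, not code from the original post; sample records below
are constructed."""
from collections import defaultdict

# CloudTrail eventName -> the impact category from the list above.
WATCHED_EVENTS = {
    "RunInstances": "workload-abuse",
    "CreateDBSnapshot": "db-exfil", "ModifyDBSnapshotAttribute": "db-exfil",
    "CreateSnapshot": "ec2-exfil", "ModifySnapshotAttribute": "ec2-exfil",
    "TerminateInstances": "destruction",
    "CreateUser": "shadow-admin", "CreateLoginProfile": "shadow-admin",
    "CreateAccessKey": "shadow-admin", "AttachUserPolicy": "shadow-admin",
}
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"


def from_console(record):
    """True when the call came through a browser session rather than CLI/SDK.
    Assumption: the record carries sessionCredentialFromConsole or the
    console user agent."""
    return (record.get("sessionCredentialFromConsole") == "true"
            or "console.amazonaws.com" in record.get("userAgent", ""))


def snapshot_shared_externally(record):
    """True when an EC2 or RDS snapshot is shared with a different account,
    the exfiltration path behind the 'take a snapshot and steal data' items."""
    params = record.get("requestParameters") or {}
    own_account = record.get("recipientAccountId")
    # EC2 shape: createVolumePermission.add.items[].userId
    add = (params.get("createVolumePermission") or {}).get("add") or {}
    targets = [item.get("userId") for item in add.get("items") or []]
    # RDS shape: valuesToAdd[] lists account ids for attributeName "restore"
    targets += params.get("valuesToAdd") or []
    return any(t and t != own_account for t in targets)


def classify(record):
    """Return an alert dict for a watched event, or None for anything else."""
    name = record.get("eventName")
    category = WATCHED_EVENTS.get(name)
    if category is None:
        return None
    params = record.get("requestParameters") or {}
    severity = "medium"
    if name in ("ModifySnapshotAttribute", "ModifyDBSnapshotAttribute") \
            and snapshot_shared_externally(record):
        severity = "high"
    elif name == "AttachUserPolicy" and params.get("policyArn") == ADMIN_POLICY_ARN:
        severity = "high"
    elif name == "RunInstances" and params.get("iamInstanceProfile"):
        severity = "high"  # the new instance carries a role: a pivot point
    elif name == "TerminateInstances":
        severity = "high"
    return {"time": record.get("eventTime"),
            "user": (record.get("userIdentity") or {}).get("userName", "<unknown>"),
            "event": name, "category": category,
            "severity": severity, "console": from_console(record)}


def detect(records):
    """Run classify() over a stream of records and keep the alerts, in order."""
    return [alert for alert in map(classify, records) if alert]


def summarize(alerts):
    """Impact categories touched per user; one session spanning several
    categories is the pattern the post describes."""
    per_user = defaultdict(set)
    for alert in alerts:
        per_user[alert["user"]].add(alert["category"])
    return {user: sorted(cats) for user, cats in per_user.items()}


# Constructed sample records, trimmed to the fields used above.
_ID = {"type": "IAMUser", "userName": "alice"}
_CONSOLE = {"userIdentity": _ID, "sessionCredentialFromConsole": "true"}
SAMPLE_RECORDS = [
    {"eventTime": "2019-10-01T09:00:00Z", "eventName": "ConsoleLogin", **_CONSOLE},
    {"eventTime": "2019-10-01T09:02:10Z", "eventName": "CreateUser", **_CONSOLE,
     "requestParameters": {"userName": "svc-backup-2"}},
    {"eventTime": "2019-10-01T09:02:15Z", "eventName": "AttachUserPolicy", **_CONSOLE,
     "requestParameters": {"userName": "svc-backup-2", "policyArn": ADMIN_POLICY_ARN}},
    {"eventTime": "2019-10-01T09:05:40Z", "eventName": "ModifySnapshotAttribute",
     **_CONSOLE, "recipientAccountId": "111122223333",
     "requestParameters": {"snapshotId": "snap-0123456789abcdef0",
                           "createVolumePermission": {"add": {"items": [{"userId": "999988887777"}]}}}},
    {"eventTime": "2019-10-01T09:06:00Z", "eventName": "DescribeInstances", **_CONSOLE},
    {"eventTime": "2019-10-01T09:08:30Z", "eventName": "RunInstances", **_CONSOLE,
     "requestParameters": {"iamInstanceProfile": {"arn": "arn:aws:iam::111122223333:instance-profile/admin-role"}}},
]
```

Calling `detect(SAMPLE_RECORDS)` yields four alerts (the login and the read-only describe call are ignored), and `summarize()` shows one console user spanning shadow-admin creation, snapshot sharing and a privileged launch within ten minutes. In production the same functions can be fed from CloudTrail's JSON files or an event stream; the point is that console-origin calls are not inherently trusted just because a legitimate administrator's session issued them.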

Importantly, in our experience, attackers prefer these browser extensions, since end users can be easily tricked into installing them through social engineering or by impersonating a legitimate extension. They also deliver persistence and command and control capabilities that often go unnoticed by endpoint detection solutions.

It is also worth noting that the use of TLS encryption for browsing provides no security assurance in this case. Since the extension sits within the browser, i.e. before the data hits the network, it has access to sensitive data irrespective of the protocol being used—much like a keystroke logger.

Abusing Google Chrome Browser Extensions

To demonstrate the impact of this attack we built a quick proof-of-concept that uses the Google Chrome APIs to:

  • Steal credentials from popular domains like Amazon AWS, DigitalOcean, Dropbox, Salesforce, Office 365 and GitHub when the user logs on to these services
  • Communicate with a command and control (C2) server, beaconing through WebRequests
  • Upload all collected data to an attacker-controlled cloud instance in the background via the affected web browser itself
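The three capabilities above are all visible in an extension's manifest before it ever runs: intercepting logins needs content scripts or `webRequest` access on the target consoles, beaconing and background uploads need broad host permissions, and harvesting sessions needs `cookies`. The audit script below is an added example written for this post, not the proof-of-concept or any other code from the original article. It reads Chrome extension manifests (Manifest V2 and V3), collects the host patterns and API permissions, and ranks extensions by how much man-in-the-browser capability they request. The permission watchlist and the list of sensitive console hostnames are the author's assumptions, and the two manifests embedded at the bottom are constructed samples; `audit_profile()` takes a real Chrome profile directory.

```python
"""Audit Chrome extension manifests for the capabilities a credential-stealing
extension needs. Added example, not code from the original post; the manifests
at the bottom are constructed sample data."""
import glob
import json
import os

# API permissions that let an extension observe or rewrite requests, read
# session cookies, or run code in pages (assumption: an analyst's watchlist,
# not an exhaustive list).
HIGH_RISK_PERMISSIONS = {
    "webRequest", "webRequestBlocking", "declarativeNetRequest",
    "cookies", "tabs", "scripting", "debugger", "nativeMessaging",
}
# Host patterns that grant access to every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Consoles named in the post; flag extensions that explicitly target them.
SENSITIVE_HOST_KEYWORDS = (
    "aws.amazon.com", "digitalocean.com", "dropbox.com",
    "salesforce.com", "office.com", "github.com",
)


def host_patterns(manifest):
    """Collect every host match pattern from MV2 and MV3 manifest fields."""
    patterns = set(manifest.get("host_permissions", []))
    # Manifest V2 mixes host patterns into the "permissions" list.
    patterns |= {p for p in manifest.get("permissions", [])
                 if "://" in p or p == "<all_urls>"}
    for script in manifest.get("content_scripts", []):
        patterns |= set(script.get("matches", []))
    return patterns


def assess(manifest):
    """Score one manifest; a higher score means more capability to sit
    between the user and the sites they log in to."""
    permissions = set(manifest.get("permissions", []))
    hosts = host_patterns(manifest)
    findings = []
    risky_apis = sorted(permissions & HIGH_RISK_PERMISSIONS)
    if risky_apis:
        findings.append("api:" + ",".join(risky_apis))
    broad = bool(hosts & BROAD_HOSTS)
    if broad:
        findings.append("hosts:all_urls")
    sensitive = sorted(h for h in hosts
                       if any(k in h for k in SENSITIVE_HOST_KEYWORDS))
    if sensitive:
        findings.append("hosts:sensitive:" + ",".join(sensitive))
    score = len(risky_apis) + (3 if broad else 0) + len(sensitive)
    return {"name": manifest.get("name", "<unnamed>"),
            "score": score, "findings": findings}


def rank(manifests):
    """Assess a list of manifest dicts, riskiest first."""
    return sorted((assess(m) for m in manifests),
                  key=lambda r: r["score"], reverse=True)


def audit_profile(profile_dir):
    """Load every manifest under a Chrome profile directory and rank them.
    Chrome stores them as Extensions/<id>/<version>/manifest.json."""
    pattern = os.path.join(profile_dir, "Extensions", "*", "*", "manifest.json")
    manifests = []
    for path in glob.glob(pattern):
        with open(path, encoding="utf-8") as fh:
            manifests.append(json.load(fh))
    return rank(manifests)


# Constructed sample manifests: a benign note-taking extension and one shaped
# like the proof-of-concept (traffic interception plus scripts on cloud logins).
SAMPLE_MANIFESTS = [
    {"manifest_version": 3, "name": "Quick Notes",
     "permissions": ["storage"], "host_permissions": []},
    {"manifest_version": 3, "name": "Cloud Helper",
     "permissions": ["webRequest", "webRequestBlocking", "cookies", "storage"],
     "host_permissions": ["<all_urls>"],
     "content_scripts": [{"matches": ["https://*.aws.amazon.com/*",
                                      "https://github.com/*"],
                          "js": ["content.js"]}]},
]

if __name__ == "__main__":
    for result in rank(SAMPLE_MANIFESTS):
        print(result["score"], result["name"], result["findings"])
```

Against the samples, "Cloud Helper" scores 8 with findings for the three request- and cookie-related APIs, the `<all_urls>` host grant, and content scripts on the AWS and GitHub consoles, while "Quick Notes" scores 0. The score is deliberately crude: its job is to surface which extensions on a fleet deserve a manual look, not to decide that one is malicious, since legitimate password managers request several of the same permissions.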

The video below illustrates how this process could work to steal sensitive information from an unsuspecting victim.

In conclusion, this threat is significant since the bar to get an extension installed is very low, i.e. it does not require administrative access to the machine. In addition, from a threat modeling perspective, the browser extension operates much like the actual user, with all of their access to websites. This is especially significant in this day and age when so many line-of-business and corporate applications are browser-based. Effectively, this technique gives the attacker access to all of those.

Note: I’d like to thank my fellow researchers David Pearson and McEnroe Jeyakumar for their useful contribution to this research.

Sujit Ghosal

Sr. Threat Researcher