Browser Extensions (T1176) v2

Cybersecurity is a shared responsibility, and it boils down to this: in cybersecurity, the more systems we secure, the more secure we all are.
— Jeh Johnson

The MITRE ATT&CK technique "Browser Extensions" (Technique ID: T1176) refers to the misuse of browser extensions to maintain persistence, execute malicious code, or exfiltrate data. This technique leverages high-level permissions within the user's browsing environment.


These are basic remediation steps for Windows, OSX, Linux, AWS, GCP, and Azure. As tools change, remediation advice changes. This entry maps to the MITRE technique ID referenced above. Please check back regularly for updates to this library entry.


Overview

Browser extensions, while often beneficial, can be misused by threat actors to maintain persistence, execute malicious code, or exfiltrate data. This technique exploits the high-level permissions granted to extensions within the user's browsing environment.

Key Attacks and Campaigns

1. Stantinko Botnet (2017)

  • Timeline: Active since at least 2012, discovered in 2017

  • Threat Actor: Stantinko Group

  • Description: Installed malicious browser extensions for click fraud and credential theft, masquerading as legitimate utilities.

  • Distribution: Via pirated software and adult content sites

  • Impact: Modified search results, injected ads, and collected user credentials

  • Source: ESET's 2017 report

2. SilentFade Attack (2019)

  • Timeline: Discovered in 2019

  • Threat Actor: Unspecified Chinese threat actors

  • Description: Used malicious browser extensions to hijack Facebook sessions and run unauthorized ads

  • Distribution: Through Facebook

  • Impact: Extracted cookies and session tokens for unauthorized actions on Facebook accounts

  • Source: Facebook's security blog

3. Adrozek Malware Campaign (2020)

  • Timeline: Discovered mid-2020

  • Threat Actor: Unattributed

  • Description: Distributed browser-modifying malware injecting ads and stealing credentials

  • Target Browsers: Chrome, Firefox, Edge, and Yandex

  • Impact: Interfered with legitimate ads, redirecting revenues to attackers

  • Source: Microsoft's research article


Notable Threat Actors

1. Stantinko Group

  • Primary Activities: Ad injection and credential theft

  • Tactics: Install extensions disguised as legitimate software within widely-used browsers

2. Unknown Chinese Threat Actors

  • Primary Activities: Campaigns like SilentFade, hijacking social media sessions for fraudulent activities

  • Tactics: Exploit social media networks to propagate and maintain malicious extensions

Timeline of Notable Events

  • 2012: Stantinko Botnet initiates operations

  • 2017: Stantinko's use of malicious extensions documented

  • 2019: SilentFade attack documented by Facebook

  • 2020: Adrozek malware campaign disclosed by Microsoft


Remediation: On-Prem


Windows

Mitigating Unauthorized Browser Extensions

1. Disable Unauthorized Extensions

  • Open your preferred browser (e.g., Google Chrome, Firefox, Microsoft Edge)

  • Access the extensions menu:

    • For Chrome: Settings > Extensions or navigate to chrome://extensions

    • For Firefox: Menu > Add-ons and Themes

    • For Edge: Settings and more (...) > Extensions

  • Carefully review the list of installed extensions

  • Remove any unapproved or suspicious extensions

2. Implement Group Policy Enforcement

  • Open Group Policy Management Console (GPMC)

  • Navigate to User Configuration > Policies > Administrative Templates > Google > Google Chrome > Extensions

  • Enable the policy "Configure the list of force-installed apps and extensions"

  • Configure a list of approved extensions

3. Utilize Antivirus/Endpoint Protection

  • Ensure your endpoint protection software is up-to-date

  • Perform a full system scan to detect and remove any malicious extensions

  • Consider using specialized browser security tools that can detect malicious extensions

4. Conduct Regular Audits

  • Schedule and perform regular audits of browser extensions across your organization

  • Develop and use scripts to automate the collection of extension data for efficient inspection

  • Compare installed extensions against a whitelist of approved extensions

5. User Education

  • Educate users about the risks of installing unknown extensions

  • Provide guidelines for identifying legitimate extensions

  • Establish a process for users to request new extensions

6. Centralized Management

  • For enterprise environments, consider using centralized management tools:

    • Chrome Enterprise for Google Chrome

    • Group Policy for Microsoft Edge

    • Firefox ESR (Extended Support Release) for Mozilla Firefox
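The Group Policy step above names the force-install policy and then an approved list; in Chrome's policy set these are three separate list policies (ExtensionInstallBlocklist, ExtensionInstallAllowlist, ExtensionInstallForcelist) that only produce default-deny when combined. The script below is an added example for this entry, not tooling from the page or from Google or Microsoft: it builds that combined policy, validates the extension IDs, shows the registry layout the Chrome and Edge ADMX templates produce on Windows, and can write the same policy as a managed JSON file for Chrome on Linux. The extension IDs and descriptions are constructed placeholders.

```python
"""Build a default-deny Chrome/Edge extension policy from an approved list.

Added example; assumes the documented enterprise policy names
ExtensionInstallBlocklist / ExtensionInstallAllowlist / ExtensionInstallForcelist,
the ADMX registry paths under HKLM\\SOFTWARE\\Policies, and the Linux managed
policy directory /etc/opt/chrome/policies/managed/.
"""
import json
import re
from pathlib import Path

# Chrome Web Store extension IDs are 32 characters drawn from the letters a-p.
EXT_ID_RE = re.compile(r"^[a-p]{32}$")
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"

# Registry branch the ADMX templates use for each browser's list policies.
POLICY_ROOT = {
    "chrome": r"HKLM\SOFTWARE\Policies\Google\Chrome",
    "edge": r"HKLM\SOFTWARE\Policies\Microsoft\Edge",
}

# Constructed placeholder IDs; replace with the IDs your organisation approves.
APPROVED = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": "corporate password manager (placeholder)",
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": "content blocker (placeholder)",
}
FORCED = ["aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"]  # pushed to every managed profile


def validate_ids(ids):
    """Reject anything that is not a well-formed extension ID."""
    bad = [i for i in ids if not EXT_ID_RE.match(i)]
    if bad:
        raise ValueError(f"malformed extension IDs: {bad}")
    return list(ids)


def build_policy(approved, forced):
    """Return the policy dictionary Chrome/Edge read from a managed JSON file.

    The "*" entry in the blocklist is what turns the allowlist into a
    default-deny control; an allowlist on its own blocks nothing.
    """
    approved_ids = validate_ids(approved)
    forced_ids = validate_ids(forced)
    missing = set(forced_ids) - set(approved_ids)
    if missing:
        raise ValueError(f"force-installed IDs must also be allowlisted: {missing}")
    return {
        "ExtensionInstallBlocklist": ["*"],
        "ExtensionInstallAllowlist": sorted(approved_ids),
        # Force-list entries are "<id>;<update_url>" pairs.
        "ExtensionInstallForcelist": [f"{i};{WEBSTORE_UPDATE_URL}" for i in sorted(forced_ids)],
    }


def registry_view(policy, browser="chrome"):
    """Express the policy as (key, value name, data) rows in the layout the
    ADMX templates write: numbered string values under <root>\\<PolicyName>."""
    root = POLICY_ROOT[browser]
    rows = []
    for name, values in policy.items():
        for n, value in enumerate(values, start=1):
            rows.append((f"{root}\\{name}", str(n), value))
    return rows


def write_linux_policy(policy, directory="/etc/opt/chrome/policies/managed"):
    """Write the policy where Chrome on Linux picks it up as a managed policy."""
    path = Path(directory) / "extension_allowlist.json"
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(json.dumps(policy, indent=2))
    return path


if __name__ == "__main__":
    pol = build_policy(APPROVED, FORCED)
    print(json.dumps(pol, indent=2))
    for key, value_name, data in registry_view(pol, "chrome"):
        print(f'{key}  "{value_name}"="{data}"')
```

Run it once to see the JSON and the registry rows; on a Windows host the rows map directly onto what the GPO editor writes, and on Linux `write_linux_policy()` needs root to reach the managed directory. Keep the force list a strict subset of the allowlist, as the check enforces, or the forced extension will be blocked by the wildcard entry.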


macOS

Safari Extension Management:

  • Open Safari and go to Preferences > Extensions.

  • Review and uninstall suspicious extensions.

Security Preferences:

  • Navigate to System Preferences > Security & Privacy.

  • Set "Allow apps downloaded from" to "Mac App Store and identified developers."

Endpoint Protection Software:

  • Install reputable endpoint protection software for macOS.

  • Run a full system scan for harmful extensions.

Regular System Audits:

  • Perform regular audits and maintain an inventory of browser extensions.

  • Use management tools like Jamf for policy enforcement.


Linux

Browser Extension Inspection and Removal:

  • For Chrome-based browsers: Access chrome://extensions.

  • For Firefox: Access about:addons.

  • Remove unapproved extensions.

System Package Management:

  • Update the browser via the distribution's package management commands, e.g. on Debian-based systems:

  • sudo apt-get update && sudo apt-get upgrade

Security Enhanced Linux (SELinux):

  • Utilize SELinux to restrict browser actions.

Conduct Regular System Audits:

  • Use tools like Lynis to scan and report on extensions.

  • Review and update an inventory list of extensions.
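The Windows "Conduct Regular Audits" step, the macOS "Regular System Audits" item and the Linux audit above all come down to the same job: collect what is installed, compare it with the approved list, and look at what each extension is allowed to do. The script below is an added example for this entry, not the page's or any vendor's tool. It reads the manifest.json files that Chrome, Chromium and Edge keep under each profile's Extensions/<id>/<version>/ directory and the extensions.json that Firefox keeps in its profile, then flags anything off the approved list or holding permissions that reach every site or the cookie jar. The approved ID and the sample profiles built by make_sample_profile() are constructed for the demonstration.

```python
"""Inventory installed browser extensions and flag those not on the approved
list or carrying high-risk permissions. Added example; assumes the standard
Chromium profile layout and Firefox's extensions.json format."""
import json
import sys
import tempfile
from pathlib import Path

# Permissions that let an extension read or rewrite every page the user
# visits, reach session cookies, or talk to native code.
HIGH_RISK = {"<all_urls>", "webRequest", "webRequestBlocking", "cookies",
             "history", "clipboardRead", "nativeMessaging", "debugger", "proxy"}

APPROVED_IDS = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}  # constructed placeholder

# Default Chrome user-data directories, relative to the user's home directory.
CHROME_USER_DATA = {
    "win32": "AppData/Local/Google/Chrome/User Data",
    "darwin": "Library/Application Support/Google/Chrome",
    "linux": ".config/google-chrome",
}


def chromium_extensions(user_data_dir):
    """Yield one record per installed extension version under a Chromium-family
    user-data directory (profiles Default/, Profile 1/, ...)."""
    for manifest in sorted(Path(user_data_dir).glob("*/Extensions/*/*/manifest.json")):
        data = json.loads(manifest.read_text(encoding="utf-8"))
        perms = set(data.get("permissions", [])) | set(data.get("host_permissions", []))
        yield {
            "browser": "chromium",
            "profile": manifest.parents[3].name,
            "id": manifest.parents[1].name,
            "version": manifest.parents[0].name,
            "name": data.get("name", "?"),  # may be a __MSG_...__ locale key
            "permissions": sorted(perms),
        }


def firefox_extensions(profile_dir):
    """Yield one record per add-on of type "extension" in a Firefox profile."""
    ext_file = Path(profile_dir) / "extensions.json"
    if not ext_file.exists():
        return
    for addon in json.loads(ext_file.read_text(encoding="utf-8")).get("addons", []):
        if addon.get("type") != "extension":
            continue
        user_perms = addon.get("userPermissions") or {}
        yield {
            "browser": "firefox",
            "profile": Path(profile_dir).name,
            "id": addon.get("id"),
            "version": addon.get("version"),
            "name": (addon.get("defaultLocale") or {}).get("name", "?"),
            "permissions": sorted(set(user_perms.get("permissions", []))
                                  | set(user_perms.get("origins", []))),
        }


def audit(records, approved=APPROVED_IDS):
    """Return the records that need attention, each with the reasons why."""
    findings = []
    for rec in records:
        reasons = []
        if rec["id"] not in approved:
            reasons.append("not on approved list")
        risky = sorted(set(rec["permissions"]) & HIGH_RISK)
        if risky:
            reasons.append("high-risk permissions: " + ", ".join(risky))
        if reasons:
            findings.append({**rec, "reasons": reasons})
    return findings


def make_sample_profile():
    """Build a constructed Chromium user-data tree and Firefox profile in a
    temporary directory so the audit can be demonstrated offline."""
    root = Path(tempfile.mkdtemp())
    chrome = {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"name": "Approved Helper", "version": "1.0",
                                             "permissions": ["storage"]},
        "pppppppppppppppppppppppppppppppp": {"name": "Free Coupons", "version": "3.2.1",
                                             "permissions": ["cookies", "webRequest", "tabs"],
                                             "host_permissions": ["<all_urls>"]},
    }
    for ext_id, manifest in chrome.items():
        d = root / "chrome" / "Default" / "Extensions" / ext_id / (manifest["version"] + "_0")
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps({"manifest_version": 3, **manifest}))
    ff = root / "firefox" / "abcd1234.default-release"
    ff.mkdir(parents=True)
    (ff / "extensions.json").write_text(json.dumps({"addons": [{
        "id": "coupon-helper@example.invalid", "type": "extension", "version": "2.0",
        "defaultLocale": {"name": "Coupon Helper"},
        "userPermissions": {"permissions": ["tabs"], "origins": ["<all_urls>"]}}]}))
    return root


if __name__ == "__main__":
    if "--demo" in sys.argv:  # constructed profiles instead of the real home directory
        root = make_sample_profile()
        records = list(chromium_extensions(root / "chrome"))
        records += list(firefox_extensions(root / "firefox" / "abcd1234.default-release"))
    else:
        home = Path.home()
        records = list(chromium_extensions(home / CHROME_USER_DATA.get(sys.platform, CHROME_USER_DATA["linux"])))
    for hit in audit(records):
        print(f'{hit["browser"]}:{hit["profile"]} {hit["id"]} "{hit["name"]}" -> {"; ".join(hit["reasons"])}')
```

`python audit_extensions.py --demo` runs it against the constructed profiles; without the flag it walks the current user's Chrome profiles on whichever platform it is on. For fleet-wide use, point it at every user-data directory on the host and ship the records to a central store, so that a diff between two runs doubles as the "alert on extension changes" control the cloud sections below call for.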


Remediation: Cloud


Amazon AWS

IAM Policies for Users:

  • Implement IAM policies to restrict access.

  • Prevent unauthorized software installation.

Amazon WorkSpaces Configuration:

  • Control extension policies via Group Policy or configuration profiles.

Centralized Logging and Monitoring:

  • Enable Amazon CloudWatch for logging.

  • Set up alerts for changes in installed software and extensions.

Regular Security Reviews:

  • Conduct regular security reviews.

  • Automate data collection using AWS Lambda and AWS Config.


Google GCP

Google Admin Console:

  • Enforce Chrome policies across managed users.

  • Set policies to control extension installation.

Security Command Center:

  • Configure Security Command Center to report on extension issues.

Identity and Access Management (IAM):

  • Restrict permissions to change extension policies.

Continuous Monitoring:

  • Use GCP monitoring tools for unauthorized extension alerts.

  • Schedule regular compliance audits.


Azure

Azure AD Policies:

  • Implement Conditional Access policies.

  • Ensure use of managed devices.

Microsoft Intune:

  • Enforce policies for browser extensions.

  • Configure settings to control specific extensions.

Azure Security Center:

  • Monitor resources with Azure Security Center.

  • Set up alerts for software and extension changes.

Regular Security Audits:

  • Use Azure Security Center and Compliance Manager for audits.

  • Review and document installed browser extensions.

