This is a public service announcement from the Wordfence team regarding a security issue that has a wide impact. During the past 3 months, eight Chrome browser extensions were compromised and the attacker used them to steal Cloudflare credentials and serve up malicious ads.
This post discusses exactly what happened, how to protect yourself and what the wider implications are of this supply chain attack.
How the Chrome Extensions Were Compromised
In June, July and August, developers of the following Chrome extensions had their login credentials stolen through a phishing attack. The extensions affected are:
- Web Developer – Versions 0.4.9 affected
- Chrometana – Version 1.1.3 affected
- Infinity New Tab – Version 3.12.3 affected
- CopyFish – Version 2.8.5 affected
- Web Paint – Version 1.2.1 affected
- Social Fixer 20.1.1 affected
- TouchVPN appears to have been affected but the version is unclear
- Betternet VPN also appears to have been affected but no version was provided
Based on total installs for these extensions, the attackers targeted a total of 4.8 million users. The developers of these Chrome extensions all had their account credentials compromised. They received an email that looked like this:
The link in the email used the bit.ly URL shortener to redirect the developer to a fake login page which harvested their credentials and allowed the malicious actor to take control of the chrome extension developer’s account.
How the Attackers Modified Affected Chrome Extensions
This allows an attacker to perform any action as the victim. This includes accessing any website the victim is signed into and modifying the content of any web page that the victim views. Once an attacker has control of one of your Chrome extensions, they own your web browser.
How Cloudflare Credentials Were Stolen
Once a victim installed a compromised Chrome extension, the extension would steal Cloudflare credentials if the victim has a Cloudflare account. The extension did this by making a request to a URL on Cloudflare to get an API key.
Once the attacker’s compromised extension gets the API key, it sends that and the user email to the attacker website. The code that does this is shown below:
Why Cloudflare Credentials Were Stolen
Once the attacker has a site owner’s Cloudflare credentials, they can perform a variety of malicious actions. This includes modifying a website’s DNS entry to point the site at the attacker’s own server. The API call they would make to do this is the “Update DNS record” function in the Cloudflare API.
This is an example request showing how the user email and API key is used in Curl from the command line to update a DNS record:
At this time we have no reports of websites having their traffic redirected by the attacker. They may have collected credentials for a future attack.
Attackers Engaged in Malvertising
In addition to stealing Cloudflare credentials, the attackers engaged in ‘malvertising’. The malicious Chrome extension code served up ads belonging to the attacker.
They did this by hijacking ads from well known ad networks and replacing those ads with their own ads. Most of the substitutions occurred for ads being served from adult websites.
Many of the ads were a fake alert telling the browser owner they need to repair their PC. They were then redirected to an affiliate program which the attacker profited from.
How to Protect Yourself
1. Even the Pros get Phished
Lesson number one from this attack is that, as we have reported in the past, even those of us who are seasoned online professionals can fall victim to a phishing or spear phishing attack. Make absolutely sure that if you receive an email, you verify the origin and think before you click or download.
- Never click on a link if you don’t recognize a sender.
- Never click a link in an email and sign in to a service. Instead, if you are presented with a sign-in page, go back to the email and look at the email sender including their domain and look at the URL of the link you clicked very carefully.
- Never download an attachment in an email and open it unless you verify the sender. Even then, considering asking your sender to use a service like Google Docs that doesn’t require you to download attachments.
2. Get rid of browser extensions you don’t need
Lesson two is that browser extensions sometimes get hacked. When they do, it can be a catastrophe for you. If you don’t absolutely have to have a browser extension, get rid of it.
Alternatively, deactivate extensions until you need them. Then activate them, use the extension and deactivate it again. This isn’t ideal, but it will reduce your risk if an extension is compromised for a few days.
That screenshot utility? If you don’t use it daily, dump it. That quote-of-the-day extension? Ditch it if you don’t need it.
In 2010, Chrome hit 10,000 extensions. Today, 7 years later, they probably have well over 100,000 extensions available for the Chrome browser. That many extensions create a large attack surface for malicious actors. Make sure you minimize your risk by removing those you don’t use.
Supply Chain Attacks on the Rise
The NotPetya ransomware attacks we reported on recently started with an accounting firm in Ukraine, a company called M.E. Doc, having their software distribution system compromised. This allowed an attacker to distribute ransomware out to customers of M.E. Doc.
This kind of attack is known as a supply chain attack – when an attacker targets an upstream provider of hardware or software, compromises their systems, and infects their customers.
This attack on the developers of Chrome Extensions is another example of a supply chain attack in action.
If you are a developer, it is important to be aware that as these attacks become more popular, you are more likely to be targeted because you are a gateway to infecting a much larger group of people: your customers.
Attacks targeting site owners are also a supply chain attack. You supply your large audience with content. By controlling your website and serving up a browser exploit, an attacker can take control of a large number of workstations in a single attack.
As site owners it is our responsibility to be more cautious than most when it comes to our security. We have an obligation to our customers and site visitors to stay secure.
Thanks to Risky Biz and Pat Gray who alerted me to this attack on his podcast this morning. We’re a sponsor of Risky Biz which is an awesome security podcast that I highly recommend you subscribe to if you are in the security industry.
And then Kafeine at Proofpoint has covered this story in detail. I have borrowed images in the post above from Proofpoint, so thanks to them for that and the excellent research.
And PhishMe has written about how the Chrome Extension authors were phished. (Nice booth at Black Hat guys! We paid you a visit while our team was there last month.)
If you are a website owner, please share this public service announcement with your community to help create awareness of these kinds of supply chain attacks that target developers and website owners.