Google Chrome sync feature can be abused for C&C and data exfiltration

A security researcher has found a malicious Chrome extension in the wild abusing the Chrome Sync process.

Chrome Sync

Image: Catalin Cimpanu

Threat actors have discovered they can abuse the Google Chrome sync feature to send commands to infected browsers and steal data from infected systems, bypassing traditional firewalls and other network defenses.

For non-Chrome users, Chrome sync is a feature of the Chrome web browser that stores copies of a user's Chrome bookmarks, browsing history, passwords, and browser and extension settings on Google's cloud servers.

The feature is used to sync these details between a user's different devices, so the user always has access to his most recent Chrome data wherever they go.

Chrome sync feature was recently abused in the wild

Bojan Zdrnja, a Croatian security researcher, said on Thursday that during a recent incident response, he discovered that a malicious Chrome extension was abusing the Chrome sync feature as a way to communicate with a remote command and control (C&C) server and as a way to exfiltrate data from infected browsers.

Zdrnja said that in the incident he investigated, attackers gained access to a victim's computer, but because the data they wanted to steal was inside an employee's portal, they downloaded a Chrome extension on the user's computer and loaded it via the browser's Developer Mode.

The extension, which posed as a security add-on from security firm Forcepoint, contained malicious code that abused the Chrome sync feature as a way to allow attackers to control the infected browser.

exchrome2.png

Image: Bojan Zdrnja

Zdrnja said the goal of this particular attacker was to use the extension to "manipulate data in an internal web application that the victim had access to."

"While they also wanted to extend their access, they actually limited activities on this workstation to those related to web applications, which explains why they dropped only the malicious Chrome extension, and not any other binaries," Zdrnja said in a report published on Thursday.

Malicious code found in the extension suggested that the attacker was using the malicious add-on to create a text-based field to store token keys, which would then be synced to Google cloud servers as part of the sync feature.

"In order to set, read or delete these keys, all the attacker has to do is log in with the same account to Google, in another Chrome browser (and this can be a throwaway account), and they can communicate with the Chrome browser in the victim's network by abusing Google's infrastructure," he said.

Data stored in the key field could be anything, Zdrnja said.

It could be data the malicious extension gathered about the infected browser (such as usernames, passwords, cryptographic keys, or more) or commands the attacker wanted the extension to execute on the infected workstation.

In this way, the extension could be used as an exfiltration channel from inside corporate networks to an attacker's Chrome browser instance or as a way to control the infected browser from afar, bypassing local security defenses.

Malicious operations hide in legitimate Chrome traffic

Since the stolen content or subsequent commands are sent via Chrome's infrastructure, none of these operations would be inspected or blocked in most corporate networks, where the Chrome browser is usually allowed to operate and transmit data unhindered.

"Now, if you are thinking on blocking access to clients4.google.com be careful – this is a very important web site for Chrome, which is also used to check if Chrome is connected to the Internet (among other things)," Zdrnja warned.

Instead, the researcher urged companies to use Chrome's enterprise features and group policy support to block and control what extensions can be installed in the browser, preventing the installation of rogue extensions like the one he investigated.