How to stop malicious browser add-ons from taking root
Researchers at Malwarebytes discovered several new browser extension threats. Discover how to avoid and properly removed malicious add-ons with expert Nick Lewis.
The exploding ecosystem of apps, add-ons and integrations makes it significantly more difficult for end users and enterprises to evaluate everything that touches their sensitive data or systems. While this situation is not necessarily new, it seems to be increasing in complexity with the development of new cloud services.
Endpoints are particularly problematic with add-ons -- at times, they do not even require administrative access to install, and end users could even accidentally install an add-on. Many enterprises are struggling to keep up with the explosion of cloud services, so evaluating browser add-ons is probably only going to happen at companies that support add-ons and integrations. This means an enterprise should be prepared to respond when an unapproved or malicious browser add-on is identified.
In this tip, we'll discuss malicious browser add-ons and enterprise responses.
Malicious browser add-ons
Malicious browser add-ons are not new, so it's likely your enterprise is already aware of the risk. Recently, Malwarebytes reported a new malicious browser add-on for Chrome and Firefox.
The Chrome version of the extension is advertised to improve audio on the web and is installed when the user is socially engineered into adding the extension through the use of confusing dialogues and mislabeled buttons. The Firefox version of the add-on is pushed by malicious ads that claim it is a manual update for the browser.
Both versions drive up clicks on YouTube videos or hijack search engines to generate revenue for the attacker. They also take steps to make it difficult to remove the add-ons by redirecting or disabling the configuration pages for Firefox and Chrome.
Taking the appropriate action to remove the add-ons is important, as the worst case is that the malicious add-on could be turned into a jumping off point to compromise the security of the entire endpoint.
Enterprise responses to malicious browser add-ons
Responding to a malicious browser add-on, like responding to adware, may be annoying for the user and enterprise security team, especially if sensitive data isn't involved. It may be equally annoying to home users who may not have access to all of the options available to the enterprise team to respond to malicious add-ons.
Luckily, it's unlikely that these malicious add-ons can escape the browser, as Malwarebytes didn't identify the malware as trying to infect the operating system. However, that doesn't mean that other malicious add-ons won't try to take that next step.
Once a new malicious add-on is identified, it may be necessary to investigate how the add-on was installed on the system to determine what improvements need to be made to the security controls to prevent future infections and to identify how far into the system it penetrated. Enterprises may also want to report malicious browser add-ons to the web browser or endpoint security solution vendor so they can incorporate them into their protections. For example, Malwarebytes provides removal instructions for the two malicious browser add-ons.
At some point, enterprises need to determine when to use the nuclear option and reinstall a system.
If browser add-ons are not required for enterprise apps, companies should look into disabling them. Having an automated reinstall process will help lower the cost of responding and will make it significantly easier to respond rather needing to dedicate the time to manually removing the malware.
Enterprises may also want to investigate their endpoint security solution to see why the malicious add-on wasn't blocked or if the web browser is outdated.
If an enterprise doesn't want to reinstall an entire system, it may want to rebuild the Windows profile for the affected user, set up a new browser profile or completely reset all the browser settings. Each of these steps assumes the existence of a secure default image, including the use of the latest version of the web browser.
Enterprises may also want to investigate their endpoint security solution to see why the malicious add-on wasn't blocked or if the web browser is outdated.
The value of an endpoint security solution is obvious, and it is more than just a traditional signature-based antivirus tool. Most traditional antivirus vendors have made the change from just blacklists, but not all enterprises have implemented the new features. More effectively using your endpoint security tool may be all that is necessary to stop malicious add-ons, as noted by Malwarebytes. Malwarebytes also included indicators of compromise for the malicious add-ons that can be incorporated into other security tools to block or identify infected systems.
The risk of malicious add-ons is low, and enterprises probably have much higher risk activities to address. However, because of their annoying behavior and impact on web browser use, it is necessary to respond to and clean up malicious browser add-ons. Using a malicious add-on as an exercise to identify improvements in endpoint security could bring some value, but it is still an annoyance.
