News Wrap: Malicious Chrome Extensions Removed, CIA ‘Woefully Lax’ Security Policies Bashed

Insider threats, the CIA’s bad security policies, and malicious Chrome extensions were the topics of discussion during this week’s news wrap podcast.

For the week ended June 19, Threatpost editors Lindsey O’Donnell Welch, Tom Spring and Tara Seals break down the top cybersecurity stories. This week’s top news stories include:

  • Google removing 106 Chrome browser extensions from its Chrome Web Store in response to a report that they were being used to siphon sensitive user data.
  • An internal investigation into the 2016 CIA breach condemning the agency’s security measures, saying it “focused more on building up cyber tools than keeping them secure.”
  • How the insider threat landscape is changing due to work from home – a topic that Threatpost will continue to discuss in its webinar coming up next week (register here).

Below find a lightly edited transcript of the podcast.

Lindsey O’Donnell-Welch: Welcome back to the Threatpost podcast. It is the week ended June 19. And you’ve got the Threatpost team here, myself, Lindsey O’Donnell-Welch, Tom Spring and Tara Seals. Tom and Tara, how’s your week been?

Tom Spring: Busy, busy, but I’m glad it’s coming to a close here.

Tara Seals: It’s been a really busy week.

Lindsey: Definitely. I know there’s been a ton of news, there are a lot of vulnerabilities that were disclosed, like flaws in D-Link routers and Netgear, and the Ripple20 flaws. One big story that caught my attention was one that you covered, Tom. Google yanked over 100 malicious Chrome extensions from its Chrome Web Store. That was a big move by Google, what went into that?

Tom: Yeah, no, this is really interesting. You know, this story about Google Chrome browser extensions being malicious is something that we’ve all heard for a while. I mean, it’s not like “Oh, wow, malicious Google browser extension,” you know, it hardly makes a headline anymore. But this one was really interesting in the sense that it was a really extensive campaign that was calculated, in a sense, that it had impacted a number of different industries. And the campaign itself, the threat actor, unknown at this time, or at least not disclosed, was able to have persistence on a lot of the networks that it was sitting on, and its impact was widespread – 106 Chrome extensions were kicked off of the official Chrome Web Store, and the downloads on the Chrome extensions were in the order of 36 million if I remember correctly. But what really made it interesting, not only was it the extent of the Chrome browser’s usage and the persistence that they were able to have on these networks, but it was also what the researcher said was the use or abuse of a domain registrar who, I need to be very clear, says they have nothing to do with it, and they have no complicity. And that they really washed their hands and have cooperated with all investigations. And that is CommunityGal Communications LTD., shorthand, GalCom. And what happened was that these extensions used this domain registrar to basically use it as a way of obfuscating some of the security, or should I say blocking some of the security precautions that a company would have to prevent this type of abuse of their users’ browsers. And they also used a number of domains, quite a few domains as a matter of fact, as a way to communicate with the actual browser extensions. So there’s a lot of blame to go around. Still some mystery and intrigue in terms of who was behind it.
But definitely, this was extremely widespread, and pretty calculated and ongoing for quite some time. But then again, I know, Lindsey, that you wrote about 500 Google Chrome browser extensions that were also secretly uploading private browsing data to attacker-controlled servers in February. So, you know, this is an ongoing issue, and it would be interesting to see if Google has any permanent solutions to this recurring problem.

Lindsey: Yeah, it kind of does put into question Google’s policies and how it is able to use automated and manual analyses of different extensions, just because, you know, as you mentioned, we have 106 Chrome browser extensions in question here. And then we had the 500 browser extensions earlier in February. So it kind of makes you scratch your head and wonder, how can Google better track these types of extensions that are being used for malicious purposes, to kind of weed out the ones that are malicious. I’m curious going forward if they’ll kind of amp up their policies or, you know, use more automated procedures or otherwise.

Tom: I kind of feel like it’ll slowly come to the conclusion that browser extensions are trash. The researcher behind the report, and we’ve got to give Awake Security a plug here, because they’re actually the ones that did the research, they’re calling browser extensions the new malware, saying that critical business applications like Microsoft 365, Salesforce, Zoom, and Google’s own services all run on the browser. And this type of vulnerability is just unacceptable, really, when you’re thinking about how much the browser’s incorporated into your business day to day. And I know we’re going to get into it, I know we’re going to touch on it, but do you consider the work from home trend? And how many people are using their own personal laptops or personal desktops to do their work, and they’ve got their browser extensions for sharing Netflix videos or just doing all sorts of the little utility type of functions. It really becomes a dangerous mix of consumer tech and enterprise tech, and it’s problematic.

Lindsey: Speaking of work from home, I think a big theme this week has been how work from home is creating a crop of new security issues across different organizations, from small businesses to large enterprises, and how they’re trying to deal with the impact of employees who are working from home and all the new security threats that that introduces. And so one angle that we’ve really been discussing a lot is kind of the insider threat aspect of that. Tara, you have a webinar coming up next Wednesday. And so that’s been kind of top of mind, just for our team in general. With that coming up, and, you know, there was a related news story this week that kind of discussed insider threats that we were looking at as well. And that was about a new report on the CIA that stemmed from the CIA’s 2016 data breach, that basically said they have “woefully lax” security measures in place, and that’s essentially what was in part allowing the 2016 data breach, which was an insider threat where someone within the organization went and took data and released it. So, you know, this whole insider threat angle I think is very interesting.

Tara: So it was like an Edward Snowden thing where the person felt like they needed to, you know, expose the security weakness, or was it more like they wanted to expose the tools themselves for other nefarious purposes?

Lindsey: What the situation was, was that there was a former CIA employee named Joshua Schulte, and he is right now being accused of stealing the CIA’s hacking tools and giving them to WikiLeaks. Now the question of why is up for debate, I know WikiLeaks said it happened because they wanted to raise policy questions to the public instead of behind the scenes, whereas prosecutors say he was a disgruntled employee who didn’t feel that management took his complaints seriously.

I think the bigger focus of the story in the report was really, like, from the CIA’s perspective, how could they have prevented something like this from happening, regardless of whether it was a disgruntled employee or someone whose email had been compromised or something, and it wasn’t necessarily a malicious act by the employee themselves, how could they have stopped this from happening? And the report found various issues with the CIA: systems that had sensitive data were not equipped with user activity monitoring, and historical data was available to users indefinitely. So there were a ton of security controls that were missing. And even at the most basic level, you know, they found that sensitive cyber weapons weren’t being compartmentalized. And that, you know, researchers were sharing system administrator passwords with each other. It was all very shocking and eye-opening to see that some of the most basic security measures just weren’t in place here.

Tara: Yeah, it’s kind of fascinating. I mean, the government, you know, kind of once a year gets into trouble for their lack of security measures when they do these audits every year that were established under the Obama administration. And, you know, there’s always the headline that they’re lagging behind industry in general, and they have all of these issues, but particularly the insider threat aspects of this. I mean, you would think that that would be sort of job one, right?

Lindsey: Yeah, and I know too, that they had been lacking those controls for weeding out those insider threats. So, you know, there wasn’t that user activity monitoring if someone happened to log in on, you know, Sunday night, and when they weren’t usually working, they might not have been able to track that. And there weren’t kind of the server audit capabilities for the network. And I’m sure, Tara, that’s something you’ll be talking a little bit about on the webinar next week. But those are necessary things for any company or organization to have in place to kind of ensure that this doesn’t ever happen, especially with remote work.

Tara: Right. Yeah, absolutely. And that’s going to be one of the main thrusts of the webinar, which is taking place on Wednesday at 2pm EST, next Wednesday, June 24th. And so yeah, we’re gonna have a panel discussion, a roundtable discussion, about how insider threats are evolving and changing, and then the work from home situation that we find ourselves in with a pandemic. And, you know, what the different, you know, areas of insider threat are, and then pivot from there and talk about some strategies for gaining visibility into whether or not that activity is happening. And some of the challenges that are new when you consider that you have all these people working from home, and so it’s difficult to get eyes on what people are doing when they’re using their home networks and their home devices. As Tom pointed out, maybe some of those devices have, you know, Google Chrome extensions that are malicious.

Tom: I think we’re all working from home and I think my insider threat at home is my son like hopping on my laptop when I’m not on. And, again, you know, maybe downloading a malicious Chrome extension without any malice or just deleting or doing something… I do think it’s really interesting how we redefine an insider threat when most of us are now working from home, what is an insider threat? And how do we define an insider threat? And what are those threats?

Lindsey: Right. I think that’s a really good point, Tom. Like, for instance, when the Verizon data breach investigations report came out earlier this year, one of the highlights was the fact that, you know, insider threat is not always, you know, this employee who’s being, like, persuaded by someone from the outside to, you know, release data or something. Sometimes, a lot of the times, it’s just, you know, defined as someone who clicks on a phishing email or something, or it’s just, you know, someone who is downloading these malicious extensions or plugins or third-party apps or whatever, and just unintentionally opening up the organization from within to kind of an external threat.

Tom, Tara: Yeah.

Tom: I wonder how much of that is just good security versus somebody who’s, you know, maliciously you know, grabbing files or opening up access or, you know, what, in a traditional sort of insider threat sort of definition?

Tara: Yeah, it’s interesting, because the two sides of it, obviously, are just poor security hygiene, right. So, you know, the user has this poor set of behavioral habits, as you pointed out, which is something that, you know, technical platforms can sort of act as a fail-safe measure for, right. But you also need training and stuff like that. And that even extends to simple stuff like misconfigurations and whatnot. And then you do have this other malicious aspect, the disgruntled employee, etc., and in the work from home era, I was talking to somebody about this and they were pointing out the fact that you have workers at home that might be dealing with reduced compensation, or fewer hours, or, you know, an expectation that they have to get everything done while also homeschooling their kids. And the dissatisfaction of those of us that still have our jobs, you know, might be a little higher than it would be in a normal kind of work scenario. And so therefore, maybe that opens up the possibility that you’re going to have more malicious activity or people that might be more tempted, you know, to act as an ally for an outsider.

Tom: You always hear the stories about, you know, somebody who’s given two weeks’ notice, or somebody who feels like they’re gonna lose their job, and they start grabbing files and either doing things that are malicious or they’re taking, you know, IP off of the servers or taking client names off of the databases. And I don’t know if it gets easier or harder for a security team to lock somebody out of, you know, to limit access and lock somebody out of their systems and processes when – the old thing where it’s like, we’re gonna have to lay you off, you know, we’re downsizing, there’s an economic pressure on us – pack up your stuff, and please leave the building. I mean, right, if your employer calls you and says that’s it, we gotta let you go – you don’t pack up your stuff and leave the building. You’re sitting in front of your corporate laptop with your VPN connection and maybe some other hardware that your company has you set up to work from home with. So I mean, it’s really interesting to see how the insider threat is kind of a moving target and there needs to be a redefinition.

Lindsey: Well, to all our listeners, if you’re interested in learning more about kind of the insider threat and how that’s changing because of remote work, definitely tune in to the webinar that Tara will be spearheading on June 24, which is next Wednesday, and that will be at 2pm EST. And yeah, I’m excited to kind of learn more about everything that goes on there.

Tara: Yeah, thanks for the highlight, Lindsey. I appreciate it.

Lindsey: Yeah, I think that is most of the big stories there this week. Tom and Tara, thanks so much for coming on to the news wrap today to discuss the malicious Chrome extensions and the insider threat theme of the CIA’s report that came out this week, and I’m sure that we’ll have much more to cover today.

Tom: Thank you, Lindsey.

Tara: Have a great weekend, you guys.

Lindsey: You too. And to all our listeners, if you have any thoughts or comments on insider threats or anything that we’ve talked about here today or any stories that we’ve covered, please feel free to comment on our Twitter account @Threatpost. We want to hear from you and if not, catch us next week on the Threatpost podcasts.

Also, check out our podcast microsite, where we go beyond the headlines on the latest news.