Quick! Before you start! There's a really interesting discussion going on over at Hacker News around this whole deal, and as of this update the fake Postman extension has been removed from the Chrome extension store.

We recently uncovered a Chrome extension that was using the name of a popular Chrome App that developers use to test their REST APIs. The extension was attempting to aggregate and exfiltrate data from our environment, but was detected by ExtraHop Reveal(x) in time to prevent any data loss. Since we like to eat our own dogfood, we used ExtraHop gear for the full investigation and response to this potential threat, which only took a couple of hours to confidently resolve.

One of our engineers deployed an experimental new detector to our Reveal(x) security product. The detector immediately showed a long-lived, persistent HTTP WebSocket connection to an external IP address on a strange port (6332). We investigated with our own ExtraHop tools and found plaintext HTTP traffic, clearly obfuscated, being emitted from an employee's computer. Our IT staff jumped immediately into action and disabled the machine that had this persistent connection.

We had found one machine that was definitely exfiltrating data of some kind. We also had an Indicator of Compromise (IOC): the extension always seemed to send the data over port 6332.

ExtraHop keeps flow records for all IP transactions. Using these records, we discovered two other machines with the exact same traffic, presumably running a second copy of the extension. One was a second machine belonging to the first user; the other belonged to a second user.

Flow records for the suspicious connection, detected by ExtraHop.

Because ExtraHop gathers flow records and makes them easy to search through, this part of the investigation was simple. The second user was not in the office either, so the same operation happened again: the machine was unplugged and the user was forcibly logged out of all accounts. We also used our own ExtraHop packet capture appliances to archive all the packets from the time the extensions were installed. We archived these packets for investigation and retention purposes.

By examining the packets using Wireshark, we found that the HTTP traffic included a header from a Chrome extension called Postman. This definitely isn't the Postman that is popular for testing REST APIs and doing web development. Immediately, we became suspicious about the extension because its name hijacked a popular tool.

Another of our engineers downloaded the extension, did some reverse engineering and de-obfuscation, and discovered that the extension was indeed exfiltrating URL information that was XOR'ed with 6332 (0x18BC). URLs with internal hostnames would be considered sensitive data and should not be exfiltrated from our network.
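The two analyst steps in this write-up, hunting flow records for the port-6332 IOC and undoing the XOR obfuscation to see what URL data was leaving, as an added Python example (not ExtraHop's code or the extension's). It assumes the extension XORs each UTF-16 code unit of a URL with 6332 (0x18BC); the flow records, the "long-lived" threshold and the internal-suffix list are constructed assumptions, not a real ExtraHop export format.

```python
# Added example, not ExtraHop's code. Assumes the extension XORs each UTF-16
# code unit of a collected URL with 6332 (0x18BC) and sends it over TCP port
# 6332; flow records are constructed dicts, not a real ExtraHop export format.
import ipaddress
from collections import defaultdict

XOR_KEY = 6332            # 0x18BC, the key recovered by de-obfuscation
EXFIL_PORT = 6332         # IOC: the extension always used this port
LONG_LIVED_SECONDS = 600  # assumption: >10 min counts as "persistent"
INTERNAL_SUFFIXES = (".corp", ".internal", ".local")  # assumption
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def deobfuscate(code_units):
    """Undo the per-code-unit XOR; XOR is its own inverse, so the same
    call turns plaintext code units into the obfuscated form."""
    return "".join(chr(u ^ XOR_KEY) for u in code_units)

def is_internal_url(url):
    """Flag URLs whose host is RFC 1918, has an internal suffix, or is a
    bare single-label hostname (the sensitive data the extension leaked)."""
    host = url.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0].lower()
    try:
        return is_rfc1918(host)
    except ValueError:
        return host.endswith(INTERNAL_SUFFIXES) or "." not in host

def find_exfil_hosts(flows):
    """Map src -> sorted external dsts for long-lived flows on the IOC port."""
    hits = defaultdict(set)
    for f in flows:
        if (f["dport"] == EXFIL_PORT and not is_rfc1918(f["dst"])
                and f["duration_s"] >= LONG_LIVED_SECONDS):
            hits[f["src"]].add(f["dst"])
    return {src: sorted(dsts) for src, dsts in hits.items()}

# Constructed sample: three internal machines showing the IOC pattern, plus an
# internal-only flow and ordinary HTTPS traffic that must not match.
SAMPLE_FLOWS = [
    {"src": "10.0.1.15", "dst": "203.0.113.7", "dport": 6332, "duration_s": 7200},
    {"src": "10.0.1.16", "dst": "203.0.113.7", "dport": 6332, "duration_s": 5400},
    {"src": "10.0.2.40", "dst": "203.0.113.7", "dport": 6332, "duration_s": 3600},
    {"src": "10.0.1.15", "dst": "10.0.0.5", "dport": 6332, "duration_s": 9000},
    {"src": "10.0.3.9", "dst": "198.51.100.2", "dport": 443, "duration_s": 8000},
]
```

Running `find_exfil_hosts(SAMPLE_FLOWS)` returns the three internal sources talking to the single external address, matching the three machines found in the write-up; feeding captured code units to `deobfuscate` and then `is_internal_url` shows whether an internal hostname was in the stream.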