Google Chrome Sync Feature can be Abused for C&C and Data Exfiltration
upstart writes in with an IRC submission:
Google Chrome sync feature can be abused for C&C and data exfiltration:
Threat actors have discovered they can abuse the Google Chrome sync feature to send commands to infected browsers and steal data from infected systems, bypassing traditional firewalls and other network defenses.
[...] Bojan Zdrnja, a Croatian security researcher, said on Thursday that during a recent incident response, he discovered that a malicious Chrome extension was abusing the Chrome sync feature as a way to communicate with a remote command and control (C&C) server and as a way to exfiltrate data from infected browsers.
Zdrnja said that in the incident he investigated, attackers gained access to a victim's computer, but because the data they wanted to steal was inside an employee's portal, they downloaded a Chrome extension on the user's computer and loaded it via the browser's Developer Mode.
The extension, which posed as a security add-on from security firm Forcepoint, contained malicious code that abused the Chrome sync feature as a way to allow attackers to control the infected browser.
[...] Malicious code found in the extension suggested that the attacker was using the malicious add-on to create a text-based field to store token keys, which would then be synced to Google cloud servers as part of the sync feature.
[...] In this way, the extension could be used as an exfiltration channel from inside corporate networks to an attacker's Chrome browser instance or as a way to control the infected browser from afar, bypassing local security defenses.
Once an adversary gets physical access to your computer, it's pretty much game over.
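Added example (not code from the story or from the researcher's write-up): a Python triage script for defenders that applies the heuristics the story implies to an unpacked extension directory, checking whether it declares the storage permission, whether its scripts call chrome.storage.sync, and whether it lacks the Web Store update_url that a developer-mode load usually does not carry. The sample extension is constructed inline, and the update_url rule and the final "suspicious" scoring are assumptions of this example.

```python
import json
import re
import tempfile
from pathlib import Path

# Sync-area API calls worth surfacing: set() carries data out of the browser,
# get()/onChanged bring values (e.g. commands) back in from the synced account.
SYNC_API = re.compile(r"chrome\.storage\.sync\.(set|get|onChanged)")

def triage_extension(ext_dir: Path) -> dict:
    """Static triage of one unpacked extension directory (hypothetical heuristic)."""
    manifest = json.loads((ext_dir / "manifest.json").read_text())
    indicators = []
    # Web Store installs carry an update_url; an unpacked developer-mode load usually does not.
    if "update_url" not in manifest:
        indicators.append("no update_url (consistent with developer-mode load)")
    uses_storage = "storage" in manifest.get("permissions", [])
    if uses_storage:
        indicators.append("storage permission declared")
    sync_calls = set()
    for js in sorted(ext_dir.rglob("*.js")):
        found = set(SYNC_API.findall(js.read_text()))
        if found:
            sync_calls |= found
            indicators.append(f"{js.name}: chrome.storage.sync.{{{','.join(sorted(found))}}}")
    # Assumed scoring: storage permission plus any sync-area call is worth an analyst's look.
    suspicious = uses_storage and bool(sync_calls)
    return {"name": manifest.get("name"), "indicators": indicators,
            "sync_calls": sorted(sync_calls), "suspicious": suspicious}

# Constructed sample: a minimal extension that stores a value in the sync area
# and listens for changes to it, mirroring the behaviour the story describes.
SAMPLE_MANIFEST = {"name": "Constructed sample (security add-on look-alike)",
                   "version": "1.0", "manifest_version": 2,
                   "permissions": ["storage", "tabs"],
                   "background": {"scripts": ["bg.js"]}}
SAMPLE_BG_JS = ("chrome.storage.sync.set({t: token});\n"
                "chrome.storage.sync.onChanged.addListener(function (c) { handle(c); });\n")

def write_sample_extension(root: Path) -> Path:
    ext = root / "sample_ext"
    ext.mkdir()
    (ext / "manifest.json").write_text(json.dumps(SAMPLE_MANIFEST))
    (ext / "bg.js").write_text(SAMPLE_BG_JS)
    return ext

def demo() -> dict:
    """Build the constructed sample in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage_extension(write_sample_extension(Path(tmp)))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Pointing triage_extension at each directory under a profile's Extensions folder turns this into a quick sweep for extensions that talk to the sync area; a hit is a lead for review, not proof of compromise.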
Read more of this story at SoylentNews.