
Stop Modern Identity-Based Attacks in Chrome

Published 07/20/2022


This blog was originally published by CrowdStrike here.

Written by Eamonn Ryan, Matthew Puckett, and Liviu Arsene of CrowdStrike.

  • A novel technique that reduces the overhead in extracting sensitive data from Chromium browser’s memory was recently found by researchers from CyberArk Labs
  • Existing access to the targeted system is required before leveraging the technique
  • Successful use of the technique can lead to multifactor authentication (MFA) bypass by extracting valid authentication tokens from the web browser’s memory
  • Organizations need a platform that helps identify, prevent and detect memory-based vulnerabilities and protect customers from modern identity-based attacks

Recent research from CyberArk Labs presents a new technique for extracting sensitive data from the Chromium browser’s memory. However, existing access to the targeted system is required before the technique can be used to extract that data. The technique could enable identity-based attacks involving authentication bypass using OAuth cookies that have already passed an MFA challenge.

Organizations need to build defensive capabilities to protect customers from similar post-compromise attacks leveraging this novel technique for extracting valid authentication tokens from the Chromium browser’s memory.

The right cybersecurity solutions will help identify, prevent and detect memory-based vulnerabilities, and enable customers to stay safe from identity-based attacks by enforcing Zero Trust on the endpoint, the identity and the data.

According to the CrowdStrike Falcon OverWatch™ threat hunting team, 80% of breaches are now identity-driven. Stopping the adversary in real time and preventing attacks from progressing requires a unified approach to security that delivers native identity protection capabilities, halts adversaries and stops breaches.

About the Research and the Technique

The research and proof of concept (POC) demonstrate how sensitive information is extracted by a non-elevated process running on the local machine that directly accesses Chrome’s memory using the OpenProcess and ReadProcessMemory APIs.

While existing access to the targeted system is required before leveraging the technique, the extracted sensitive data could be used in subsequent identity-based attacks that bypass MFA using OAuth cookies or enable lateral movement using extracted credentials.

The presented technique takes a novel approach to reducing the overhead involved in extracting valid OAuth tokens from web browser memory: it reads the Chromium browser’s memory and monitors for specific login URLs. A snapshot is taken of specific memory buffer regions, both before and after login and authentication. This significantly reduces the amount of memory that needs to be dumped and scanned. It also reduces the time necessary to extract the token and so widens the window of opportunity for an attacker before the token expires.

In essence, an attacker could hijack an authenticated user’s browser session, get access to restricted information, and most significantly, bypass MFA without knowing any of the victim’s credentials.
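The technique described above has one unavoidable observable: a process that is not the browser opens the browser process with OpenProcess and reads it with ReadProcessMemory. Because the reading process runs as the same user and needs no elevation, alerts that key on privilege escalation will not fire, so the handle open itself is the thing to watch. The following is an added example, not CrowdStrike’s or CyberArk’s code, and it assumes Windows hosts that forward Sysmon Event ID 10 (ProcessAccess) records; the GrantedAccess mask in those records carries the documented PROCESS_VM_READ bit (0x0010) whenever read access was granted. The log lines, the allow-list and the process names are constructed for the example.

```python
"""Flag cross-process memory reads of Chromium-based browsers.

Added detection example (not from the original post). Input is a few
constructed, Sysmon-ProcessAccess-style records, one per line, fields
separated by "; ". A record is reported when a process that is not itself
a browser (and is not on the allow-list) opened chrome.exe/msedge.exe
with a GrantedAccess mask that includes PROCESS_VM_READ (0x0010).
"""
import re
from dataclasses import dataclass

PROCESS_VM_READ = 0x0010  # documented Windows process access right
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "chromium.exe"}

# Assumed allow-list of processes that legitimately open the browser
# (csrss.exe opens every process on the host). Tune per environment.
ALLOW_LIST = {"csrss.exe"} | BROWSER_IMAGES

# Constructed Sysmon-style records; not real telemetry.
SAMPLE_EVENTS = r"""
SourceImage: C:\Windows\System32\csrss.exe; TargetImage: C:\Program Files\Google\Chrome\Application\chrome.exe; GrantedAccess: 0x1FFFFF; CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d4f4
SourceImage: C:\Users\alice\AppData\Local\Temp\updater.exe; TargetImage: C:\Program Files\Google\Chrome\Application\chrome.exe; GrantedAccess: 0x1410; CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d4f4|C:\Users\alice\AppData\Local\Temp\updater.exe+1a2b
SourceImage: C:\Program Files\Google\Chrome\Application\chrome.exe; TargetImage: C:\Program Files\Google\Chrome\Application\chrome.exe; GrantedAccess: 0x1FFFFF; CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d4f4
SourceImage: C:\Windows\System32\svchost.exe; TargetImage: C:\Windows\System32\lsass.exe; GrantedAccess: 0x1010; CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d4f4
SourceImage: C:\Users\alice\Downloads\notes.exe; TargetImage: C:\Program Files\Google\Chrome\Application\chrome.exe; GrantedAccess: 0x1000; CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d4f4
"""

LINE_RE = re.compile(
    r"SourceImage: (?P<src>[^;]+); TargetImage: (?P<dst>[^;]+); "
    r"GrantedAccess: (?P<acc>0x[0-9A-Fa-f]+); CallTrace: (?P<trace>.+)$"
)


@dataclass(frozen=True)
class ProcessAccess:
    source_image: str
    target_image: str
    granted_access: int
    call_trace: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> list[ProcessAccess]:
    """Parse the constructed record format; unrelated lines are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(ProcessAccess(m["src"], m["dst"], int(m["acc"], 16), m["trace"]))
    return events


def is_suspicious(ev: ProcessAccess) -> bool:
    """Non-browser, non-allow-listed process opened a browser with read access."""
    if basename(ev.target_image) not in BROWSER_IMAGES:
        return False
    if not ev.granted_access & PROCESS_VM_READ:
        return False  # handle cannot be used for ReadProcessMemory
    return basename(ev.source_image) not in ALLOW_LIST


def severity(ev: ProcessAccess) -> str:
    """Raise severity when a call-trace frame sits in a user-writable path."""
    frames = ev.call_trace.split("|")
    if any("\\users\\" in f.lower() for f in frames):
        return "high"
    return "medium"


def find_browser_memory_reads(text: str) -> list[ProcessAccess]:
    """Return the records a responder should triage."""
    return [ev for ev in parse_events(text) if is_suspicious(ev)]


if __name__ == "__main__":
    for hit in find_browser_memory_reads(SAMPLE_EVENTS):
        print(f"[{severity(hit)}] {basename(hit.source_image)} -> "
              f"{basename(hit.target_image)} access=0x{hit.granted_access:x}")
```

Of the five constructed records only the second is reported: the lsass.exe record is out of scope for this rule, csrss.exe and Chrome’s own helper processes are on the allow-list, and the final record requested 0x1000 (query-limited information) with no read right, so it cannot have been used for ReadProcessMemory. The allow-list is the part that needs care in a real estate; an alert that fires on every EDR agent or accessibility tool touching the browser will be tuned out before it ever catches a token theft.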

For more detailed technical information on the research and POC, check out the research here.
