From 55884c795d1194884d8c052a83159d6a6a5817ed Mon Sep 17 00:00:00 2001
From: ptm
Date: Fri, 22 May 2026 20:09:16 +0200
Subject: [PATCH] Add browser-extension object template

New object for browser extension supply chain threat intelligence. Captures compromised or malicious extension release events including permission escalation diffs, C2 infrastructure, and analysis verdicts.

Attributes (20):
- Identification: id, name, ecosystem, publisher, store-url
- Version diff: version-malicious, version-clean
- Manifest: manifest-version, permissions-added, host-permissions-added
- Payload: malicious-file, crx-sha256
- Infrastructure: c2-url, exfil-url
- Analysis: attack-pattern, verdict, confidence, analysis-source, first-seen, description

ATT&CK: T1195.002, T1185, T1539, T1567, T1036

Motivated by the 2024-2026 wave of Chrome/Firefox extension supply chain attacks (Cyberhaven, Trust Wallet, RedDirection, Operation Phantom Enigma, Nx Console) affecting millions of users.
---
 objects/browser-extension/README.md | 107 ++++++++++++++++
 objects/browser-extension/definition.json | 145 ++++++++++++++++++++++
 2 files changed, 252 insertions(+)
 create mode 100644 objects/browser-extension/README.md
 create mode 100644 objects/browser-extension/definition.json

diff --git a/objects/browser-extension/README.md b/objects/browser-extension/README.md
new file mode 100644
index 00000000..1b207e39
--- /dev/null
+++ b/objects/browser-extension/README.md
@@ -0,0 +1,107 @@ +# browser-extension + +**Category:** misc +**UUID:** 7749dcb5-57d7-4337-99e1-1d9448f1739e +**Version:** 1 + +Browser extension supply chain threat intelligence. Captures compromised or malicious extension release events, including permission escalation diffs, C2 infrastructure, and analysis verdicts. + +## Motivation + +Browser extensions are an established and escalating supply chain attack surface. Threat actors compromise extensions through phishing developer accounts, leaked store API keys, and purchasing legitimate extensions outright — then push silent malicious updates to millions of users through the official store update mechanism, bypassing endpoint controls that treat signed store updates as trusted. + +**Documented incidents (2024–2026):** + +- **December 2024 — Cyberhaven + 35 extensions (~2.6M users):** A phishing attack against Cyberhaven's developer account enabled a malicious Christmas Eve update. The campaign simultaneously compromised ~35 other Chrome extensions (Internxt VPN, Lumos, ParrotTalks, and others), replacing legitimate builds with versions that exfiltrated session cookies and identity tokens to attacker infrastructure. +- **December 2025 — Trust Wallet v2.68 (~$8.5M stolen):** A leaked Chrome Web Store API key allowed attackers to bypass internal release controls and push a malicious update (v2.68) to ~1M users. The update drained cryptocurrency from 2,520 wallet addresses within hours of publication. +- **2025 — RedDirection campaign (~2.3M users):** 18 Chrome and Edge extensions — including verified, long-standing tools such as colour pickers and volume controls — were silently converted to malicious versions after their developer accounts were compromised. Extensions hijacked browsing sessions, tracked all visited URLs, and redirected users to phishing pages. 
+- **June 2025 — Operation Phantom Enigma:** Targeted campaign against Brazilian banking customers; malicious extensions bypassed 2FA and exfiltrated banking credentials from 722 confirmed victims.
+- **May 2026 — Nx Console VS Code extension:** Malicious version published for 11–18 minutes before takedown; during that window ~3,800 GitHub internal repositories were exfiltrated via stolen developer credentials.
+
+Socket's threat intelligence programme ([socket.dev/blog/the-growing-risk-of-malicious-browser-extensions](https://socket.dev/blog/the-growing-risk-of-malicious-browser-extensions)) documents over 3.2M users impacted by malicious extensions in 2024–2025 alone, with attack capabilities including full webRequest interception, keylogging, screen capture, and TOTP seed theft.
+
+**The intelligence gap:** No existing MISP object captures extension-level threat intelligence. Analysts sharing IoCs for these attacks currently resort to generic `url`, `domain`, or `file` objects, losing the structural context that makes the intelligence actionable: which permissions were added, which version introduced the malicious behaviour, what the attacker infrastructure looks like, and whether this is a store-compromise or a purchase-and-weaponise pattern. 
+
+This object enables structured sharing of:
+- Compromised extension release events (version A clean → version B malicious)
+- Permission escalation diffs (`permissions-added`, `host-permissions-added`)
+- C2 and exfiltration infrastructure linked to a specific extension update
+- Verdict and confidence from automated or manual analysis
+
+## Attributes
+
+| Attribute | Type | Multiple | Description |
+|-----------|------|----------|-------------|
+| `id` *(required)* | text | | Extension store ID (Chrome Web Store item ID or Firefox AMO slug) |
+| `name` | text | | Human-readable extension name |
+| `ecosystem` | text | | Distribution channel: `chrome`, `firefox`, `edge` |
+| `version-malicious` | text | | First version with malicious behaviour |
+| `version-clean` | text | | Last known-clean version |
+| `publisher` | text | | Developer account name |
+| `store-url` | url | | Link to the store listing |
+| `manifest-version` | text | | `mv2` or `mv3` |
+| `permissions-added` | text | ✓ | Permissions newly granted in the malicious version |
+| `host-permissions-added` | text | ✓ | New host permission patterns (e.g. ``) |
+| `malicious-file` | filename | ✓ | Files inside the CRX/XPI with malicious code |
+| `c2-url` | url | ✓ | C2 URL contacted by the extension |
+| `exfil-url` | url | ✓ | Exfiltration endpoint (if distinct from C2) |
+| `attack-pattern` | text | | Short attack label (e.g. 
`webRequest credential intercept`) |
+| `crx-sha256` | sha256 | | SHA-256 of the malicious CRX/XPI |
+| `verdict` | text | | `suspicious`, `malicious`, `clean`, `insufficient_data` |
+| `confidence` | float | | 0.0–1.0 confidence score |
+| `analysis-source` | text | | `manual`, `automated`, `vendor` |
+| `first-seen` | datetime | | When the malicious version was first observed |
+| `description` | text | | Free-text threat summary |
+
+## ATT&CK Mapping
+
+| Technique | ID | Relevance |
+|-----------|----|-----------|
+| Supply Chain Compromise: Software Supply Chain | T1195.002 | Malicious update pushed through official store |
+| Browser Session Hijacking | T1185 | webRequest interception of authenticated sessions |
+| Steal Web Session Cookie | T1539 | Cookie exfiltration via content script |
+| Exfiltration Over Web Service | T1567 | HTTPS exfil to attacker-controlled endpoint |
+| Masquerading | T1036 | Legitimate extension name concealing malicious payload |
+
+## Example
+
+A compromised `productivity-helper` v1.5.1 silently gained `` host permission and a service worker that POSTs all web request bodies to an attacker endpoint:
+
+```json
+{
+ "name": "browser-extension",
+ "meta-category": "software",
+ "description": "Compromised Chrome extension — productivity-helper v1.5.1",
+ "Attribute": [
+ {"object_relation": "id", "value": "abcdefghijklmnop"},
+ {"object_relation": "name", "value": "productivity-helper"},
+ {"object_relation": "ecosystem", "value": "chrome"},
+ {"object_relation": "version-malicious", "value": "1.5.1"},
+ {"object_relation": "version-clean", "value": "1.5.0"},
+ {"object_relation": "publisher", "value": "prodtools-dev"},
+ {"object_relation": "manifest-version", "value": "mv3"},
+ {"object_relation": "permissions-added", "value": "webRequest"},
+ {"object_relation": "permissions-added", "value": "webRequestBlocking"},
+ {"object_relation": "host-permissions-added", "value": ""},
+ {"object_relation": "malicious-file", "value": 
"bg.js"},
+ {"object_relation": "c2-url", "value": "https://collect.attacker.example.com/beacon"},
+ {"object_relation": "attack-pattern", "value": "webRequest full-body intercept and exfiltration"},
+ {"object_relation": "verdict", "value": "malicious"},
+ {"object_relation": "confidence", "value": "0.95"},
+ {"object_relation": "analysis-source", "value": "automated"},
+ {"object_relation": "first-seen", "value": "2024-12-25T00:00:00Z"}
+ ]
+}
+```
+
+## Relationships
+
+Suggested object relationships:
+
+| Related object | Relationship verb | Notes |
+|---------------|-------------------|-------|
+| `domain` / `url` | `communicates-with` | C2 or exfil endpoint |
+| `file` | `drops` | CRX/XPI via `crx-sha256` |
+| `threat-actor` | `attributed-to` | Actor behind the compromise |
+| `vulnerability` | `related-to` | If a browser API vuln was exploited |
+| `software` | `related-to` | The legitimate extension being impersonated |
diff --git a/objects/browser-extension/definition.json b/objects/browser-extension/definition.json
new file mode 100644
index 00000000..efa7facc
--- /dev/null
+++ b/objects/browser-extension/definition.json
@@ -0,0 +1,145 @@
+{
+ "name": "browser-extension",
+ "meta-category": "misc",
+ "description": "Browser extension supply chain threat intelligence. Captures compromised or malicious extension release events, including permission escalation diffs, C2 infrastructure, and analysis verdicts.",
+ "uuid": "7749dcb5-57d7-4337-99e1-1d9448f1739e",
+ "version": 1,
+ "attributes": {
+ "id": {
+ "misp-attribute": "text",
+ "ui-priority": 0,
+ "description": "Extension store identifier — Chrome Web Store item ID or Firefox AMO slug. Use the raw ID, not the full store URL, to enable deduplication across events."
+ },
+ "name": {
+ "misp-attribute": "text",
+ "ui-priority": 10,
+ "description": "Human-readable extension name as shown in the store."
+ },
+ "ecosystem": {
+ "misp-attribute": "text",
+ "ui-priority": 20,
+ "disable_correlation": true,
+ "description": "Distribution channel for the extension.",
+ "sane_default": [
+ "chrome",
+ "firefox",
+ "edge"
+ ]
+ },
+ "version-malicious": {
+ "misp-attribute": "text",
+ "ui-priority": 30,
+ "disable_correlation": true,
+ "description": "First version observed with malicious behaviour."
+ },
+ "version-clean": {
+ "misp-attribute": "text",
+ "ui-priority": 40,
+ "disable_correlation": true,
+ "description": "Last known-clean version immediately before the malicious update."
+ },
+ "publisher": {
+ "misp-attribute": "text",
+ "ui-priority": 50,
+ "description": "Publisher or developer account name as shown in the store."
+ },
+ "store-url": {
+ "misp-attribute": "url",
+ "ui-priority": 60,
+ "description": "Direct link to the extension's store listing page." 
+ },
+ "manifest-version": {
+ "misp-attribute": "text",
+ "ui-priority": 70,
+ "disable_correlation": true,
+ "description": "Chrome extension manifest version of the malicious release.",
+ "sane_default": [
+ "mv2",
+ "mv3"
+ ]
+ },
+ "permissions-added": {
+ "misp-attribute": "text",
+ "ui-priority": 80,
+ "multiple": true,
+ "description": "Permission strings newly introduced in the malicious version. One entry per permission; use the canonical permission string as defined in the browser extension API (e.g. webRequest, tabs, cookies)."
+ },
+ "host-permissions-added": {
+ "misp-attribute": "text",
+ "ui-priority": 90,
+ "multiple": true,
+ "description": "Host permission patterns newly introduced in the malicious version (MV3 host_permissions or MV2 match patterns). One entry per pattern. Tracked separately from permissions because broad host access is the primary exfiltration enabler."
+ },
+ "malicious-file": {
+ "misp-attribute": "filename",
+ "ui-priority": 100,
+ "multiple": true,
+ "description": "File within the extension package containing malicious code, as the path appears inside the CRX/XPI archive (e.g. background.js, content_scripts/inject.js)."
+ },
+ "c2-url": {
+ "misp-attribute": "url",
+ "ui-priority": 110,
+ "multiple": true,
+ "description": "Command-and-control URL contacted by the malicious extension."
+ },
+ "exfil-url": {
+ "misp-attribute": "url",
+ "ui-priority": 120,
+ "multiple": true,
+ "description": "Data exfiltration endpoint if distinct from the C2 URL."
+ },
+ "attack-pattern": {
+ "misp-attribute": "text",
+ "ui-priority": 130,
+ "description": "Short label describing the primary attack technique (e.g. webRequest credential intercept, session cookie theft, postinstall beacon, content-script keylogger)."
+ },
+ "crx-sha256": {
+ "misp-attribute": "sha256",
+ "ui-priority": 140,
+ "description": "SHA-256 hash of the malicious CRX or XPI package file." 
+ },
+ "verdict": {
+ "misp-attribute": "text",
+ "ui-priority": 150,
+ "disable_correlation": true,
+ "description": "Analysis verdict for the malicious version.",
+ "values_list": [
+ "suspicious",
+ "malicious",
+ "clean",
+ "insufficient_data"
+ ]
+ },
+ "confidence": {
+ "misp-attribute": "float",
+ "ui-priority": 160,
+ "disable_correlation": true,
+ "description": "Analyst or automated confidence score for the verdict (0.0 to 1.0)."
+ },
+ "analysis-source": {
+ "misp-attribute": "text",
+ "ui-priority": 170,
+ "disable_correlation": true,
+ "description": "Origin of the verdict.",
+ "sane_default": [
+ "manual",
+ "automated",
+ "vendor"
+ ]
+ },
+ "first-seen": {
+ "misp-attribute": "datetime",
+ "ui-priority": 180,
+ "description": "Timestamp when the malicious version was first observed in the wild."
+ },
+ "description": {
+ "misp-attribute": "text",
+ "ui-priority": 190,
+ "disable_correlation": true,
+ "description": "Free-text summary of the threat behaviour and impact."
+ }
+ },
+ "requiredOneOf": [
+ "id"
+ ]
+}
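Review bot: `attack-pattern` (and arguably `name`) is left correlating while every other free-text field in this template sets `disable_correlation`; a short label such as `session cookie theft` recurs across unrelated campaigns, so MISP would correlate events that share nothing but the label — add `"disable_correlation": true,` to `attack-pattern`, and consider the same for `name` since generic extension names recur across unrelated publishers. The `manifest-version` description says "Chrome extension manifest version" although `ecosystem` also lists `firefox` and `edge`; `"description": "Extension manifest version (MV2 or MV3) of the malicious release."` avoids implying the field is Chrome-only. `verdict` uses a closed `values_list` while `ecosystem`, `manifest-version` and `analysis-source` use `sane_default` (free values allowed); if that split is deliberate it should be stated, as the commit's own Nx Console example is a VS Code extension that fits none of the `ecosystem` defaults. The README example sets `"meta-category": "software"` while this definition says `"misc"`, so presumably one of the two needs to change for the example to match the template.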