Software plugins/extensions should be part of your threat model

Over the last few months we’ve seen multiple cases of warnings about plugins and extensions for various software packages threatening the security of users.  We’ve recently seen the Copyfish and Web Developer Chrome plugins compromised and used to push malware to users.

While Chrome is likely safe and should probably not be considered a threat, perhaps your plugins should be.  Plugins are developed by potentially malicious third parties. Even if your plugin developers are not themselves malicious, they have security concerns just like everyone else.  And make no mistake about it: when understanding software supply chain issues, their security is your security.

So how do you evaluate the security of a third party plugin developer?  This is a hard problem.  Start by only installing plugins from the authorized locations.  To some extent, there is also some safety in only installing popular plugins.  At least anecdotally, popular plugins are likely to have more review and with that less chance of being malicious. While plugin repositories like the Chrome Web Store scan plugins for obvious malware, it is demonstrably possible to get malicious plugins distributed through authorized channels.

How are malicious plugins even a thing?

The Web Developer plugin was compromised via a phishing email to the programmer.  Even if you evaluated the security of the plugin when you first installed it, if the plugin is later compromised your system will be infected when the plugin is updated.  Whether we are talking about a plugin or regular software, it is inconceivable that any organization could seriously perform security evaluations on each new release of the software.  If an attacker compromises an update, it is likely to compromise the end user’s machine.

Mitigating malicious plugins with monitoring

So what should organizations do to combat this threat?  The answer is security monitoring.  If you aren’t doing security monitoring (preferably 24×7) you’re doing it wrong.  Today’s computers are always on and always targets.  We all know antivirus is unlikely to protect us from maliciously updated plugins.  If anything, antivirus is likely to detect the threat days to weeks to months after the infection.  But security monitoring can discover the new command and control (C2) channels as soon as the infected software is installed.  Simply put, monitoring will ensure that any attacker’s dwell time in a network is minimized.
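The kind of check that catches a new C2 channel right after a plugin update is a first-seen-destination comparison: baseline where the browser talked before the update, then alert on destinations it contacts afterwards. The following is an added example, not code from the post or from Rendition; the log format (`timestamp host process destination`), the hostnames, the `chrome.exe` process name and the update cutoff time are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed proxy-style log lines (hypothetical format: timestamp host process dest),
# with an assumed extension auto-update on ws-17 at 2017-08-02 09:00.
SAMPLE_LOGS = """\
2017-08-01T08:12:03 ws-17 chrome.exe www.example.com
2017-08-01T08:13:10 ws-17 chrome.exe clients2.google.com
2017-08-01T11:40:22 ws-17 chrome.exe www.example.com
2017-08-02T08:55:01 ws-17 chrome.exe clients2.google.com
2017-08-02T09:02:47 ws-17 chrome.exe update-stats.example.net
2017-08-02T09:03:05 ws-17 chrome.exe update-stats.example.net
2017-08-02T09:10:00 ws-17 outlook.exe mail.example.com
"""

def parse_logs(text):
    """Parse log lines into (timestamp, host, process, destination) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, dest = line.split()
        records.append((datetime.fromisoformat(ts), host, proc, dest))
    return records

def build_baseline(records, cutoff, process):
    """Destinations each host's `process` contacted before `cutoff`."""
    baseline = defaultdict(set)
    for ts, host, proc, dest in records:
        if proc == process and ts < cutoff:
            baseline[host].add(dest)
    return baseline

def new_destinations(records, cutoff, process):
    """Return {(host, dest): first_seen} for post-cutoff destinations the
    browser had never contacted before. A malicious update's C2 channel shows
    up here as a new destination beaconing right after the update window."""
    baseline = build_baseline(records, cutoff, process)
    first_seen = {}
    for ts, host, proc, dest in sorted(records):
        if proc != process or ts < cutoff or dest in baseline[host]:
            continue
        first_seen.setdefault((host, dest), ts)
    return first_seen

if __name__ == "__main__":
    cutoff = datetime(2017, 8, 2, 9, 0)
    for (host, dest), ts in new_destinations(parse_logs(SAMPLE_LOGS), cutoff, "chrome.exe").items():
        print(f"ALERT {host}: chrome.exe first contacted {dest} at {ts.isoformat()}")
```

In practice the baseline would be built from days of proxy or DNS logs rather than a handful of lines, and the alert would be enriched with the extension version change that coincided with it.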

If your organization is ready for security monitoring, but not sure where to start, reach out to Rendition Infosec for help.  Rendition has trained staff to assist with monitoring and incident response, a 24×7 security operations center in Augusta, GA, and attractive pricing plans customized to suit your needs.  Rendition’s expert staff can get you up and running quickly, usually at a price point that allows customers to avoid a capital expenditure budgeting cycle.