Zero-day vulnerability in Chrometana (Chrome extension)

Backdoor

The browser extension was hijacked on Google Web Store. That update included alert10.js, malware that opens popups saying you have a virus.

Vulnerability details

Advisory: SB2017081611 - Backdoor in Chrometana Google Chrome extension

Vulnerable component: Chrometana (Chrome extension)

CVE-ID:

CVSSv3 score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C

CWE-ID: CWE-798 - Use of Hard-coded Credentials

Description:

The vulnerability allows a remote attacker to gain unauthorized access to victim's browser.

The vulnerability exists due to presence of backdoor code in Chrometana Google Chrome extension 1.1.3, distributed via Google Web Store.


Known APT campaigns:

Attack against Google Web Store developer accounts

Accounts of several developers of Google Chrome extensions were compromised. The malicious actors published new version of Chrome extension, which contained backdoor code. The campaign has started approximately in March 2017 and continued in August 2017. The total verified number of compromised extensions equals 6. Approximate number of affected victims - 4.1 million, according to Proofpoint.
https://www.proofpoint.com/us/threat-insight/post/threat-actor-goes-chrome-extension-hijacking-spree

External links:

http://chrometana.theo.li/2017/06/google-account-compromised-malware-shipped-chrometana-1-1-3/

About zero-day vulnerabilities

Zero-day vulnerability is an undisclosed vulnerability in software that hackers can exploit to compromise computer programs, gain unauthorized access to sensitive data, penetrate networks, etc. We consider vulnerability a zero-day when there is no solution provided from software vendor and the vulnerability is being actively exploited by malicious actors.

Zero-day candidate is a potential zero-day vulnerability in software which might have been used in targeted attacks, however there is no evidence to support this suggestion.