There are many avenues of attack a threat actor can take. The ones that have increased in recent years are user-centric applications. Instead of focusing on a better-protected administrator account, attackers target apps or extensions that a user can easily install without IT intervention.

One example is the proliferation of extensions, such as those in Chromium-based browsers. Although not the first of its kind, a a recent example is the Rilide malware strain. Trustwave identified this malware, which disguised itself as a Google Drive extension.

After installation, the extension allowed hackers to monitor browser history, take screenshots and inject malicious scripts targeting cryptocurrency exchanges.

Also, the cybersecurity giant, Kaspersky, recently identified 34 Malicious Chrome Extensions with over 87 million downloads. Multiple malicious extensions target user installations, leading to real danger of data exfiltration and system compromise.

The danger of uncontrolled user control

A big change happened years ago when users went from running the main as administrators to running with least privileges. This change reduced the attack surface that malicious applications or attacks could exploit. In the event of an attack, the damage can be limited to the profile of this user and to the data to which he could access.

Although a compromised user account can lead to a compromised administrative account, separating the two provides significantly improved security. But, because users feel relatively safe with this separation and may feel embarrassed asking IT to install software, there has been a proliferation of user apps and extensions.

Examples include extensions in Chromium-based browsers or developer tools like Visual Studio Code. Users may need to take a closer look at the installation process, as these extensions are downloaded from traditionally trusted sources, such as Google and Microsoft’s Visual Studio Code extension repository.

Due to this lack of attention, more and more attacks occur via user profile tool extensions or installations. Other examples include supply-side attacks from PyPi packages Or malicious npm package facilities.

Previously legitimate extensions or packages can be sold to an unscrupulous group that allows a user to be silently compromised from a formerly trusted source.

Prevent user profile extensions and packages from damaging

What can an IT department and a user do to protect themselves? One approach is to check extensions and packages and use allowlists to proactively limit what a user can install. This way users and administrators can feel safer and it ensures that only safe packages are used.

IT administrators should monitor authorized extensions and packages for ownership changes and files that may signal danger, especially if done by a third party. Since an extension can attempt to read data that a user profile can see, including files, it is especially important for users who have stored a password in a file to exercise caution.

This highlights the importance of multi-factor authentication (MFA) to prevent further breaches, as a password alone would not be enough to gain access to a sensitive system.

Of course, in the event of an attack, it is crucial to clean up and reset a user’s account quickly. The user profile attack can leverage the data it contains, which means that phishing emails or emails sent from a legitimate user’s account could be used to further spread an attack.

Attack mitigation with Specops uReset

Use tools like uReset Specificationswhich leverages multiple weighted factors to ensure that only the correct user can reset a password, provides a secure and fast method for a help desk to quickly take control of a bad situation.

• Reset passwords from a web browser, Windows login screen, or mobile app.
• Improve the help desk with a specific interface to verify users, unlock accounts and create temporary passwords.
• In-depth auditing and reporting of authentication events.
• Multiple ID services such as SMS, Email, Fingerprint Readers, Trusted Network Locations, Manager Verification, Dua, Okta, Symantec VIP, Microsoft and Google Authenticator, Google, Facebook, Twitter, Twitter, etc.

User Profile Dangers and Mitigation

Although there has been a shift from prolific administrator accounts to limited user accounts, an evolving threat exists from apps that users can install themselves. These apps can range from extensions to packages that can update automatically and look legitimate.

Therefore, it is crucial for IT organizations to proactively control what can be installed and used by their users.

In the event of an attack, it is crucial for an organization to quickly verify the user’s identity and reset their credentials using tools such as uReset Specifications. By doing so, the attack can be stopped in its tracks, and the user’s account and system can be quickly cleaned to prevent any future problems.

Sponsored and written by Specops software