8. Users and applications are moving to the cloud
• 49% of workers are mobile
• 82% of connections do not use a VPN
• 70% growth in SaaS usage
• 70% of branch offices have direct Internet access
Security controls are shifting to the cloud; security must move with them
16. Spot the difference
• A site can be cloned in minutes
• The clone is hosted on a domain bought in advance and steals information (logins/passwords)
• Malicious code can be embedded in the clone to infect visitors
17. Can you spot the difference here?
• Look-alike domains exploit the availability of different encodings (homographs), user inattention and keyboard typos
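Slides 16 and 17 describe clones hosted on look-alike names. The script below is an added example, not code from the deck, showing how a resolver log can be screened for such names: it decodes punycode so that IDN homographs become visible, folds a constructed, partial confusable table into an ASCII "skeleton", and compares the registered label against a constructed list of protected brands by exact skeleton match, by an edit distance of one (including adjacent transpositions), or by the brand string appearing in a subdomain. The brand list, the confusable subset, the sample hostnames and the second-to-last-label shortcut for the registered domain are all assumptions.

```python
"""Classify hostnames as look-alikes of protected brands: IDN homographs, typosquats and
brand-in-subdomain clones. Added example (not from the deck). The brand list, the confusable
subset and the sample hostnames are constructed; the full confusable table is Unicode UTS #39.
"""
import unicodedata

PROTECTED_BRANDS = ["example", "examplebank"]        # registered labels we defend (constructed)

# Multi-character entries first so they are applied before single-character ones.
CONFUSABLES = {
    "rn": "m", "vv": "w",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",   # Cyrillic а е о р
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",   # Cyrillic с х у і
    "\u0458": "j", "\u0455": "s", "\u0501": "d", "\u04cf": "l",   # Cyrillic ј ѕ ԁ ӏ
    "\u0261": "g",                                                 # Latin script g (ɡ)
    "0": "o", "1": "l", "3": "e", "5": "s",                        # digit look-alikes
}


def to_unicode(hostname: str) -> str:
    """Decode punycode (xn--) labels so that look-alike characters become visible."""
    try:
        return hostname.encode("ascii").decode("idna")
    except UnicodeError:            # already contains non-ASCII, or malformed punycode
        return hostname


def skeleton(label: str) -> str:
    """Reduce a label to the ASCII shape a user perceives (NFKC folds full-width forms)."""
    s = unicodedata.normalize("NFKC", label).lower()
    for src, dst in CONFUSABLES.items():
        s = s.replace(src, dst)
    return s


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus adjacent transpositions (exmaple ~ example)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(hostname: str, brands=PROTECTED_BRANDS):
    """Return (verdict, brand). Simplification: the registered label is the second-to-last
    label; production code should use the Public Suffix List (co.uk and friends)."""
    host = to_unicode(hostname.rstrip(".").lower())
    labels = host.split(".")
    if len(labels) < 2:
        return ("clean", None)
    registered = labels[-2]
    reg_skel = skeleton(registered)
    for brand in brands:
        if reg_skel == skeleton(brand):
            return ("protected", brand) if registered == brand else ("homograph", brand)
        if osa_distance(reg_skel, skeleton(brand)) == 1:
            return ("typosquat", brand)
    sub_skel = skeleton(".".join(labels[:-2]))
    for brand in brands:
        if skeleton(brand) in sub_skel:
            return ("brand-in-subdomain", brand)
    return ("clean", None)


# Constructed sample of observed hostnames. The IDN entry is built at runtime from a Cyrillic
# е (U+0435) in place of the Latin e, encoded to punycode as a resolver log would show it.
SAMPLE_HOSTS = [
    "www.example.com",
    "exarnple.com",                                   # rn -> m
    "examp1e.com",                                    # 1 -> l
    "exmaple.com",                                    # adjacent transposition
    "login.example.com.evil.test",                    # brand as subdomain of a throwaway domain
    "\u0435xample.com".encode("idna").decode("ascii"),
    "unrelated.test",
]


def scan(hosts=SAMPLE_HOSTS):
    """Return (host, verdict, brand) for every host that is neither clean nor the brand itself."""
    findings = []
    for h in hosts:
        verdict, brand = classify(h)
        if verdict not in ("clean", "protected"):
            findings.append((h, verdict, brand))
    return findings


if __name__ == "__main__":
    for row in scan():
        print(row)
```

A distance-one hit is a lead for an analyst, not a verdict (a name such as examples.com may be perfectly legitimate), and the confusable table here is a small subset; a production check should load the full UTS #39 data and use the Public Suffix List to find the registered label.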
18. Leakage via DNS (through the subdomain name)
Normal distribution of subdomain lengths vs. anomalies in subdomain names (redacted examples):
log.nu6timjqgq4dimbuhe.3ikfsb---redacted---cg3.7s3bnxqmavqy7sec.dojfgj.com
log.nu6timjqgq4dimbuhe.otlz5y---redacted---ivc.v55pgwcschs3cbee.dojfgj.com
What is hidden in this 231-character line?
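To make the slide's "anomalous subdomain length" idea concrete, here is an added example (not from the deck) that scores queries from a constructed resolver log. Per apex domain it computes the mean length of the attacker-controlled labels, their Shannon entropy and the share of subdomains that never repeat, then flags apexes that exceed constructed thresholds. The apex exfil-demo.test, the base32-looking labels and the thresholds are assumptions; real thresholds come from your own baseline distribution.

```python
"""Spot DNS tunnelling / exfiltration in query logs by subdomain length and entropy.

Added example (not from the deck). The log lines, the apex domain exfil-demo.test and the
thresholds are constructed for illustration; derive real thresholds from your own baseline.
"""
import math
from collections import Counter, defaultdict

# Constructed resolver log: "<client-ip> <queried-name>" per line. The long labels are made up
# (base32-looking chunks) and stand in for the redacted names on the slide. A single DNS label
# is limited to 63 bytes and a whole name to 253, so tunnels split their payload across labels.
SAMPLE_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.5 cdn.static.example.com
10.0.0.9 api.example.org
10.0.0.7 log.nu6timjqgq4dimbuhe.mfrggzdfmztwq2lknnwg23tpn5xxe43vorsxg5a.7s3bnxqmavqy7sec.exfil-demo.test
10.0.0.7 log.kq3zj5b7x2m9ah4t.onswy3dpeb3w64tmmqqhi2dfoiqgs4zanfzsa5dfon2a.v55pgwcschs3cbee.exfil-demo.test
10.0.0.7 log.p8wr2v6hz3n0ys1l.mfxg65dimvzcay3ivlxgwidpmyqgizlumeqgc3tdeb3q.kf9q2t7dmc1xzh4b.exfil-demo.test
"""

# Constructed thresholds: long, high-entropy, never-repeating subdomains are the tunnelling signature.
MAX_NORMAL_SUB_LEN = 40
MIN_SUSPICIOUS_ENTROPY = 3.5
MIN_UNIQUE_RATIO = 0.9


def shannon_entropy(s: str) -> float:
    """Bits per character: 0 for an empty or single-symbol string, up to log2(alphabet) for random data."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_qname(qname: str):
    """Return (subdomain, apex). Simplification: the apex is the last two labels; production code
    should use the Public Suffix List so that e.g. host.example.co.uk is handled correctly."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def score_query(qname: str) -> dict:
    """Per-query features computed over the labels the querying host (or malware) controls."""
    sub, apex = split_qname(qname)
    payload = sub.replace(".", "")
    return {"apex": apex, "sub": sub, "sub_len": len(payload),
            "entropy": shannon_entropy(payload)}


def find_exfil_domains(log_text: str, min_queries: int = 3) -> dict:
    """Aggregate per apex domain and flag those whose subdomains look like encoded data."""
    per_apex = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue                          # skip malformed lines
        row = score_query(parts[1])
        per_apex[row["apex"]].append(row)

    report = {}
    for apex, rows in per_apex.items():
        n = len(rows)
        mean_len = sum(r["sub_len"] for r in rows) / n
        mean_ent = sum(r["entropy"] for r in rows) / n
        unique_ratio = len({r["sub"] for r in rows}) / n
        flagged = (n >= min_queries and mean_len > MAX_NORMAL_SUB_LEN
                   and mean_ent > MIN_SUSPICIOUS_ENTROPY and unique_ratio >= MIN_UNIQUE_RATIO)
        report[apex] = {"queries": n, "mean_sub_len": round(mean_len, 1),
                        "mean_entropy": round(mean_ent, 2), "unique_ratio": unique_ratio,
                        "flagged": flagged}
    return report


if __name__ == "__main__":
    for apex, summary in sorted(find_exfil_domains(SAMPLE_LOG).items()):
        print(apex, summary)
```

The unique-subdomain ratio matters as much as the length: CDNs and anti-virus update services also use long, hash-like labels, but they repeat them, whereas an exfiltration channel must carry a different payload in every query.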
23. Attackers do not stand still
• Rovnix uses text from the US Declaration of Independence as input for its DGA:
  • Kingwhichtotallyadminis[.]biz
  • thareplunjudiciary[.]net
  • townsunalienable[.]net
  • taxeslawsmockhigh[.]net
  • transientperfidythe[.]biz
  • inhabitantslaindourmock[.]cn
  • thworldthesuffer[.]biz
• Matsnu uses nouns and verbs from a 1,300-word dictionary to build DGA phrases of 20+ characters:
  • monthboneplatereferencebreast[.]com
  • accidentassistriskchallenge[.]com
  • fieldcowtowelstorerecommend[.]com
  • productpageprofilereactside[.]com
  • pollutionboarddeallandmarch[.]com
  • seasonbathrentinfluencebeing[.]com
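Dictionary DGAs such as Matsnu defeat detectors that look for random-looking strings, because the generated names have the character statistics of English. The added example below (not from the deck) takes the opposite approach: it segments the registered label into dictionary words with a dynamic programme that maximises the number of covered characters and flags long labels that are almost entirely made of words. WORDS is a small constructed stand-in for the 1,300-word Matsnu dictionary and the thresholds are assumptions; it also reports character entropy so the two signals can be compared on the slide's own examples.

```python
"""Flag dictionary-based DGA names (Matsnu / Rovnix style) by word-segmentation coverage.

Added example (not from the deck). WORDS is a small constructed stand-in for the ~1,300-word
dictionary the slide mentions; in practice you would load the word list recovered from the
malware sample, or a general English list plus an allow-list of legitimate brands.
"""
import math
from collections import Counter

WORDS = {
    # words that occur in the Matsnu / Rovnix examples on the slide
    "month", "bone", "plate", "reference", "breast", "accident", "assist", "risk",
    "challenge", "field", "cow", "towel", "store", "recommend", "product", "page",
    "profile", "react", "side", "pollution", "board", "deal", "land", "march",
    "season", "bath", "rent", "influence", "being", "king", "which", "totally", "admin",
    # ordinary words so that benign names also segment
    "support", "portal", "mail", "service", "customer", "login", "secure", "cloud", "news",
}
MIN_WORD_LEN = 3              # ignore "a", "is" etc., which would inflate coverage
MAX_WORD_LEN = max(len(w) for w in WORDS)

# Constructed policy: Matsnu builds 20+ character phrases, so short concatenations stay benign.
MIN_LABEL_LEN = 20
MIN_COVERAGE = 0.9
MIN_WORDS = 3


def best_segmentation(label: str):
    """Dynamic programme: the maximum number of characters of `label` coverable by non-overlapping
    dictionary words, how many words that takes, and the words themselves. Uncovered characters
    are allowed, so a truncated trailing word (Rovnix cuts its text mid-word) still scores high."""
    n = len(label)
    best = [(0, 0, None)] * (n + 1)          # (covered chars, word count, word ending here)
    for i in range(1, n + 1):
        cand = (best[i - 1][0], best[i - 1][1], None)     # leave label[i-1] uncovered
        for length in range(MIN_WORD_LEN, min(MAX_WORD_LEN, i) + 1):
            word = label[i - length:i]
            if word in WORDS:
                prev = best[i - length]
                if prev[0] + length > cand[0]:
                    cand = (prev[0] + length, prev[1] + 1, word)
        best[i] = cand
    words, i = [], n                          # walk back to recover the words actually used
    while i > 0:
        word = best[i][2]
        if word is None:
            i -= 1
        else:
            words.append(word)
            i -= len(word)
    return best[n][0], best[n][1], list(reversed(words))


def classify(domain: str) -> dict:
    """Score the registered label of a (possibly defanged, e.g. name[.]com) domain."""
    labels = domain.lower().replace("[.]", ".").split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]   # TLD dropped; PSL in production
    covered, count, words = best_segmentation(label)
    n = len(label)
    coverage = covered / n if n else 0.0
    entropy = -sum(c / n * math.log2(c / n) for c in Counter(label).values()) if n else 0.0
    flagged = n >= MIN_LABEL_LEN and coverage >= MIN_COVERAGE and count >= MIN_WORDS
    return {"label": label, "length": n, "words": words, "coverage": round(coverage, 2),
            "entropy": round(entropy, 2), "flagged": flagged}


if __name__ == "__main__":
    for d in ["monthboneplatereferencebreast[.]com", "kingwhichtotallyadminis[.]biz",
              "xj3kq9zv0mwpt7rl2h.com", "customerserviceportal.com"]:
        print(classify(d))
```

Note the two failure modes the output exposes: the random-looking xj3kq9zv0mwpt7rl2h has higher entropy than any Matsnu name but zero word coverage, so the two detectors are complementary rather than interchangeable; and customerserviceportal trips the rule as well, which is why a word-segmentation detector needs an allow-list of known brands and a second signal such as domain age or first-seen time from passive DNS.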
26. What about traditional protection?
• 70-90% of malicious code is unique, so AV does not save you
• DNS cannot be blocked at the firewall, and 49% of users work outside the firewall
• Vulnerability scanners look for holes, while DNS-based malware uses standard functions
• VPN partially solves the problem, but 69% of branch offices connect directly
27. Why don't traditional solutions save you?
Examples of non-web C2 (the figure groups C2 channels into DNS, web and non-web direct IP): Zbot, ZeroAccess, njRAT, Regin, Gh0st, Storm, Pushdo/Cutwail, DarkComet, Bifrose, Lethic, Kelihos, Gameover Zeus, Citadel, Tinba, Hesperbot, Bouncer (APT1), Glooxmail (APT1), Longrun (APT1), Seasalt (APT1), Starsypound (APT1), Biscuit (APT1), PoisonIvy
• Millions of unique malware samples from LANs over the last 2 years (Lancope Research, now Cisco [1]): 15% of C2 does not use the web ports 80 & 443
• Millions of unique malware samples uploaded to the sandbox over the last 6 months (Cisco AMP Threat Grid Research [2]): 91% of C2 can be blocked at the DNS level
28. A quick look at DNS
DNS = Domain Name System
• The first step in connecting to the Internet
• Used on every device
• Independent of port
Example resolution through Umbrella: cisco.com → 72.163.4.161
29. DNS monitoring
Protects Internet access everywhere (figure: HQ with sandbox, NGFW, proxy, NetFlow and AV; branch with router/UTM and AV; roaming users with AV only; threats shown are malware, C2 connections and phishing; DNS is the first line)
• It all starts with DNS
• DNS is used by all devices
• Protection against malware, phishing and C2 communication
• Gain control over all devices and users on the Internet
30. What is needed for an investigation?
• WHOIS record data
• ASN attribution
• IP geolocation
• Domain and IP reputation
• Malicious file analysis
• Relationships between domains
• Anomaly detection (DGA, fast-flux networks)
• DNS query patterns
• Passive DNS database
31. How does DNS help an investigation?
WHOIS records
• Contact details of the domain owner
• Correlation with other malicious activity
32. How does DNS help an investigation?
Relationships
• Other domains queried immediately before or after
• Other domains linked to the attack
33. How does DNS help an investigation?
IP & ASN
• The domain's hosting infrastructure
• Analysis of the attacker's infrastructure
35. Feeling Locky?
• Delivered via an email attachment in a phishing campaign
• Encrypts files and renames them with the .locky extension
• Approximately 90,000 victims per day
• Ransom of about 0.5-1.0 BTC (1 BTC ~ $601 US)
• Linked to the Dridex operators
36. Locky: discovering the attacker's infrastructure
Timeline (figure): DNS-layer block on August 17; Locky sample on September 12; a gap of 26 days. Starting point: *.7asel7[.]top
Pivots used: Domain → IP association; IP → Sample association; IP → Network (AS) association; IP → Domain association; WHOIS association; Network → IP association
52. The first line of defense against Internet threats
DNS
• See: see everything to protect everywhere
• Predict: see attacks before they are launched
• Block: stop threats before the attack begins
Talking Points:
Meet Michelle. She’s a sales rep for a technology company.
Michelle is always on the go
Sometimes she’s in the office (either headquarters or a branch office)
Sometimes she’s remote (working on the airplane, in coffee shops, hotels, etc.)
Today she’s wrapping up some work at headquarters before catching a flight to Miami for a customer meeting at the field office
Talking Points:
When you look at what she does every day:
She creates presentations and customer proposals in SaaS applications like Google Drive.
Talking Points:
And she shares that content with partners and customers using Box.
Talking Points:
She manages her sales opportunities and customer contacts in salesforce.com.
Talking Points:
She downloads a 3rd party app that her colleague recommended to help create project timelines.
Talking Points:
And wherever she is, whatever network she’s on, she’s always online browsing the internet.
Sound familiar? You probably do very similar things. And your customers’ users do too.
Captured here are challenges Umbrella has helped organizations like you to address - related to these changes in the IT landscape and beyond.
Specifically:
Gaps in visibility and coverage
Organizations have more locations and devices to protect, and threats are using many different ports to try to gain access or exfiltrate data. Companies need complete visibility into all internet activity.
Securing cloud apps like Office 365 and Box
- Employees use more cloud applications— some sanctioned, some unsanctioned.
Organizations need to know which ones are being used and need to protect the data in those apps.
Complex and siloed security tools
Security teams are often understaffed and struggle with complex, siloed systems that do not integrate or share information/intelligence in a programmatic way.
These teams need solutions that are easy to deploy, simple to manage, can scale exponentially, and can integrate with other tools.
Malware and ransomware continue
This is the number one challenge we hear from customers like you.
Despite the existing security products deployed — everything from firewalls to web proxies to email security to endpoint products —companies still face too many malware infections and phishing attacks.
Security teams spend a lot of time and effort trying to detect threats and remediate after the fact.
Organizations need to stop threats before they get onto the network or endpoints, reduce the number of infections, and more easily detect devices that have already been infected for faster remediation.
We mentioned before how Umbrella excels at preventing command & control callbacks.
Attackers have evolved their techniques substantially over the years to stay ahead of blacklists and reputation systems.
Ultimately, the less attackers hard-code into the payload, the harder it is to discover and disrupt.
While they started with simple IP connections, they moved to DNS requests and fast-fluxed the DNS record so that IP-focused blocking struggled to keep up.
But there are also ways to discover and disrupt the domains, so they moved to algorithms that generate the domains used for DNS requests.
The first famous example of such a DGA was Conficker back in 2008, and Cryptolocker used one in 2013;
today a large number of payloads and infrastructures rely on DGAs.
Talking Points:
No matter where users travel, Umbrella provides the first line of defense against threats on the internet. Umbrella uses the Domain Name System, or DNS, as the first point of inspection. Every time you connect to the internet, the first step that happens is a DNS request — Umbrella sees if you’re trying to connect to a malicious site and will stop you — that means its stopping threats before they ever reach a customer’s network or endpoints. And because DNS is used by all devices, customers gain complete visibility into internet activity for all users and locations.
- All of this intelligence is available in a single, correlated source with Cisco Umbrella Investigate.
- One of the biggest differentiators with this tool is that we are bringing together many pieces of information.
- Without Investigate’s aggregate intelligence, organizations would need to try to get this information from many other places, which is time consuming and only shows one piece of the puzzle. Security teams are then left to figure out the correlations and connections manually.
Additional Notes:
Passive DNS = historical DNS data (other vendors: FarSight)
Domain reputation (other vendors: Webroot)
ASN Attribution (IP-> ASN) (other vendors: Team Cymru)
IP Geo Location (other vendors: Maxmind)
IP reputation (other vendors: Norse)
Domain co-occurrences (no one else provides this)
Anomaly detection- DGA/fast flux detection
- Let’s talk a bit more about what internet wide visibility means. Your visibility today probably only shows a very small glimpse into all that’s happening on the internet. For example, you might be able to see the IP addresses that your endpoints are connecting to….but how do you get additional context about those IPs? For example, is it a known-bad or suspicious IP? Should you be concerned that your users are connecting there? What domains are connected to that IP?
- What if you could see this view instead? [CLICK] Instead of just seeing the initial IP, what if you had internet-wide visibility and the ability to expand to see all of the domain names and autonomous system numbers (ASN) associated with that IP? With our view you can.
- Cisco Umbrella Investigate provides the most complete view into the relationships and evolution of internet domains, IPs, ASNs and file hashes. Investigate helps to pinpoint and map out attackers’ infrastructures and even predict future attack origins.
- For example, here, instead of just seeing the IP, we can see what domains it hosts, which ASNs it is associated with, and their reputation. The fact that the domain "igloofire.com" is hosted by an IP that also hosts a lot of domains that are currently serving up malware makes it very suspicious. igloofire.com is more likely to be malicious, if not now, then potentially in the future.
Just a little background on Locky:
- It is usually delivered via an email attachment in a phishing campaign
- It operates by encrypting the infected device's important files and renaming them with the .locky extension
- It targets approximately 90K victims per day
- Many victims have their hands tied and end up paying between 0.5 and 1 BTC, equivalent to $422 USD!
Let's look now at a real-world example of a ransomware attack, and how Umbrella works to block the threat before it is launched.
Leveraging our in-depth understanding of Internet infrastructure and statistical models, we are able to map and block attacker infrastructure before attackers use it to launch the attack.
Details:
We start the process with a domain already blocked by Umbrella based on our statistical models and linked with Locky ransomware.
Umbrella's predictive intelligence blocked this domain 26 days before the first community submission appeared on VirusTotal.
As we have a very broad view of the Internet infrastructure, we can leverage it to find more IPs, domains and so on that relate to Locky or other ransomware, using the various relationships that naturally exist on the Internet.
The Internet itself has many built-in relationships that we can use to quickly map attacker infrastructure. We start with one domain and very quickly get to 1000.
Details:
Domain to IP association: based on DNS information we learn that the domain resolves to two IP addresses. Both IPs are blocked.
Let's now see what domains are hosted on 185.101.218.206 via the IP to Domain association: more than 1000 DGA-like domains linked with Cerber.
It looks like Locky and Cerber share infrastructure.
The Umbrella and AMP Threat Grid integration gives us the IP to Sample mapping: more than 600 samples clearly marked as Cerber ransomware.
Focus on the second IP, 91.223.89.201, and explore a new association, IP to Autonomous System (for simplicity we refer to an AS as a network). Every public IP belongs to a network, typically owned by an ISP or a large enterprise like Facebook or Google.
The IP 91.223.89.201 belongs to network AS 197569, which is owned by the Russian service provider ENERGOMONTAZH ltd.
Let's see what other domains within network AS 197569 have recently been spotted by our algorithm.
Our statistical models were able to identify and block 2 domains generated by a DGA algorithm several days before the domains were even registered, thus eliminating the damage that could have been done. This is especially critical for ransomware.
Details:
What we are doing now is looking at what other malicious domains have recently been spotted within this network range.
Not very surprisingly, two additional domains clearly look like they were generated with a DGA algorithm.
Compare when Umbrella marked the domains as malicious vs. the first evidence available on VirusTotal.
Both domains are related to Locky ransomware.
The first domain was registered in July and immediately blocked by our DGA detection algorithm. The first evidence on VirusTotal came 7 days later.
The second domain highlights our predictive capabilities even more: 26 days earlier.
Notice that this domain was blocked 4 days before it was registered by the attacker.
With predictive intelligence, malicious infrastructure can be blocked in advance, significantly crippling malware operations.
With WHOIS we can see domain ownership, including the email address used to register the given domain, and how many domains are tied to that email address.
You can even uncover how many of those domains are malicious.
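The pivot chain on slide 36 and in these notes (domain to IP, IP to sample, IP to AS, AS to IP, IP to domain, WHOIS registrant) is a graph walk. The added example below is not Umbrella Investigate's code: it builds that graph from constructed passive DNS, ASN, sandbox and WHOIS data (RFC 5737 documentation addresses, private-use ASNs, made-up domains, sample ids and registrant emails) and expands breadth-first from a seed domain. Because an AS covers thousands of unrelated hosts, the walk only steps from an AS to IPs that host a domain already flagged by a separate DGA classifier (the constructed DGA_FLAGGED set), mirroring the notes' "other domains spotted by our algorithm within this network".

```python
"""Pivot from one malicious domain to related attacker infrastructure over a relationship graph
(domain -> IP -> sample / AS / other domains, plus WHOIS registrant). Added example (not from the
deck or Umbrella Investigate). All data below is constructed: RFC 5737 documentation addresses,
private-use ASNs and made-up domains, sample ids and registrant emails.
"""
from collections import defaultdict, deque

PASSIVE_DNS = [                               # (domain, IP it resolved to)
    ("seed-a1b2c3.test", "192.0.2.10"),
    ("seed-a1b2c3.test", "198.51.100.7"),
    ("dga-q8v7x1.test", "192.0.2.10"),
    ("dga-m2k9p4.test", "192.0.2.10"),
    ("dga-h6n1w3.test", "203.0.113.5"),
    ("dga-z5t3r8.test", "198.51.100.9"),
    ("www.legit-shop.test", "198.51.100.20"),  # shares an AS with 198.51.100.7, nothing else
]
IP_TO_ASN = {"192.0.2.10": 64500, "198.51.100.7": 64501, "198.51.100.9": 64501,
             "198.51.100.20": 64501, "203.0.113.5": 64502}
IP_TO_SAMPLES = {"192.0.2.10": ["sample-0001", "sample-0002"]}   # sandbox samples that called out
WHOIS_EMAIL = {"seed-a1b2c3.test": "reg@mail.test", "dga-h6n1w3.test": "reg@mail.test",
               "www.legit-shop.test": "owner@shop.test"}
# Output of an independent DGA classifier (constructed). It keeps AS pivots from dragging in
# every customer of an ISP.
DGA_FLAGGED = {"dga-q8v7x1.test", "dga-m2k9p4.test", "dga-h6n1w3.test", "dga-z5t3r8.test"}


def build_graph():
    """Undirected graph over typed nodes: ("domain", d), ("ip", a), ("asn", n), ("sample", s), ("email", e)."""
    g = defaultdict(set)

    def link(a, b):
        g[a].add(b)
        g[b].add(a)

    for domain, ip in PASSIVE_DNS:
        link(("domain", domain), ("ip", ip))
    for ip, asn in IP_TO_ASN.items():
        link(("ip", ip), ("asn", asn))
    for ip, samples in IP_TO_SAMPLES.items():
        for s in samples:
            link(("ip", ip), ("sample", s))
    for domain, email in WHOIS_EMAIL.items():
        link(("domain", domain), ("email", email))
    return g


GRAPH = build_graph()


def hosts_flagged_domain(ip: str) -> bool:
    return any(d in DGA_FLAGGED for d, i in PASSIVE_DNS if i == ip)


def expand(seed_domain: str, max_hops: int = 4) -> dict:
    """Breadth-first pivot. Returns {node: (hops, previous node)}. An AS is far too broad to walk
    blindly, so from an AS node we only step to IPs that host a domain already flagged as DGA."""
    start = ("domain", seed_domain)
    seen = {start: (0, None)}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        hops = seen[node][0]
        if hops >= max_hops:
            continue
        for nxt in sorted(GRAPH[node], key=str):
            if nxt in seen:
                continue
            if node[0] == "asn" and not hosts_flagged_domain(nxt[1]):
                continue
            seen[nxt] = (hops + 1, node)
            queue.append(nxt)
    return seen


def path_to(seen: dict, node) -> list:
    """Chain of pivots from the seed to `node`, for the analyst's report."""
    path = []
    while node is not None:
        path.append(node)
        node = seen[node][1]
    return list(reversed(path))


def related_domains(seed_domain: str, max_hops: int = 4) -> list:
    """Domains reachable from the seed within `max_hops` pivots, excluding the seed itself."""
    seen = expand(seed_domain, max_hops)
    return sorted(n[1] for n in seen if n[0] == "domain" and n[1] != seed_domain)


if __name__ == "__main__":
    seen = expand("seed-a1b2c3.test")
    for d in related_domains("seed-a1b2c3.test"):
        print(d, "<-", " -> ".join(f"{k}:{v}" for k, v in path_to(seen, ("domain", d))))
```

The hop limit and the AS filter are the two knobs that keep the pivot from exploding: with the constructed data, www.legit-shop.test sits in the same AS as one of the seed's IPs but is never pulled in, while dga-z5t3r8.test is reached only through the AS pivot because the classifier had already flagged it.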
Investigate is also integrated with Cisco AMP Threat Grid. Similar to how Investigate provides intelligence about the relationships between domains, IPs and ASNs, Threat Grid provides intelligence about malware files, so security teams can quickly understand what malware is doing or attempting to do, how large a threat it poses, and how to defend against it.
In Investigate, you can query by file hash (SHA256, SHA1 or MD5), domain, IP or ASN, and get more insight into which file hashes are calling out to a given domain, with the associated samples, their threat score, behavioral indicators and other file analysis data.
Threat Grid license holders can even pivot directly into Threat Grid with the click of a button.
Malicious browser extensions can steal information, and they can be a major source of data leakage. Every time a user opens a new webpage with a compromised browser, malicious browser extensions collect data. They are exfiltrating more than the basic details about every internal or external webpage that the user visits. They are also gathering highly sensitive information embedded in the URL. This information can include user credentials, customer data, and details about an organization’s internal APIs and infrastructure.
Across the 45 companies in our sample, we determined that in every month we observed more than 85 percent of organizations were affected by malicious browser extensions—a finding that underscores the massive scale of these operations. Because infected browsers are often considered a relatively minor threat, they can go undetected or unresolved for days or even longer—giving adversaries more time and opportunity to carry out their campaigns.