
Red Canary SecOps Weekly: Episode 60 – Detecting malicious browser extensions

SecOps Weekly | 04.14.26

Detecting malicious browser extensions

Red Canary threat researcher Tre Wilkins discusses how to detect malicious browser extensions using AssemblyLine, an open source framework, achieving a 58% detection rate in tested scenarios.

SHOW NOTES

Red Canary’s Tre Wilkins presents his recent research on detecting malicious browser extension updates using a unique open-source approach.

Tre and Keith discuss the growing threat of compromised browser extensions, particularly following incidents like the Cyberhaven compromise in late 2024. The research explores using AssemblyLine, an open-source malware analysis framework, combined with statistical methods like entropy analysis and z-scores to automatically detect suspicious extension updates. The solution aims to reduce threat dwell time by identifying malicious updates before they become widely known.

Tre demonstrates how his work successfully detected 58% of known malicious extensions from a dataset of 50 compromised extensions, including the ability to identify unusual code changes, new command and control domains, and suspicious JavaScript patterns. The discussion also covers practical aspects of extension inventory management using EDR tools and the challenges organizations face with extension oversight, given that customer environments typically have around 30 extensions installed, with some exceeding 3,000.

Timestamps:

  • 00:00 – Introduction
  • 01:27 – Welcome to SecOps Weekly!
  • 02:00 – Detecting malicious browser extensions intro
  • 03:17 – Browser extensions: An overlooked security risk
  • 04:23 – Why adversaries target browser extensions
  • 11:30 – Research question: Can an in-house, open source system on standard hardware detect suspicious browser extension updates to reduce threat dwell time?
  • 13:34 – AssemblyLine
  • 16:00 – Statistical methods
  • 17:23 – Cyberhaven supply chain attack (2024)
  • 23:02 – Analysis & key findings
  • 24:27 – Conclusion & questions from the audience
