Remotely stealing Windows credentials with help from Google Chrome

A security researcher has demonstrated how to remotely steal a user’s Windows credentials through Google Chrome. I expect this will be seen in real world hacks soon, so take some simple preventative measures now.

The attack proceeds as follows:

  1. The user visits a malicious website using Google Chrome.
  2. A file (.SCF format) is automatically downloaded to the user's computer with no interaction required.
  3. When the user opens their Downloads folder, a credential prompt is automatically presented. At this point the user is being tricked into entering their credentials: the prompt comes from a remote server on the Internet, which then collects the entered credentials.
  4. If the user entered their credentials in Step 3, those credentials are now available to the attacker. The password can then be cracked offline (clearly password length and complexity help thwart this final step).

Timeline:

Published on the 15th of May 2017

Who is at risk?

The vulnerability applies to Google Chrome used on any version of Windows. A sample of antivirus vendors did not pick up on the attack. Patch levels are not relevant to the attack.

What is the potential impact?

A user’s credentials will be made available to an attacker. The impact will then depend on the services that can be exploited with those credentials; e.g. email, remote access services.

What should you do?

There are a few options depending on the capability of your IT infrastructure.

  • Filter SCF files on Internet proxies. I can't think of any reasons a user would need to download this from the Internet. For good measure, filter the file type from email traffic as well.
  • Block SMB connections (TCP ports 139 and 445) out of your network to the public Internet (the credential prompt uses SMB).

The challenge is protecting travelling or remote users who use the Internet. If you have a cloud-based firewall, those users are covered by the same controls. If you do not have a cloud-based firewall, the following options are available:

  • Disabling automatic downloads in Google Chrome – The file can still be downloaded, but it will now need user interaction, and this may be enough for a user to notice that something suspicious is occurring. If not done already, this might be the time to become familiar with the Google Chrome policy templates.
  • Consider SMB signing. This will prevent the credential prompt appearing to users, as the signing negotiation will fail.
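A single-host version of the controls above, as an added example that is not part of the original post: it blocks outbound SMB to public addresses, makes Chrome prompt before saving a download, and requires SMB client signing. The rule name is my choice; it assumes Windows 8.1/10 or later (NetSecurity module) and an elevated PowerShell session.

```powershell
# Added hardening example (not from the original post). Run elevated; review each
# setting against your environment before deploying it broadly.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

$RuleName = 'Block outbound SMB to Internet'   # assumed name, pick your own

function Block-OutboundSmbToInternet {
    # Drop outbound TCP 139/445 to public addresses only. The "Internet" keyword
    # excludes local subnets, so LAN file servers and domain controllers still work.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Protocol TCP `
            -RemotePort 139,445 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
    }
}

function Set-ChromeDownloadPrompt {
    # Chrome policy PromptForDownloadLocation=1 forces a "Save as" dialog, so the
    # silent drive-by download now needs user interaction.
    $key = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'PromptForDownloadLocation' -Value 1 -Type DWord
}

function Enable-SmbClientSigning {
    # Require signing on the SMB client; servers that cannot sign will fail negotiation.
    # Caveat: this also breaks access to legitimate servers that do not support signing.
    # Takes effect after the LanmanWorkstation service restarts (or a reboot).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    Set-ItemProperty -Path $key -Name 'RequireSecuritySignature' -Value 1 -Type DWord
}

function Test-ScfHardening {
    # Summary object for a compliance check; every property should read True.
    $chrome = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Google\Chrome' -ErrorAction SilentlyContinue
    $smb    = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    [pscustomobject]@{
        SmbEgressBlocked     = [bool](Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)
        ChromePromptsOnDl    = ($null -ne $chrome) -and ($chrome.PromptForDownloadLocation -eq 1)
        SmbSigningRequired   = $smb.RequireSecuritySignature -eq 1
    }
}

Block-OutboundSmbToInternet
Set-ChromeDownloadPrompt
Enable-SmbClientSigning
Test-ScfHardening
```

The firewall rule and Chrome policy only protect the host they are applied to; for a fleet, push the same values through Group Policy rather than running the script per machine.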
