Researchers have found a CSRF vulnerability within the core of the Yandex browser that allowed attackers to steal users browsing data. The vulnerability was discovered by Ziyahan Albeniz at Netsparker, and if exploited would have allowed an attacker to steal the victim’s browser history, passwords, and autocomplete information. Dr Christopher Kruegel, Co-Founder and CEO at Lastline commented below.
Dr Christopher Kruegel, Co-Founder and CEO at Lastline:
“In March of 2016, Lastline published “Three interesting changes in malware activity over the past year”. Though not specifically centered on the study of Yandex’s specific browser, one of the three largest trends centered on the browser as an attack plane overall.
Our sandbox tracks a wide variety of behaviors that could be interpreted as suspicious or unwanted. These behaviors are typically generic: we are less interested in how a specific malware achieves a goal, but rather, we want to capture what malware is doing. This approach is what fulfills the promise of zero-day detection capabilities: we don’t need to have seen a particular piece of code in the past, when it shows unwanted behaviors in our sandbox, we will flag it as bad.
When looking at these behaviors, we observed an interesting increase in the number and fraction of samples that modified browser settings. We track modifications for many important and security-relevant browser configuration files, for all major browsers (Internet Explorer, Chrome, Firefox, Opera, Safari). We also track changes to relevant Windows registry keys that influence the behaviors of these browsers. The increase in the number of samples that change browser settings (and – in gray – the trend) can be seen in Figure 2 (attached).
Digging deeper into the data, we found that much of the increase of the observed behaviors was because malware samples changed the browsers’ proxy settings. For Internet Explorer, these modifications can be done by changing the AutoConfigURL registry setting. When looking around a bit, one can find reports that show malware that has targeted browser proxy settings (and AutoConfigURL in particular) appearing already many years ago. (Here’s an example from late 2013.)
By changing proxy settings, an attacker can redirect all browser traffic, or traffic for selected URLs only, to go through a machine that the attacker controls. By putting himself into the path between the victim and a legitimate website (such as a bank), the attacker can launch man-in-the-middle attacks and crack open traffic even when it is encrypted. This allows miscreants to steal bank credentials or interfere with financial transactions (even when two factor authentication is used, since the attacker is manipulating an actual transaction that a user carries out). In fact, the first malware to popularize the trick to tamper with browser proxy settings were Brazilian bank Trojans.
While the basic technique of tampering with proxy settings is certainly not novel, we found the significant increase that we observed in our data troublesome. It seems that man-in-the-middle attacks are not necessarily limited to banking malware anymore. Instead, as encrypted web traffic (HTTPS) becomes ubiquitous, malware authors increasingly include components into their programs that allow them to hijack browser traffic.”