Notification

Icon
Error

MEGA Chrome Extension Vulnerability

Posted: Thursday, September 6, 2018 1:25:43 PM(UTC)
Esben.D

Esben.D

Member Administration Original PosterPosts: 1,565
1
Like
The Chrome extension of MEGA was recently compromised to steal user credentials. MEGA released the following statement on their official blog:

Quote:
On 4 September at 14:30 UTC, an unknown attacker managed to hack into MEGA's Google Chrome web store account and upload a malicious version 3.39.4 of an extension to the web store, according to a blog post published by the company. Upon installation or auto-update, the malicious extension asked for elevated permissions to access personal information, allowing it to steal login/register credentials from ANY websites like Amazon, Github, and Google, along with online wallets such as MyEtherWallet and MyMonero, and Idex.market cryptocurrency trading platform. The trojanized Mega extension then sent all the stolen information back to an attacker's server located at megaopac[.]host in Ukraine, which is then used by the attackers to log in to the victims' accounts, and also extract the cryptocurrency private keys to steal users' digital currencies.

To discover devices in your network which might be vulnerable, do the following:
Add the following registry key to your Lansweeper installation by using custom registry scanning:

  • Key: HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings
  • Value: bigefpfhnfcobdlfbedofhhaibnlghod
    Please note that if you have multiple Chrome profiles, you might have to modify the registry key get accurate results.
Rescan the assets in your network and run the report below.

You can find a guide on how to add this report to your Lansweeper installation here.

If assets in your environment have the extension installed, it is recommend to ensure they have been updated to the latest version or simply uninstall it.

Code:
Select Top 1000000 tsysOS.Image As icon,
  tblAssets.AssetID,
  tblAssets.AssetName,
  tblAssets.Domain,
  tblAssets.Username,
  tblAssets.Userdomain,
  tblAssets.IPAddress,
  tblAssets.Firstseen,
  tblAssets.Lastseen,
  tblAssets.Lasttried,
  TsysLastscan.Lasttime As LastRegistryScan,
  Case
    When TsysLastscan.Lasttime < GetDate() - 1 Then
      'Last registry scan more than 24 hours ago! Scanned registry information may not be up-to-date. Try rescanning this machine.'
  End As Comment,
  Case
    When SubQuery1.Valuename Is Not Null And SubQuery1.Valuename <> ''
    Then 'Yes'
    Else 'No'
  End As MEGAExtensionFound,
  SubQuery1.Regkey,
  SubQuery1.Valuename,
  SubQuery1.Value,
  SubQuery1.Lastchanged
From tblAssets
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Inner Join tsysOS On tsysOS.OScode = tblAssets.OScode
  Inner Join TsysLastscan On tblAssets.AssetID = TsysLastscan.AssetID
  Inner Join TsysWaittime On TsysWaittime.CFGCode = TsysLastscan.CFGcode
  Left Join (Select Top 1000000 tblRegistry.AssetID,
        tblRegistry.Regkey,
        tblRegistry.Valuename,
        tblRegistry.Value,
        tblRegistry.Lastchanged
      From tblRegistry
      Where
        tblRegistry.Regkey Like
        '%Software\Google\Chrome\PreferenceMACs\Default\extensions.settings' And
        tblRegistry.Valuename = 'bigefpfhnfcobdlfbedofhhaibnlghod') SubQuery1 On
    SubQuery1.AssetID = tblAssets.AssetID
Where tblAssetCustom.State = 1 And TsysWaittime.CFGname = 'registry'
Order By tblAssets.Domain,
  tblAssets.AssetName

Active Discussions

Lansweeper NEW TAB
by  TinyTunerz   Go to last post Go to first unread
Last post: Today at 1:39:19 PM(UTC)
Lansweeper Force SNMP?
by  JacobH  
Go to last post Go to first unread
Last post: Today at 1:11:46 PM(UTC)
Lansweeper LSAgent has forgotten x64 Windows applications
by  thoughtmonkey   Go to last post Go to first unread
Last post: Today at 8:06:40 AM(UTC)
Lansweeper Lsremote "No supported authentication methods!"
by  Duiker  
Go to last post Go to first unread
Last post: Today at 7:52:24 AM(UTC)
Lansweeper Scan Uptime.
by  TimAlex   Go to last post Go to first unread
Last post: Today at 7:32:41 AM(UTC)
Lansweeper Performance scanning - incorrect values
by  Richard_Lan  
Go to last post Go to first unread
Last post: Yesterday at 4:26:02 PM(UTC)
Lansweeper Windows firewall rules
by  pryan67   Go to last post Go to first unread
Last post: Yesterday at 2:56:52 PM(UTC)
Lansweeper Run outside of our domain?
by  pryan67  
Go to last post Go to first unread
Last post: Yesterday at 2:53:05 PM(UTC)