MEGA Chrome Extension Vulnerability

Posted: Thursday, September 6, 2018 1:25:43 PM(UTC)
Esben.D
The Chrome extension of MEGA was recently compromised to steal user credentials. MEGA released the following statement on their official blog:

Quote:
On 4 September at 14:30 UTC, an unknown attacker managed to hack into MEGA's Google Chrome web store account and upload a malicious version 3.39.4 of an extension to the web store, according to a blog post published by the company. Upon installation or auto-update, the malicious extension asked for elevated permissions to access personal information, allowing it to steal login/register credentials from ANY websites like Amazon, Github, and Google, along with online wallets such as MyEtherWallet and MyMonero, and Idex.market cryptocurrency trading platform. The trojanized Mega extension then sent all the stolen information back to an attacker's server located at megaopac[.]host in Ukraine, which is then used by the attackers to log in to the victims' accounts, and also extract the cryptocurrency private keys to steal users' digital currencies.

To discover devices in your network which might be vulnerable, do the following:
Add the following registry key to your Lansweeper installation by using custom registry scanning:

  • Key: HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings
  • Value: bigefpfhnfcobdlfbedofhhaibnlghod
    Please note that if you have multiple Chrome profiles, you might have to modify the registry key to get accurate results.
Rescan the assets in your network and run the report below.

You can find a guide on how to add this report to your Lansweeper installation here.

If assets in your environment have the extension installed, it is recommended to ensure they have been updated to the latest version or simply uninstall it.

Code:
Select Top 1000000 tsysOS.Image As icon,
  tblAssets.AssetID,
  tblAssets.AssetName,
  tblAssets.Domain,
  tblAssets.Username,
  tblAssets.Userdomain,
  tblAssets.IPAddress,
  tblAssets.Firstseen,
  tblAssets.Lastseen,
  tblAssets.Lasttried,
  TsysLastscan.Lasttime As LastRegistryScan,
  Case
    When TsysLastscan.Lasttime < GetDate() - 1 Then
      'Last registry scan more than 24 hours ago! Scanned registry information may not be up-to-date. Try rescanning this machine.'
  End As Comment,
  Case
    When SubQuery1.Valuename Is Not Null And SubQuery1.Valuename <> ''
    Then 'Yes'
    Else 'No'
  End As MEGAExtensionFound,
  SubQuery1.Regkey,
  SubQuery1.Valuename,
  SubQuery1.Value,
  SubQuery1.Lastchanged
From tblAssets
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Inner Join tsysOS On tsysOS.OScode = tblAssets.OScode
  Inner Join TsysLastscan On tblAssets.AssetID = TsysLastscan.AssetID
  Inner Join TsysWaittime On TsysWaittime.CFGCode = TsysLastscan.CFGcode
  Left Join (Select Top 1000000 tblRegistry.AssetID,
        tblRegistry.Regkey,
        tblRegistry.Valuename,
        tblRegistry.Value,
        tblRegistry.Lastchanged
      From tblRegistry
      Where
        tblRegistry.Regkey Like
        '%Software\Google\Chrome\PreferenceMACs\Default\extensions.settings' And
        tblRegistry.Valuename = 'bigefpfhnfcobdlfbedofhhaibnlghod') SubQuery1 On
    SubQuery1.AssetID = tblAssets.AssetID
Where tblAssetCustom.State = 1 And TsysWaittime.CFGname = 'registry'
Order By tblAssets.Domain,
  tblAssets.AssetName
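
To spot-check a single machine against the report, the PowerShell below looks for the same value name under every Chrome profile of every loaded user hive, instead of only HKEY_CURRENT_USER and the Default profile. It is an added example, not part of the original post or of Lansweeper; the function name Find-MegaExtension is hypothetical, and it assumes other Chrome profiles appear as sibling subkeys of Default under PreferenceMACs.

```powershell
# Added example (not Lansweeper code): local check for the MEGA extension ID
# across all Chrome profiles of all user hives currently loaded in HKEY_USERS.
$ExtensionId = 'bigefpfhnfcobdlfbedofhhaibnlghod'        # value name from the post
$SubPath     = 'Software\Google\Chrome\PreferenceMACs'   # parent of ...\Default\...

function Find-MegaExtension {                            # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $ExtensionId,
        [Parameter(Mandatory)] [string] $SubPath
    )

    # HKEY_USERS has one subkey per loaded hive (named by SID); skip the *_Classes hives.
    $hives = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notlike '*_Classes' }

    foreach ($hive in $hives) {
        $macRoot = "$($hive.PSPath)\$SubPath"
        if (-not (Test-Path -LiteralPath $macRoot)) { continue }

        # Assumption: each subkey here is one Chrome profile (Default, Profile 1, ...).
        foreach ($chromeProfile in Get-ChildItem -LiteralPath $macRoot) {
            $settingsPath = "$($chromeProfile.PSPath)\extensions.settings"
            if (-not (Test-Path -LiteralPath $settingsPath)) { continue }

            $key = Get-Item -LiteralPath $settingsPath
            # The extension ID is stored as a value name under extensions.settings.
            if ($key.GetValueNames() -contains $ExtensionId) {
                [pscustomobject]@{
                    UserSid = $hive.PSChildName
                    Profile = $chromeProfile.PSChildName
                    RegKey  = $key.Name
                }
            }
        }
    }
}

$hits = @(Find-MegaExtension -ExtensionId $ExtensionId -SubPath $SubPath)
if ($hits.Count -gt 0) { $hits | Format-Table -AutoSize }
else { Write-Output 'MEGA extension ID not found in any loaded user hive.' }
```

Only hives of logged-on users are loaded under HKEY_USERS, and reading hives other than your own requires an elevated session. A hit shows the extension is registered for that profile, not which version is installed.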
