Modern browser APIs can be abused for hijacking device resources
Powerful capabilities of modern browser APIs could be misused by attackers to take control of a site visitor’s browser, add it to their botnet, and use it for a variety of malicious actions, researchers from the Foundation for Research and Technology – Hellas and Stony Brook University are warning.
To prove their point, they’ve created MarioNet, a prototype framework that allows them to do just that. The hijacked resources could be used for unwanted and harmful operations such as cryptocurrency mining, distributed password-cracking, click-fraud, etc.
A web-based attack that’s difficult to spot
MarioNet (i.e., “marionette”) consists of an in-browser component (embedded in a service worker) and a remote command and control system. It does not require the victim to install any software: it relies entirely on standard JavaScript and on HTML5 APIs supported by most desktop and mobile browsers.
It uses the Service Workers API to register and activate a service worker, which runs in the background in a context separate from the page, carries out the attacker’s tasks without interfering with the page’s normal functionality, and does not depend on the malicious page staying open.
That means MarioNet keeps working after the victim navigates away from the malicious page or closes its tab or window: the worker runs in the background for as long as the browser is open.
Another of its advantages is that the compromise is difficult to spot, both for security monitoring extensions and for users: browser extensions cannot monitor the outgoing traffic of a deployed service worker, and users are unlikely to notice the extra resource consumption because MarioNet lets the attacker monitor, throttle or pause the abuse.
Finally, MarioNet can also persist across browser restarts, but this requires the victim to grant the site permission to use the Push API (i.e., to accept a push notification prompt). None of the other capabilities require any user interaction.
For attackers to leverage MarioNet they don’t have to have continuous control of the malicious page that registers the service worker. After the registration, the worker can establish a communication channel with a separate remote C&C server to be controlled and receive tasks.
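The worker-side mechanism described above is only visible through the browser’s own registration list, which is the one place a user or incident responder can check for, and remove, a worker that was left behind by a page. The following is an added example, not code from the MarioNet paper, its authors or this article: a small audit helper that can be pasted into the DevTools console of a suspect site to list the service workers registered for the current origin, flag any whose script is not the one expected for its scope, and optionally unregister them (which also ends the persistence the article describes, since a push subscription is tied to its registration). The allowlist format, the `describeRegistration`/`classifyRegistrations`/`auditServiceWorkers` names and the sample registrations are assumptions made for this example.

```javascript
// Added example, not code from the MarioNet paper or this article: an audit
// helper for the DevTools console. The allowlist format and the sample
// registrations below are assumptions made for this example.

// Reduce a ServiceWorkerRegistration to the fields worth looking at: the
// scope it controls, the script it runs, and which lifecycle slot holds it.
function describeRegistration(reg) {
  const worker = reg.active || reg.waiting || reg.installing;
  return {
    scope: reg.scope,
    scriptURL: worker ? worker.scriptURL : null,
    state: worker ? worker.state : 'none',
  };
}

// allowlist maps a scope prefix to the script path expected to serve it,
// e.g. { 'https://shop.example/': '/sw.js' }. Anything else (unknown scope,
// different script, no resolvable script) is flagged.
function classifyRegistrations(registrations, allowlist) {
  const expected = [];
  const flagged = [];
  for (const reg of registrations) {
    const info = describeRegistration(reg);
    const match = Object.entries(allowlist).find(([prefix]) =>
      info.scope.startsWith(prefix)
    );
    let ok = false;
    if (match && info.scriptURL) {
      const script = new URL(info.scriptURL);
      // Scope and script must share an origin (the spec requires it), and
      // the script must be exactly the one deployed for that scope.
      ok = script.origin === new URL(info.scope).origin &&
           script.pathname === match[1];
    }
    (ok ? expected : flagged).push(info);
  }
  return { expected, flagged };
}

// Browser-only: enumerate the current origin's registrations and, if asked,
// unregister the unexpected ones. getRegistrations() is per origin, so for a
// whole-browser view use chrome://serviceworker-internals or Firefox's
// about:serviceworkers.
async function auditServiceWorkers(allowlist, { unregister = false } = {}) {
  if (typeof navigator === 'undefined' || !navigator.serviceWorker) {
    throw new Error('Service Worker API is not available in this context');
  }
  const regs = await navigator.serviceWorker.getRegistrations();
  const result = classifyRegistrations(regs, allowlist);
  if (unregister) {
    const badScopes = new Set(result.flagged.map((f) => f.scope));
    for (const reg of regs) {
      if (badScopes.has(reg.scope)) {
        // Drops the registration and any push subscription tied to it.
        await reg.unregister();
      }
    }
  }
  return result;
}

// Constructed sample data standing in for what getRegistrations() returns,
// so the classification can be exercised outside a browser.
const sampleAllowlist = { 'https://shop.example/': '/sw.js' };
const sampleRegistrations = [
  { scope: 'https://shop.example/',
    active: { scriptURL: 'https://shop.example/sw.js', state: 'activated' } },
  { scope: 'https://shop.example/blog/',
    active: { scriptURL: 'https://shop.example/blog/helper.js', state: 'activated' } },
  { scope: 'https://shop.example/checkout/',
    installing: { scriptURL: 'https://shop.example/checkout/sw.js', state: 'installing' } },
];

function runSample() {
  return classifyRegistrations(sampleRegistrations, sampleAllowlist);
}

if (typeof navigator === 'undefined') {
  // Outside a browser, just show the classification of the sample data.
  console.log(JSON.stringify(runSample(), null, 2));
}
```

In a browser, `await auditServiceWorkers({ 'https://shop.example/': '/sw.js' }, { unregister: true })` run from the site’s own console removes every registration for that origin whose script is not the expected one. The helper can only see what is registered, not what a worker sends; that blind spot is exactly the one the article attributes to monitoring extensions, so the registration list, not the traffic, is the artefact to check.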
Mitigations needed
Since most modern browsers support the APIs and the SyncManager interface that MarioNet relies on, most users are potential victims. The only browsers on which the attack does not work are Internet Explorer, Opera Mini and BlackBerry’s mobile browser.
The researchers have proposed several defense strategies against MarioNet attacks, each of which has pros and cons.
“The aim of this work is to increase the awareness of developers and browser vendors about the provided powerful (but also potentially risky) capabilities of modern HTML, and hopefully lead to the deployment of restrictive policies that will adequately secure the user-side environments of future web applications,” they noted.