
[Security Information] Malicious hijacking campaign targeting browser extensions; please strengthen extension security management

Announcement type: Administrative announcement
Forwarded from the National Cyber Security Information Sharing and Analysis Center (NISAC), NISAC-400-202507-00000048

[Content Description]
Through its monitoring of external threat intelligence, the National Institute of Cyber Security (NICS) has recently observed a campaign that hijacks browser extensions (for example, the Red Direction campaign). The technique is to take a legitimate extension and plant malicious code in a subsequent update: the trojanized extension can monitor the user's web browsing activity, send it to a C2 server, and even redirect the user to phishing sites. Because the malicious code arrives through the extension's own update channel, an extension that was clean when it was reviewed and installed can turn malicious later without any action by the user, so an install-time review alone does not protect against this. Scope of impact: 18 extensions in total across Chrome and Edge, potentially covering more than 2.3 million users.

Detailed list download link: https://cert.tanet.edu.tw/pdf/2023057048ioc.zip

[Recommended measures]
1 Inventory the browser extensions installed on all hosts and remove every extension confirmed to be malicious.
2 Clear browser cache, cookies and related session data to stop ongoing credential leakage.
3 Continue to monitor the network behaviour of the affected hosts and of the same network segment to confirm that the abnormal activity does not recur.
4 If account credentials are suspected to have been leaked, force a reset of the affected users' passwords and multi-factor authentication settings.
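The following script is an added example written for this page; it is not part of the advisory and not an NISAC or NICS tool. It implements the first measure (inventory and identify) by walking a Chromium "User Data" directory, reading every installed extension's manifest.json, and reporting two things: extension IDs that match an IOC list, and extensions that declare the combination of all-site host access and navigation APIs that the described behaviour (watching browsing, redirecting to phishing sites) requires. The IOC IDs in the script are placeholders and must be replaced with the IDs from the advisory's IOC archive; the profile directory paths are the browsers' well-known defaults and are assumed, as is the constructed three-extension sample profile used to demonstrate the output.

```python
"""Added example (not from the advisory): sweep Chrome/Edge profile directories
for extensions on an IOC list or with permissions that allow browsing surveillance."""
import json
import os
import tempfile
from pathlib import Path

# Placeholder IOC set, constructed for this example; substitute the IDs from the
# advisory's IOC archive. Chromium extension IDs are 32 characters in a-p.
IOC_EXTENSION_IDS = {"abcdefghijklmnopabcdefghijklmnop"}

# Host patterns matching every site, and APIs that observe or steer navigation: a
# browsing monitor/redirector needs both. Legitimate extensions declare them too,
# so this is a triage signal, not proof of compromise.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
NAV_PERMS = {"tabs", "webNavigation", "webRequest", "webRequestBlocking",
             "declarativeNetRequest", "scripting"}


def default_user_data_dirs():
    """Well-known Chrome/Edge profile roots for the current OS user (assumed defaults)."""
    home = Path.home()
    local = Path(os.environ.get("LOCALAPPDATA", str(home / "AppData" / "Local")))
    return [
        local / "Google" / "Chrome" / "User Data",                       # Windows
        local / "Microsoft" / "Edge" / "User Data",                      # Windows
        home / "Library" / "Application Support" / "Google" / "Chrome",  # macOS
        home / "Library" / "Application Support" / "Microsoft Edge",     # macOS
        home / ".config" / "google-chrome",                              # Linux
        home / ".config" / "microsoft-edge",                             # Linux
    ]


def iter_manifests(user_data_dir):
    """Yield (profile, ext_id, version, manifest) for every installed extension version.
    Layout: <User Data>/<Profile>/Extensions/<32-char id>/<version>/manifest.json"""
    for profile in Path(user_data_dir).iterdir():
        ext_root = profile / "Extensions"
        if not ext_root.is_dir():
            continue
        for ext_dir in (d for d in ext_root.iterdir() if d.is_dir()):
            for version_dir in (d for d in ext_dir.iterdir() if d.is_dir()):
                try:
                    manifest = json.loads((version_dir / "manifest.json").read_text(encoding="utf-8"))
                except (OSError, ValueError):
                    continue  # missing or corrupt manifest: skip it, keep sweeping
                yield profile.name, ext_dir.name, version_dir.name, manifest


def classify(manifest):
    """Return 'broad-permissions' if the manifest can watch and steer all browsing, else None."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    # Manifest V2 lists host patterns under "permissions"; V3 moves them to "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    if hosts & BROAD_HOSTS and perms & NAV_PERMS:
        return "broad-permissions"
    return None


def audit(user_data_dir, ioc_ids=IOC_EXTENSION_IDS):
    """Return a list of finding dicts; confirmed IOC hits sort before heuristic hits."""
    findings = []
    for profile, ext_id, version, manifest in iter_manifests(user_data_dir):
        reason = "ioc" if ext_id in ioc_ids else classify(manifest)
        if reason:
            findings.append({"profile": profile, "id": ext_id, "version": version,
                             "name": manifest.get("name", "?"), "reason": reason})
    findings.sort(key=lambda f: (f["reason"] != "ioc", f["profile"], f["id"]))
    return findings


def build_sample_user_data(root):
    """Constructed fixture: a 'Default' profile with three extensions (none of them real)."""
    samples = {
        # On the IOC list: flagged regardless of what its manifest claims.
        "abcdefghijklmnopabcdefghijklmnop": ("2.1.0_0", {"name": "Color Picker", "manifest_version": 3,
            "permissions": ["tabs"], "host_permissions": ["<all_urls>"]}),
        # Not on the list, but able to see every page and follow every navigation.
        "ponmlkjihgfedcbaponmlkjihgfedcba": ("1.4_0", {"name": "Page Helper", "manifest_version": 3,
            "permissions": ["tabs", "webNavigation"], "host_permissions": ["<all_urls>"]}),
        # Narrow host scope and no navigation APIs: not reported.
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": ("0.9_0", {"name": "Dark Theme", "manifest_version": 2,
            "permissions": ["storage", "https://example.com/*"]}),
    }
    for ext_id, (version, manifest) in samples.items():
        d = Path(root) / "Default" / "Extensions" / ext_id / version
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


def run_on_sample():
    """Build the fixture in a temporary directory, audit it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit(build_sample_user_data(tmp))


if __name__ == "__main__":
    for f in run_on_sample():
        print(f"{f['reason']:<17} sample/{f['profile']}/{f['id']} v{f['version']} {f['name']!r}")
    for d in filter(Path.is_dir, default_user_data_dirs()):
        for f in audit(d):
            print(f"{f['reason']:<17} {d}/{f['profile']}/{f['id']} v{f['version']} {f['name']!r}")
```

Run it per OS user on each host being inventoried; an "ioc" finding is a confirmed hit to remove, while a "broad-permissions" finding is a candidate to review by name and version against the IOC list. For removal at scale, the extension IDs from the IOC list can be pushed to managed Chrome and Edge through the ExtensionInstallBlocklist enterprise policy, which uninstalls matching extensions and blocks their reinstallation; because the malicious code arrived via an update, the version number alone is not a reliable indicator, so match on the ID.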
Publication date: 2025/07/28 to 2026/01/28