zen-browser / desktop

🌀 Experience tranquillity while browsing the web without people tracking you!
https://zen-browser.app
Mozilla Public License 2.0

Malicious CDN’s #1096

Closed chrede88 closed 1 month ago

chrede88 commented 2 months ago

What happened?

I installed the Zen browser on my work laptop in order to check it out. My machine was immediately isolated on the network with the explanation that the Zen browser was “contacting a number of malicious CDN’s”! Can someone comment on this?

Reproducible?

Version

1.0.0

Severity impact

Low

What platform are you seeing the problem on?

Windows

Relevant log output

No response

cprin21 commented 2 months ago

If this is an issue on Zen Browser's end that's probably a high severity issue.

NOCanoa commented 2 months ago

@chrede88 can u provide more info?

chrede88 commented 2 months ago

I don't really have much more info. The SOC at my job only mentioned that the browser contacted a lot of CDNs using unsigned executables. See the screendump they sent me.

LaurenceJJones commented 2 months ago

Most likely when going through the setup it will attempt to see if there are other browsers installed to port across your saved information (bookmarks and stuff), which other browsers do, including Firefox, which Zen is based on. I guess it made it more serious for your SOC since the binary is not signed and it looks like you just ran some malware.

chrede88 commented 2 months ago

Right! That's probably some of it. But why is it reaching out to multiple CDNs at startup?

LaurenceJJones commented 2 months ago

Well, we would need to know which CDNs were attempted to be accessed, as the term "malicious" in the title is hard to prove when you have very little information. (If your SOC is logging all process access calls then most likely they will have this information.)

I checked through the codebase and can't see any "known" CDNs referenced anywhere (I searched for names that I know, since I work for a cyber security company, but it's not a comprehensive list).

Once we have more information (domain names if possible) then the developers will be able to provide additional information.

mauro-balades commented 2 months ago

I did not change any DNS settings as far as I know... Could it be possible because the app isn't signed?

chrede88 commented 2 months ago

Yes, I get that it's hard to say anything concrete with the very limited info I've provided. If I can get some more info, I'll relay it here.

chrede88 commented 2 months ago

Possibly, this might be the only thing that flagged it in the first place. But I can't say for sure.

chrede88 commented 1 month ago

I got the list of remote URLs from the IT department, it's attached here as a .csv file. At 12:10:00.489 a connection to dr.dk was established, this was 100% me, so everything before is likely the startup of ZEN.

DeviceNetworkEventsExport_Extended_strip.csv

At this point I'm not really sure there are any "malicious" CDNs on the list. But I don't have a good list to check against.

mauro-balades commented 1 month ago

haha no way!

let's analyze a bit where it's connecting to...

  1. It's used for tracking protection.. basically, it's a list of URLs that it should block (https://www.reddit.com/r/waterfox/comments/fwc2sf/shavarservicesmozilla_and/)
  2. updates.zen-browser.app, I think that's pretty explanatory (checking for updates)
  3. t2.gstatic.com used by the sidebar, to get the icons of the initial websites on startup

and other Mozilla services like addon updates, etc... But there's definitely nothing malicious about it haha
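A small triage script, added here as an example and not part of the thread or the Zen project, that applies the approach used above: cut the exported network events at the first user-driven connection (dr.dk) and classify every earlier destination against the startup services explained in the thread, so a SOC can see which hosts remain unexplained. The CSV columns and rows are constructed (modelled loosely on a Defender DeviceNetworkEvents export), `unknown-cdn.example` is a constructed placeholder, and `versioncheck.addons.mozilla.org` is assumed as one example of the add-on update traffic mentioned.

```python
import csv
import io

# Constructed sample export; column names are assumed, not taken from the attached file.
SAMPLE_CSV = """Timestamp,ActionType,RemoteUrl,RemotePort,InitiatingProcessFileName
2024-09-12T12:09:58.101Z,ConnectionSuccess,shavar.services.mozilla.com,443,zen.exe
2024-09-12T12:09:58.240Z,ConnectionSuccess,updates.zen-browser.app,443,zen.exe
2024-09-12T12:09:58.905Z,ConnectionSuccess,t2.gstatic.com,443,zen.exe
2024-09-12T12:09:59.310Z,ConnectionSuccess,versioncheck.addons.mozilla.org,443,zen.exe
2024-09-12T12:09:59.777Z,ConnectionSuccess,unknown-cdn.example,443,zen.exe
2024-09-12T12:10:00.489Z,ConnectionSuccess,dr.dk,443,zen.exe
2024-09-12T12:10:01.000Z,ConnectionSuccess,www.dr.dk,443,zen.exe
"""

# Startup destinations explained in the thread, plus one assumed add-on update host.
KNOWN_STARTUP = {
    "shavar.services.mozilla.com": "tracking-protection block list",
    "updates.zen-browser.app": "Zen update check",
    "t2.gstatic.com": "sidebar icons for initial websites",
    "versioncheck.addons.mozilla.org": "add-on update check (assumed example)",
}


def startup_events(rows, first_user_host):
    """Return the events strictly before the first connection to first_user_host."""
    out = []
    for row in rows:
        if row["RemoteUrl"].lower() == first_user_host:
            break
        out.append(row)
    return out


def classify(rows):
    """Map each startup destination to its known purpose, or 'unexplained'."""
    return {r["RemoteUrl"].lower(): KNOWN_STARTUP.get(r["RemoteUrl"].lower(), "unexplained")
            for r in rows}


def triage(csv_text, first_user_host="dr.dk"):
    """Parse the export, order it by time and classify the pre-user startup traffic."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    rows.sort(key=lambda r: r["Timestamp"])  # uniform ISO-8601 strings sort chronologically
    return classify(startup_events(rows, first_user_host))


def unexplained(csv_text, first_user_host="dr.dk"):
    """Hosts the analyst still has to account for; the list to hand back to the SOC."""
    return sorted(h for h, why in triage(csv_text, first_user_host).items() if why == "unexplained")


if __name__ == "__main__":
    for host, why in triage(SAMPLE_CSV).items():
        print(f"{host:35} {why}")
```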