NorthSky Technology has identified a browser replacement application called OneLaunch which we have observed to be highly correlated with account compromise, and as a result we consider it very dangerous. We’ve developed tools to detect and remove this software, and are undertaking an intensive effort to enhance our monitoring and controls to increase the likelihood that we can detect the login activity generated by these types of compromise.
Monitoring for this software has already been applied to all managed computers for our managed IT services clients at no additional cost. If we detect this in your environment, we will proactively reach out to you to initiate a full investigation and remediation.
The Full Story
Recently, we detected and remediated a small number of account compromises which had unusual characteristics. Typically we can trace a compromise to an originating event: a phishing email, a shared password, one of the common methods of tricking a user into approving an MFA prompt, etc. In these particular incidents, none of these were present: the attacker was simply logging in from a malicious location without ever being prompted for a password or MFA.
Quick Technical Background about Logins
When you use a website or service that requires authentication with a username, password, and (hopefully) MFA, you may notice that you only have to enter those details every once in a while. You’ll enter them the very first time you log in, but after that it might only be once a week, or once a month, or longer before you are asked to re-enter them again.
In real-world terms, entering your username and password is like showing your ID to prove that you are 21. If you are somewhere that is crowded and busy, like a festival or concert, the person who checks your ID may give you a wristband as proof that the venue checked your ID and validated your age. The wristband will usually be of a particular color or design such that the venue knows it’s only valid for a particular event. This streamlines any future interactions you may have requiring proof of your age, as the staff only have to look at your wristband instead of performing a full ID check.
Logging into an account with your username, password, and MFA is like showing your ID for verification. After your credentials are validated, a session is established and you are issued a session token (like a wristband) to use going forward any time you’re communicating with that account. The session token serves as proof that you’ve already proven you are who you say you are, so the system trusts you without checking your ID again. This is more secure, as you’re not sending your password in every communication, and it makes using the account much more efficient and convenient. Session tokens are valid for a limited period of time, after which you may be required to re-enter your password to get a new one.
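To make the wristband analogy concrete, here is an added example (written for this article; it is not NorthSky's code or any particular service's implementation) of how a server issues a signed session token after credentials and MFA have been checked, and how it later accepts that token without asking for the password again. The signing key, the one-week lifetime and the token layout are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Server-side signing key: constructed fresh for this example and never sent to clients.
SECRET_KEY = secrets.token_bytes(32)
SESSION_LIFETIME = 7 * 24 * 60 * 60  # assumed one-week validity, after which the user re-authenticates


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session_token(user_id: str, now: float = None) -> str:
    """Called only after username, password and MFA have been verified.

    The token is the 'wristband': it names the user, when it was issued and when it
    stops being valid, and is signed so the server recognises its own wristbands
    without re-checking the user's credentials.
    """
    now = time.time() if now is None else now
    payload = {
        "sub": user_id,
        "iat": int(now),
        "exp": int(now) + SESSION_LIFETIME,
        "jti": secrets.token_hex(16),  # unique id so one token can be revoked on its own
    }
    body = _b64e(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64e(sig)}"


def validate_session_token(token: str, now: float = None):
    """Return the user id if the token is genuine and unexpired, otherwise None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_b64d(sig), expected):
            return None  # forged or tampered wristband
        payload = json.loads(_b64d(body))
    except (ValueError, TypeError):
        return None  # malformed token
    if payload.get("exp", 0) <= now:
        return None  # wristband from a past event: the user must show ID again
    return payload.get("sub")


if __name__ == "__main__":
    token = issue_session_token("alice")
    print("issued:", token)
    print("validates as:", validate_session_token(token))
```

Note what the server checks on every request: the signature (is this our wristband?) and the expiry (is it for this event?). Nothing in the token ties it to the device it was issued to, which is exactly why a copied token works for whoever holds it until it expires.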
Back to OneLaunch
We determined in these investigations that the account compromises were a result of session hijacking. The attacker had stolen the session token (like stealing the wristband in the example above) and was using it to illegitimately access the account. By re-using the user’s valid session as their own, they didn’t need to know the user’s password and didn’t need to trick them into approving an MFA prompt.
Session tokens are sensitive and only transmitted over secure connections, so hijacking them most commonly involves the attacker eavesdropping on or inserting themselves into those secure communications, referred to as a “man-in-the-middle” attack. This most often involves the attacker having some sort of interception on the user’s device or web browser, which led us to discover OneLaunch.
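The monitoring side of this looks for the tell-tale shape of a hijacked session: a token that keeps being used, but from a different client than the one that performed the password-and-MFA sign-in, or with no interactive sign-in behind it at all. The following added example (not NorthSky's tooling, and not tied to any particular identity provider's log format) runs that check over a handful of constructed sign-in records. The field names, the simple key=value log format and the documentation-range IP addresses are all assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample sign-in events; not real customer data. Addresses are from
# the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2024-05-01T09:00:00Z user=alice session=s-1001 auth=interactive ip=203.0.113.10 ua=Chrome/124
2024-05-01T09:05:00Z user=alice session=s-1001 auth=token ip=203.0.113.10 ua=Chrome/124
2024-05-01T11:42:00Z user=alice session=s-1001 auth=token ip=198.51.100.7 ua=Chrome/118
2024-05-01T10:00:00Z user=bob session=s-2002 auth=interactive ip=203.0.113.25 ua=Edge/124
2024-05-01T10:30:00Z user=bob session=s-2002 auth=token ip=203.0.113.25 ua=Edge/124
2024-05-01T12:00:00Z user=carol session=s-3003 auth=token ip=192.0.2.44 ua=Firefox/125
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) session=(?P<session>\S+) "
    r"auth=(?P<auth>\S+) ip=(?P<ip>\S+) ua=(?P<ua>\S+)$"
)


@dataclass
class Event:
    ts: str
    user: str
    session: str
    auth: str   # "interactive" = password + MFA shown; "token" = session token presented
    ip: str
    ua: str


def parse_events(text: str) -> list:
    """Parse the assumed key=value log format, skipping lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(**m.groupdict()))
    return events


def find_session_anomalies(events: list) -> list:
    """Flag token uses whose client context differs from the interactive sign-in
    that created the session, or that have no interactive sign-in at all.

    Returns (session, user, reason, ip) tuples. ISO-8601 timestamps sort correctly
    as strings, so a plain sort gives chronological order per session."""
    origin = {}   # session id -> the interactive Event that established it
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.auth == "interactive":
            origin[ev.session] = ev
            continue
        base = origin.get(ev.session)
        if base is None:
            # A token presented with no matching ID check: the holder never logged in here.
            findings.append((ev.session, ev.user, "token-without-interactive-login", ev.ip))
        elif ev.ip != base.ip or ev.ua != base.ua:
            # Same wristband, different wearer: the token moved to another client.
            reason = f"context-change {base.ip}/{base.ua} -> {ev.ip}/{ev.ua}"
            findings.append((ev.session, ev.user, reason, ev.ip))
    return findings


if __name__ == "__main__":
    for finding in find_session_anomalies(parse_events(SAMPLE_LOG)):
        print(*finding)
```

In the sample, alice's session is used later from a new address with an older browser build, and carol's session has only token uses with no sign-in that created it; bob's session is clean. A real deployment would compare coarser attributes (ASN or country rather than exact IP, since legitimate users change networks) and would feed a finding into the investigation-and-remediation process rather than acting on it blindly.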
OneLaunch is a Windows application which purports to “upgrade your Windows experience” and serves as a replacement web browser. Its appearance mimics your normal browser and it very eagerly auto-launches itself front-and-center, inviting the user to use it instead of Chrome, Edge, or Firefox. The problem with OneLaunch is that we have strong reason to believe it is being leveraged by attackers to steal session tokens (and it causes performance issues on the machine in the process). In our investigations we found OneLaunch was installed and used to log into the account which was compromised soon after, and technical analysis of the software itself reveals troubling spyware-like behaviors. Whether OneLaunch has legitimate users or not, we’re finding it is too great of a risk to be allowed in corporate managed environments, and we are taking steps to immediately remove any detected installs.
We’re finding that users are being tricked into downloading and installing OneLaunch, either by deceptive advertising or by thinking it is some other tool like Easy PDF or a mapping program. To make matters a bit more challenging, OneLaunch installs in an evasive manner which isn’t reported to traditional software inventorying systems, and it does not require administrative permission to install. Any user can install it without IT or your own organization's management being involved or aware.
In an increasingly work-from-home and BYOD world, this serves as another reminder of the importance of organizations maintaining control over all aspects of their technology environment, especially their computer endpoints, if they want to keep their systems secure and functioning at their best. Detecting or preventing the installation of dangerous software like OneLaunch isn’t possible when users are running on personal devices that the organization has no control over or visibility into, leaving organizations more exposed to risk than they may realize.