Ryan Kessler : Jan 3, 2025 11:44:38 AM
Browser extensions for Chrome often become prime targets for hackers, serving as gateways to exploit unsuspecting users. This underscores a crucial cybersecurity principle: security is not a static goal but an ongoing process.
One recent example involves the Cyberhaven Chrome extension, designed to protect corporate data from insider threats. Cyberhaven, a San Jose-based startup, warned users that attackers may have exfiltrated data through a malicious version of its extension.
On Dec. 25, attackers managed to upload a compromised version (24.10.4) of Cyberhaven's Chrome extension to the Chrome Web Store.
This attack impacted systems running Chrome-based browsers that downloaded the extension between 1:32 a.m. UTC on Dec. 25 and 2:50 a.m. UTC on Dec. 26.
Cyberhaven detected the breach late on Dec. 27 and acted swiftly to mitigate the impact. Within an hour of detection, the company removed the malicious extension, released a secure version (24.10.5), and began notifying users.
Early investigations suggest the attack targeted Facebook Ads accounts to steal access tokens.
The company has since enlisted Mandiant for a thorough investigation and is working with federal authorities to understand the attack further.
According to cybersecurity expert Jaime Blasco, this incident is likely part of a broader, opportunistic campaign targeting multiple Chrome extensions. Extensions such as Internxt VPN, VPNCity, Uvoice, and ParrotTalks were also reportedly compromised.
Blasco identified suspicious traffic to an IP address linked to the attackers and associated domain names, including bookmarkfc.info, cyberhavenext.pro, and vpncity.live.
The campaign appears to exploit developers’ credentials, focusing on extensions the attackers could access.
Cyberhaven's investigation revealed the attack began with a phishing email targeting a developer listed as a support contact. The email led to a legitimate-looking Google authorization page for a malicious OAuth application.
Despite using Google Advanced Protection and multi-factor authentication (MFA), the developer inadvertently authorized the malicious app. MFA did not help here because the OAuth consent was granted from the developer's own already-authenticated session: the app received a grant to act on the account, which let the attackers upload and distribute the compromised extension.
The attackers modified a clean version of Cyberhaven’s extension, embedding malicious code to exfiltrate data and communicate with a command-and-control server.
Cyberhaven confirmed that no other accounts, code-signing keys, or build systems were compromised. The company is developing tools to help customers determine if specific data was exfiltrated.
This incident serves as a reminder of the ongoing risks associated with browser extensions.
Organizations and individuals should regularly audit installed extensions, monitor for suspicious traffic, and enforce strict policies around software updates and developer credentials.
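A defender-side check along the lines of the audit and monitoring advice above, added here as an example and not code from the original post or from Cyberhaven: it classifies a Cyberhaven extension install by its manifest version against the versions the post names, and flags proxy log entries to the domains Blasco identified. The proxy log format and the sample lines are constructed for illustration.

```python
import re
from typing import Iterable, List, Tuple

# Domains the post attributes to the campaign's infrastructure.
CAMPAIGN_DOMAINS = {"bookmarkfc.info", "cyberhavenext.pro", "vpncity.live"}

# Extension versions named in the post: the compromised build and the fix.
COMPROMISED_VERSION = "24.10.4"
FIXED_VERSION = "24.10.5"


def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a comparable tuple of ints."""
    return tuple(int(part) for part in version.split("."))


def extension_status(name: str, version: str) -> str:
    """Classify an installed extension by the name/version in its manifest."""
    if "cyberhaven" not in name.lower():
        return "not-in-scope"
    if version == COMPROMISED_VERSION:
        return "compromised"
    if version_tuple(version) < version_tuple(FIXED_VERSION):
        return "outdated"          # predates the fix; still worth updating
    return "ok"


# Hypothetical proxy log line: "<timestamp> <client-ip> <host> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")


def flag_campaign_traffic(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client, host) for requests to campaign domains."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line.strip())
        if not match:              # skip lines that do not fit the format
            continue
        ts, client, host, _status = match.groups()
        host = host.lower().rstrip(".")
        # Match the domain itself or any subdomain of it.
        if any(host == d or host.endswith("." + d) for d in CAMPAIGN_DOMAINS):
            hits.append((ts, client, host))
    return hits


# Constructed sample log: two hits, one benign request, one malformed line.
SAMPLE_LOG = [
    "2024-12-25T03:10:00Z 10.0.0.12 cyberhavenext.pro 200",
    "2024-12-25T03:11:30Z 10.0.0.12 www.google.com 200",
    "2024-12-26T01:05:00Z 10.0.0.40 api.vpncity.live 200",
    "malformed line",
]
```

Run `flag_campaign_traffic` over real proxy or DNS exports in the same shape, and feed `extension_status` the `name` and `version` fields from each installed extension's manifest.json.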
Cybersecurity is not a one-and-done effort—it’s a continuous, adaptive process.