Security operations · 2 MIN READ · MYLES SATTERFIELD · DEC 27, 2024 · TAGS: Alert
TL;DR
- Threat actors injected code into at least five Chrome extensions to steal sensitive data from users.
- Cybersecurity firm Cyberhaven disclosed that its Chrome extension was compromised.
- Cyberhaven removed the malicious package, but recommends updating it along with a few other important steps.
*This post has been updated with new information released by Cyberhaven.
What happened?
A threat actor has injected at least five Chrome extensions with malicious code that steals sensitive information from users. Cybersecurity firm Cyberhaven was one of the companies whose Chrome extension was compromised, and it released information on what occurred.
On Christmas Eve, the threat actor successfully executed an attack on a Cyberhaven employee and then used the access it gained to publish a malicious Chrome extension (version 24.10.4) to the Chrome Web Store on Christmas Day. Cyberhaven’s internal security team detected the attack at 11:54 PM UTC and removed the malicious extension from the Chrome Web Store within 60 minutes.
The exfil domain was online from 1:32 AM UTC on December 25 until 2:50 AM UTC on December 26. Versions of the extension not hosted on the Chrome Web Store (Firefox, Edge, etc.) were not affected.
According to Bleeping Computer, the other Chrome extensions that the attacker compromised include:
- Internxt VPN
- VPNCity
- Uvoice
- ParrotTalks
On December 27, Cyberhaven released additional details of the attack, which showed that the attacker used a phishing email to trick admins into granting app permissions that would allow the attacker to modify Chrome extensions. Cyberhaven’s analysis of the command-and-control (C2) communications indicates that the malicious extension collected information about Facebook Advertising accounts on the infected host.
Why does it matter?
According to a communication that Cyberhaven sent to customers, “For browsers running the compromised plugin, it is possible for sensitive information, including authenticated sessions and cookies, to be exfiltrated to the attacker’s domain (cyberhavenext[.]pro).”
This type of data could also be at risk for users of the other compromised Chrome extensions, as well.
What is Expel doing?
Our team is paying close attention to this attack. We’ve pushed BOLO (be-on-the-lookout) detections for C2 and malicious JS files, and are scoping available data for each of the indicators.
We’re also collaborating with any Expel customers who may have been affected.
What should you do right now?
The official communication from Cyberhaven recommends that its customers do the following:
- Verify that the impacted Cyberhaven Chrome extension version 24.10.4 is updated to 24.10.5 or newer.
- Revoke/rotate all passwords that aren’t FIDOv2.
- Revoke/rotate all API tokens.
- Review all logs to verify no malicious activity has occurred in your environments.
Users of the other affected Chrome extensions listed above should either remove them from the browser or upgrade them to a newer version published after December 26, once they’ve confirmed that the publisher has fixed the issue.
And since the attacker appeared to be targeting Facebook Advertising accounts, we recommend you give extra scrutiny to these accounts.
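The two checks above that most teams end up scripting are the extension-version verification and the log review for the exfil domain. The following is an added example written for this post, not Cyberhaven's or Expel's tooling: it flags a Chrome extension manifest whose name contains "Cyberhaven" and whose version is below 24.10.5, and it scans proxy or DNS log lines for cyberhavenext[.]pro, marking hits that fall inside the window the domain was known to be live. The log format (ISO-8601 UTC timestamp followed by the request), the sample log lines and the sample manifest names are all constructed for the example; only the domain, the version numbers and the time window come from the advisory.

```python
"""Triage helpers for the Cyberhaven Chrome extension compromise (added example).

Assumptions (not from the advisory): log lines begin with an ISO-8601 UTC
timestamp such as 2024-12-25T03:10:22Z; Chrome keeps extension manifests at
<profile>/Extensions/<extension id>/<version>/manifest.json.
"""
import json
import re
from datetime import datetime, timezone
from pathlib import Path
from typing import Iterable

# Indicator from the Cyberhaven notice (defanged there as cyberhavenext[.]pro).
EXFIL_DOMAIN = "cyberhavenext.pro"
# Period during which the advisory says the exfil domain was online.
WINDOW_START = datetime(2024, 12, 25, 1, 32, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 12, 26, 2, 50, tzinfo=timezone.utc)
# First fixed version named in the advisory.
FIXED_VERSION = (24, 10, 5)

# Matches the domain or any subdomain of it, as a whole label sequence:
# no match on "notcyberhavenext.pro" or "cyberhavenext.pro.example.net".
DOMAIN_RE = re.compile(
    r"(?<![\w.-])(?:[\w-]+\.)*" + re.escape(EXFIL_DOMAIN) + r"(?!\.?[\w-])",
    re.IGNORECASE,
)
LOG_LINE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+(?P<rest>.*)$")


def parse_version(v: str) -> tuple:
    """Chrome extension versions are 1 to 4 dot-separated integers; compare as tuples."""
    return tuple(int(p) for p in v.split("."))


def needs_update(manifest: dict) -> bool:
    """True if the manifest looks like the Cyberhaven extension and is below 24.10.5.

    Caveat: a manifest "name" may be a localized __MSG_...__ key; in that case
    match on the extension ID from the Web Store listing instead (not given here).
    """
    name = manifest.get("name", "")
    if "cyberhaven" not in name.lower():
        return False
    return parse_version(manifest.get("version", "0")) < FIXED_VERSION


def scan_extensions_dir(root: Path) -> list:
    """Walk <root>/<id>/<version>/manifest.json and return manifests needing update."""
    findings = []
    for manifest_path in root.glob("*/*/manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError):
            continue  # unreadable or malformed manifest: skip, do not crash the sweep
        if needs_update(manifest):
            findings.append({"path": str(manifest_path),
                             "name": manifest.get("name"),
                             "version": manifest.get("version")})
    return findings


def scan_log_lines(lines: Iterable[str]) -> list:
    """One finding per line that references the exfil domain.

    'in_window' is True for hits inside the period the domain was live, False for
    hits outside it (still worth a look: cached DNS, retries) and None when the
    line carries no parseable timestamp.
    """
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = DOMAIN_RE.search(line)
        if not m:
            continue
        in_window = None
        lm = LOG_LINE.match(line)
        if lm:
            ts = datetime.strptime(lm.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            in_window = WINDOW_START <= ts <= WINDOW_END
        findings.append({"line": lineno, "host": m.group(0).lower(),
                         "in_window": in_window, "text": line.strip()})
    return findings


# Constructed sample proxy log: two hits in the live window, one after it, one near miss.
SAMPLE_PROXY_LOG = """\
2024-12-25T00:05:11Z 10.20.0.14 GET https://www.example.com/ 200
2024-12-25T03:10:22Z 10.20.0.14 POST https://cyberhavenext.pro/api/collect 200
2024-12-25T03:10:23Z 10.20.0.15 CONNECT api.cyberhavenext.pro:443 200
2024-12-26T09:41:00Z 10.20.0.14 GET https://cyberhavenext.pro/ 0
2024-12-25T03:11:00Z 10.20.0.16 GET https://notcyberhavenext.pro.example.net/ 200
""".splitlines()

if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_PROXY_LOG):
        print(f"line {hit['line']}: {hit['host']} in_window={hit['in_window']}")
    # Constructed manifest; the real extension's name and ID are not given in this post.
    print(needs_update({"name": "Cyberhaven (sample manifest)", "version": "24.10.4"}))
```

Point `scan_extensions_dir` at each user's Chrome profile `Extensions` directory on managed endpoints, and feed `scan_log_lines` your proxy or DNS resolver logs for December 25 and 26. Hits outside the live window are reported deliberately: a host that kept resolving the domain after takedown still had the malicious version installed.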
What next?
We’re continuing to monitor this situation, and will update our customers with developments. In the meantime, we’re keeping the security teams at Cyberhaven and its impacted customers in our thoughts—they’re no doubt working overtime dealing with this situation.