
Severity
High
Analysis Summary
At least 16 extensions were compromised in a recent attack campaign that targeted well-known Chrome browser extensions, putting over 600,000 users at risk of data exposure and credential theft. The attack used a phishing campaign against browser extension authors on the Chrome Web Store in order to collect cookies and user access tokens. The attackers then used the resulting access permissions to implant malicious code into legitimate extensions.
Cyberhaven, a cybersecurity company, was the first known victim of the campaign. On December 24, a phishing attempt against one of its employees enabled the threat actors to publish a malicious version of its extension. On December 27, Cyberhaven disclosed that a threat actor had compromised its browser extension and added malicious code that downloads additional configuration files, communicates with an external command-and-control (C2) server at the domain cyberhavenext[.]pro, and steals user information.
The phishing email, which appeared to come from Google Chrome Web Store Developer Support, tried to create a false sense of urgency by claiming that the recipient's extension was in imminent danger of removal from the extension store for a breach of Developer Program Policies. It asked the recipient to click a link to accept the policies; the link led to a page where they could grant permissions to a malicious OAuth application called "Privacy Policy Extension."
“The attacker gained requisite permissions via the malicious application ('Privacy Policy Extension') and uploaded a malicious Chrome extension to the Chrome Web Store. After the customary Chrome Web Store Security review process, the malicious extension was approved for publication,” said the company.
Browser extensions are a weak spot in web security. Although organizations tend to regard them as harmless, extensions are often granted broad access to sensitive user data, including cookies, access tokens, identity information, and more. Many firms are unaware of the extent of their exposure and are not even sure which extensions are installed on their endpoints.
Once the Cyberhaven breach became public, other compromised extensions communicating with the same C2 server were quickly identified. Researchers found further domains that resolved to the same IP address as the C2 server used in the Cyberhaven compromise, and additional research has identified more extensions [Google Sheets] that may have been compromised. These other compromised extensions show that Cyberhaven was not a one-off target but part of a larger campaign aimed at trusted browser extensions.
Examination of the compromised Cyberhaven extension shows that the malicious code specifically targeted Facebook business accounts, along with identity data and access credentials. According to Cyberhaven, the malicious version of the extension was taken down roughly twenty-four hours after it went live. Several of the other affected add-ons have already been updated or removed from the Chrome Web Store.
Removal of an extension from the Chrome Web Store does not, however, mean the exposure is over: as long as the compromised version remains installed and running on an endpoint, the attackers can still reach it and steal data. The complexity and reach of this campaign have raised the stakes for many enterprises in protecting their browser extensions, and security researchers are still searching for further affected extensions. It remains unclear who is behind the campaign and whether these compromises are connected.
Impact
- Code Execution
- Sensitive Data Theft
- Unauthorized Access
- Credential Theft
Indicators of Compromise
Domain Name
- cyberhavenext.pro
IP
- 149.28.124.84
- 149.248.2.160
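Because a compromised extension keeps running on an endpoint after it is pulled from the store, the practical check is to sweep installed extensions for references to the indicators above. The following Python script is an added example, not tooling from the advisory or from Cyberhaven: it walks a Chrome profile's Extensions/<id>/<version>/ tree, matches each indicator (including the defanged "[.]" spelling) in scripts, pages and manifests, and reports the extension id, version, manifest name and file. The sample profile it builds is constructed for the demonstration and contains no real extension data.

```python
import json
import re
import tempfile
from pathlib import Path

# IOCs taken from the advisory above; extend as further indicators are published.
IOCS = {"cyberhavenext.pro", "149.28.124.84", "149.248.2.160"}
# Whole-token match of each indicator, also accepting the defanged "[.]" spelling.
_PATTERN = re.compile(r"(?<![\w.-])(?:%s)(?![\w-])" % "|".join(
    re.escape(i).replace(r"\.", r"(?:\.|\[\.\])") for i in sorted(IOCS)), re.IGNORECASE)


def scan_extension_dir(ext_root: Path) -> list[dict]:
    """Walk a Chrome profile's Extensions/<id>/<version>/ tree and report every
    script, page or manifest whose contents reference a known IOC."""
    hits = []
    for version_dir in sorted(p for p in ext_root.glob("*/*") if p.is_dir()):
        ext_id, name = version_dir.parent.name, version_dir.parent.name
        manifest = version_dir / "manifest.json"
        if manifest.is_file():
            try:  # an unparseable manifest just means we report the id instead of a name
                name = json.loads(manifest.read_text("utf-8", "replace")).get("name", ext_id)
            except json.JSONDecodeError:
                pass
        for f in version_dir.rglob("*"):
            if not f.is_file() or f.suffix.lower() not in {".js", ".json", ".html"}:
                continue
            found = {m.lower().replace("[.]", ".")
                     for m in _PATTERN.findall(f.read_text("utf-8", "replace"))}
            if found:
                hits.append({"id": ext_id, "version": version_dir.name, "name": name,
                             "file": str(f.relative_to(version_dir)), "iocs": sorted(found)})
    return hits


def build_sample() -> Path:
    """Constructed sample profile, not real extension data: one clean extension and
    one whose background script talks to the advisory's C2 domain and an IOC IP."""
    root = Path(tempfile.mkdtemp()) / "Extensions"
    clean, bad = root / ("a" * 32) / "1.0.0_0", root / ("b" * 32) / "24.10.4_0"
    for d in (clean, bad):
        d.mkdir(parents=True)
    (clean / "manifest.json").write_text('{"name": "Clean Helper", "version": "1.0.0"}')
    (clean / "background.js").write_text('fetch("https://example.com/api");')
    (bad / "manifest.json").write_text('{"name": "Compromised Helper", "version": "24.10.4"}')
    (bad / "background.js").write_text('fetch("https://cyberhavenext.pro/config");\n'
                                       'const fallback = "http://149.248.2.160/";')
    return root
```

On a real host, point `scan_extension_dir` at the profile's Extensions directory (for example `~/.config/google-chrome/Default/Extensions` on Linux) and treat any hit as an extension to remove and a user whose sessions and tokens should be revoked.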
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Implement robust multi-layered security measures to detect and respond to ransomware and cyber espionage activities.
- Conduct regular security assessments and penetration testing to identify and mitigate vulnerabilities in critical infrastructure and government systems.
- Deploy advanced threat detection tools, such as Endpoint Detection and Response (EDR) and Network Traffic Analysis (NTA), to monitor for suspicious activities and anomalies.
- Ensure timely patching and updating of all software and systems to close known security gaps.
- Use multi-factor authentication (MFA) and strong password policies to protect user accounts from unauthorized access.
- Segment networks to limit lateral movement within the organization in case of a breach.
- Develop and maintain an incident response plan that includes procedures for ransomware attacks and data breaches.
- Train employees on cybersecurity best practices and phishing awareness to reduce the risk of social engineering attacks.
- Regularly back up critical data and ensure backups are stored securely and are not accessible from the primary network.
- Collaborate with cybersecurity firms and government agencies for threat intelligence sharing and coordinated defense strategies.
- Implement encryption for sensitive data at rest and in transit to protect against data theft.
- Limit access to critical systems and data to only those individuals who require it for their role.
- Monitor for and immediately investigate the presence of known malware and indicators of compromise associated with state-sponsored groups.
- Engage in regular cybersecurity drills and exercises to ensure readiness for potential cyber incidents.
- Ensure legal and compliance measures are in place, particularly for industries subject to specific regulatory requirements.