Supply Chain Attack Targets Chrome Extensions: Cyberhaven Among Victims

Chrome extensions have once again proven to be lucrative targets for hackers, underscoring the ongoing challenges in maintaining cybersecurity. A recent supply chain attack has compromised multiple Chrome browser extensions, including a popular data-loss prevention tool developed by cybersecurity startup Cyberhaven. This incident highlights the persistent risks users face when relying on third-party tools.

Cyberhaven Users Targeted in Attack

Cyberhaven, a San Jose-based cybersecurity firm led by former Nutanix and Palo Alto Networks executive Howard Ting, recently warned its customers of an attack that exploited its Chrome extension. Designed to protect against insider threats, the extension became a vector for malicious activity when attackers managed to publish a compromised version (24.10.4) on the Chrome Web Store.

The malicious update, available between 1:32 a.m. UTC on December 25 and 2:50 a.m. UTC on December 26, may have stolen sensitive data from users during this brief window. The attackers appeared to target Facebook Ads accounts, stealing access tokens to further their campaign.

Cyberhaven detected the breach at 11:54 p.m. UTC on December 25 and responded swiftly, removing the malicious package within an hour and releasing a safe update (24.10.5). The company has since engaged Mandiant for an independent investigation and is cooperating with federal law enforcement to address the breach.

A Wider Campaign Unveiled

This attack is part of a broader campaign that appears to opportunistically exploit Chrome extension developers. Jaime Blasco, co-founder and CTO of Nudge Security, identified several other compromised extensions, including Internxt VPN, VPNCity, Uvoice, and ParrotTalks.

Blasco noted that the attackers used command-and-control servers, including one at IP address 149.28.124.84, to coordinate their activities. Several domain names, such as bookmarkfc.info, cyberhavenext.pro, parrottalks.info, and vpncity.live, were linked to this campaign. Extensions associated with these domains may also have been targeted.

"It seems the attackers weren’t specifically targeting Cyberhaven but rather taking advantage of any accessible developer credentials," Blasco explained.

Phishing Leads to Compromise

Cyberhaven’s investigation traced the breach to a phishing attack targeting one of its developers. A phishing email redirected the victim to a legitimate Google authorization page, tricking them into granting access to a malicious OAuth application called "Privacy Policy Extension."

Despite having Multi-Factor Authentication (MFA) and Google Advanced Protection enabled, the developer inadvertently authorized the malicious app, enabling attackers to upload a modified version of the Cyberhaven Chrome extension to the web store. This malicious version retained much of the functionality of the legitimate extension but included additional code for data exfiltration and communication with the attackers' servers.

Mitigation Efforts and Lessons Learned

Cyberhaven reports that the attackers did not gain access to its core systems, such as code-signing keys or continuous integration/continuous delivery (CI/CD) environments. The company is preparing tools to help customers assess the impact and identify specific data exfiltrated during the breach.

Meanwhile, cybersecurity experts emphasize the importance of heightened vigilance for extension developers and users alike. Developers should ensure robust security measures are in place to prevent phishing and unauthorized access, while users are advised to monitor their systems for indicators of compromise and keep software updated.
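For defenders who want to act on the indicators quoted above (the C2 address 149.28.124.84, the domains bookmarkfc.info, cyberhavenext.pro, parrottalks.info and vpncity.live, and the compromised extension version 24.10.4), the following is an added example, not code from the article, Cyberhaven, or Nudge Security. It scans log lines for those indicators and flags an extension manifest that carries the bad version. The log format and the sample log lines are constructed for the example; matching the extension by its display name is an assumption, since the article does not give the extension's store ID.

```python
import ipaddress
import re

# Indicators reported for this campaign (taken from the article).
IOC_DOMAINS = {
    "bookmarkfc.info",
    "cyberhavenext.pro",
    "parrottalks.info",
    "vpncity.live",
}
IOC_IPS = {ipaddress.ip_address("149.28.124.84")}

# Version of the Cyberhaven extension the article reports as compromised.
COMPROMISED_VERSION = "24.10.4"

# Constructed sample log lines in a simplified "timestamp client action target"
# format. They are made up for this example, not real logs from the incident.
SAMPLE_LOGS = [
    "2024-12-25T03:10:11Z 10.0.0.12 dns query www.example.com",
    "2024-12-25T03:12:45Z 10.0.0.12 dns query api.cyberhavenext.pro",
    "2024-12-25T03:13:02Z 10.0.0.12 https connect 149.28.124.84:443",
    "2024-12-25T04:00:00Z 10.0.0.7 dns query vpncity.live",
    "2024-12-25T04:01:30Z 10.0.0.7 dns query notvpncity.live",
]

# Hostnames: dotted labels ending in an alphabetic TLD (so bare IPs are skipped).
_HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)
_IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def domain_matches(host, iocs=IOC_DOMAINS):
    """True if host equals an IOC domain or is a proper subdomain of one.

    A suffix check alone would wrongly flag 'notvpncity.live', so the
    comparison requires either equality or a leading dot boundary.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in iocs)


def find_ioc_hits(lines, domains=IOC_DOMAINS, ips=IOC_IPS):
    """Return [(line, [matched indicators...])] for lines touching an IOC."""
    hits = []
    for line in lines:
        matched = set()
        for host in _HOST_RE.findall(line):
            if domain_matches(host, domains):
                matched.add(host.lower())
        for raw_ip in _IP_RE.findall(line):
            try:
                ip = ipaddress.ip_address(raw_ip)
            except ValueError:
                continue  # e.g. an octet above 255; not a real address
            if ip in ips:
                matched.add(str(ip))
        if matched:
            hits.append((line, sorted(matched)))
    return hits


def manifest_flagged(manifest):
    """True if a parsed extension manifest.json is the reported bad build.

    Assumption: the extension is identified by the word 'Cyberhaven' in its
    display name; the article does not give the Chrome Web Store ID.
    """
    name = str(manifest.get("name", "")).lower()
    return "cyberhaven" in name and manifest.get("version") == COMPROMISED_VERSION


if __name__ == "__main__":
    for line, indicators in find_ioc_hits(SAMPLE_LOGS):
        print(f"IOC hit {indicators}: {line}")
    print("manifest flagged:",
          manifest_flagged({"name": "Cyberhaven", "version": "24.10.4"}))
```

In practice the same functions can be fed real DNS, proxy, or EDR export lines, and `manifest_flagged` can be run over each `manifest.json` found under a user's Chrome extensions directory; on a hit, the user-facing action the article recommends still applies: update to the fixed release (24.10.5) and review the Facebook Ads and other session tokens the extension could reach during the exposure window.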

Ongoing Risks in the Supply Chain

This incident underscores the growing threat of supply chain attacks in the software ecosystem. By targeting Chrome extensions, attackers exploit trust relationships between developers and users, often with devastating consequences. As organizations increasingly rely on third-party tools, maintaining a proactive and comprehensive approach to cybersecurity is paramount.

This latest breach serves as a reminder that cybersecurity is not a static goal but a continuous process requiring vigilance, robust incident response, and effective user education.
