A recent cyber attack targeted users of Cyberhaven's Data-Loss Prevention Chrome Extension, highlighting how exposed browser extensions are to supply-chain compromise through their publishing channel. The attack, which occurred in late December, exfiltrated data from users of the Cyberhaven extension, a product designed to protect corporate data from insider threats.
The San Jose-based cybersecurity startup, led by industry veteran Howard Ting, detected the attack and swiftly took action to mitigate the impact. The attackers did not break the Chrome Web Store itself; they gained the ability to publish under Cyberhaven's developer account and pushed a malicious version of the extension through the store's normal update channel. Only machines running Chrome-based browsers that auto-updated the extension from the Chrome Web Store while that malicious version was live were affected.
Cyberhaven CEO Howard Ting confirmed that the company removed the malicious package within an hour of detection and published a clean replacement version of the extension. The malicious code was aimed at Facebook accounts: it harvested Facebook access tokens, with Facebook Ads accounts as the apparent target. In response to the incident, Cyberhaven has engaged the third-party incident response firm Mandiant and is cooperating with federal law enforcement agencies on the investigation.
The attack on Cyberhaven is part of a larger campaign targeting various Chrome extensions, as highlighted by cybersecurity researcher Jaime Blasco. The attackers compromised several other extensions, including Internxt VPN, VPNCity, Uvoice, and ParrotTalks, in addition to Cyberhaven. Blasco warned users to be vigilant and to check their network logs for traffic to the domains he identified as the attackers' command-and-control infrastructure.
Blasco's findings suggest that the campaign may have been running for some time, with the attackers going after extension developers opportunistically rather than singling out any one vendor. Users should therefore treat any of the named extensions as suspect and check their systems for signs of compromise. Researchers have since identified additional subverted Chrome extensions, including Bookmark Favicon Changer, which appear to have been hit by the same actors.
A detailed incident report by Cyberhaven revealed that the attack began with a phishing email sent to one of the developers of the Chrome extension. The employee inadvertently authorized a malicious OAuth Google application, granting it permission to manage the company's Chrome Web Store listing. Because an OAuth consent grant never asks for the account password, multi-factor authentication on the account does not stop this step; the attackers then used the granted permission to upload a modified version of the extension to the Chrome Web Store. The malicious extension contained code to communicate with a command-and-control server and exfiltrate data from users' browsers.
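The two checks a defender wants after an incident like this are the ones Blasco's warning and Cyberhaven's report point at: which machines still carry a flagged version of the extension, and which machines talked to the attackers' command-and-control domains. The script below is an added example and is not code from Cyberhaven, Blasco, or the original article. It reads the layout Chrome uses for installed extensions (`<profile>/Extensions/<id>/<version>_<n>/manifest.json`) and scans proxy/DNS log lines for IOC domains. Every extension ID, version, domain and log line in it is a constructed placeholder, not an indicator from the real campaign; substitute the IDs, versions and domains the vendor and researchers published.

```python
import json
import re
import tempfile
from pathlib import Path

# Constructed indicators: placeholders, NOT the real campaign's extension ID,
# version or domains. Replace with the values published by the vendor/researchers.
FLAGGED_EXTENSIONS = {
    # extension id (32 chars from a-p, as Chrome generates them) -> versions to flag
    "aaaabbbbccccddddeeeeffffgggghhhh": {"2.0.1"},
}
C2_DOMAINS = {"ext-c2.invalid", "cdn-update.invalid"}


def host_matches(host, domains=C2_DOMAINS):
    """True if host is an IOC domain or a subdomain of one (case-insensitive,
    ignoring a trailing dot or port)."""
    host = host.lower().rstrip(".").split(":")[0]
    return any(host == d or host.endswith("." + d) for d in domains)


def find_flagged_extensions(profile_dir):
    """Inventory a Chrome profile's installed extensions.

    Chrome stores each extension under <profile>/Extensions/<id>/<version>_<n>/;
    the manifest's "version" field is the authoritative version, so read it
    rather than trusting the directory name. Returns (id, version, name) tuples
    for installs that match FLAGGED_EXTENSIONS.
    """
    hits = []
    ext_root = Path(profile_dir) / "Extensions"
    if not ext_root.is_dir():
        return hits
    for id_dir in sorted(p for p in ext_root.iterdir() if p.is_dir()):
        bad_versions = FLAGGED_EXTENSIONS.get(id_dir.name)
        if not bad_versions:
            continue
        for manifest in sorted(id_dir.glob("*/manifest.json")):
            with open(manifest, encoding="utf-8") as f:
                m = json.load(f)
            if m.get("version") in bad_versions:
                hits.append((id_dir.name, m["version"], m.get("name", "?")))
    return hits


# Pulls the destination host out of either log shape used in SAMPLE_LOG below:
# a URL in a proxy line, or "query: <name>" in a DNS line.
HOST_RE = re.compile(r"(?:https?://|\bquery:\s*)([A-Za-z0-9.-]+)")


def scan_log_lines(lines):
    """Return (client, host, line_no) for every line that touches a C2 domain.
    The client field is the second whitespace-separated token in the
    constructed format "<timestamp> <client-ip> ..."."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = HOST_RE.search(line)
        if m and host_matches(m.group(1)):
            hits.append((line.split()[1], m.group(1), n))
    return hits


# Constructed sample data so the script runs offline.
SAMPLE_LOG = [
    "2024-12-25T03:14:07Z 10.0.4.21 CONNECT https://www.google.com:443",
    "2024-12-25T03:14:09Z 10.0.4.21 POST https://api.ext-c2.invalid/collect",
    "2024-12-25T03:15:00Z 10.0.7.9 query: cdn-update.invalid A",
    "2024-12-25T03:16:30Z 10.0.7.9 GET https://example.com/index.html",
]


def build_sample_profile(root):
    """Write a fake Chrome profile tree with one flagged and one clean install."""
    for ext_id, ver, name in [
        ("aaaabbbbccccddddeeeeffffgggghhhh", "2.0.1", "Flagged Ext"),
        ("ppppoooonnnnmmmmllllkkkkjjjjiiii", "9.9.9", "Clean Ext"),
    ]:
        d = Path(root) / "Extensions" / ext_id / f"{ver}_0"
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(
            json.dumps({"manifest_version": 3, "name": name, "version": ver}))
    return root


def demo():
    """Run both checks against the constructed data; returns (ext_hits, net_hits)."""
    with tempfile.TemporaryDirectory() as tmp:
        ext_hits = find_flagged_extensions(build_sample_profile(tmp))
    return ext_hits, scan_log_lines(SAMPLE_LOG)


if __name__ == "__main__":
    ext_hits, net_hits = demo()
    for h in ext_hits:
        print("flagged extension installed:", h)
    for h in net_hits:
        print("contact with C2 domain:", h)
```

On a real fleet, point `find_flagged_extensions` at each user's Chrome profile directory (for example `~/.config/google-chrome/Default` on Linux, or the equivalent under `%LOCALAPPDATA%` on Windows) and feed `scan_log_lines` the proxy or DNS resolver logs covering the window in which the malicious version was live. Matching on subdomains matters because exfiltration endpoints are often hosted under a subdomain of the registered C2 domain.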
Despite the attack, Cyberhaven assured customers that no other Cyberhaven accounts or systems were compromised, and it is helping affected users determine whether any of their data was exfiltrated while the malicious version was installed. The incident is a reminder that an extension's update channel is part of its attack surface: a single phished publishing account can turn a security product into a data-theft tool for every browser that auto-updates it. Collaboration between security researchers, law enforcement agencies, and the platform operators remains essential to shutting such campaigns down.