Threat actors injected code that steals user information into at least five Chrome extensions, including one published by Cyberhaven.
Cyberhaven, a data loss prevention vendor, told its customers that the breach occurred on Christmas Eve. The attack began with a successful phishing email that compromised an employee's administrator account for the Chrome Web Store.
The attacker took over that account and published a malicious version (24.10.4) of the Cyberhaven extension containing code that exfiltrated authenticated sessions and cookies to an attacker-controlled domain.
Cyberhaven said that its internal security team detected the compromise and removed the malicious version from the store within an hour of spotting it.
A clean version of the extension followed on December 26, almost 48 hours after the malicious version was identified. Cyberhaven also advised users of its extension to revoke and rotate every password not protected by FIDO2, rotate all API tokens, and review browser logs for suspicious activity.
Following Cyberhaven's disclosure, a security researcher extended the investigation by pivoting on the attacker's IP addresses and registered domains. The researcher found that the same code snippet, which let the extension receive commands from the attacker, had been injected at the same time into other Chrome extensions, including Internxt VPN, VPNCity, Uvoice, and ParrotTalks.
The researchers also identified further domains pointing to other potential victims, but could not verify that those extensions were compromised; only the extensions named above are confirmed to have carried the injected code.
Users of these extensions are advised to uninstall them or update to a clean version published on or after December 26, after confirming that the publisher has acknowledged the compromise and removed the malicious code.
Users who do not trust the update can instead uninstall the extension, reset the passwords of important accounts, clear browser data, and restore browser settings to their defaults.
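The advice above amounts to "find out whether one of the named extensions, or the known-bad Cyberhaven build, is installed". The script below is an added example, not code from the report, from Cyberhaven, or from the researcher: it walks a Chrome profile's on-disk extension store (Chrome unpacks each extension under `<profile>/Extensions/<extension-id>/<version>_<n>/manifest.json`), resolves localized names from `_locales`, and flags matches. The extension names and the compromised version 24.10.4 come from the article; the extension IDs in the built-in demo profile (`aaaa`, `bbbb`, `cccc`) are placeholders, not the real store IDs, and the verdict wording is this example's own.

```python
"""Scan a Chrome/Chromium profile for the extensions named in this incident.

Added example, not Cyberhaven's or any researcher's code. Chrome unpacks
each installed extension under
    <profile>/Extensions/<extension-id>/<version>_<n>/manifest.json
The extension IDs in demo() are placeholders, not the real store IDs.
"""
import json
import os
import sys
import tempfile
from pathlib import Path

# Names from the report, matched case-insensitively against the manifest "name".
SUSPECT_NAMES = {"cyberhaven", "internxt vpn", "vpncity", "uvoice", "parrottalks"}
# The report gives a compromised version number only for Cyberhaven.
KNOWN_BAD_VERSIONS = {"cyberhaven": {"24.10.4"}}


def default_profile_dir():
    """Usual location of the default Chrome profile on each platform."""
    home = Path.home()
    if sys.platform.startswith("win"):
        return Path(os.environ.get("LOCALAPPDATA", home)) / "Google" / "Chrome" / "User Data" / "Default"
    if sys.platform == "darwin":
        return home / "Library" / "Application Support" / "Google" / "Chrome" / "Default"
    return home / ".config" / "google-chrome" / "Default"


def display_name(manifest, ext_dir):
    """Resolve a manifest name; localized names look like __MSG_key__ and live in _locales."""
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        key = name[6:-2]
        msg_file = ext_dir / "_locales" / manifest.get("default_locale", "en") / "messages.json"
        if msg_file.is_file():
            msgs = json.loads(msg_file.read_text(encoding="utf-8"))
            name = msgs.get(key, {}).get("message", name)
    return name


def scan_profile(profile_dir):
    """Return (extension_id, name, version, verdict) for every suspect extension found."""
    findings = []
    ext_root = Path(profile_dir) / "Extensions"
    if not ext_root.is_dir():
        return findings
    for ext_id_dir in sorted(p for p in ext_root.iterdir() if p.is_dir()):
        for ver_dir in sorted(p for p in ext_id_dir.iterdir() if p.is_dir()):
            manifest_path = ver_dir / "manifest.json"
            if not manifest_path.is_file():
                continue
            try:
                manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue  # unreadable manifest; nothing to classify
            name = display_name(manifest, ver_dir)
            version = str(manifest.get("version", ""))
            key = name.strip().lower()
            if key not in SUSPECT_NAMES:
                continue
            if key in KNOWN_BAD_VERSIONS:
                if version in KNOWN_BAD_VERSIONS[key]:
                    verdict = "MALICIOUS: compromised build, uninstall and rotate sessions, passwords and API tokens"
                else:
                    verdict = "OK: not the known compromised version"
            else:
                # Named in the incident but no version given in the report: manual review.
                verdict = "REVIEW: named in the incident, confirm the installed build postdates the clean release"
            findings.append((ext_id_dir.name, name, version, verdict))
    return findings


def _write_manifest(profile, ext_id, version, manifest, messages=None):
    """Create a fake unpacked extension in Chrome's layout (constructed test data)."""
    ver_dir = Path(profile) / "Extensions" / ext_id / f"{version}_0"
    ver_dir.mkdir(parents=True)
    (ver_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    if messages is not None:
        loc = ver_dir / "_locales" / "en"
        loc.mkdir(parents=True)
        (loc / "messages.json").write_text(json.dumps(messages), encoding="utf-8")


def demo():
    """Build a constructed profile with placeholder extension IDs and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        _write_manifest(tmp, "aaaa", "24.10.4", {"name": "Cyberhaven", "version": "24.10.4"})
        _write_manifest(tmp, "aaaa", "24.10.5", {"name": "Cyberhaven", "version": "24.10.5"})
        _write_manifest(tmp, "bbbb", "1.2.3",
                        {"name": "__MSG_appName__", "default_locale": "en", "version": "1.2.3"},
                        messages={"appName": {"message": "VPNCity"}})
        _write_manifest(tmp, "cccc", "9.9", {"name": "Some Unrelated Extension", "version": "9.9"})
        return scan_profile(tmp)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else default_profile_dir()
    for ext_id, name, version, verdict in scan_profile(target):
        print(f"{ext_id}  {name} {version}  {verdict}")
```

Run it with a profile path as the only argument (or with no argument to use the default profile location). A MALICIOUS hit means the compromised build was installed at some point, so the credential rotation described above applies even if a newer version is also present; a REVIEW hit only means the extension is one of those named in the report, since the article gives no version numbers for them.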
