Pierluigi Paganini
December 31, 2024
A supply chain attack compromised 16 Chrome browser extensions, exposing over 600,000 users.
Threat actors targeted the publishers of the extensions on the Chrome Web Store via phishing messages, then once obtained access to their account inserted a malicious code into the code of the extensions.
The malicious code allowed attackers to steal cookies and access tokens.
One of the victims of this campaign is the cybersecurity firm Cyberhaven, on December 24 attackers published a malware-laced version of their Chrome extension.
“On December 24, a phishing attack compromised a Cyberhaven employee’s credentials to the Google Chrome Web Store. The attacker used these credentials to publish a malicious version of our Chrome extension (version 24.10.4).” reads a post on the incident published by Cyberhaven. “Our security team detected this compromise at 11:54 PM UTC on December 25 and removed the malicious package within 60 minutes.”
The phishing email, posing as Google Chrome Web Store Developer Support, warns the employee of the extension removal for policy violations. The message urges the recipient to accept the publishing policy.
Once the recipient clicked on the email, the employee unknowingly authorized a malicious OAuth app via Google’s standard authorization flow, despite using MFA and Google Advanced Protection.
“The attacker gained requisite permissions via the malicious application (“Privacy Policy Extension”) and uploaded a malicious Chrome extension to the Chrome Web Store. After the customary Chrome Web Store Security review process, the malicious extension was approved for publication.” reads the report published by Cyberhaven. “This malicious extension (24.10.4) was essentially based on a clean prior version of the official Cyberhaven Chrome extension. The attacker made a copy of the clean extension and added some malicious code to create a new malicious extension. This extension was uploaded to the Chrome webstore and replaced the clean official Cyberhaven Chrome extension. The malicious Chrome extension was now available and distributed to a portion of our customer base.”
The attackers only compromised version 24.10.4 of the Cyberhaven Chrome extension.
Only Chrome-based browsers that auto-updated between 1:32 AM UTC on December 25 and 2:50 AM UTC on December 26 were impacted.
The malicious extension used two files: worker.js contacted a hardcoded C&C server to download configuration and executed HTTP calls, and content.js that collected user data from targeted websites and exfiltrated it to a malicious domain specified in the C&C payload.
“Based on our initial research so far, this was a non-targeted attack, and part of a wider campaign, aimed at Facebook Ads users. We are working with our customers and an external third-party security response team to help us analyze and investigate further. We will post more updates as we have more findings.” concludes the report published by Cyberhaven.
Researchers at security firm Secure Annex further investigated the attack and discovered that other Chrome browser extensions were compromised:
The researchers noticed that the extension “Earny” was last updated on April 5th, 2023 and has been compromised since then.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
Pierluigi Paganini(SecurityAffairs –hacking, Google Chrome)
