- New details have emerged regarding recent cyberattack
- A malicious Google Chrome extension led to 400,000 users being infected with malware
- Attackers were reportedly planning the campaign as early as March 2024
The recent cyberattack which hit security firm Cyberhaven and then affected a number of Google Chrome extenions may have been part of a ‘wider campaign’, new research has claimed.
A BleepingComputer investigation found the same code was injected into at least 35 Google Chrome extensions, which are being used by roughly 2.6 million users worldwide. This led to 400,000 devices being infected with malicious code through the CyberHaven extensions.
The campaign started as early as December 5, over two weeks earlier than first suspected, although command and control subdomains have been found dating back as far as March 2024.
Data loss prevention
Ironically, cybersecurity firm Cyberhaven is a startup which provides a Google Chrome extension aimed at preventing sensitive data loss from unapproved platforms, such as Facebook or ChatGPT.
In this particular case, the attack originated from a phishing email against a developer, which posed as a Google notification alerting the administrator that an extension was in breach of Chrome Web Store policies and at risk of being removed. The developer was encouraged to allow a ‘Privacy Policy Extension’, which then granted attackers permissions and allowed access.
After this, a new malicious version of the extension was uploaded, which bypassed Google’s security checks, and was spread to around 400,000 users thanks to automatic extension updates on Chrome.
It has now been discovered the attackers were aiming to collect Facebook data from victims through the extensions, and domains used in the attack were registered and tested back in March 2024, before a new set was created in November and December ahead of the incident.
“The employee followed the standard flow and inadvertently authorized this malicious third-party application,” Cyberhaven said in a statement.
“The employee had Google Advanced Protection enabled and had MFA covering his account. The employee did not receive an MFA prompt. The employee’s Google credentials were not compromised.”
Leave a comment