StockInsight360

Hackers Hijack Legitimate Chrome Extensions to Steal User Data

A sophisticated cyberattack campaign has been uncovered in which malicious code was inserted into multiple Chrome browser extensions as far back as mid-December. The campaign, reported by Reuters, appears designed to steal browser cookies and authentication sessions from users of specific social media advertising and AI platforms.

The Targeted Extensions

According to a blog post from Cyberhaven, one of the companies that was targeted in this attack, the malicious code was inserted into their data loss prevention extension. This extension is used by companies to monitor and control sensitive data on their employees’ devices.

Cyberhaven has identified several other extensions that may have been affected by this attack, including:

  • Internxt VPN
  • VPNCity
  • Uvoice
  • ParrotTalks

The Malicious Code

Security researchers believe that the malicious code was inserted into these extensions through a phishing email. The code appears to be designed specifically to target Facebook Ads accounts.

However, security researcher Jaime Blasco has suggested that the attack may not have been targeted at Cyberhaven specifically, but rather was "just random". He has also found evidence of other VPN and AI extensions containing the same malicious code.

Timeline of Events

Cyberhaven has released a detailed timeline of events surrounding this attack:

  • December 24th: Hackers pushed an update (version 24.10.4) of the Cyberhaven data loss prevention extension containing the malicious code.
  • December 25th:
    • 6:54 PM ET: Cyberhaven discovered the malicious code and removed it within an hour.
    • 9:50 PM ET: The code was still active, allowing attackers to potentially steal sensitive information from affected users.
  • December 26th: Cyberhaven released a clean version of their extension (version 24.10.5).

Recommendations for Affected Companies

Cyberhaven has provided recommendations for companies that may have been affected by this attack:

  1. Check your logs for suspicious activity and revoke or rotate any passwords not using the FIDO2 multifactor authentication standard.
  2. Take immediate action to secure your accounts and prevent further potential attacks.

Prevention is Key

While the attack was discovered in December, it’s essential to remain vigilant and proactive when it comes to cybersecurity. Companies should regularly review their browser extensions and ensure they are using reputable and trustworthy software.

By taking these precautions, organizations can minimize their risk of falling victim to similar cyberattacks in the future.
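One way to carry out the extension review recommended above, as an added example that is not code from Cyberhaven or the original article: a Python script that walks a Chrome profile's `Extensions` directory, resolves each extension's display name, and flags the extensions named in the article, marking Cyberhaven version 24.10.4 as known-bad. Matching on the manifest display name is an assumption, since the article gives no extension IDs.

```python
import json
import sys
from pathlib import Path

# Names and the trojanized version come from the article; matching on the
# manifest display name is an assumption (the article gives no extension IDs).
BAD_VERSIONS = {"cyberhaven": {"24.10.4"}}
WATCHLIST = ["cyberhaven", "internxt vpn", "vpncity", "uvoice", "parrottalks"]

def load_json(path: Path) -> dict:
    # Tolerate unreadable or malformed files (and a UTF-8 BOM).
    try:
        data = json.loads(path.read_text(encoding="utf-8-sig"))
        return data if isinstance(data, dict) else {}
    except (OSError, ValueError):
        return {}

def display_name(ext_dir: Path, manifest: dict) -> str:
    # Localized extensions store "__MSG_key__"; resolve it via _locales.
    name = str(manifest.get("name", ""))
    if name.startswith("__MSG_") and name.endswith("__"):
        locale = manifest.get("default_locale", "en")
        msgs = load_json(ext_dir / "_locales" / locale / "messages.json")
        by_key = {k.lower(): v for k, v in msgs.items()}
        entry = by_key.get(name[6:-2].lower(), {})
        name = entry.get("message", name) if isinstance(entry, dict) else name
    return name

def audit_profile(profile: Path) -> list:
    # Chrome layout: <profile>/Extensions/<extension id>/<version dir>/manifest.json
    findings = []
    for mf in sorted(profile.glob("Extensions/*/*/manifest.json")):
        manifest = load_json(mf)
        name = display_name(mf.parent, manifest)
        version = str(manifest.get("version", ""))
        hit = next((w for w in WATCHLIST if w in name.lower()), None)
        if hit:
            bad = version in BAD_VERSIONS.get(hit, set())
            findings.append({"id": mf.parent.parent.name, "name": name,
                             "version": version,
                             "status": "known-bad" if bad else "review"})
    return findings

if __name__ == "__main__":
    # Usage: python audit.py "<path to a Chrome profile directory>"
    for finding in audit_profile(Path(sys.argv[1])):
        print(finding)
```

A host that now shows version 24.10.5 may still have run 24.10.4 during the exposure window, so listed extensions at other versions are reported as `review` rather than cleared.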

Conclusion

The recent cyberattack campaign targeting Chrome browser extensions is a stark reminder of the importance of robust cybersecurity measures. While Cyberhaven has acted quickly to remove the malicious code and release a clean version of their extension, it’s essential for companies to remain proactive and vigilant when it comes to protecting sensitive information from potential threats.

As Jaime Blasco noted, "this attack was likely just random", but that doesn’t diminish the severity of its impact. Companies must take immediate action to secure their accounts and prevent further potential attacks.