While I was spending my morning building a new virtual machine library on my MacBook Pro, a reader sent me a text message with this link that anyone who uses browser extensions in general, and specifically Chrome browser extensions should read:
At least five Chrome extensions were compromised in a coordinated attack where a threat actor injected code that steals sensitive information from users.
One attack was disclosed by Cyberhaven, a data loss prevention company that alerted its customers of a breach on December 24 after a successful phishing attack on an administrator account for the Google Chrome store.
Among Cyberhaven’s customers are Snowflake, Motorola, Canon, Reddit, AmeriHealth, Cooley, IVP, Navan, DBS, Upstart, and Kirkland & Ellis.
The hacker hijacked the employee’s account and published a malicious version (24.10.4) of the Cyberhaven extension, which included code that could exfiltrate authenticated sessions and cookies to the attacker’s domain (cyberhavenext[.]pro).
Cyberhaven’s internal security team removed the malicious package within an hour since its detection, the company says in an email to its customers.
A clean version of the extension, v24.10.5 was published on December 26. Apart from upgrading to the latest version, users of the Cyberhaven Chrome extension are recommended to revoke passwords that aren’t FIDOv2, rotate all API tokens, and review browser logs to evaluate malicious activity.
Yikes! At least this cybersecurity company took action quickly and notified their customers. Who looking at the list aren’t small.
But this story isn’t over:
Following Cyberhaven’s disclosure, Nudge Security researcher Jaime Blasco took the investigation further, pivoting from the attacker’s IP addresses and registered domains.
According to Blasco, the malicious code snippet that let the extension receive commands from the attacker was also injected around the same time in other Chrome extensions:
- Internxt VPN – Free, encrypted, unlimited VPN for secure browsing. (10,000 users)
- VPNCity – Privacy-focused VPN with AES 256-bit encryption and global server coverage. (50,000 users)
- Uvoice – Rewards-based service for earning points through surveys and providing PC usage data. (40,000 users)
- ParrotTalks – Information search tool specializing in text and seamless note-taking. (40,000 users)
Blasco found more domains that point to other potential victims but only the extensions above were confirmed to carry the malicious code snippet.
Cybersecurity researcher John Tuckner has found an additional set of extensions which also had the same malicious snippet injected on their code.
These are Bookmark Favicon Changer, Castorus, Wayin AI, Search Copilot AI Assistant, VidHelper, Vidnoz Flex, TinaMind, Primus, AI Shop Buddy, Sort by Oldest, Earny, ChatGPT Assistant, Keyboard History Recorder, and Email Hunter.
The additional set of extensions infected by the data stealing code have a collective download count of almost 380,000.
There have also been additional cases of compromise such as Visual Effects for Google Meet, Rewards Search Automator, Tackker, Bard AI chat, and Reader Mode, but these have been removed from Chrome’s Web Store.
This situation I acknowledge is a worst case scenario. But bad browser extensions can do anything from swipe passwords or steal data among other things. Having said that, supply chain attacks like this one are becoming more common. Thus this highlights why you need to be extremely careful about what extensions or software you install on your computer. Otherwise you might be on the wrong end of something that’s really, really bad.
A Major Supply Chain Attack Via Hijacked Chrome Extensions Has Just Happened.
Posted in Commentary with tags Hacked on December 30, 2024 by itnerdWhile I was spending my morning building a new virtual machine library on my MacBook Pro, a reader sent me a text message with this link that anyone who uses browser extensions in general, and specifically Chrome browser extensions should read:
At least five Chrome extensions were compromised in a coordinated attack where a threat actor injected code that steals sensitive information from users.
One attack was disclosed by Cyberhaven, a data loss prevention company that alerted its customers of a breach on December 24 after a successful phishing attack on an administrator account for the Google Chrome store.
Among Cyberhaven’s customers are Snowflake, Motorola, Canon, Reddit, AmeriHealth, Cooley, IVP, Navan, DBS, Upstart, and Kirkland & Ellis.
The hacker hijacked the employee’s account and published a malicious version (24.10.4) of the Cyberhaven extension, which included code that could exfiltrate authenticated sessions and cookies to the attacker’s domain (cyberhavenext[.]pro).
Cyberhaven’s internal security team removed the malicious package within an hour since its detection, the company says in an email to its customers.
A clean version of the extension, v24.10.5 was published on December 26. Apart from upgrading to the latest version, users of the Cyberhaven Chrome extension are recommended to revoke passwords that aren’t FIDOv2, rotate all API tokens, and review browser logs to evaluate malicious activity.
Yikes! At least this cybersecurity company took action quickly and notified their customers. Who looking at the list aren’t small.
But this story isn’t over:
Following Cyberhaven’s disclosure, Nudge Security researcher Jaime Blasco took the investigation further, pivoting from the attacker’s IP addresses and registered domains.
According to Blasco, the malicious code snippet that let the extension receive commands from the attacker was also injected around the same time in other Chrome extensions:
Blasco found more domains that point to other potential victims but only the extensions above were confirmed to carry the malicious code snippet.
Cybersecurity researcher John Tuckner has found an additional set of extensions which also had the same malicious snippet injected on their code.
These are Bookmark Favicon Changer, Castorus, Wayin AI, Search Copilot AI Assistant, VidHelper, Vidnoz Flex, TinaMind, Primus, AI Shop Buddy, Sort by Oldest, Earny, ChatGPT Assistant, Keyboard History Recorder, and Email Hunter.
The additional set of extensions infected by the data stealing code have a collective download count of almost 380,000.
There have also been additional cases of compromise such as Visual Effects for Google Meet, Rewards Search Automator, Tackker, Bard AI chat, and Reader Mode, but these have been removed from Chrome’s Web Store.
This situation I acknowledge is a worst case scenario. But bad browser extensions can do anything from swipe passwords or steal data among other things. Having said that, supply chain attacks like this one are becoming more common. Thus this highlights why you need to be extremely careful about what extensions or software you install on your computer. Otherwise you might be on the wrong end of something that’s really, really bad.
Leave a comment »