Chrome Extension Hacked: A Wake-Up Call for Users


eSecForte

A new attack campaign has recently rocked the world of Chrome browser extensions, leading to a significant security breach. At least “35 popular extensions” have been compromised, potentially putting over 2.6 million users at risk. The exposed information includes login details, personal data, and browsing history, making this attack a serious threat to privacy.

Cyberhaven, a cybersecurity firm, was the first to report the breach after one of its employees fell victim to a phishing attack on December 24. This allowed the threat actors to publish a malicious version of a popular extension. The attack highlights the vulnerability of trusted extensions and the importance of robust security practices for developers.

Source: bleepstatic.com

Phishing Attack Compromises Cyberhaven’s Chrome Extension:

On December 24, 2024, Cyberhaven fell victim to a phishing attack that led to the compromise of an employee’s access to the Google Chrome Web Store. This breach allowed the attacker to publish a malicious version (24.10.4) of Cyberhaven’s Chrome extension.

As the investigation unfolds, here’s an overview of the incident and what we know so far:

Key Details of the Attack

1. Target Focus:

The attack was part of a broader campaign targeting Chrome extension developers across various companies. Its primary focus appeared to be compromising Facebook Ads accounts.

2. Phishing Entry Point:

The attacker used a phishing email to deceive a Cyberhaven employee into authorizing a fraudulent Google OAuth application named “Privacy Policy Extension.”

3. Google OAuth Exploitation:

Once authorized, the malicious application gained access to sensitive permissions, bypassing standard Google multi-factor authentication (MFA) mechanisms.

4. Malicious Extension Deployment:

With these permissions, the attacker successfully uploaded a compromised version (24.10.4) of Cyberhaven’s Chrome extension to the Chrome Web Store, exposing unsuspecting users to potential threats.

Known Affected Extensions in the Campaign:

Key Components of the Malicious Extension

The extension contained two core files responsible for its operation:

1. Worker.js

Functionality:

Communicated with a Command-and-Control (C&C) server.

Downloaded configuration data to dynamically adjust its behaviors.

Registered event listeners to monitor user activity.

2. Content.js

Functionality:

Collected sensitive user data (Facebook access tokens, user IDs, cookies).

Exfiltrated the stolen data to the C&C server for further exploitation.

Targeted Domains and Attack Objectives: The malicious code focused on Facebook domains, with particular emphasis on users managing Facebook Ads. The primary goals of the attack were:

Data Exfiltration: Harvesting sensitive information to compromise user accounts or gain unauthorized access to Facebook Ads accounts.

Bypassing Security Mechanisms: Assisting attackers in bypassing CAPTCHA challenges and Two-Factor Authentication (2FA) using QR code-based mechanisms.

Indicators of Compromise (IoCs): Malicious Browser Extension Targeting Facebook Ads

Extension Details

Malicious Extension Version: 24.10.4

Hash (SHA-256): DDF8C9C72B1B1061221A597168F9BB2C2BA09D38D7B3405E1DACE37AF1587944

Malicious Files: The extension contained the following files responsible for its malicious activities:

worker.js Hash: 0B871BDEE9D8302A48D6D6511228CAF67A08EC60

content.js Hash: AC5CC8BCC05AC27A8F189134C2E3300863B317FB

Command-and-Control (C&C) Communication

The extension established connections with the following domains and IP addresses to exfiltrate data and receive instructions:

Domains:

cyberhavenext[.]pro

api.cyberhaven[.]pro

IPs:

149.28.124[.]84

149.248.2[.]160

Mitigating Risks from Compromised Browser Extensions

Uninstall Compromised Extensions: Immediately remove any affected extensions from all browsers across your organization to prevent further malicious activity.

Reset Credentials: Change passwords for all systems or accounts accessed using browsers where the compromised extensions were installed, and ensure that new passwords follow strong security guidelines to prevent brute-force attacks.

Enable Multi-Factor Authentication (MFA): Activate MFA for all accounts to provide an additional layer of security. This reduces the risk of unauthorized access, even if credentials are compromised.
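The IoCs listed above (the malicious version, the two file hashes, the C&C domains and IPs) are what an organization actually hunts with before uninstalling and resetting credentials. The script below is an added example, not code from the article or from Cyberhaven: it walks a Chrome profile's Extensions directory and flags manifests matching the malicious Cyberhaven build or files matching the listed hashes, and it scans proxy log lines for the C&C domains and IPs. The 40-character per-file hashes are treated as SHA-1 (an assumption; the article does not name the algorithm), the `Extensions/<id>/<version>/` layout follows Chrome's usual on-disk profile structure, and the log format and sample data are constructed for the demo.

```python
"""Hunt for the compromised Cyberhaven extension build on an endpoint and in proxy logs.

Added illustration, not code from the article or from Cyberhaven. The IoC values
below are copied from the article; everything else (directory layout, log format,
sample data) is a constructed assumption.
"""
import hashlib
import json
import re
import tempfile
from pathlib import Path

# Indicators listed in the article. The two per-file hashes are 40 hex characters,
# so they are treated as SHA-1 here (assumption: the article does not name the algorithm).
MALICIOUS_VERSION = "24.10.4"
MALICIOUS_FILE_SHA1 = {
    "worker.js": "0b871bdee9d8302a48d6d6511228caf67a08ec60",
    "content.js": "ac5cc8bcc05ac27a8f189134c2e3300863b317fb",
}
C2_DOMAINS = {"cyberhavenext.pro", "api.cyberhaven.pro"}
C2_IPS = {"149.28.124.84", "149.248.2.160"}


def sha1_of(path: Path) -> str:
    return hashlib.sha1(path.read_bytes()).hexdigest()


def scan_extension_dir(extensions_root: Path) -> list[dict]:
    """Walk <profile>/Extensions/<id>/<version>/ and report IoC matches.

    A file-hash match is definitive; a name+version match is a weaker indicator,
    because the version string alone is not unique to the malicious build.
    """
    findings = []
    for manifest in sorted(extensions_root.glob("*/*/manifest.json")):
        version_dir = manifest.parent
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash the sweep
        name = str(data.get("name", ""))
        version = str(data.get("version", ""))
        if version == MALICIOUS_VERSION and "cyberhaven" in name.lower():
            findings.append({"path": str(version_dir), "indicator": "version",
                             "detail": f"{name} {version}", "confidence": "medium"})
        for fname, bad_hash in MALICIOUS_FILE_SHA1.items():
            candidate = version_dir / fname
            if candidate.is_file() and sha1_of(candidate) == bad_hash:
                findings.append({"path": str(candidate), "indicator": "file-hash",
                                 "detail": bad_hash, "confidence": "high"})
    return findings


# Hostnames and IPs are pulled out as bare tokens so the matcher is log-format agnostic.
_TOKEN_RE = re.compile(r"[A-Za-z0-9.\-]+")


def scan_proxy_log(lines) -> list[tuple[str, str]]:
    """Return (line, matched_indicator) for lines that reference a C&C domain or IP."""
    hits = []
    for line in lines:
        for token in _TOKEN_RE.findall(line):
            t = token.lower().rstrip(".")
            if t in C2_IPS or t in C2_DOMAINS or any(t.endswith("." + d) for d in C2_DOMAINS):
                hits.append((line, t))
                break  # one hit per line is enough
    return hits


# Constructed sample proxy lines (not real traffic): two touch listed IoCs, one is benign.
SAMPLE_PROXY_LOG = [
    "2024-12-25T01:02:03Z src=10.0.0.12 dest=api.cyberhaven.pro:443 method=POST bytes=812",
    "2024-12-25T01:02:05Z src=10.0.0.12 dest=www.example.com:443 method=GET bytes=4021",
    "2024-12-25T01:03:10Z src=10.0.0.44 dest=149.248.2.160:443 method=POST bytes=1290",
]


def build_demo_profile() -> Path:
    """Create a throwaway Extensions/ tree with one suspicious and one benign extension."""
    root = Path(tempfile.mkdtemp()) / "Extensions"
    bad = root / "constructedextensionid000000000001" / "24.10.4_0"
    bad.mkdir(parents=True)
    (bad / "manifest.json").write_text(json.dumps(
        {"name": "Cyberhaven (constructed sample)", "version": "24.10.4", "manifest_version": 3}))
    (bad / "worker.js").write_text("// constructed placeholder; its hash will not match the IoC\n")
    good = root / "constructedextensionid000000000002" / "1.2.3_0"
    good.mkdir(parents=True)
    (good / "manifest.json").write_text(json.dumps(
        {"name": "Harmless Notes", "version": "1.2.3", "manifest_version": 3}))
    return root


if __name__ == "__main__":
    for finding in scan_extension_dir(build_demo_profile()):
        print("EXTENSION", finding)
    for line, ioc in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("NETWORK", ioc, "<-", line)
```

On a real endpoint, point `scan_extension_dir` at the profile's Extensions folder (for example `~/.config/google-chrome/Default/Extensions` on Linux or `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions` on Windows) and feed `scan_proxy_log` the exported proxy or DNS log. A hash hit on `worker.js` or `content.js` should trigger the uninstall and credential-reset steps above immediately; a version-only hit on a Cyberhaven extension warrants the same treatment but should be confirmed against the file hashes, since the demo shows that the version string matches even when the files do not.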

Key takeaways from the attack include:

The use of phishing techniques to compromise developer credentials, bypassing even advanced security measures like MFA.

The sophistication of malicious extensions, capable of stealing user data, exfiltrating Facebook credentials, and bypassing CAPTCHA and 2FA mechanisms.

The importance of proactive organizational measures, such as auditing extensions, enforcing MFA, and resetting credentials, to mitigate risks.

Organizations must recognize that browser extensions, while offering enhanced functionality, can be exploited as attack vectors. Robust extension management policies, employee training, and continuous monitoring are essential to prevent future compromises.

This incident highlights the need for a collective effort from browser vendors, developers, and users to improve extension security, enforce stricter verification mechanisms, and minimize the attack surface available to cybercriminals.

The recent attack on Chrome extensions serves as a stark reminder of the vulnerabilities inherent in browser add-ons. The compromise of over 35 extensions, potentially affecting millions of users, underscores the significant risk posed by phishing attacks and the exploitation of trusted platforms like the Chrome Web Store. This breach, which targeted sensitive data and bypassed advanced security mechanisms such as MFA, demonstrates the growing sophistication of cyber threats.

Key lessons from this incident emphasize the critical need for robust extension security, vigilant monitoring, and proactive measures by organizations and developers alike. By implementing strong credential policies, conducting regular audits, and enhancing user awareness, stakeholders can better protect against similar attacks in the future. Ultimately, a collective effort is required to bolster security, reduce the attack surface, and safeguard user data from evolving cyber threats.

For more contact:

LinkedIn: https://www.linkedin.com/company/esecforte-technologies

Website: https://www.esecforte.com/