Users of Cyberhaven’s Data-Loss Prevention Chrome Extension Among Those Targeted

Chrome browser extensions are magnets for hackers who turn them against their users, in a reminder of how cybersecurity is never an end state, but a process.
One such extension is built by cybersecurity startup Cyberhaven, which offers an eponymous Chrome browser extension designed to safeguard corporate data from insider threats, including accidental exposure.
The San Jose, California-based startup, led by former Nutanix and Palo Alto Networks executive Howard Ting, warned customers directly on Thursday that attackers may have exfiltrated data from users of its Chrome browser extension (see: Cyberhaven Secures $88M to Strengthen Data Security Platform).
Cyberhaven told customers “the attacker used the access gained in this attack to publish a malicious Chrome extension (version 24.10.4) to the Chrome Web Store in the early morning of Dec. 25.”
The attack “only impacted machines running Chrome-based browsers that were updated via the Google Chrome Web Store,” and information may have been stolen from any system using the vulnerable extension, but only if the machines “were online between 1:32 a.m. UTC on Dec. 25 and 2:50 a.m. UTC on Dec. 26,” it said.
Cyberhaven CEO Howard Ting on Friday said his company first detected the attack at 11:54 p.m. UTC on Wednesday and “removed the malicious package within 60 minutes of detection,” then issued version 24.10.5, which is safe. He said the attack against users of its extension appeared to be designed at least in part to target Facebook Ads accounts, and to steal Facebook access tokens.
The company has hired third-party incident response firm Mandiant to investigate and said it’s also sharing information with federal law enforcement.
Wider Campaign
The attacks appear to be part of a larger, possibly long-running and opportunistic campaign, said veteran cybersecurity researcher Jaime Blasco, co-founder and CTO at Nudge Security.
Blasco said in a LinkedIn post he’s confirmed that the same attackers appear to have also compromised a number of other Chrome extensions, including Internxt VPN, VPNCity, Uvoice and ParrotTalks.
“I recommend you search for them in your environment,” he said. “Also look for any traffic to 149.28.124.84,” which is the IP address of the attacker’s command-and-control server.
Blasco said the compromised extensions connect with a number of domain names that appear to resolve to that same IP address, all of which appeared around the same time. Some of those domain names include bookmarkfc.info, cyberhavenext.pro, parrottalks.info, uvoice.live and vpncity.live, which ape the targeted extensions.
Other domain names that have resolved to that IP address via DNS forwarding include castorus.info, censortracker.pro, ext.linewizeconnect.com, iobit.pro, moonsift.store, readermodeext.info, wayinai.live, yescaptcha.pro and yujaverity.info. Blasco said extensions with those names may have been targeted, in an attack campaign that began earlier this year.
“It seems it wasn’t targeted against Cyberhaven, but rather opportunistically targeting extension developers,” Blasco told TechCrunch. “I think they went after the extensions that they could, based on the developers’ credentials that they had.”
Responding to Blasco’s findings, other researchers report identifying further subverted Chrome extensions, based on their communicating with the IP address used by attackers, including Bookmark Favicon Changer.
Aside from Cyberhaven, which of the other subverted extensions have been fixed isn’t clear.
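As an added example, not code from Cyberhaven or from the researchers quoted here: a short Python hunt that checks constructed proxy-log lines against the IP address and domains listed above, marks which connections fall inside the exposure window Cyberhaven gave, and flags hosts still running the malicious 24.10.4 build. The log line format, the inventory format, the "Cyberhaven" extension-name key and the year (2024, which the article does not state) are assumptions.

```python
from datetime import datetime, timezone

# Indicators as listed in the article: the C2 IP and the domains that resolved to it.
C2_IP = "149.28.124.84"
C2_DOMAINS = {
    "bookmarkfc.info", "cyberhavenext.pro", "parrottalks.info", "uvoice.live",
    "vpncity.live", "castorus.info", "censortracker.pro",
    "ext.linewizeconnect.com", "iobit.pro", "moonsift.store",
    "readermodeext.info", "wayinai.live", "yescaptcha.pro", "yujaverity.info",
}
MALICIOUS_VERSION = "24.10.4"  # malicious Cyberhaven build per the company's notice
# Exposure window from the notice (the article gives no year; 2024 is assumed here).
WINDOW = (datetime(2024, 12, 25, 1, 32, tzinfo=timezone.utc),
          datetime(2024, 12, 26, 2, 50, tzinfo=timezone.utc))

def parse_log_line(line):
    """Assumed log format: '<ISO8601 UTC timestamp> <host> <fqdn> <resolved ip>'."""
    ts, host, fqdn, ip = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), host, fqdn.lower(), ip

def ioc_hits(log_lines):
    """Return (host, timestamp, matched indicator, inside_window) for every hit.
    Matching on the IP as well as the domain catches DNS-forwarded names not listed."""
    hits = []
    for line in log_lines:
        ts, host, fqdn, ip = parse_log_line(line)
        matched = fqdn if fqdn in C2_DOMAINS else (ip if ip == C2_IP else None)
        if matched:
            hits.append((host, ts, matched, WINDOW[0] <= ts <= WINDOW[1]))
    return hits

def exposed_hosts(inventory):
    """inventory: {host: {extension_name: version}}; hosts still on the bad build."""
    return sorted(h for h, exts in inventory.items()
                  if exts.get("Cyberhaven") == MALICIOUS_VERSION)

# Constructed sample data, not real telemetry.
SAMPLE_LOG = [
    "2024-12-25T02:10:00Z ws-17 cyberhavenext.pro 149.28.124.84",
    "2024-12-25T12:00:00Z ws-42 updates.example.com 203.0.113.9",
    "2024-12-27T09:00:00Z ws-42 tracker.example.net 149.28.124.84",
]
SAMPLE_INVENTORY = {"ws-17": {"Cyberhaven": "24.10.4"},
                    "ws-42": {"Cyberhaven": "24.10.5", "VPNCity": "1.0"}}

if __name__ == "__main__":
    for host, ts, ioc, in_window in ioc_hits(SAMPLE_LOG):
        flag = " (inside exposure window)" if in_window else ""
        print(f"{host} -> {ioc} at {ts:%Y-%m-%d %H:%M} UTC{flag}")
    print("hosts still on the malicious build:", exposed_hosts(SAMPLE_INVENTORY))
```

The second ws-42 line matches on the IP alone, which is why the IP check is kept alongside the domain list.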
Phishing Attack Targeted Developer
In a more detailed preliminary incident report that includes indicators of compromise, Cyberhaven said the attack traced to one of the developers of its Chrome Extension – publicly listed as a support point of contact – who received a phishing email.
“Once the employee clicked on the email, they were taken to the standard Google authorization flow for adding a malicious OAUTH Google application called ‘Privacy Policy Extension,’” the company said.
“This authorization page was hosted on Google.com and part of the standard authorization flow for granting access to third-party Google applications,” it said. “The employee followed the standard flow and inadvertently authorized this malicious third-party application. The employee had Google Advanced Protection enabled and had MFA covering his account. The employee did not receive an MFA prompt. The employee’s Google credentials were not compromised.”
By inadvertently authorizing the malicious Privacy Policy Extension, the developer enabled the attacker to upload a modified version of the company’s extension, using it to replace the legitimate one in the Chrome Web Store.
“This malicious extension (24.10.4) was essentially based on a clean prior version of the official Cyberhaven Chrome extension,” Cyberhaven said. “The attacker made a copy of the clean extension and added some malicious code to create a new malicious extension.” These added malicious components enabled the extension to contact a command-and-control server as well as gather and exfiltrate data.
The company said the attacker didn’t compromise any other Cyberhaven accounts, steal any code-signing keys or gain any access to its continuous integration and continuous delivery environment.
Cyberhaven said it’s prepping tools to help customers identify what, if any, specific data attackers might have exfiltrated.