Cyberhaven detail how employee was duped and the malicious extension was live for a day.
Cyberhaven has confirmed that a phishing attack compromised an employee's credentials to the Google Chrome Web Store, allowing a malicious version of its Chrome extension to be published.
In a statement on its website, the company said the attack took place on December 24th; the malicious extension was detected the following day and removed within 60 minutes of identification.
Investigation
In its investigation, it confirmed that only version 24.10.4 of its Chrome extension was affected. That version was active for around 24 hours, and “only Chrome-based browsers that auto-updated during this period were impacted.”
The company confirmed that while the investigation is ongoing, its initial findings show the attacker was targeting logins to specific social media advertising and AI platforms. It was also able to determine that no other Cyberhaven systems, including its CI/CD processes and code signing keys, were compromised.
Also, for any browsers running the compromised extension during this period, the malicious code could have exfiltrated cookies and authenticated sessions for certain targeted websites.
The compromised extension was removed from the Chrome Web Store, and a secure version (24.10.5) was published and automatically deployed.
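Because only one extension version (24.10.4) was affected and the fix shipped as 24.10.5, the practical question for a defender is which versions are sitting in local Chrome profiles. The script below is an added example, not Cyberhaven's or SC Media's code: it walks a Chrome profile's Extensions directory (layout `<root>/<extension_id>/<version>_<n>/manifest.json`), reads each manifest, and flags any copy of the affected version. The article does not give the extension's Web Store id, so the id used here is a labelled placeholder, and the profile tree it scans is constructed in a temporary directory for the demonstration.

```python
import json
import os
import tempfile

# Versions named in the article: the compromised release and the fixed one.
AFFECTED_VERSION = "24.10.4"
FIXED_VERSION = "24.10.5"
# Placeholder: the article does not state the extension's Web Store id.
CYBERHAVEN_EXT_ID = "PLACEHOLDER_CYBERHAVEN_EXTENSION_ID"


def scan_extensions(extensions_root, ext_id=CYBERHAVEN_EXT_ID,
                    bad_versions=(AFFECTED_VERSION,)):
    """Inventory every extension version under a Chrome profile's
    Extensions directory and mark those matching (ext_id, bad_version).

    Returns a list of dicts: id, version, name, affected."""
    findings = []
    if not os.path.isdir(extensions_root):
        return findings
    for found_id in sorted(os.listdir(extensions_root)):
        ext_dir = os.path.join(extensions_root, found_id)
        if not os.path.isdir(ext_dir):
            continue
        for version_dir in sorted(os.listdir(ext_dir)):
            manifest_path = os.path.join(ext_dir, version_dir, "manifest.json")
            if not os.path.isfile(manifest_path):
                continue
            try:
                with open(manifest_path, encoding="utf-8") as fh:
                    manifest = json.load(fh)
            except (OSError, ValueError):
                # Unreadable or malformed manifest: skip rather than crash.
                continue
            # Chrome names version dirs "<version>_<n>"; prefer the manifest.
            version = manifest.get("version", version_dir.split("_")[0])
            findings.append({
                "id": found_id,
                "version": version,
                "name": manifest.get("name", ""),
                "affected": found_id == ext_id and version in bad_versions,
            })
    return findings


def affected_only(findings):
    """Filter scan results down to the entries that need action."""
    return [f for f in findings if f["affected"]]


def build_sample_profile():
    """Constructed sample data: a fake Extensions tree with the affected
    version, the fixed version, and an unrelated extension."""
    root = tempfile.mkdtemp(prefix="chrome_ext_sample_")
    samples = [
        (CYBERHAVEN_EXT_ID, "24.10.4_0", {"name": "Cyberhaven", "version": AFFECTED_VERSION}),
        (CYBERHAVEN_EXT_ID, "24.10.5_0", {"name": "Cyberhaven", "version": FIXED_VERSION}),
        ("aaaabbbbccccddddeeeeffffgggghhhh", "1.2.3_0", {"name": "Unrelated", "version": "1.2.3"}),
    ]
    for found_id, version_dir, manifest in samples:
        leaf = os.path.join(root, found_id, version_dir)
        os.makedirs(leaf)
        with open(os.path.join(leaf, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root


if __name__ == "__main__":
    results = scan_extensions(build_sample_profile())
    for entry in results:
        flag = "AFFECTED" if entry["affected"] else "ok"
        print(f"{entry['id']} {entry['version']:<10} {entry['name']:<12} {flag}")
```

To run it against a real profile, pass the actual Extensions directory (on Linux typically `~/.config/google-chrome/Default/Extensions`, on Windows `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions`) and the real extension id. A hit on 24.10.4 is a reason to treat that browser's cookies and sessions for the targeted sites as exposed, not just to update the extension.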
Larger Campaign
In its initial response, Cyberhaven said it understood the effort to be part of a larger campaign to target Chrome Extension developers. Initial analysis of some of the compromised machines found the primary motive for the attack was to target accounts related to Facebook adverts.
Detailing the phishing tactic used, the company said the email took the employee to the standard Google authorisation flow for adding a malicious OAuth Google application called “Privacy Policy Extension”. The employee followed the standard flow and inadvertently authorised the malicious third-party application.
Although the employee had Google Advanced Protection enabled and MFA covering their account, they did not receive an MFA prompt: approving an OAuth application from an already authenticated session does not trigger one, and the attacker gained the requisite permissions via the malicious application rather than through the employee's credentials.
“One of Cyberhaven's core values is maximum transparency, and we are acting with these first principles to retain the trust we have earned from our customers,” the statement said.
“We will continue to keep our customers updated and support you in every way possible to mitigate the impact of this incident. We appreciate the trust you place in us.”
Written by
Dan Raywood
Senior Editor
SC Media UK
Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.
Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.