Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
The recent cyberattack that hit the security company Cyberhaven and then affected a number of Google Chrome extensions could be part of a “broader campaign”, new research claims.
A BleepingComputer investigation found that the same code was injected into at least 35 Google Chrome extensions, used by about 2.6 million users worldwide. The Cyberhaven extension alone led to around 400,000 devices being infected with the malicious code.
The campaign began on December 5, more than two weeks before the compromise was first suspected, although the command-and-control subdomains had existed since March 2024.
Ironically, Cyberhaven itself is a cybersecurity startup that provides a Google Chrome extension aimed at preventing the loss of sensitive data to unapproved platforms such as Facebook or ChatGPT.
In this particular case, the attack originated from a phishing email sent to a developer, posing as a Google notification warning the administrator that an extension violated Chrome Web Store policies and was at risk of removal. The developer was prompted to authorize a “Privacy Policy Extension” application, which granted the attackers the permissions they needed to gain access.
After that, a new malicious version of the extension was uploaded, which bypassed Google’s security checks and was pushed to around 400,000 users through Chrome’s automatic extension updates.
It has since been discovered that the attackers aimed to collect Facebook data from victims through the extensions, and that the domains used in the attack were registered and tested in March 2024, before a new set was created in November and December, shortly before the incident.
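Because a hijacked extension is delivered to users as an ordinary automatic update, the first defensive question after a campaign like this is which endpoints have which extension versions installed, and how much reach a hijacked version would have. The script below is an added example, not code from Cyberhaven, BleepingComputer or any of the affected projects: it walks Chrome's on-disk extension layout (`<profile>/Extensions/<extension id>/<version>_<n>/manifest.json`, which is Chrome's actual layout), reads each manifest, and flags two things: a version listed in a known-bad table, and the combination of broad host access with session-reading API permissions. The extension IDs and versions in the sample data are constructed placeholders; a real known-bad table would be filled in from the vendor's advisory.

```python
import json
import tempfile
from pathlib import Path

# Constructed sample data: these IDs and versions are placeholders, NOT the
# identifiers from the incident. Fill this table from the vendor advisory.
SAMPLE_KNOWN_BAD = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"24.10.4", "24.10.5"},
}

# Host patterns that give an extension access to every site the user visits.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions that, combined with broad host access, let a hijacked
# extension read sessions (cookies) and traffic.
SENSITIVE_API_PERMISSIONS = {"cookies", "webRequest", "webRequestBlocking", "scripting", "tabs"}


def split_permissions(manifest):
    """Return (api_permissions, host_patterns) from a MV2 or MV3 manifest.
    MV3 keeps host patterns under "host_permissions"; MV2 mixes them into "permissions"."""
    api, hosts = set(), set()
    for perm in manifest.get("permissions", []):
        (hosts if ("://" in perm or perm == "<all_urls>") else api).add(perm)
    hosts.update(manifest.get("host_permissions", []))
    return api, hosts


def load_extensions(extensions_dir):
    """Walk <profile>/Extensions/<id>/<version>_<n>/manifest.json, one record per installed version."""
    records = []
    for ext_dir in sorted(p for p in Path(extensions_dir).iterdir() if p.is_dir()):
        for ver_dir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
            manifest_path = ver_dir / "manifest.json"
            if not manifest_path.is_file():
                continue
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
            api, hosts = split_permissions(manifest)
            records.append({
                "id": ext_dir.name,
                "name": manifest.get("name", "?"),
                # The manifest version is authoritative; the directory name is a fallback.
                "version": manifest.get("version", ver_dir.name.split("_")[0]),
                "api_permissions": api,
                "host_patterns": hosts,
            })
    return records


def triage(extensions_dir, known_bad):
    """Flag each installed extension version: known-bad, and/or broad reach if hijacked."""
    findings = {}
    for ext in load_extensions(extensions_dir):
        flags = []
        if ext["version"] in known_bad.get(ext["id"], set()):
            flags.append("known_bad_version")
        broad = ext["host_patterns"] & BROAD_HOST_PATTERNS
        sensitive = ext["api_permissions"] & SENSITIVE_API_PERMISSIONS
        if broad and sensitive:
            flags.append("broad_reach:" + ",".join(sorted(sensitive)))
        findings[(ext["id"], ext["version"])] = flags
    return findings


def build_sample_profile(root):
    """Write a constructed Extensions tree with two fake extensions (test data, not real)."""
    samples = {
        ("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "24.10.4_0"): {
            "manifest_version": 3, "name": "Sample DLP Extension", "version": "24.10.4",
            "permissions": ["cookies", "storage", "webRequest"],
            "host_permissions": ["<all_urls>"],
        },
        ("bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", "1.2.0_0"): {
            "manifest_version": 2, "name": "Sample Notes", "version": "1.2.0",
            "permissions": ["storage", "https://notes.example/*"],
        },
    }
    for (ext_id, ver_dir), manifest in samples.items():
        target = Path(root) / ext_id / ver_dir
        target.mkdir(parents=True)
        (target / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")


def run_demo():
    """Build the constructed profile in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_profile(tmp)
        return triage(tmp, SAMPLE_KNOWN_BAD)


if __name__ == "__main__":
    for (ext_id, version), flags in run_demo().items():
        print(ext_id, version, flags or ["ok"])
```

To run it against a real machine, point `triage()` at the profile's Extensions directory (for example `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions` on Windows or `~/.config/google-chrome/Default/Extensions` on Linux) and replace `SAMPLE_KNOWN_BAD` with the IDs and versions from the advisory. The second flag is deliberately independent of any known-bad list: an extension with `<all_urls>` plus `cookies` or `webRequest` is exactly the kind whose compromise reaches session data, so it deserves version pinning or an enterprise allowlist even before an advisory names it.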
“The employee followed standard flow and inadvertently authorized this malicious third-party application,” Cyberhaven said in a statement.
“The employee had Google Advanced Protection enabled and had MFA covering their account. The employee did not receive an MFA prompt. The employee’s Google credentials were not compromised.”