The Start of Google Chrome Extension Hack May Have Happened Sooner Than Expected


New Information Reveals the Nature of the Google Chrome Extension Attack

• New information has come to light about a recent cyber attack.
• A malicious Google Chrome extension caused 400,000 users to be infected with malware.
• Attackers were reportedly preparing the campaign as early as March 2024.

According to new research, a recent cyber attack that affected the security firm Cyberhaven and then several Google Chrome extensions may have been part of a “widespread campaign.”

In fact, at least 35 Google Chrome extensions carried the same injected code, putting about 2.6 million users worldwide at risk, according to Bleeping Computer’s investigation. The malicious code reached some 400,000 devices through the Cyberhaven extension alone.

The campaign started on December 5, two weeks earlier than previously thought. The command-and-control subdomains used in the attack turned out to be older still, dating back to March 2024.

Data Loss Prevention

Ironically, cybersecurity firm Cyberhaven is a startup that offers Google Chrome extensions that prevent data loss from unapproved platforms like Facebook or ChatGPT.

In this case, the attack began with a phishing email sent to a developer. It was dressed up as a Google notification claiming that an extension violated Chrome Web Store policies and would be taken down, and it asked the developer to grant permissions to an OAuth application called “Privacy Policy Extension.” Approving that consent screen handed the attackers the permissions and access they needed.

Shortly thereafter, the attackers uploaded a malicious version of the extension to the Chrome Web Store, passing the checks and procedures Google had in place. Because Chrome extensions update automatically, the malicious build spread to some 400,000 users without any action on their part.

It has now been discovered that the attackers planned to harvest data from the social networking site Facebook. The domains used in the attack were registered and tested in March 2024, while a new set was created in November and December, shortly before the event. In a statement, Cyberhaven said: “The employee followed the standard flow and unbeknownst to them authorized this malicious third-party application. The employee had Google Advanced Protection enabled, and their account was covered by MFA (multi-factor authentication). The employee did not receive an MFA prompt. The employee’s Google credentials were not compromised.”
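The auto-update behaviour described above means a compromised publisher account turns every installed copy into a foothold with no user interaction, so the first defensive step is to find out which extensions in a fleet changed version and which of them can reach the sites the campaign targeted. The script below is an added example written for this article; it is not code from Cyberhaven, Google or the article itself. It walks a Chrome profile’s `Extensions` directory, compares each installed version against an approved baseline, and flags manifests that declare broad host access or access to a watched domain (here `facebook.com`, the target named above). The extension IDs, versions and manifests in `demo()` are constructed placeholders, not the real extensions involved in the campaign.

```python
"""Triage installed Chrome extensions after a publisher-account compromise.

Added example (not from the article or from Cyberhaven). Layout assumed:
<profile>/Extensions/<extension-id>/<version>/manifest.json, which is how
Chrome stores unpacked Web Store extensions on disk.
"""
import json
import tempfile
from pathlib import Path

# Host match patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def host_patterns(manifest):
    """Collect every host match pattern an extension declares (MV2 and MV3)."""
    patterns = list(manifest.get("host_permissions", []))          # Manifest V3
    patterns += [p for p in manifest.get("permissions", [])         # Manifest V2 mixes
                 if "://" in p or p == "<all_urls>"]                # hosts in here
    for script in manifest.get("content_scripts", []):
        patterns += script.get("matches", [])
    return patterns


def triage_manifest(ext_id, manifest, baseline, watch_domains=("facebook.com",)):
    """Return the reasons this extension deserves a closer look (empty list = clean).

    baseline maps extension id -> version that was last reviewed and approved.
    """
    findings = []
    installed = manifest.get("version", "unknown")
    approved = baseline.get(ext_id)
    if approved is None:
        findings.append("not in the approved baseline")
    elif approved != installed:
        # A silent version bump is exactly what an auto-updated malicious build looks like.
        findings.append(f"version changed since baseline ({approved} -> {installed})")
    for pattern in host_patterns(manifest):
        if pattern in BROAD_HOSTS:
            findings.append(f"broad host access: {pattern}")
        elif any(domain in pattern for domain in watch_domains):
            findings.append(f"access to watched domain via {pattern}")
    return findings


def triage_profile(extensions_dir, baseline):
    """Triage every manifest under <extensions_dir>/<id>/<version>/manifest.json."""
    report = {}
    for manifest_path in Path(extensions_dir).glob("*/*/manifest.json"):
        ext_id = manifest_path.parent.parent.name
        manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        findings = triage_manifest(ext_id, manifest, baseline)
        if findings:
            report[ext_id] = findings
    return report


# Constructed sample data: two placeholder extension ids and a fake baseline.
CLEAN_ID = "a" * 32
CHANGED_ID = "b" * 32
BASELINE = {CLEAN_ID: "1.4.0", CHANGED_ID: "1.4.0"}

SAMPLE_MANIFESTS = {
    (CLEAN_ID, "1.4.0"): {
        "manifest_version": 3, "name": "Approved DLP helper (constructed)", "version": "1.4.0",
        "host_permissions": ["https://dlp.example.test/*"],
    },
    (CHANGED_ID, "1.4.1"): {
        "manifest_version": 3, "name": "Silently updated extension (constructed)",
        "version": "1.4.1",
        "host_permissions": ["<all_urls>"],
        "content_scripts": [{"matches": ["https://*.facebook.com/*"], "js": ["inject.js"]}],
    },
}


def demo():
    """Write the constructed manifests to a temp dir, triage them and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        for (ext_id, version), manifest in SAMPLE_MANIFESTS.items():
            target = Path(tmp) / ext_id / version
            target.mkdir(parents=True)
            (target / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        return triage_profile(tmp, BASELINE)


if __name__ == "__main__":
    for ext_id, findings in demo().items():
        print(ext_id)
        for f in findings:
            print("  -", f)
```

Run against a real profile by calling `triage_profile("/path/to/Chrome/Default/Extensions", baseline)` with a baseline exported before the incident; the version-change check is the part that catches a silent update, while the host checks rank which changed extensions matter most.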
