The Google Chrome extensions hack may have started much sooner than expected
- New details have emerged about the recent cyber attack
- A malicious Google Chrome extension caused 400,000 users to become infected with malware
- Attackers were reportedly planning the campaign as early as March 2024
The recent cyber attack that hit security firm Cyberhaven and subsequently affected a number of Google Chrome extensions may have been part of a ‘broader campaign’, new research claims.
Research by BleepingComputer has revealed that the same code was injected into at least 35 Google Chrome extensions, used by approximately 2.6 million users worldwide. This led to 400,000 devices being infected with malicious code via the Cyberhaven extension.
The campaign began on December 5, more than two weeks earlier than initially suspected, although command and control subdomains dating back to March 2024 have been found.
Data loss prevention
Ironically, cybersecurity company Cyberhaven is a startup that offers a Google Chrome extension to prevent sensitive data from leaking to unapproved platforms, such as Facebook or ChatGPT.
In this particular case, the attack came from a phishing email sent to a developer, masquerading as a Google notification alerting the administrator that an extension violated Chrome Web Store policies and was at risk of being removed. The developer was encouraged to authorize a ‘Privacy Policy Extension’, which granted the attackers the permissions and access they needed.
After this, a new malicious version of the extension was uploaded, which passed Google’s security checks and was distributed to around 400,000 users thanks to automatic extension updates in Chrome.
It has now been discovered that the attackers wanted to collect victims’ Facebook data via the extensions, and domains used in the attack were registered and tested in March 2024, before a new set was created in November and December prior to the incident.
“The employee followed standard procedure and accidentally authorized this malicious third-party application,” Cyberhaven said in a statement.
“The employee had Google Advanced Protection enabled and had MFA on their account. The employee did not receive an MFA prompt. The employee’s Google credentials have not been compromised.”