Cybercriminals Hijack Chrome Extensions to Steal User Data


In a recent wave of cyberattacks, threat actors have compromised multiple Chrome browser extensions, injecting malicious code designed to steal sensitive user information. Among the affected is Cyberhaven, a data loss prevention company, which reported that its Chrome extension was hijacked following a phishing attack on an administrator’s account. Source: Bleeping Computer

The attackers released a malicious update (version 24.10.4) of Cyberhaven’s extension on December 24, capable of exfiltrating authenticated sessions and cookies to a rogue domain. The company’s security team detected the breach on December 25 and swiftly removed the compromised version, releasing a clean update (version 24.10.5) the following day. Users are advised to update their extensions promptly, revoke non-FIDOv2 passwords, rotate API tokens, and review browser logs for any suspicious activity. Source: Cybersecurity News

Security researcher Jaime Blasco identified that other extensions, including Internxt VPN, VPNCity, Uvoice, and ParrotTalks, were similarly compromised with the same malicious code. This suggests a broader campaign targeting Chrome extension developers across various companies. Source: The Verge

Recommendations for Users:

  • Update Extensions: Ensure all Chrome extensions are updated to their latest versions to mitigate potential risks.
  • Credential Management: Revoke and rotate any passwords not protected by FIDOv2 and update all API tokens.
  • Monitor Activity: Regularly review browser logs and account activities for any unauthorized access or anomalies.
  • Extension Audit: Periodically audit installed browser extensions, removing any that are unnecessary or from unverified sources.
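
One way to run the update check and extension audit above, as an added example that is not from the article or from Cyberhaven: it walks a Chrome profile's Extensions directory and flags the malicious version 24.10.4 named earlier. The `<id>/<version>_0/manifest.json` layout, matching on display name (the article gives no extension ID), and the sample tree with placeholder IDs are assumptions.

```python
import json, sys, tempfile
from pathlib import Path

KNOWN_BAD = [("cyberhaven", "24.10.4")]  # from the article: (name substring, version)

def display_name(version_dir, manifest):
    """Resolve the extension name, following a __MSG_key__ locale placeholder."""
    name = manifest.get("name", "")
    if not (name.startswith("__MSG_") and name.endswith("__")):
        return name
    locale = manifest.get("default_locale", "en")
    try:
        path = version_dir / "_locales" / locale / "messages.json"
        msgs = json.loads(path.read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        return name  # keep the placeholder if the locale file is unreadable
    wanted = name[6:-2].lower()  # message keys are case-insensitive
    return next((v.get("message", name) for k, v in msgs.items()
                 if k.lower() == wanted), name)

def audit_extensions(extensions_dir, known_bad=KNOWN_BAD):
    """Return one record per installed extension version, flagging known-bad ones."""
    findings = []
    for mpath in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(mpath.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # skip a corrupt manifest rather than abort the audit
        name = display_name(mpath.parent, manifest)
        version = str(manifest.get("version", ""))
        flagged = any(s in name.lower() and version == bad for s, bad in known_bad)
        findings.append({"id": mpath.parent.parent.name, "name": name,
                         "version": version, "flagged": flagged})
    return findings

def make_sample(root):  # constructed sample tree with placeholder extension IDs
    for ext_id, ver in [("a" * 32, "24.10.4"), ("b" * 32, "24.10.5")]:
        vdir = Path(root) / ext_id / f"{ver}_0"
        (vdir / "_locales" / "en").mkdir(parents=True)
        (vdir / "manifest.json").write_text(json.dumps(
            {"name": "__MSG_appName__", "version": ver, "default_locale": "en"}))
        (vdir / "_locales" / "en" / "messages.json").write_text(
            json.dumps({"appName": {"message": "Cyberhaven (sample)"}}))
    return root

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample(tempfile.mkdtemp())
    print(*audit_extensions(target), sep="\n")
```

Run it with the path to a profile's Extensions directory as the only argument; with no argument it audits the constructed sample tree.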

This incident underscores the importance of vigilance when using browser extensions, as they can become vectors for cyber threats if compromised. Users should exercise caution and maintain robust security practices to safeguard their data.

About Ankit Bhardwaj

Ankit Bhardwaj is the co-founder of VPNHelpers and a highly skilled cybersecurity expert. Ankit has years of experience in the field and a thorough understanding of the most recent security threats as well as effective mitigation strategies. He is committed to ensuring VPNHelpers users' privacy and security, and he is always looking for new ways to improve the security of their systems. Ankit relaxes by watching movies and TV shows when he is not working.
