Cyberhaven’s preliminary analysis of the recent malicious Chrome extension

Source: Cyberhaven
Author: unknown
URL: https://www.cyberhaven.com/engineering-blog/cyberhavens-preliminary-analysis-of-the-recent-malicious-chrome-extension

# ONE SENTENCE SUMMARY:
Cyberhaven’s Chrome extension was compromised through a phishing attack on an employee; the malicious version targeted Facebook Ads users, and the compromise was part of a broader, non-targeted campaign against extension developers.

# MAIN POINTS:
1. Cyberhaven’s Chrome extension version 24.10.4 was maliciously published.
2. The attack was part of a wider campaign against Chrome extension developers.
3. A phishing email tricked an employee into authorizing a malicious OAuth application.
4. The attacker gained permissions and uploaded a malicious version of the extension.
5. The malicious code targeted Facebook users to collect sensitive data.
6. User data, including Facebook access tokens, was exfiltrated to a Command and Control server.
7. Malicious code tracked mouse clicks on Facebook to bypass security mechanisms.
8. The incident highlights vulnerabilities in the Chrome extension approval process.
9. Cyberhaven is cooperating with third-party security analyses to understand the incident.
10. Further updates will be released once the investigation is complete.
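A defender-side check for the version named above (24.10.4), as an added example that is not Cyberhaven's code or part of the original write-up: it walks a Chrome profile's Extensions tree, parses each manifest.json, and flags entries whose name matches the extension and whose version is the compromised build. The store ID is not given on this page, so matching on the manifest "name" field is an assumption, and the sample tree is constructed inline.

```python
import json
import tempfile
from pathlib import Path

# Version named in the write-up as the maliciously published build.
COMPROMISED_VERSION = "24.10.4"
# Assumption: match on the manifest "name" field, since the page gives no store ID.
# Localized manifests may carry "__MSG_...__" names; those would need _locales lookup.
NAME_HINT = "cyberhaven"


def parse_version(v):
    """Turn a dotted Chrome extension version string into a comparable tuple."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())


def find_flagged_extensions(root):
    """Walk an Extensions tree (<id>/<version>_<n>/manifest.json layout) and
    return (path, name, version) for every manifest matching the flagged build."""
    hits = []
    for manifest in Path(root).rglob("manifest.json"):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or non-JSON file: not an extension manifest
        name = str(data.get("name", ""))
        version = str(data.get("version", ""))
        if NAME_HINT in name.lower() and parse_version(version) == parse_version(COMPROMISED_VERSION):
            hits.append((str(manifest), name, version))
    return hits


def build_sample_tree():
    """Constructed sample tree: the flagged build, a newer build, and an unrelated extension."""
    root = Path(tempfile.mkdtemp(prefix="ext-"))
    samples = {
        "abcd/24.10.4_0": {"name": "Cyberhaven security extension", "version": "24.10.4"},
        "abcd/24.10.5_0": {"name": "Cyberhaven security extension", "version": "24.10.5"},
        "efgh/1.2.3_0": {"name": "Other Extension", "version": "1.2.3"},
    }
    for rel, manifest in samples.items():
        d = root / rel
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return str(root)


if __name__ == "__main__":
    for path, name, version in find_flagged_extensions(build_sample_tree()):
        print(f"FLAGGED {name} {version}: {path}")
```

On a real host, point find_flagged_extensions at the profile's Extensions directory instead of the constructed sample.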

# TAKEAWAYS:
1. Phishing remains a prevalent threat to corporate security.
2. OAuth applications require stricter scrutiny during authorization.
3. Regular audits of extensions could mitigate similar risks in the future.
4. Understanding attack methods helps in developing better defenses.
5. Collaboration with security experts is crucial in handling breaches.