Source: Cyberhaven Author: unknown URL: https://www.cyberhaven.com/engineering-blog/cyberhavens-preliminary-analysis-of-the-recent-malicious-chrome-extension
ONE SENTENCE SUMMARY: Cyberhaven's Chrome extension was compromised through a phishing attack, and the malicious build targeted Facebook Ads users as part of a larger campaign that was not aimed specifically at Cyberhaven.

MAIN POINTS:
- A malicious version (24.10.4) of Cyberhaven's Chrome extension was published.
- The attack was part of a wider campaign against Chrome extension developers.
- A phishing email tricked an employee into authorizing a malicious OAuth application.
- The attacker used the granted permissions to upload a malicious version of the extension.
- The malicious code targeted Facebook users in order to collect sensitive data.
- User data, including Facebook access tokens, was exfiltrated to a command-and-control (C2) server.
- The malicious code tracked mouse clicks on Facebook to bypass security mechanisms.
- The incident highlights weaknesses in the Chrome extension approval process.
- Cyberhaven is cooperating with third-party security analyses to understand the incident.
- Further updates will be released once the investigation is complete.

TAKEAWAYS:
- Phishing remains a prevalent threat to corporate security.
- OAuth applications require stricter scrutiny before authorization is granted.
- Regular audits of installed extensions could mitigate similar risks in the future.
- Understanding attack methods helps in developing better defenses.
- Collaboration with security experts is crucial in handling breaches.
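As an added illustration of the "regular audits of extensions" takeaway (example code, not from Cyberhaven or the original post): a small audit that walks a Chrome profile's Extensions directory, reads each manifest.json, and flags any install whose name matches the affected extension and whose version is the maliciously published 24.10.4. The name string, profile paths and the sample manifests it builds are assumptions and constructed test data, not values from the page.

```python
import json
import tempfile
from pathlib import Path

# Indicator from the page: the maliciously published extension build was version 24.10.4.
# SUSPECT_NAME is an assumed placeholder; match on the real manifest "name" you are auditing.
SUSPECT_NAME = "Cyberhaven"
SUSPECT_VERSIONS = {"24.10.4"}


def chrome_extension_roots():
    """Default Chrome profile extension directories (well-known locations, one per OS)."""
    home = Path.home()
    return [
        home / "Library/Application Support/Google/Chrome/Default/Extensions",  # macOS
        home / ".config/google-chrome/Default/Extensions",                      # Linux
        home / "AppData/Local/Google/Chrome/User Data/Default/Extensions",      # Windows
    ]


def scan_extensions(root):
    """Walk <root>/<extension_id>/<version_dir>/manifest.json and return flagged installs.

    Localized names ("__MSG_..." placeholders) are not resolved here; they would need
    the extension's _locales/*/messages.json to be read as well.
    """
    findings = []
    root = Path(root)
    if not root.is_dir():
        return findings
    for manifest in sorted(root.glob("*/*/manifest.json")):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash the audit
        name, version = str(data.get("name", "")), str(data.get("version", ""))
        if SUSPECT_NAME.lower() in name.lower() and version in SUSPECT_VERSIONS:
            findings.append({"id": manifest.parent.parent.name, "name": name,
                             "version": version, "path": str(manifest)})
    return findings


def demo_scan():
    """Constructed sample profile (not real installs): one flagged, two clean extensions."""
    samples = {"id_sample_a": ("Cyberhaven", "24.10.4"),          # should be flagged
               "id_sample_b": ("Cyberhaven", "0.0.1-constructed"),  # same name, other version
               "id_sample_c": ("Unrelated Extension", "24.10.4")}   # same version, other name
    with tempfile.TemporaryDirectory() as tmp:
        for ext_id, (name, version) in samples.items():
            d = Path(tmp) / ext_id / version
            d.mkdir(parents=True)
            (d / "manifest.json").write_text(json.dumps(
                {"manifest_version": 3, "name": name, "version": version}))
        return scan_extensions(tmp)
```

Run `scan_extensions(root)` for each path in `chrome_extension_roots()` on a real host; `demo_scan()` exercises the same logic on the constructed sample profile.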