Fri Jan 03 2025

The hacking of Google Chrome extensions may have started earlier than previously thought.

New details emerge about the nature of the attack on the Google Chrome extension.

Recent research has revealed new details about a cyberattack that affected the security firm Cyberhaven and various Google Chrome extensions. It has been determined that a malicious browser plugin infected nearly 400,000 users with malware. This attack could be part of a broader campaign, which had apparently been planned since March 2024.

Analysis by BleepingComputer has indicated that the malicious code was injected into at least 35 Google Chrome extensions, used by approximately 2.6 million people worldwide. The attack, which began on December 5, occurred more than two weeks earlier than initially suspected. However, command and control subdomains were found to have existed since March 2024.

Cyberhaven, the target of the attack, is a startup that offers a Google Chrome extension designed to prevent the loss of sensitive data from unauthorized platforms such as Facebook or ChatGPT. The security breach was facilitated by a phishing email directed at a developer, which posed as a Google notification alerting the administrator to a potential violation of Chrome store policies and prompted them to update the extension's privacy policy. By accepting, the developer granted the attackers permissions that allowed them to access the account.

Once access was obtained, a malicious version of the extension was uploaded that managed to bypass Google's security checks, spreading to 400,000 users through Chrome's automatic extension updates. The attackers aimed to collect Facebook data from the victims through these extensions, using domains that had been registered and tested in March 2024, before creating a new set of domains in November and December, just before the attack.
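A defender's first step in an incident like this is knowing which extension versions are present on a host and when each one arrived, since a silent auto-update leaves a new version directory on disk. The following Python script is an added example, not code from the article or from Cyberhaven; it assumes Chrome's on-disk layout of <profile>/Extensions/<extension_id>/<version>_<n>/manifest.json, and every extension ID, name and timestamp in it is constructed sample data.

```python
"""Inventory the extensions in a Chrome profile directory and flag versions
that landed on disk on or after a cutoff date (e.g. the start of a campaign).

Assumption: Chrome keeps an unpacked copy of each installed extension under
<profile>/Extensions/<extension_id>/<version>_<n>/manifest.json. An auto-update
adds a new <version>_<n> directory, so the manifest's modification time is a
usable first approximation of when that version arrived.
"""

import json
import os
import tempfile
from datetime import datetime, timezone

# Constructed sample extension IDs (Chrome IDs are 32 chars from a-p).
SAMPLE_ID_A = "abcdefghijklmnopabcdefghijklmnop"
SAMPLE_ID_B = "ponmlkjihgfedcbaponmlkjihgfedcba"


def inventory_extensions(profile_dir):
    """Return one record per installed extension version under profile_dir/Extensions."""
    ext_root = os.path.join(profile_dir, "Extensions")
    records = []
    if not os.path.isdir(ext_root):
        return records
    for ext_id in sorted(os.listdir(ext_root)):
        ext_dir = os.path.join(ext_root, ext_id)
        if not os.path.isdir(ext_dir):
            continue
        for vdir in sorted(os.listdir(ext_dir)):
            manifest_path = os.path.join(ext_dir, vdir, "manifest.json")
            if not os.path.isfile(manifest_path):
                continue
            with open(manifest_path, encoding="utf-8") as fh:
                manifest = json.load(fh)
            # mtime of the manifest approximates when this version was written.
            landed = datetime.fromtimestamp(os.path.getmtime(manifest_path), tz=timezone.utc)
            records.append({
                "id": ext_id,
                "name": manifest.get("name", "<unnamed>"),
                "version": manifest.get("version", vdir.split("_")[0]),
                "host_permissions": manifest.get("host_permissions", []),
                "landed_at": landed,
            })
    return records


def versions_updated_since(records, cutoff):
    """Return the records whose version landed on disk at or after cutoff (aware UTC datetime)."""
    return [r for r in records if r["landed_at"] >= cutoff]


def build_sample_profile(root):
    """Create a constructed profile tree with three extension versions and fixed mtimes."""
    sample = [
        (SAMPLE_ID_A, "24.9.1", "Sample DLP Helper", datetime(2024, 11, 20, tzinfo=timezone.utc)),
        (SAMPLE_ID_A, "24.10.5", "Sample DLP Helper", datetime(2024, 12, 6, tzinfo=timezone.utc)),
        (SAMPLE_ID_B, "1.2.0", "Sample Tab Manager", datetime(2024, 10, 1, tzinfo=timezone.utc)),
    ]
    for ext_id, version, name, when in sample:
        vdir = os.path.join(root, "Extensions", ext_id, f"{version}_0")
        os.makedirs(vdir, exist_ok=True)
        path = os.path.join(vdir, "manifest.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump({"name": name, "version": version, "manifest_version": 3,
                       "host_permissions": ["https://*/*"]}, fh)
        ts = int(when.timestamp())
        os.utime(path, (ts, ts))  # pin the mtime so the sample is deterministic
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_profile(tmp)
        cutoff = datetime(2024, 12, 5, tzinfo=timezone.utc)
        for rec in versions_updated_since(inventory_extensions(tmp), cutoff):
            print(f"{rec['id']} {rec['name']} {rec['version']} landed {rec['landed_at']:%Y-%m-%d}")
```

Run against a real profile by calling inventory_extensions on a path such as ~/.config/google-chrome/Default; cross-check any flagged ID and version against the vendor's published list of affected extensions rather than relying on the timestamp alone, since legitimate updates land in the same window.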

Cyberhaven said in a statement that the employee followed standard procedures and, unfortunately, authorized the malicious third-party application. Although the employee had Google Advanced Protection and multi-factor authentication (MFA) enabled, they did not receive an MFA notice and their Google credentials were not compromised.