- New details have emerged about the recent cyberattack
- A malicious Google Chrome extension caused 400,000 users to be infected with malware
- The attackers were reportedly planning the campaign as early as March 2024.
The recent cyberattack that hit security company Cyberhaven and then affected several Google Chrome extensions may have been part of a “broader campaign,” new research claims.
An investigation by BleepingComputer found that the same code was injected into at least 35 Google Chrome extensions, which are used by approximately 2.6 million users worldwide. Of these, roughly 400,000 devices were infected with malicious code via the Cyberhaven extension.
The campaign began on December 5, more than two weeks earlier than initially suspected, although command and control subdomains dating back to March 2024 have been found.
Data loss prevention
Ironically, cybersecurity company Cyberhaven is a startup that provides a Google Chrome extension aimed at preventing the loss of sensitive data from unapproved platforms, such as Facebook or ChatGPT.
In this particular case, the attack originated with a phishing email sent to a developer, posing as a notification from Google warning the administrator that an extension violated Chrome Web Store policies and was at risk of being removed. The developer was encouraged to authorize a third-party application called 'Privacy Policy Extension', which granted the attackers the permissions they needed to access the account.
With that access, the attackers uploaded a new, malicious version of the extension. It passed Google's security controls and reached around 400,000 users because Chrome installs extension updates automatically.
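The step that did the damage above was a silent version change pushed through Chrome's auto-update, not a new install. The following script is an added example (not code from the article, Cyberhaven or Google) showing how a defender can audit locally installed extensions against an allowlist of approved (id, version) pairs, flag version drift, and surface the broad permissions a malicious update would typically request. It assumes Chrome's standard on-disk layout of `Extensions/<id>/<version>/manifest.json` under a profile directory; the extension ids, versions and permissions in the sample data are constructed placeholders, not the real identifiers from the incident.

```python
"""Audit installed Chrome extensions against an approved (id, version) allowlist.

Added illustration for the incident described above; it is not Cyberhaven's
or Google's code. Extension ids/versions in the sample data are placeholders.
"""
import json
from pathlib import Path

# Permissions worth reviewing whenever an extension changes version unexpectedly
# (site-wide access, cookie access, request interception, script injection).
SENSITIVE_PERMISSIONS = {
    "<all_urls>", "cookies", "webRequest", "webRequestBlocking", "tabs", "scripting",
}


def load_installed_manifests(profile_dir):
    """Read every manifest.json under <profile>/Extensions/<id>/<version>/.

    Assumes Chrome's standard profile layout. The version directory name carries
    a suffix (e.g. '1.2.3_0'), so the version is taken from the manifest itself.
    """
    manifests = {}
    for manifest_path in Path(profile_dir).glob("Extensions/*/*/manifest.json"):
        ext_id = manifest_path.parent.parent.name
        with manifest_path.open(encoding="utf-8") as fh:
            manifests[ext_id] = json.load(fh)
    return manifests


def audit_extensions(manifests, allowlist):
    """Return a list of (extension_id, finding) tuples.

    manifests: {extension_id: parsed manifest.json}
    allowlist: {extension_id: approved version string}
    Findings produced:
      not_allowlisted        - installed but never approved
      version_drift:A->B     - approved at A, but B is installed (an auto-update)
      sensitive:<permission> - the installed manifest requests a sensitive permission
    """
    findings = []
    for ext_id, manifest in sorted(manifests.items()):
        version = manifest.get("version", "unknown")
        approved = allowlist.get(ext_id)
        if approved is None:
            findings.append((ext_id, "not_allowlisted"))
        elif version != approved:
            findings.append((ext_id, f"version_drift:{approved}->{version}"))
        # Manifest V3 splits host access into host_permissions; V2 keeps it in permissions.
        requested = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
        for perm in sorted(requested & SENSITIVE_PERMISSIONS):
            findings.append((ext_id, f"sensitive:{perm}"))
    return findings


# Constructed sample data (placeholder ids and versions, not the incident's real ones).
SAMPLE_ALLOWLIST = {"a" * 32: "24.10.4"}
SAMPLE_MANIFESTS = {
    # An approved extension that silently moved to a new version and now asks for much more.
    "a" * 32: {
        "name": "DLP helper (placeholder)",
        "version": "24.10.5",
        "permissions": ["storage", "cookies", "webRequest"],
        "host_permissions": ["<all_urls>"],
    },
    # An extension nobody approved.
    "b" * 32: {
        "name": "Unknown (placeholder)",
        "version": "1.0",
        "permissions": ["storage"],
    },
}


def sample_findings():
    """Run the audit over the constructed sample data."""
    return audit_extensions(SAMPLE_MANIFESTS, SAMPLE_ALLOWLIST)


if __name__ == "__main__":
    # Replace SAMPLE_MANIFESTS with load_installed_manifests("<path to Chrome profile>")
    # to audit a real profile.
    for ext_id, finding in sample_findings():
        print(ext_id, finding)
```

On the sample data the audit reports the approved extension as having drifted from 24.10.4 to 24.10.5 while requesting `<all_urls>`, `cookies` and `webRequest`, and the second extension as not allowlisted. Running this periodically on managed endpoints gives detection; the enforcement counterpart in an enterprise is Chrome's `ExtensionInstallAllowlist` policy, which stops unapproved extensions from installing at all but does not by itself pin versions, so a review of version changes on allowlisted extensions remains useful.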
It has now been discovered that the attackers aimed to collect victims' Facebook data through the extensions. The domains used in the attack were registered and tested in March 2024, and a new set was created in November and December, shortly before the incident.
“The employee followed the standard flow and inadvertently authorized this malicious third-party application,” Cyberhaven said in a statement.
“The employee had Google Advanced Protection enabled and had MFA covering their account. The employee did not receive an MFA notice. The employee's Google credentials were not compromised.”