New developments have surfaced surrounding a recent cyberattack that affected 400,000 users through a malicious Google Chrome extension. The attack, which targeted security firm Cyberhaven, appears to be part of a larger scheme, according to new research. The same code has been found injected into 35 Chrome extensions used by around 2.6 million users worldwide, meaning the Cyberhaven extension was only one of many through which devices were infected. Contrary to initial beliefs, the campaign began earlier than anticipated: it was active as early as December 5, and its roots have been traced back to March 2024.
Ironically, the attacked firm, Cyberhaven, focuses on data loss prevention through a Chrome extension designed to safeguard sensitive information. The breach originated from a phishing email disguised as a Google notification about a policy violation. The unsuspecting developer authorized an application named ‘Privacy Policy Extension’, unwittingly granting access to the attackers. A malicious version of the extension passed Google’s security checks and reached 400,000 users through automatic updates. The attackers’ objective was to harvest Facebook data; domains linked to the attack had been registered and tested in March 2024.
Cyberhaven stated, “The employee inadvertently authorized the malicious application despite having Google Advanced Protection and MFA in place, and his credentials remained uncompromised.” The incident underscores the need for vigilant cybersecurity measures against evolving threats.
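As an added example that is not part of the original article, the following Python audit shows the kind of check a defender might run over installed Chrome extension manifests after an incident like this one: it flags any extension whose host permissions reach Facebook or every site, and compares a previous and an updated manifest so that permissions newly gained through an automatic update stand out. The two manifests are constructed samples, not the real Cyberhaven extension's manifest, and the host lists are illustrative assumptions.

```python
import fnmatch
import json

# Assumptions for illustration: patterns treated as "every site", and hosts worth watching
# given that the campaign described above harvested Facebook data.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
WATCHED_HOSTS = ("facebook.com",)


def load_manifest(path):
    """Read a manifest.json from an unpacked extension directory."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def host_patterns(manifest):
    """Collect host match patterns from MV2 'permissions', MV3 'host_permissions' and content scripts."""
    pats = []
    for key in ("permissions", "host_permissions"):
        pats.extend(p for p in manifest.get(key, []) if p in BROAD_HOSTS or "://" in p)
    for cs in manifest.get("content_scripts", []):
        pats.extend(cs.get("matches", []))
    return pats


def pattern_covers(pattern, host):
    """Approximate test of whether a Chrome match pattern can reach the given host."""
    if pattern in BROAD_HOSTS:
        return True
    host_part = pattern.split("://", 1)[-1].split("/", 1)[0]
    # "*.facebook.com" in Chrome also matches the bare domain, so test a subdomain form too.
    return fnmatch.fnmatch(host, host_part) or fnmatch.fnmatch("www." + host, host_part)


def audit_manifest(manifest):
    """Return the findings for one manifest, in a stable order."""
    pats = host_patterns(manifest)
    findings = []
    if any(p in BROAD_HOSTS for p in pats):
        findings.append("broad host access")
    for host in WATCHED_HOSTS:
        if any(pattern_covers(p, host) for p in pats):
            findings.append(f"reaches {host}")
    return findings


def audit_update(previous, current):
    """Findings present in the updated manifest but absent from the previous one."""
    new = set(audit_manifest(current)) - set(audit_manifest(previous))
    return {"version": f"{previous.get('version')} -> {current.get('version')}",
            "new_findings": sorted(new)}


# Constructed sample manifests (not the real extension's): a benign build and a tampered update.
BENIGN = {"name": "Example DLP Helper", "version": "24.10.4", "manifest_version": 3,
          "host_permissions": ["https://*.example-dlp.test/*"]}
TAMPERED = {"name": "Example DLP Helper", "version": "24.10.5", "manifest_version": 3,
            "host_permissions": ["https://*.example-dlp.test/*", "*://*.facebook.com/*"],
            "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}]}
```

Running `audit_update(BENIGN, TAMPERED)` reports the version bump together with the two newly gained capabilities, which is the signal an auto-update like the one in this incident would produce.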