- New details emerge about recent cyber attacks
- Malicious Google Chrome extension infects 400,000 users with malware
- The attackers reportedly began preparing the campaign as early as March 2024
The recent cyber attack that hit security company Cyberhaven, and then spread to many other Google Chrome extensions, may be part of a “wider movement”, new research claims.
A BleepingComputer investigation found that the same code had been injected into at least 35 Google Chrome extensions, used by approximately 2.6 million users worldwide. The CyberHaven extension alone delivered the malicious code to around 400,000 devices.
The campaign began as early as December 5, more than two weeks earlier than initially suspected, and command-and-control subdomains had already appeared as early as March 2024.
Prevent data loss
Ironically, Cyberhaven is a cybersecurity startup whose Google Chrome extension is designed to prevent sensitive data from leaking to unapproved platforms such as Facebook or ChatGPT.
In this case the attack began with a phishing email sent to a Cyberhaven developer, disguised as a Google notification warning administrators that the extension violated Chrome Web Store policies and was at risk of removal. The developer was prompted to authorize a “Privacy Policy Extension” application, and that consent granted the attackers the access they needed.
The attackers then uploaded a new, malicious version of the extension, which passed Google’s security checks and reached approximately 400,000 users through Chrome’s automatic extension updates.
It has since been established that the attackers’ goal was to harvest victims’ Facebook data through the extension. The domains used in the attack were registered and tested as early as March 2024, and further domains were created in November and December ahead of the incident.
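Because the malicious version arrived through Chrome’s normal auto-update channel, the practical question for a defender is which installed extensions (and which versions) could do this kind of harvesting at all. The script below is an added example, not code from Cyberhaven, Google, or the research cited above: it walks a Chrome profile’s Extensions directory, reads each version’s manifest.json, flags extensions that combine broad host access with a data-reading permission, and checks them against a watchlist. It assumes Chrome’s on-disk layout of `<profile>/Extensions/<extension id>/<version>/manifest.json`; the set of “risky” permissions, the three sample manifests and the watchlist entry are this example’s own constructed choices, not published indicators.

```python
"""Inventory the Chrome extensions in a profile and flag the ones whose
permissions would let a compromised update harvest site data.

Added example, not Cyberhaven's, Google's or the researchers' code.
Assumptions: Chrome lays extensions out as
<profile>/Extensions/<extension id>/<version>/manifest.json; the risky
permission set, the sample manifests and the watchlist are constructed.
"""
import json
import os
import tempfile

# Permissions that, combined with broad host access, let an extension read
# cookies or page content on arbitrary sites (the capability abused here).
RISKY_PERMISSIONS = {"cookies", "webRequest", "webRequestBlocking", "scripting"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def inventory_extensions(profile_dir):
    """Walk <profile>/Extensions and return one record per installed version."""
    records = []
    ext_root = os.path.join(profile_dir, "Extensions")
    if not os.path.isdir(ext_root):
        return records
    for ext_id in sorted(os.listdir(ext_root)):
        ext_dir = os.path.join(ext_root, ext_id)
        if not os.path.isdir(ext_dir):
            continue
        for version in sorted(os.listdir(ext_dir)):
            manifest_path = os.path.join(ext_dir, version, "manifest.json")
            if not os.path.isfile(manifest_path):
                continue
            with open(manifest_path, encoding="utf-8") as fh:
                manifest = json.load(fh)
            perms = set(manifest.get("permissions", []))
            # MV3 lists host patterns separately; MV2 mixes them into "permissions".
            hosts = set(manifest.get("host_permissions", []))
            hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
            records.append({
                "id": ext_id,
                "version": version,
                "name": manifest.get("name", "?"),
                "risky_permissions": sorted(perms & RISKY_PERMISSIONS),
                "broad_hosts": sorted(hosts & BROAD_HOSTS),
                # Flag only the combination: broad host access plus a data-reading permission.
                "risky": bool(perms & RISKY_PERMISSIONS) and bool(hosts & BROAD_HOSTS),
            })
    return records


def match_watchlist(records, watchlist):
    """Return records whose (id, version) appear in watchlist {id: {versions}}."""
    return [r for r in records if r["version"] in watchlist.get(r["id"], set())]


def build_sample_profile():
    """Create a temporary profile holding three constructed manifests for the demo."""
    profile = tempfile.mkdtemp(prefix="chrome-profile-")
    samples = {
        # Constructed: MV3 extension with cookie access on every site.
        ("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "24.10.4_0"): {
            "manifest_version": 3, "name": "Sample DLP Extension",
            "permissions": ["cookies", "storage"],
            "host_permissions": ["<all_urls>"],
        },
        # Constructed: MV2 extension with webRequest on every site.
        ("bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", "1.2.0_0"): {
            "manifest_version": 2, "name": "Sample Ad Blocker",
            "permissions": ["webRequest", "webRequestBlocking", "*://*/*"],
        },
        # Constructed: extension that only uses local storage.
        ("cccccccccccccccccccccccccccccccc", "3.0.1_0"): {
            "manifest_version": 3, "name": "Sample Notes",
            "permissions": ["storage"],
        },
    }
    for (ext_id, version), manifest in samples.items():
        version_dir = os.path.join(profile, "Extensions", ext_id, version)
        os.makedirs(version_dir)
        with open(os.path.join(version_dir, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return profile


if __name__ == "__main__":
    profile = build_sample_profile()
    records = inventory_extensions(profile)
    # Placeholder watchlist: replace with IDs/versions from published indicators.
    watchlist = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"24.10.4_0"}}
    for r in records:
        print(f"{r['id']} {r['version']:<10} {'RISKY' if r['risky'] else 'ok':<5} {r['name']}")
    for r in match_watchlist(records, watchlist):
        print("WATCHLIST HIT:", r["id"], r["version"])
```

On a real host, point `inventory_extensions` at the profile directory (for example `~/.config/google-chrome/Default` on Linux) and feed `match_watchlist` the extension IDs and versions from the published indicators. The permission check is deliberately conservative: it flags the combination of broad host access and a data-reading permission, which a legitimate DLP or ad-blocking extension will also carry, so treat a flag as a prompt to verify the installed version, not as proof of compromise.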
“The employee followed standard procedures and inadvertently authorized this malicious third-party application,” Cyberhaven said in a statement.
“The employee had Google Advanced Protection enabled and MFA enforced on their account. The employee did not receive an MFA prompt. The employee’s Google credentials were not compromised.”