Hackers hijacked legitimate Chrome extensions to try to steal data

As early as mid-December, a cyberattack campaign inserted malicious code into multiple Chrome browser extensions. Reuters reported yesterday. The code appears to be designed to steal browser cookies and authentication sessions, targeting “specific social media advertising and artificial intelligence platforms,” According to a blog post from Cyberhaven, one of the target companies.

Cyberhaven blamed the attack on phishing emails, writing in a report Separate technical analysis post The code appears to specifically target Facebook ad accounts. according to ReutersSecurity researcher Jaime Blasco believes that the attack was “just random” and not specifically targeting Cyberhaven. he Posted on X He found that VPN and AI extensions contained the same malicious code inserted into Cyberhaven.

Cyberhaven said that hackers pushed an update (version 24.10.4) of Cyberhaven’s data loss prevention extension that contained malicious code at 8:32 pm ET on Christmas Eve. Cyberhaven said it discovered the code on December 25 at 6:54pm ET and removed it within an hour, but the code remained active until December 25 at 9:00pm ET. 50. The company said it released a clean version in the 24.10.5 update.

Cyberhaven’s advice to potentially affected companies includes checking logs for suspicious activity and revoking or rotating any passwords that don’t use the FIDO2 multi-factor authentication standard. Before publishing the post, the company notified customers via email: TechCrunch report Friday morning.