Cyberhaven Chrome Extension Compromised in Targeted Attack
On December 24, 2024, at approximately 5:24 PM UTC, Cyberhaven experienced a sophisticated and targeted attack. According to an official statement from the company, the attacker successfully gained access to a Cyberhaven employee’s account and used this foothold to publish a malicious version of the Cyberhaven Chrome extension (version 24.10.4) to the Chrome Web Store early the following morning.
Cyberhaven’s internal security team detected the breach on December 25, 2024, at 11:54 PM UTC, and promptly removed the malicious package within 60 minutes of detection.
The malicious extension posed a significant risk to users, particularly those who installed or updated the compromised version. As Cyberhaven stated, “For browsers running the compromised plugin, it is possible for sensitive information, including authenticated sessions and cookies, to be exfiltrated to the attacker’s domain (cyberhavennext[.]pro).” The attacker’s exfiltration domain was operational from 1:32 AM UTC on December 25, 2024, until 2:50 AM UTC on December 26, 2024.
To mitigate potential risks, Cyberhaven has advised impacted users to take the following actions:
- Verify that the Chrome extension is updated to version 24.10.5 or newer.
- Revoke and rotate all passwords not protected by FIDOv2.
- Revoke and rotate all API tokens.
- Review all logs for evidence of malicious activity.
Note that versions of the extension distributed outside of the Chrome Web Store, such as those for Firefox and Edge, were not affected.
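The last two recommendations (checking the installed version and reviewing logs) can be scripted. The following Python helper is an added example and not Cyberhaven's code: it compares an installed extension version against 24.10.5 and scans constructed proxy log lines for requests to the exfiltration domain, flagging whether each hit falls inside the domain's stated operational window. The three-column log format (timestamp, client, host) is an assumption.

```python
"""Added triage helper for the Cyberhaven extension incident (example code)."""
import re
from datetime import datetime, timezone

# Indicators taken from the incident report; all times are UTC.
EXFIL_DOMAIN = "cyberhavennext.pro"
FIXED_VERSION = (24, 10, 5)
WINDOW_START = datetime(2024, 12, 25, 1, 32, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 12, 26, 2, 50, tzinfo=timezone.utc)


def parse_version(version: str) -> tuple:
    """Turn '24.10.4' into (24, 10, 4) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def extension_is_safe(installed_version: str) -> bool:
    """True when the installed extension is 24.10.5 or newer."""
    return parse_version(installed_version) >= FIXED_VERSION


# Assumed log format: "<ISO-8601 timestamp> <client address> <destination host>".
LOG_LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def find_exfil_hits(log_lines):
    """Return every request to the exfil domain or one of its subdomains.

    Hits outside the reported operational window are still returned but
    marked in_window=False so an analyst can weigh them separately."""
    hits = []
    for line in log_lines:
        match = LOG_LINE_RE.match(line.strip())
        if not match:
            continue  # skip malformed lines rather than abort the review
        ts_raw, client, host = match.groups()
        host = host.lower().rstrip(".")
        if host != EXFIL_DOMAIN and not host.endswith("." + EXFIL_DOMAIN):
            continue
        ts = datetime.fromisoformat(ts_raw.replace("Z", "+00:00"))
        hits.append({"time": ts.isoformat(), "client": client, "host": host,
                     "in_window": WINDOW_START <= ts <= WINDOW_END})
    return hits


# Constructed sample log lines for demonstration only.
SAMPLE_LOG = [
    "2024-12-25T02:10:00Z 10.0.0.12 cyberhavennext.pro",
    "2024-12-25T02:11:00Z 10.0.0.12 www.cyberhaven.com",
    "2024-12-26T03:00:00Z 10.0.0.7 api.cyberhavennext.pro",
    "not a valid log line",
]

if __name__ == "__main__":
    for hit in find_exfil_hits(SAMPLE_LOG):
        print(hit)
    print("24.10.4 safe:", extension_is_safe("24.10.4"))
```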
Cyberhaven is actively investigating the incident and has engaged federal law enforcement and Mandiant to assist in its efforts. The company is also working to provide its customers with additional telemetry and threat intelligence as the situation develops.
“One of Cyberhaven’s core values is maximum transparency, and we are acting on these principles to retain the trust we have earned from you,” the company stated, emphasizing its commitment to keeping customers informed and supported.
Users are encouraged to remain vigilant and adhere to the company’s recommendations to protect their sensitive data.
Via: vxunderground