One Article Review

Home - The article:
Source RiskIQ
Identifier 8632098
Publication date 2024-12-31 16:46:27 (viewed: 2024-12-31 17:08:13)
Title Hackers Launch Supply Chain Attack Against Chrome Extensions
Text
## Snapshot

Cybersecurity startup Cyberhaven warned customers that attackers had exfiltrated data from users of its Chrome browser extension. Public reports suggest this attack was part of a larger campaign targeting Chrome extension developers across multiple companies.

## Description

The company discovered that a malicious version of its extension was published to the Chrome Web Store on December 25, 2024. The attack affected machines running Chrome-based browsers that were updated via the store and online between certain times on December 25 and 26. [Cyberhaven CEO Howard Ting](https://www.cyberhaven.com/blog/cyberhavens-chrome-extension-security-incident-and-what-were-doing-about-it) reported that the company detected the attack and removed the malicious package within an hour, subsequently releasing a safe version. Ting said the attack appeared to be, in part, targeting Facebook Ad accounts and stealing Facebook access tokens. [Veteran cybersecurity researcher Jaime Blasco](https://www.linkedin.com/posts/jaimeblasco_regarding-the-cyberhaven-chrome-extension-activity-7278237969637941248-qBEj/) said the incident might be part of a larger campaign targeting Chrome extensions, with other compromised extensions including Internxt VPN, VPNCity, Uvoice, and ParrotTalks. The attackers used a command-and-control (C2) server with the IP address 149[.]28.124.84 and connected to it through various domain names that mimic the targeted extensions. [Cybersecurity researcher John Tuckner](https://secureannex.com/blog/cyberhaven-extension-compromise/) also found additional extensions carrying the same malicious code.

[The initial infiltration](https://www.cyberhaven.com/engineering-blog/cyberhavens-preliminary-analysis-of-the-recent-malicious-chrome-extension) occurred when a Cyberhaven developer received a phishing email and inadvertently authorized a malicious third-party Google application called 'Privacy Policy Extension.' This authorization allowed the attacker to upload a modified version of Cyberhaven's extension to the Chrome Web Store. The malicious extension contained code that enabled it to communicate with the C2 server and exfiltrate data. Additionally, the malicious code added a mouse click listener for Facebook[.]com. Cyberhaven confirmed that no other accounts, code-signing keys, or continuous integration and delivery environments were compromised.

## Recommendations

Cyberhaven recommends the following for customers who were running version 24.10.4 of its Chrome extension during the affected period (December 24-26, 2024):

- Verify that the extension has updated to version 24.10.5 or newer.
- Revoke/rotate all passwords that aren't FIDOv2.
- Review logs for any suspicious activity.

[John Tuckner](https://secureannex.com/blog/cyberhaven-extension-compromise/) provided the following YARA rule:

```yara
rule Cyberhaven_Extension_Pattern {
    meta:
        description = "Detects suspicious messages seen in the Cyberhaven attack"
        severity = "high"
    strings:
        $msg1 = "action:" wide ascii
        $rtext1 = "-rtext" nocase wide ascii
        $rtext2 = "_rtext" nocase wide ascii
        $rjson1 = "-rjson" nocase wide ascii
        $rjson2 = "_rjson" nocase wide ascii
        $errors1 = "-check-errors" nocase wide ascii
        $errors2 = "_check-errors" nocase wide ascii
    condition:
        $msg1 and
        (any of ($rtext*)) and
        (any of ($rjson*)) and
        (any of ($errors*))
}
```

Microsoft recommends the following mitigations for related threats.

- Establish [best practices to secure software supply chain](https://learn.microsoft.com/en-us/nuget/concepts/security-best-practices).
- Conduct an [audit for packages and dependencies](https://learn.microsoft.com/en-us/nuget/concepts/auditing-packages), analyzing the security of packages included in software projects.
- Configure [continuous access evaluation]
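As an added example (not code from the article, Cyberhaven, or Tuckner's post), the following pure-Python script re-implements the string and condition logic of the YARA rule above so defenders without a YARA engine can check extracted extension files; the `wide ascii` and `nocase` modifiers are honoured by searching each literal as both ASCII and UTF-16LE. The sample inputs are constructed and are not real extension code.

```python
import re

# Mirrors the rule's strings section: (identifier, literal, nocase).
# Every string carries "wide ascii", so each literal is searched both as
# ASCII and as UTF-16LE (the "wide" form YARA uses).
RULE_STRINGS = [
    ("$msg1", "action:", False),
    ("$rtext1", "-rtext", True),
    ("$rtext2", "_rtext", True),
    ("$rjson1", "-rjson", True),
    ("$rjson2", "_rjson", True),
    ("$errors1", "-check-errors", True),
    ("$errors2", "_check-errors", True),
]


def _pattern(literal: str, nocase: bool) -> re.Pattern:
    """Compile one rule string into a regex covering its ascii and wide forms."""
    ascii_form = re.escape(literal.encode("ascii"))
    wide_form = re.escape(literal.encode("utf-16-le"))
    flags = re.IGNORECASE if nocase else 0
    return re.compile(b"(?:" + ascii_form + b"|" + wide_form + b")", flags)


def scan(data: bytes) -> dict:
    """Return {identifier: found?} for every string in the rule."""
    return {ident: _pattern(lit, nocase).search(data) is not None
            for ident, lit, nocase in RULE_STRINGS}


def matches_rule(data: bytes) -> bool:
    """Evaluate the rule's condition: $msg1 plus one hit from each group."""
    hits = scan(data)

    def any_of(prefix: str) -> bool:  # YARA's "any of ($prefix*)"
        return any(found for ident, found in hits.items() if ident.startswith(prefix))

    return hits["$msg1"] and any_of("$rtext") and any_of("$rjson") and any_of("$errors")


# Constructed sample inputs (not real extension code) to exercise the rule.
SAMPLE_SUSPECT = (b'chrome.runtime.sendMessage({action: "get"});'
                  b'fetch(base + "-rtext"); fetch(base + "_RJSON");'
                  b'fetch(base + "-check-errors");')
SAMPLE_WIDE = SAMPLE_SUSPECT.decode("ascii").encode("utf-16-le")  # exercises "wide"
SAMPLE_BENIGN = b'chrome.runtime.sendMessage({action: "save"}); fetch("/api-rtext");'

if __name__ == "__main__":
    for name, blob in [("suspect", SAMPLE_SUSPECT), ("wide", SAMPLE_WIDE), ("benign", SAMPLE_BENIGN)]:
        print(f"{name}: matches={matches_rule(blob)} hits={scan(blob)}")
```

The benign sample shows why the condition requires a hit from every group: "action:" and "-rtext" alone are common in ordinary extension code and do not fire the rule.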
Notes ★★★
Sent Yes
The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from a previous one.