Cyberhaven, a California-based cybersecurity firm, says it was hacked on Christmas Eve and that the hackers were targeting Chrome extensions. Cyberhaven doesn’t say what the motive for the attack was, and it doesn’t currently know who carried it out.
It does, however, note that it’s currently working with federal law enforcement. The investigation is also being assisted by Mandiant, a cybersecurity firm owned by Google. Cyberhaven says it doesn’t believe it was the direct target of the hack. Instead, the attack on its Chrome extension was part of a larger attack on several Chrome extensions from different companies.
None of those other companies were mentioned. However, a Nudge Security co-founder said in a post on X that he has spotted several Chrome extensions that were hit with similar attacks, with one appearing to have happened as early as mid-December.
Hackers likely had control of some Chrome extensions for a while
It’s unclear exactly how many extensions were under the attackers’ control after the attack, but Cyberhaven’s, at least, was under their control for a little over a day. According to The Record, Cyberhaven says it removed the malicious Chrome extension from the store within an hour of spotting the issue. However, any users who had the extension installed were vulnerable for at least a 30-hour period.
While the reason for the attack is unknown at the moment, Cyberhaven does mention that the malicious update added to its extension allowed for “exfiltration of user information” such as passwords. It also allowed access to cookies and sessions.
Users should update the extension, but not remove it
As the investigation continues, Cyberhaven says it has recommended that users update the extension. However, they shouldn’t remove it, because parts of the malicious code could be used for analysis. Users are also advised to rotate passwords to be on the safe side. Additionally, Cyberhaven says users should check their own logs for malicious activity. Given the nature of the attack, that would be a wise move, as the malicious update to the extension likely gave the hackers access to a lot of sensitive information.
Cyberhaven hasn’t given out specific details about the attack. It does mention, though, that one of its employees was targeted in an “advanced attack.” Some suggest that a phishing email could be what compromised that employee’s account.