A cyberattack campaign inserted malicious code into multiple Chrome browser extensions as early as mid-December, Reuters reported yesterday. The code appeared designed to steal browser cookies and authentication sessions, targeting “targeted advertising on social media and artificial intelligence platforms,” according to a blog post from Cyberhaven, one of the companies attacked.
Cyberhaven blames the attack on a phishing email, writing in a separate technical analysis post that the code appeared to specifically target Facebook ad accounts. According to Reuters, security researcher Jaime Blasco believes the attack was “simply random” and did not target Cyberhaven specifically. He posted on X (https://x.com/jaimeblascob/status/1872445912175534278) that he had found VPN and AI extensions that contained the same malicious code that was inserted into Cyberhaven.
Cyberhaven says hackers pushed an update (version 24.10.4) to its Cyberhaven data loss prevention extension containing the malicious code on Christmas Eve at 8:32 pm ET. Cyberhaven says it discovered the code on December 25 at 6:54 pm ET and removed it within an hour, but that the code was active until December 25 at 9:50 pm ET. The company says it released a clean version in its 24.10.5 update.
Cyberhaven's recommendations for businesses that may be affected include reviewing their logs for suspicious activity and revoking or rotating any passwords that do not use the FIDO2 multi-factor authentication standard. Before publishing its posts, the company notified customers by an email that TechCrunch reported on Friday morning.