Cyberhaven Supply Chain Attack: How One Phishing Email Led to Over 400,000 Compromised Browsers

Kate Turchin
December 30, 2024, updated May 22, 2025
5 minute read

On December 24, 2024, Cyberhaven, a data loss prevention provider, experienced a security breach involving its Chrome browser extension. What started as a phishing email led to a poisoned Chrome extension and quickly resulted in an estimated 400,000 compromised browsers. 

Using the extension's existing permissions and adding new ones, the threat actors were able to leak cookies and session tokens, read browser history, exfiltrate data, and use the stolen sessions to reach the accounts behind them.

Attack Overview

The attack started with a phishing email that pretended to come from Google Support. It warned the recipient that the extension violated Chrome Web Store policies and was at risk of being removed.

The phishing link led to a real Google OAuth consent page (the phish did not need to fake one), where the employee unknowingly authorized a malicious app called "Privacy Policy Extension."

Because the attackers walked away with an OAuth token rather than a password, the account's MFA never came into play: the grant gave them publishing rights on the Chrome Web Store developer account. They then uploaded a new version of the extension (24.10.4) embedding malicious code that went undetected by Google's automated security scans, and the Chrome Web Store's auto-update mechanism pushed it to Cyberhaven's user base.

This compromised extension was active for approximately 25 hours before Cyberhaven detected and removed it.

The Attack Chain

  1. A phishing email impersonating Google Support targeted the developers responsible for the extension.
  2. A developer clicked the phishing link and, on the Google OAuth consent page, granted the malicious app the permissions it requested.
  3. With that token, the threat actors gained access to the Chrome Web Store developer account and made unauthorized changes.
  4. A malicious version of the extension (24.10.4) was published to the Chrome Web Store.
  5. Chrome auto-updated the extension for roughly 400,000 users.
  6. Browser cookies and credentials were stolen, targeting Facebook Ads accounts and certain AI platforms.
Figure 1: The Attack Chain

Technical Analysis

The malicious extension was a modified version of Cyberhaven's legitimate extension, with added code designed to:

  • Contact a Command and Control (C&C) Server: The extension reached out to a hardcoded domain, cyberhavenext[.]pro, to fetch further instructions.
  • Monitor User Activity: It registered event listeners to capture user interactions on a targeted set of websites.
  • Exfiltrate Data: The primary objective was to steal browser cookies and authenticated sessions, especially targeting Facebook Ads accounts.
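
The C&C domain above is the one indicator a defender can hunt for immediately. The Python below is an added example (not code from the article, from Cyberhaven, or from the malicious extension) that runs that hunt over proxy and DNS logs. The log lines are constructed for the example; the only fact taken from the article is the domain. Matching is done on the parsed hostname (the domain itself or any subdomain of it), not on a substring, so a lookalike such as cyberhavenext.pro.evil.example does not produce a false positive.

```python
import re

# Indicator from the incident write-up (the article defangs it as cyberhavenext[.]pro).
C2_DOMAIN = "cyberhavenext.pro"

# Candidate hostnames: dotted labels ending in an alphabetic TLD. Bare IPs and
# timestamps such as 1735100000.123 never match because the last label must be letters.
HOST_RE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}")

# Constructed sample log lines (not real telemetry): Zeek-like DNS entries and
# Squid-like proxy entries, third field is the source IP.
SAMPLE_LOGS = [
    "1735100000.123 dns   10.0.4.21 query=cyberhavenext.pro qtype=A",
    "1735100001.456 proxy 10.0.4.21 GET https://cyberhavenext.pro/config 200",
    "1735100002.789 proxy 10.0.4.22 GET https://app.cyberhaven.io/login 200",
    "1735100003.001 dns   10.0.4.23 query=api.cyberhavenext.pro.evil.example qtype=A",
    "1735100004.222 proxy 10.0.4.24 POST https://Api.CyberhavenExt.pro/report 200",
]


def is_c2_host(host: str) -> bool:
    """True for the C2 domain or any subdomain of it; never for a lookalike
    that merely contains the string (e.g. cyberhavenext.pro.evil.example)."""
    host = host.lower().rstrip(".")
    return host == C2_DOMAIN or host.endswith("." + C2_DOMAIN)


def find_c2_contacts(lines):
    """Return (line_number, host, source_ip) for every line that touched the C2."""
    hits = []
    for number, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line.lower()):
            if is_c2_host(host):
                fields = line.split()
                source = fields[2] if len(fields) > 2 else "?"
                hits.append((number, host, source))
                break  # one hit per line is enough for triage
    return hits


def affected_sources(lines):
    """Distinct source IPs to isolate; their users' sessions need resetting."""
    return sorted({source for _, _, source in find_c2_contacts(lines)})


if __name__ == "__main__":
    for number, host, source in find_c2_contacts(SAMPLE_LOGS):
        print(f"line {number}: {source} -> {host}")
    print("hosts to triage:", affected_sources(SAMPLE_LOGS))
```

Feed it your real proxy or DNS export instead of SAMPLE_LOGS; the source IPs it returns are the endpoints whose browser sessions should be treated as stolen.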

The Impact

Cyberhaven's Chrome extension was compromised and malicious code was distributed to an estimated 400,000 enterprise users. The malicious build was designed to steal sensitive information such as session cookies and credentials, with a specific focus on taking over Facebook Ads accounts.

This incident was not isolated to Cyberhaven. It was part of a broader campaign where hackers targeted and compromised multiple companies' Chrome extensions in order to create a wide network of backdoors to steal sensitive data. According to Secure Annex, the list of potentially poisoned extensions has risen to 29 and counting.

The Implications

The attacker sidestepped MFA rather than breaking it, by exploiting a common yet under-secured SaaS-to-SaaS connection: a 4th party app. 4th party apps are software or scripts connected to your third-party apps. They don't integrate with your systems directly, but they are connected by proxy, and they sit outside an organization's purview and control. Once an OAuth grant is in place, the connected app uses its token without any further MFA challenge.

Supply chain attacks are increasing, with one report putting the rise at 180%. As organizations rely on more third-party applications to support and scale business operations, the attack surface becomes a web of machine-to-machine connections, identities, and permissions. Least privilege offers little protection when the account that is phished legitimately holds publishing rights, and while MFA makes an identity hard to hijack, an app-to-app token is never challenged for MFA. This chain underscores how vulnerable even well-defended systems become when a third-party vendor is compromised.
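
The defensive counterpart is to inventory OAuth grants and treat the Chrome Web Store scope as a publishing credential. The Python below is an added example, not Reco's product logic or anything from the article. The grant records are constructed, but shaped like the Google Workspace Admin SDK Directory API tokens resource (userKey, clientId, displayText, scopes, anonymous); the scope URL https://www.googleapis.com/auth/chromewebstore is the one the Chrome Web Store API uses; the allowlisted client ID and the impersonation word list are assumptions made for the example.

```python
# Scope the Chrome Web Store API issues to apps allowed to publish on a developer's behalf.
CWS_SCOPE = "https://www.googleapis.com/auth/chromewebstore"
# Other scopes broad enough to deserve review on their own.
BROAD_SCOPES = {"https://mail.google.com/", "https://www.googleapis.com/auth/drive"}
# Hypothetical client ID of the organization's own release pipeline (assumption).
ALLOWLIST = {"123456789012-release-ci.apps.googleusercontent.com"}
# Heuristic word list for app names that borrow Google branding (assumption).
IMPERSONATION_WORDS = ("google", "chrome", "privacy policy")
RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed grant records shaped like the Admin SDK tokens resource (not real data).
SAMPLE_GRANTS = [
    {"userKey": "extdev@example.com",
     "clientId": "123456789012-release-ci.apps.googleusercontent.com",
     "displayText": "Release pipeline", "anonymous": False,
     "scopes": [CWS_SCOPE]},
    {"userKey": "extdev@example.com",
     "clientId": "987654321098-abcdef.apps.googleusercontent.com",
     "displayText": "Privacy Policy Extension", "anonymous": False,
     "scopes": [CWS_SCOPE, "https://www.googleapis.com/auth/userinfo.email"]},
    {"userKey": "alice@example.com",
     "clientId": "555555555555-calsync.apps.googleusercontent.com",
     "displayText": "Calendar sync", "anonymous": False,
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
]


def score_grant(grant: dict, allowlist=ALLOWLIST) -> dict:
    """Rate one OAuth grant. Any non-allowlisted client holding the Chrome Web
    Store scope can push an update to every installed user, so it is critical."""
    finding = {"userKey": grant["userKey"], "clientId": grant["clientId"],
               "displayText": grant.get("displayText", ""),
               "severity": "low", "reasons": []}
    if grant["clientId"] in allowlist:
        finding["severity"] = "allowlisted"
        return finding

    def raise_to(level, why):
        finding["reasons"].append(why)
        if RANK[level] > RANK[finding["severity"]]:
            finding["severity"] = level

    for scope in grant.get("scopes", []):
        if scope == CWS_SCOPE:
            raise_to("critical", "holds Chrome Web Store publishing scope")
        elif scope in BROAD_SCOPES:
            raise_to("high", f"broad scope {scope}")
    name = finding["displayText"].lower()
    if any(word in name for word in IMPERSONATION_WORDS):
        raise_to("medium", f"name {finding['displayText']!r} borrows Google branding")
    if grant.get("anonymous"):  # app never registered with Google
        raise_to("medium", "client is not registered with Google")
    return finding


def audit_grants(grants, allowlist=ALLOWLIST) -> list:
    """All non-allowlisted grants, most severe first."""
    findings = [score_grant(g, allowlist) for g in grants]
    return sorted((f for f in findings if f["severity"] != "allowlisted"),
                  key=lambda f: RANK[f["severity"]], reverse=True)


if __name__ == "__main__":
    for finding in audit_grants(SAMPLE_GRANTS):
        print(finding["severity"].upper(), finding["userKey"], finding["displayText"], finding["reasons"])
```

In a real deployment the records come from the Directory API's tokens.list call for each user, and a critical finding is acted on with tokens.delete, which revokes the grant without touching the user's password or MFA.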

Cyberhaven's Response

Upon discovering the breach on December 25, Cyberhaven acted swiftly:

  • Removed the Malicious Extension: The compromised version was taken down within an hour of detection.
  • Released a Clean Update: A new, secure version (24.10.5) of the extension was published promptly.
  • Notified Affected Parties: Customers were informed about the incident and advised to check their systems for any suspicious activity.
  • Enhanced Security Measures: The company engaged an external incident response firm for forensic analysis and is cooperating with federal law enforcement to prevent future incidents.

Recommendations for Users

Users who had the compromised extension installed should:

  • Update the Extension: Confirm it is at version 24.10.5 or newer (24.10.4 is the malicious build).
  • Reset Sessions: Sign out of all active sessions and rotate API tokens so that any stolen cookies are invalidated.
  • Review Account Activity: Check for any unauthorized access, especially on platforms like Facebook Ads.
  • Change Passwords: Rotate passwords, particularly those not using FIDO2 multi-factor authentication.
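
Checking the first recommendation across a fleet means reading each installed extension's manifest and comparing versions numerically. The Python below does that as an added example; it is not Cyberhaven's or Reco's code. It walks Chrome's Extensions/<id>/<version>_<n>/manifest.json layout and also reports the permission combination (cookies plus broad host access) that makes a poisoned build dangerous. The sample profile it builds is constructed, the name prefix "Cyberhaven" is an assumption about the manifest's "name" field, and the only facts taken from the article are the version numbers 24.10.4 (malicious) and 24.10.5 (clean).

```python
import json
import tempfile
from pathlib import Path

EXTENSION_NAME_PREFIX = "cyberhaven"   # assumption about the manifest "name" field
MALICIOUS_VERSION = (24, 10, 4)        # from the incident write-up
FIXED_VERSION = (24, 10, 5)            # first clean release
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def parse_version(text: str) -> tuple:
    """Chrome versions are dotted integers; compare as tuples, never as strings."""
    return tuple(int(part) for part in text.split("."))


def audit_manifest(manifest: dict) -> dict:
    name = manifest.get("name", "")
    version = parse_version(manifest.get("version", "0"))
    perms = set(manifest.get("permissions", []))
    # MV2 put host patterns in "permissions"; MV3 uses "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    findings = []
    if "cookies" in perms and hosts & BROAD_HOSTS:
        findings.append("can read cookies for every site")
    if name.lower().startswith(EXTENSION_NAME_PREFIX):
        if version == MALICIOUS_VERSION:
            findings.append("known malicious build 24.10.4: remove, then reset sessions")
        elif version < FIXED_VERSION:
            findings.append("older than the clean 24.10.5 release: update")
    return {"name": name, "version": manifest.get("version", "0"), "findings": findings}


def audit_profile(profile: Path) -> list:
    """Walk Chrome's Extensions/<id>/<version>_<n>/manifest.json layout."""
    results = []
    for path in sorted((profile / "Extensions").glob("*/*/manifest.json")):
        with path.open(encoding="utf-8") as fh:
            results.append(audit_manifest(json.load(fh)))
    return results


def build_sample_profile() -> Path:
    """Constructed profile directory with two manifests (not real extension code)."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "aaaa/24.10.4_0": {
            "name": "Cyberhaven", "version": "24.10.4", "manifest_version": 3,
            "permissions": ["cookies", "webRequest", "tabs"],
            "host_permissions": ["<all_urls>"],
        },
        "bbbb/1.2.0_0": {
            "name": "Tab Counter", "version": "1.2.0", "manifest_version": 3,
            "permissions": ["tabs"], "host_permissions": [],
        },
    }
    for rel, manifest in samples.items():
        folder = root / "Extensions" / rel
        folder.mkdir(parents=True)
        (folder / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    for result in audit_profile(build_sample_profile()):
        print(result["name"], result["version"], result["findings"] or "ok")
```

Two caveats when running this against real profiles. The permission finding fires for the clean build too: a DLP extension legitimately needs cookies and broad host access, so a permission audit alone cannot separate the poisoned version from a good one; the version number and the C&C indicator are what identify it. And tuple comparison matters because, as strings, "24.9.12" sorts after "24.10.5". Localized extensions carry a "__MSG_...__" placeholder in the name field; resolve it from the _locales directory before matching on the name.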

How Reco Can Help

Reco, a leading SaaS security solution, is purpose-built to address and prevent SaaS supply chain attacks like the Cyberhaven attack.

  • ITDR (Identity Threat Detection and Response): Reco monitors for identity-related threats, like compromised SaaS admin accounts or anomalous token activity based on suspicious IP addresses, locations, devices, and more. For example, Reco provides real-time alerts (see Figure 2), enabling you to act before an incident escalates.
  • Posture Management: Reco reduces risks by identifying and addressing misconfigurations, such as overpermissioned users and admins, as well as high-risk authenticated tokens.
  • SaaS to SaaS monitoring: Reco provides visibility into all 4th party apps and permission risks. Proactively identify Chrome extensions with overly permissive settings and gain visibility into app-to-app connections to prevent or reduce the impact of supply chain attacks.
Figure 2: Reco Real-Time Alerts on Supply Chain Attack

Ready to Secure Your SaaS Ecosystem? Get Started with Reco Today

Reco can help organizations reduce the risk of supply chain attacks like the Cyberhaven attack, as well as detect and respond to them in real time. Our AI-based graph technology provides visibility into every app, identity, and their actions, allowing organizations to seamlessly prioritize and remediate risks and active threats. Reach out for a demo of Reco today.


ABOUT THE AUTHOR

Kate Turchin is the Director of Demand Generation at Reco.

Technical Review by: Gal Nakash
