Focus Mode
Threat Research

Targeted supply chain attack against Chrome browser extensions

iocOne
Targeted supply chain attack against Chrome browser extensions
This article discusses a supply chain attack on Chrome browser extensions that began in December 2024, where attackers exploited a phishing vulnerability to inject malicious code. This breach compromised a number of extensions, risking sensitive user data including authentication tokens. Investigations revealed the attackers’ sophisticated methods and infrastructure, highlighting the ongoing threats posed by such supply chain vulnerabilities. Affected: Chrome browser extensions, Cyberhaven users, ChatGPT users, Facebook for Business users

Keypoints :

  • Cyberhaven reported a compromise of their Chrome extension on December 26, 2024.
  • The attack involved targeted phishing attacks against Chrome extension developers.
  • Attackers exploited permissions gained through a phishing attack to upload a malicious version of the Cyberhaven extension.
  • The compromise potentially affected hundreds of thousands of users across multiple extensions.
  • Harvested sensitive data included API keys, session cookies, and authentication tokens from platforms like ChatGPT and Facebook for Business.
  • Analysts recovered initial phishing emails that led to identifying the attacker’s infrastructure.
  • The campaign represents a shift from distributing fake extensions to compromising legitimate ones.
  • Cybersecurity measures are recommended for users with potentially compromised extensions.

MITRE Techniques :

  • T1589.002 – Gather Victim Identity Information: Email Addresses – Attackers collected developers’ email addresses from public extension pages.
  • T1583.001 – Acquire Infrastructure: Domains – Attackers registered multiple domains to support their phishing infrastructure.
  • T1586.003 – Compromise Accounts: Cloud Accounts – Phishing emails targeted developers to gain control over their extensions.
  • T0862 – Supply Chain Compromise – Maliciously altered legitimate Chrome extensions.
  • T1566.002 – Phishing: Spearphishing Link – Used targeted phishing emails to gain access.
  • T1059.007 – Command and Scripting Interpreter: JavaScript – Malicious JavaScript was injected into the compromised extensions.
  • T1550.001 – Use Alternate Authentication Material: Application Access Token – Hijacked OAuth tokens to update extensions.
  • T1528 – Steal Application Access Token – Harvested API keys and authentication tokens from users.
  • T1036 – Masquerading – Attacker posed as legitimate developers to exploit trust.
  • T1071.001 – Application Layer Protocol: Web Protocols – Used web protocols for command and control communication.
  • T1105 – Ingress Tool Transfer – Transferred malicious code to compromised extensions.
  • T1041 – Exfiltration Over C2 Channel – Exfiltrated harvested data to command and control servers.

Indicator of Compromise :

  • [Domain] chromewebstore-noreply[.]com
  • [Domain] chromeforextension[.]com
  • [Domain] supportchromestore[.]com
  • [Domain] graphqlnetwork[.]pro
  • [SHA256] d303047205dabec8e2d34431e920ebe3478ca80a18f57bf454da094aca0e10aa

Full Story: https://blog.sekoia.io/targeted-supply-chain-attack-against-chrome-browser-extensions/

Tags: DNS, TOOL, CLOUD, INITIAL ACCESS, PAYLOAD, PASSWORD, VULNERABILITY, EMAIL