This article discusses a large-scale phishing attack targeting Chrome extension developers, leading to the distribution of tampered extensions that facilitate credential theft and command-and-control communication. The publication provides insights into the campaign, its implications, and a collection of Indicators of Compromise (IoCs) to aid security teams. Affected: Chrome Web Store, Cyberhaven
Key points:
- Cyberhaven reported a tampered version of their browser extension uploaded to the Chrome Web Store.
- The tampered extension was the result of a phishing attack that tricked a Cyberhaven employee into granting OAuth consent to an attacker-controlled application.
- At least 35 additional compromised extensions have been identified, affecting over 2.5 million users.
- The phishing campaign targeted Chrome extension developers for at least seven months.
- Newly registered malicious domains indicate the campaign is still active.
- The malicious OAuth application requested extensive permissions related to Chrome extension management.
- Security teams have been provided with threat-hunting queries to identify potential victims.
MITRE Techniques:
- Phishing (T1566) – Attackers sent emails impersonating Google notifications about Chrome Web Store policy violations to lure extension developers into authorizing the malicious OAuth application.
- Steal Web Session Cookie (T1539) – The malicious code injected into the tampered extensions harvested browser cookies and other credentials from victims' sessions. (The page's original mapping to OS Credential Dumping, T1003, does not fit: that technique covers dumping credentials from the operating system, not harvesting cookies from within a browser extension.)
- Application Layer Protocol (T1071) – The tampered extensions communicated with attacker-controlled domains (see the IoCs below) for command and control and to exfiltrate the stolen data.
Indicators of Compromise:
- [domain] chatgpt[.]forassistant[.]com
- [domain] chatgptforsearch[.]com
- [domain] geminiforads[.]com
- [ip address] 140[.]82[.]50[.]201
- [ip address] 149[.]28[.]71[.]39
- See the full article for the complete list of IoCs.
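The summary mentions threat-hunting queries and lists defanged domains and IPs but shows neither. Below is an added example (not code from the article or from Hunters) of how a security team would turn the five published IoCs into a hunt over web-proxy logs: refang the indicators, split them into domains and IPs, and match hostnames by DNS label so that subdomains of a listed domain (e.g. `update.geminiforads.com`) are caught while look-alike hostnames that merely contain the string (e.g. `geminiforads.com.evil.example`) are not. The log format (`<timestamp> <src_ip> <dst_host> <dst_ip> <url>`) and every log line are constructed for the example and are not from the article; only the indicators themselves come from the page.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable

# The five IoCs exactly as published on the page (defanged).
DEFANGED_IOCS = [
    "chatgpt[.]forassistant[.]com",
    "chatgptforsearch[.]com",
    "geminiforads[.]com",
    "140[.]82[.]50[.]201",
    "149[.]28[.]71[.]39",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into its live, lower-cased form."""
    return indicator.strip().lower().replace("[.]", ".").replace("hxxp", "http")


def split_iocs(defanged: Iterable[str]) -> tuple[set[str], set[str]]:
    """Refang each indicator and bucket it as an IP address or a domain."""
    domains: set[str] = set()
    ips: set[str] = set()
    for raw in defanged:
        value = refang(raw)
        try:
            ips.add(str(ipaddress.ip_address(value)))
        except ValueError:
            domains.add(value)
    return domains, ips


def domain_matches(host: str, ioc_domains: set[str]) -> str | None:
    """Return the listed domain that `host` equals or is a subdomain of, else None.

    Matching is done per DNS label, so 'update.geminiforads.com' hits 'geminiforads.com'
    but 'geminiforads.com.evil.example' does not (a naive substring check would flag it).
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in ioc_domains:
            return candidate
    return None


@dataclass(frozen=True)
class Hit:
    line_no: int
    indicators: tuple[str, ...]
    line: str


# Hypothetical proxy log format: "<timestamp> <src_ip> <dst_host> <dst_ip> <url>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<host>\S+) (?P<dst_ip>\S+) (?P<url>\S+)$")

# Constructed sample log (not from the article). Line 4 is a direct-to-IP connection
# with no hostname; line 5 is a look-alike that must NOT match.
SAMPLE_LOG = """\
2024-12-26T10:01:02Z 10.0.0.15 www.google.com 142.250.80.100 https://www.google.com/
2024-12-26T10:01:09Z 10.0.0.15 chatgpt.forassistant.com 140.82.50.201 https://chatgpt.forassistant.com/ai/
2024-12-26T10:02:30Z 10.0.0.22 update.geminiforads.com 203.0.113.7 https://update.geminiforads.com/
2024-12-26T10:03:11Z 10.0.0.31 - 149.28.71.39 https://149.28.71.39/c
2024-12-26T10:04:45Z 10.0.0.40 geminiforads.com.evil.example 198.51.100.9 https://geminiforads.com.evil.example/
2024-12-26T10:05:00Z 10.0.0.52 example.org 93.184.216.34 https://example.org/
"""


def hunt(log_text: str, defanged_iocs: Iterable[str] = DEFANGED_IOCS) -> list[Hit]:
    """Scan proxy log lines and return every line touching a listed domain or IP."""
    domains, ips = split_iocs(defanged_iocs)
    hits: list[Hit] = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        matched: list[str] = []
        domain = domain_matches(m["host"], domains)
        if domain is not None:
            matched.append(domain)
        if m["dst_ip"] in ips:
            matched.append(m["dst_ip"])
        if matched:
            hits.append(Hit(n, tuple(matched), line))
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(f"line {hit.line_no}: {', '.join(hit.indicators)}")
```

Running the block against the sample flags lines 2, 3 and 4 and leaves the look-alike on line 5 alone. In a real hunt, feed `hunt()` the proxy or DNS export for the period in question and extend `DEFANGED_IOCS` with the full list from the article; the label-based matcher is what keeps a look-alike domain from producing a false positive while still catching subdomains of the attacker's infrastructure.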
Full Research: https://www.hunters.security/en/blog/chrome-extension-threat-campaign-0