Summary: A sophisticated cyber campaign targeting Chrome extension developers has been uncovered, utilizing phishing and malicious code to compromise both developers and users. The operation has affected at least 35 extensions and potentially over 2.5 million users, highlighting the evolving nature of cyber threats.
Threat Actor: Unknown | unknown
Victim: Cyberhaven | Cyberhaven
Key Point :
- Campaign first identified on December 24, 2024, with a tampered Chrome extension reported by Cyberhaven.
- Attackers used phishing emails claiming policy violations to trick developers into granting malicious OAuth consent.
- Malicious code enabled command-and-control communication and credential theft, affecting millions of users.
- Team Axon identified over 90 malicious domains and 30 IP addresses linked to the campaign.
- Urgent call for organizations to implement detection and mitigation measures against such threats.
In a detailed report from Team Axon—led by Alon Klayman and Uri Kornitzer—researchers have revealed on a sophisticated campaign targeting Chrome extension developers. This operation exemplifies the evolving nature of cyber threats, combining phishing, credential theft, and malicious code injection to compromise both developers and end users.
The campaign first came to light on December 24, 2024, when Cyberhaven, a cybersecurity firm specializing in secure browser extensions, disclosed a tampered version of their Chrome extension on the Chrome Web Store. According to Cyberhaven, the breach stemmed from a successful phishing attack that tricked an employee into granting malicious OAuth consent, providing attackers access to the Google Chrome Web Store.
Team Axon’s investigation revealed that the tampered extension contained malicious code enabling command-and-control (C2) communication and credential theft. “Research findings indicate that this threat campaign, targeting Chrome extension developers, has been active for at least seven months and possibly longer,” the report states.
Further analysis uncovered that this was not an isolated incident. The campaign targeted multiple Chrome extension developers using similar phishing methods, leading to the compromise of at least 35 additional extensions, potentially affecting over 2.5 million users. Alarmingly, the attackers registered a new malicious domain as recently as December 28, 2024.
The attack begins with phishing emails purportedly from Google, falsely claiming that the recipient’s extension violates Chrome Web Store policies. Developers are redirected to a fraudulent OAuth consent page, where they are tricked into granting permissions to a malicious application. These permissions allow attackers to tamper with Chrome extensions, injecting malicious code designed to:
- Establish C2 communication.
- Steal sensitive data, including cookies.
“This highly targeted request appeared legitimate, as it focused exclusively on Chrome extension-related activities,” the report explains.
Team Axon identified over 90 malicious domains and 30 IP addresses associated with this campaign. To aid detection and response efforts, the report includes tailored threat-hunting queries and IOCs, empowering security teams to uncover related threats in their infrastructures.
The report concludes with an urgent call for organizations to act quickly. “This highlights the urgency for organizations to act quickly and deploy detection and mitigation measures,” Team Axon warns.
Related Posts:
Source:
https://securityonline.info/35-chrome-extensions-compromised-2-5-million-users-at-risk/