The Cyberhaven Chrome Extension Vulnerability

In late December 2024, Cyberhaven, a data loss prevention company, experienced a security breach involving its Chrome browser extension. The incident was part of a broader campaign targeting multiple Chrome extensions across various organizations.

Incident Overview

On December 24, 2024, a Cyberhaven employee fell victim to a phishing attack that compromised their Google Chrome Web Store access. The attacker exploited this access to publish a malicious version (24.10.4) of Cyberhaven’s Chrome extension. This compromised extension was active from December 25, 1:32 AM UTC, until December 26, 2:50 AM UTC, during which it could exfiltrate sensitive user data, including authenticated sessions and cookies, to a rogue domain (cyberhavenext[.]pro).

The malicious extension contained two altered JavaScript files:

  • worker.js: This script contacted the command and control (C&C) server at cyberhavenext[.]pro to download a configuration stored in Chrome’s local storage. It also registered listeners to handle events from content.js and execute HTTP requests as directed.

  • content.js: This script monitored user interactions and DOM changes, focusing on specific websites. It communicated with worker.js to relay information back to the attacker, facilitating the exfiltration of sensitive data.

The attack vector involved a phishing email that led the employee to authorize a malicious OAuth application named “Privacy Policy Extension.” This authorization allowed the attacker to upload the compromised extension to the Chrome Web Store. Notably, the employee had Google Advanced Protection and multi-factor authentication (MFA) enabled yet did not receive an MFA prompt during the attack, indicating a sophisticated bypass of security measures.

Post Incident Analysis and Remediation

Scenario 1: Extension Managed Through Chrome Browser Policies

Challenges in this scenario:

  • Limited control over the extension behavior.

  • Dependency on Chrome’s built-in extension management policies for mitigation.

  • Users may unwittingly install the malicious extension if not preemptively blocked.

Actions Security Teams Should Take

1. Analyze and Block the Extension

  • Audit Installed Extensions: Use tools like Chrome Browser Cloud Management (CBCM) to generate an inventory of extensions across managed endpoints, including the installed version of each.

  • Create an Extension Blocklist: Block the malicious extension by its unique extension ID using Chrome policies (replace malicious_extension_id with the actual 32-character extension ID):

{
    "ExtensionSettings": {
        "*": {
            "installation_mode": "allowed"
        },
        "malicious_extension_id": {
            "installation_mode": "blocked"
        }
    }
}

  • Force Removal: Enforce a policy to uninstall the extension from all managed browsers.
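The audit, blocklist and force-removal steps above, as an added example that is not part of the original article or of Cyberhaven's tooling. It checks a constructed inventory (in the shape of a CBCM export) for the compromised 24.10.4 build and generates the ExtensionSettings policy; the extension ID is a placeholder, and the policy uses Chrome's "removed" installation mode, which uninstalls existing copies as well as blocking new installs.

```python
import json
import re

# The compromised Cyberhaven build is version 24.10.4 (from the incident timeline).
# The extension ID below is a constructed placeholder; the real ID is not on this page.
BAD_EXTENSION_ID = "abcdefghijklmnopabcdefghijklmnop"
BAD_VERSIONS = {"24.10.4"}

# Constructed sample inventory in the shape of a CBCM extension export (not real data).
SAMPLE_INVENTORY = [
    {"host": "wks-01", "id": BAD_EXTENSION_ID, "version": "24.10.4"},
    {"host": "wks-02", "id": BAD_EXTENSION_ID, "version": "24.10.3"},
    {"host": "wks-03", "id": "ppppoooonnnnmmmmllllkkkkjjjjiiii", "version": "2.1.0"},
]

# Chrome extension IDs are exactly 32 characters drawn from the letters a-p.
EXT_ID_RE = re.compile(r"^[a-p]{32}$")


def find_affected_hosts(inventory, ext_id, bad_versions):
    """Hosts where ext_id is installed at a version known to be malicious."""
    return sorted(
        e["host"] for e in inventory
        if e["id"] == ext_id and e["version"] in bad_versions
    )


def build_extension_policy(blocked_ids, allow_others=True):
    """Build an ExtensionSettings policy dict.

    'removed' both blocks future installs and uninstalls existing copies,
    which is what the Force Removal step needs; 'blocked' only prevents installs.
    Malformed IDs are rejected because a mistyped ID would silently match nothing.
    """
    settings = {"*": {"installation_mode": "allowed" if allow_others else "blocked"}}
    for ext_id in blocked_ids:
        if not EXT_ID_RE.match(ext_id):
            raise ValueError(f"not a valid Chrome extension ID: {ext_id!r}")
        settings[ext_id] = {"installation_mode": "removed"}
    return {"ExtensionSettings": settings}


if __name__ == "__main__":
    print("affected hosts:", find_affected_hosts(SAMPLE_INVENTORY, BAD_EXTENSION_ID, BAD_VERSIONS))
    print(json.dumps(build_extension_policy([BAD_EXTENSION_ID]), indent=2))
```

Hosts still running 24.10.3 are not flagged, but they would have auto-updated to 24.10.4 had the browser been running during the compromise window, so the inventory snapshot must be taken after the policy is applied and re-checked.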

2. Enhance User Awareness

  • Notify users about the malicious extension and provide steps to verify its presence and remove it if necessary.

    • Rotate user credentials for necessary applications.

  • Educate users on how to spot potentially malicious extensions and encourage the use of vetted tools.

3. Monitor Browser Activity

  • DNS and Network Traffic: Monitor for communication to suspicious domains associated with the extension.

  • Anomaly Detection: Look for unusual browser behaviors, such as excessive CPU usage or unexpected web requests originating from endpoints.
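The DNS monitoring step above, as an added example that is not part of the original article. It scans constructed DNS log lines for queries to the exfiltration domain named in the incident (cyberhavenext[.]pro) and any subdomain of it, and marks whether each hit falls inside the window during which the malicious build was live.

```python
from datetime import datetime, timezone

# Exfiltration domain named in the incident writeup (defanged on the page).
C2_DOMAIN = "cyberhavenext.pro"
# Window during which the malicious 24.10.4 build was live, in UTC.
WINDOW_START = datetime(2024, 12, 25, 1, 32, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 12, 26, 2, 50, tzinfo=timezone.utc)

# Constructed sample DNS log lines: timestamp, client IP, query name (not real telemetry).
SAMPLE_DNS_LOG = """\
2024-12-25T03:10:12Z 10.0.1.15 api.cyberhavenext.pro
2024-12-25T03:11:40Z 10.0.1.15 www.example.com
2024-12-26T09:00:03Z 10.0.2.7 cyberhavenext.pro.
2024-12-25T10:00:00Z 10.0.3.3 notcyberhavenext.pro
"""


def matches_domain(qname, domain):
    """True for the domain itself or any subdomain; a plain substring test would
    also match look-alike names such as notcyberhavenext.pro."""
    q = qname.lower().rstrip(".")
    return q == domain or q.endswith("." + domain)


def scan_dns_log(text, domain=C2_DOMAIN):
    """Return one record per query to the C2 domain, with an in-window flag."""
    hits = []
    for line in text.splitlines():
        ts, client, qname = line.split()
        if not matches_domain(qname, domain):
            continue
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        hits.append({
            "client": client,
            "qname": qname,
            "in_window": WINDOW_START <= when <= WINDOW_END,
        })
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print(hit)
```

Hits outside the window still matter: a browser that fetched 24.10.4 during the window keeps running it until the update to a clean version is applied, so every client that ever resolved the domain should be treated as affected.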

4. Restrict Extension Permissions

  • Implement strict permissions policies for Chrome extensions, allowing only those necessary for legitimate business purposes.

  • Use enterprise extension allowlisting to preapprove a set of trusted extensions.

Scenario 2: Extension Controlled via MDM with No Log Visibility

Challenges in this scenario:

  • Complete control of the extension by the third-party provider means no transparency in its operations.

  • Logs and telemetry are unavailable for real-time monitoring or incident response.

  • Mitigating the issue will likely require coordination with the third party.

Actions Security Teams Should Take

1. Evaluate the Third-Party Vendor

  • Demand Transparency: Request detailed reports and security assessments from the vendor, including evidence of a secure software development lifecycle (SDLC).

  • Review Incident Response Plans: Ensure the vendor has robust incident handling mechanisms.

  • Compliance Checks: Verify that the vendor adheres to relevant security frameworks (e.g., SOC 2, ISO 27001).

2. Control Distribution and Use

  • Restrict to Necessary Systems: Deploy the extension only on devices, accounts, or browsers that require it.

  • Apply Usage Policies: Use MDM policies to enforce strict usage controls, such as disabling access during off-hours or limiting access to critical sensitive systems.

3. Monitor Through Alternative Means

  • Endpoint Behavior Monitoring: Deploy endpoint detection and response (EDR) tools (e.g., CrowdStrike) to flag suspicious activities triggered by the extension.

  • DNS and Traffic Analysis: Identify unusual traffic patterns to known C2 or malicious domains and block outbound connections.

4. Coordinate with the Vendor

  • Notify the vendor of the detected vulnerability immediately and request:

    • A root cause analysis.

    • Updates or patches to the extension.

    • Specific mitigation steps for customers.

5. Containment and Removal

  • If the vulnerability poses a severe threat:

    • Revoke the extension’s access via MDM policies.

    • Implement emergency procedures to uninstall the extension across all endpoints.

    • Use MDM to enforce the usage of a secure alternative tool.

Long-Term Recommendations for Both Scenarios

  • Adopt Browser Management Tools: Use CBCM (Chrome Browser Cloud Management) or similar tools to enforce strict security policies and gain visibility into browser-related risks.

  • Integrate MDM Logs with SIEM: Leverage third-party integrations or proxy-based monitoring to collect relevant telemetry and add visibility to blind spots.

  • Vendor Management Program: Regularly review third-party tools for vulnerabilities. Enforce contractual agreements mandating compliance with security best practices and prompt remediation of discovered issues.

  • Simulate Extension Attacks: Conduct red-team exercises focusing on malicious browser extensions to test organizational response plans.

  • Alternative Solutions: If the third-party vendor fails to address concerns, explore secure alternatives vetted through rigorous testing and analysis.

In both scenarios, organizations can significantly mitigate risks associated with third-party browser extensions by combining proactive management, user education, and vendor collaboration.
