
Breaking: Cyberhaven Chrome Extension Compromised in Holiday Attack Campaign

An attacker successfully phished a Cyberhaven employee, gained access to Chrome Web Store admin credentials, and published a malicious version of the extension.

An attack on a Cyberhaven employee led to the deployment of a malicious Chrome extension, potentially exposing sensitive user data during Christmas.

Why it matters: This breach shows how trusted security tools can be weaponized against users, with the attack strategically timed during the holiday season when security teams are typically operating with reduced staff.

By the numbers:

  • 31+ hours of potential exposure (Dec 25 1:32 AM UTC - Dec 26 2:50 AM UTC)

  • 1 compromised version identified (24.10.4)

  • 13+ suspicious domains linked to attacker infrastructure

  • 60 minutes taken to remove malicious package after detection

How it worked:

  • Initial Access: Attacker successfully phished a Cyberhaven employee

  • Compromise: Gained access to Chrome Web Store admin credentials

  • Deployment: Published malicious version 24.10.4 of the extension

  • Data Collection: Malicious code gathered webpage information and browser cookies

  • Exfiltration: Data sent to attacker-controlled domain (cyberhavenext[.]pro)

Between the lines: Security researchers have identified potential connections to other compromised Chrome extensions, suggesting this may be part of a broader campaign.

What people are saying:

Jaime Blasco (@jaimeblascob): "Regarding the Cyberhaven chrome extension compromise I have reasons to believe there are other extensions affected. Pivoting by the IP address there are more domains created within the same time range resolving to the same IP address as cyberhavenext[.]pro"

John Tuckner (@tuckner): "The content.js script is not present in version 24.10.2 or 24.10.5. It seems to gather a lot of information about a webpage and its contents... So in summary it seems like: Happens on all URLs, Gathers info visited, Gets all stored cookies tied to those sites, Sends them to an attacker controlled server"

Update: Tuckner also reached out to me to reiterate - Cyberhaven recommends not removing the extension to maintain artifacts of the malicious code.
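To turn the "How it worked" steps and Tuckner's description of content.js into something a security team can run against endpoints, here is an added example (not Cyberhaven's or Vulnerable U's code) that walks a Chrome profile's Extensions directory and flags the compromised 24.10.4 build, plus any manifest that injects content.js on all URLs and also holds the cookies permission. The extension ID is not on the page, so matching the Cyberhaven extension by manifest name is an assumption, as is the permission-based heuristic; the sample manifest is constructed for the dry run.

```python
import json
import sys
from pathlib import Path

COMPROMISED_VERSION = "24.10.4"
# Match patterns that inject a content script into every site.
BROAD_MATCHES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def assess_manifest(manifest: dict) -> list[str]:
    """Return findings for one extension manifest; an empty list means nothing flagged."""
    findings = []
    name = str(manifest.get("name", ""))
    version = str(manifest.get("version", ""))
    if "cyberhaven" in name.lower() and version == COMPROMISED_VERSION:
        findings.append(f"compromised build: {name} {version}")
    # Heuristic for the behaviour seen in 24.10.4: content.js on all URLs combined
    # with the cookies permission, which allows reading stored session cookies.
    injects_everywhere = any(
        "content.js" in cs.get("js", []) and BROAD_MATCHES & set(cs.get("matches", []))
        for cs in manifest.get("content_scripts", [])
    )
    if injects_everywhere and "cookies" in manifest.get("permissions", []):
        findings.append(f"{name} {version}: content.js on all URLs + cookies permission")
    return findings


def scan_extensions_dir(ext_root: Path) -> dict[str, list[str]]:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and collect findings."""
    report = {}
    for manifest_path in ext_root.glob("*/*/manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        findings = assess_manifest(manifest)
        if findings:
            report[str(manifest_path.parent)] = findings
    return report


# Constructed sample manifest (not the real extension's) for a dry run.
SAMPLE_MANIFEST = {
    "name": "Cyberhaven (constructed sample)",
    "version": "24.10.4",
    "permissions": ["cookies", "storage"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
}

if __name__ == "__main__":  # pass a profile's Extensions directory to scan a real machine
    print(scan_extensions_dir(Path(sys.argv[1])) if len(sys.argv) > 1 else assess_manifest(SAMPLE_MANIFEST))
```

Leave flagged directories in place, as Cyberhaven asks, so the artifacts remain available for investigation.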

Official Communication from Cyberhaven:

What happened?

On December 24th, 2024, at approximately 5:24 PM UTC, a targeted advanced attack successfully occurred on a Cyberhaven employee. The attacker used the access gained in this attack to publish a malicious Chrome extension (version 24.10.4) to the Chrome Web Store in the early morning of December 25th, 2024.

Cyberhaven's internal security team detected the attack at 11:54 PM UTC on December 25th, 2024. Cyberhaven removed the malicious package within 60 minutes of detection.

What was the impact?

For browsers running the compromised plugin, it is possible for sensitive information, including authenticated sessions and cookies, to be exfiltrated to the attacker's domain (cyberhavenext[.]pro). The exfil domain was online from 1:32 AM UTC December 25th, 2024 until 2:50 AM UTC on December 26th, 2024.

What we recommend on impacted endpoints

  • Verify that the impacted Cyberhaven Chrome extension version 24.10.4 is updated to 24.10.5 or newer

  • Revoke/rotate all passwords that aren't FIDOv2

  • Revoke/rotate all API tokens

  • Review all logs to verify no malicious activity

  • Versions not hosted on the Chrome store (Firefox, Edge) were not affected

Next steps

  • Cyberhaven will continue its investigation into this incident and update its customers accordingly

  • We are working on providing additional telemetry and additional threat intelligence and will share it with impacted customers as soon as possible

  • Cyberhaven has engaged Mandiant and Federal Law Enforcement to help in this investigation

One of Cyberhaven's core values is maximum transparency, and we are acting on these first principles to retain the trust we have earned from you. We will continue to keep you updated and support you in every way possible to mitigate the impact of this incident.

Additional information about the incident:

  • This incident only impacted machines running Chrome-based browsers that were updated via the Google Chrome Web Store

  • After an in-depth review, the only compromise at Cyberhaven was a single admin account for the Google Chrome Store that allowed the attacker to push a malicious Chrome extension and bypass Cyberhaven controls; there was no other attack vector or any additional compromised accounts, including our CI/CD processes or code signing keys

  • The only impacted version of the plugin is 24.10.4

  • It only affected machines that were online between 1:32 AM UTC on December 25th, 2024 and 2:50 AM UTC on December 26th, 2024

  • We know the attack did not clean up the Chrome data store, so we have included instructions below that your security teams can use to verify what, if any, data was exfiltrated

  • Cyberhaven will be publishing a new Chrome extension (version 24.10.6) that will leverage this new information to gather additional telemetry to narrow down the scope of possible compromised machines; also, this data will allow us to narrow down the scope of possible compromised browsers and understand what, if any, data was exfiltrated

Longer form thoughts:

Threat actors are moving beyond the traditional spray-and-pray phishing campaigns to highly targeted attacks against individual employees. We’ve even seen plenty of employees’ personal devices and home networks targeted to pivot into corporate assets or SaaS platforms.

Think about it: instead of trying to breach a well-thought-out, multi-layer defense corporate network, attackers are finding it more effective to compromise one person with legitimate access to tools, data, and SaaS apps.

In this case, a single compromised admin account led to a supply chain attack that potentially affected many other organizations.

I’ve talked about the browser extension ecosystem for a long time. Go watch my BlackHat/Defcon talk from over a decade ago about the Chrome Webstore and how dangerous an extension with a vulnerability can be.

While organizations typically have strict policies about installing software, browser extensions are often more challenging to wrangle. Also, their update chains are harder to review and control. So, a once-reviewed and approved extension could catch a bad update like this Cyberhaven one and do damage.

Browser extensions are seen as lightweight, harmless add-ons rather than the powerful tools they actually are. This perception gap creates a pervasive risk: extensions have deep access to browser data (including authenticated sessions and sensitive information), they're easy to update, and they're often not subject to the same scrutiny as traditional software.

I expect we'll see a surge in attacks targeting browser extensions in 2025. The attack surface is massive – Chrome's Web Store alone has thousands of extensions with millions of users. Many of these extensions are maintained by small teams or individual developers who might not have robust security practices.

Plus, the auto-update feature means that once an attacker compromises an extension's distribution channel, they can potentially push malicious code to all users instantly.

Browser extensions shouldn't be treated as second-class citizens in security policies. They need the same level of scrutiny, if not more, as any other software running in your environment.

What's next:

  • Mandiant and Federal Law Enforcement are investigating

  • Cyberhaven releasing version 24.10.6 with enhanced telemetry

  • Customers are advised to update extensions and rotate credentials

Note: This is a developing story. Details may be updated as new information becomes available.