This article discusses the rise in supply chain attacks, focusing on the compromise of the Cyberhaven Chrome extension in December 2024, part of a campaign against more than 30 extensions that affected over 2.6 million users. By phishing an extension developer and pushing a malicious update through software users already trusted, attackers harvested session data for high-value platforms, highlighting the need for monitoring of browser extensions and their network activity. Affected: Chrome extensions, Cyberhaven, Darktrace customers, social media platforms
Keypoints :
- Supply chain attacks are becoming more sophisticated as defenses improve.
- Attackers exploited trusted browser extensions to infiltrate networks.
- The Cyberhaven Chrome extension was compromised via a phishing attack.
- A malicious version of the extension was published to the Chrome Web Store and remained live over the Christmas holiday period.
- More than 30 additional Chrome extensions were compromised, impacting millions of users.
- Attackers aimed for financial gain, targeting high-value platforms.
- Darktrace detected unusual activities stemming from the Cyberhaven incident.
- Chrome's automatic extension updates delivered the malicious version to users without any action or consent on their part.
- Darktrace identified persistent communication with suspicious domains and IPs.
- The incident serves as a warning for monitoring cloud and browser-based security.
MITRE Techniques :
- INITIAL ACCESS (T1195.002) – Compromise Software Supply Chain: a malicious update to a trusted browser extension delivered the initial foothold (T1176 is the Persistence technique for browser extensions and is listed below).
- EXECUTION (T1204.002) – Use of malicious browser extensions to execute the attack.
- PERSISTENCE (T1176) – Maintaining access via compromised browser extensions.
- COMMAND AND CONTROL (T1071.001) – Utilizing web protocols for C2 communications.
- COMMAND AND CONTROL (T1001) – Data obfuscation to evade detection.
- CREDENTIAL ACCESS (T1539) – Theft of web session cookies for credential access.
- DISCOVERY (T1518.001) – Discovery of security software within the targeted environment.
- COLLECTION (T1185) – Browser Session Hijacking: man-in-the-browser access to authenticated sessions (T1557.003 is DHCP spoofing and does not apply here).
- EXFILTRATION (T1041) – Exfiltration of data over C2 channels.
- EXFILTRATION (T1567.002) – Exfiltration of data to cloud storage.
- RESOURCE DEVELOPMENT (T1583.006) – Acquire Infrastructure: Web Services, used to stand up the attacker-controlled domain and hosts that received hijacked session data.
Indicators of Compromise :
- [Hostname] cyberhavenext[.]pro – Used for C2 communications and data exfiltration (cookies and session tokens)
- [IP Address] 149.28.124[.]84 – Associated with malicious infrastructure
- [IP Address] 45.76.225[.]148 – Associated with malicious infrastructure
- [IP Address] 136.244.115[.]219 – Associated with malicious infrastructure
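The detection behaviour described in the keypoints (persistent communication from internal hosts to the attacker's domain and IPs) can be reproduced against proxy or DNS logs with the indicators above. The following Python is an example added to this summary, not Darktrace's or Cyberhaven's code; the space-separated log format (`timestamp source_ip destination_host destination_ip path`) and the log lines themselves are constructed for the example, and the `min_hits` threshold is an assumed tuning value.

```python
"""Match proxy/DNS log lines against the IOCs above and flag hosts that
contact them repeatedly (the "persistent communication" pattern).
Example code added to this summary; not Darktrace's detection logic."""
from collections import defaultdict
from datetime import datetime
import ipaddress
import re
import statistics


def refang(indicator):
    """Turn a defanged indicator such as cyberhavenext[.]pro into a real host."""
    return indicator.replace("[.]", ".")


# IOCs from the summary, defanged as published and refanged for matching.
IOC_DOMAINS = {refang("cyberhavenext[.]pro")}
IOC_IPS = {ipaddress.ip_address(refang(a)) for a in
           ("149.28.124[.]84", "45.76.225[.]148", "136.244.115[.]219")}

# Assumed log layout (constructed for this example):
# <ISO timestamp> <source ip> <destination host or -> <destination ip> <path>
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<host>\S+) (?P<ip>\S+) (?P<path>\S+)$")

# Constructed sample log. Includes a subdomain hit, an IP-only hit, a
# lookalike domain that must NOT match, and a case/trailing-dot variant.
SAMPLE_LOG = """\
2024-12-25T10:00:00 10.0.0.7 cyberhavenext.pro 149.28.124.84 /
2024-12-25T10:05:00 10.0.0.7 api.cyberhavenext.pro 149.28.124.84 /
2024-12-25T10:10:00 10.0.0.7 - 45.76.225.148 /
2024-12-25T10:15:00 10.0.0.7 cyberhavenext.pro 149.28.124.84 /
2024-12-25T10:20:00 10.0.0.9 notcyberhavenext.pro 203.0.113.5 /
2024-12-25T10:21:00 10.0.0.9 www.example.com 93.184.216.34 /
2024-12-25T10:22:00 10.0.0.9 CYBERHAVENEXT.PRO. 149.28.124.84 /
"""


def matches_ioc(host, ip):
    """Return the matching IOC string for a (host, ip) pair, or None.
    Domain matching is case-insensitive and covers subdomains but not
    lookalikes (notcyberhavenext.pro); IP matching is exact."""
    h = host.lower().rstrip(".")
    for d in IOC_DOMAINS:
        if h == d or h.endswith("." + d):
            return d
    try:
        if ipaddress.ip_address(ip) in IOC_IPS:
            return ip
    except ValueError:
        pass  # host-only record or unparsable address
    return None


def scan(lines, min_hits=3):
    """Return (all hits keyed by (source, ioc), persistent sources).

    A source is 'persistent' when it contacted the same IOC at least
    min_hits times; the median gap between contacts is reported so an
    analyst can spot beacon-like regularity."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ioc = matches_ioc(m["host"], m["ip"])
        if ioc:
            hits[(m["src"], ioc)].append(datetime.fromisoformat(m["ts"]))
    persistent = {}
    for key, times in hits.items():
        if len(times) >= min_hits:
            times.sort()
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            persistent[key] = {"count": len(times), "median_gap_s": statistics.median(gaps)}
    return dict(hits), persistent


if __name__ == "__main__":
    all_hits, flagged = scan(SAMPLE_LOG.splitlines())
    for (src, ioc), info in flagged.items():
        print(f"{src} -> {ioc}: {info['count']} contacts, median gap {info['median_gap_s']}s")
```

Run it over real proxy or DNS exports by replacing `SAMPLE_LOG` with the file contents and adjusting `LOG_RE` to the export's columns; the subdomain and trailing-dot handling matters because DNS logs often record fully qualified names and attackers rotate hostnames under one registered domain.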
Full Story: https://darktrace.com/blog/cyberhaven-supply-chain-attack-exploiting-browser-extensions