Malicious Chrome extensions masquerading as productivity and security tools targeted enterprise HR and ERP platforms, stealing credentials and blocking management pages. This coordinated attack threatened thousands of users by exfiltrating session cookies and hijacking accounts, potentially leading to large-scale data breaches and ransomware attacks. #Workday #NetSuite
Keypoints
- Five malicious Chrome extensions targeted major enterprise platforms like Workday, NetSuite, and SAP SuccessFactors.
- The extensions employed cookie exfiltration, session hijacking, and blocking of security management pages.
- Attackers used coordinated infrastructure and similar code patterns under different publisher names.
- The extensions collected authentication cookies and exfiltrated them to remote servers every 60 seconds.
- Google has removed the malicious extensions, and users are advised to report and change passwords.
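
For defenders, the permission combination behind the cookie theft described above can be audited in installed extensions' manifests. The following is an added example, not code from the report or the extensions; the domain suffixes, function names and sample manifests are assumptions constructed for illustration.

```python
import json
from pathlib import Path

# Platforms named in the key points. The domain suffixes are assumptions made
# for this example, not indicators taken from the page.
WATCHED = {
    "Workday": ("workday.com", "myworkday.com"),
    "NetSuite": ("netsuite.com",),
    "SAP SuccessFactors": ("successfactors.com",),
}
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def covers(pattern, domain):
    """True if a Chrome match pattern grants access to `domain` or its subdomains."""
    if pattern in BROAD:
        return True
    if "://" not in pattern:
        return False  # an API permission name such as "storage", not a host pattern
    host = pattern.split("://", 1)[1].split("/", 1)[0].lower()
    if host.startswith("*."):
        host = host[2:]
    return host == "*" or host == domain or host.endswith("." + domain)

def audit(manifest):
    """Flag manifests that pair the cookies API with access to a watched platform."""
    perms = [p for p in manifest.get("permissions", []) if isinstance(p, str)]
    # Manifest V3 lists hosts in host_permissions; V2 mixes them into permissions.
    hosts = list(manifest.get("host_permissions", [])) + perms
    platforms = sorted(name for name, domains in WATCHED.items()
                       if any(covers(h, d) for h in hosts for d in domains))
    has_cookies = "cookies" in perms
    return {"name": manifest.get("name", "?"), "cookies": has_cookies,
            "platforms": platforms, "flag": has_cookies and bool(platforms)}

def scan_profile(extensions_dir):
    """Audit every <id>/<version>/manifest.json under a Chrome profile's Extensions dir."""
    results = []
    for path in Path(extensions_dir).glob("*/*/manifest.json"):
        results.append(audit(json.loads(path.read_text(encoding="utf-8-sig"))))
    return [r for r in results if r["flag"]]

# Constructed sample manifests (not the extensions from the report).
SAMPLES = [
    {"name": "constructed-hr-helper", "manifest_version": 3,
     "permissions": ["cookies", "storage"],
     "host_permissions": ["https://*.workday.com/*", "https://*.netsuite.com/*"]},
    {"name": "constructed-theme", "manifest_version": 3, "permissions": ["storage"]},
    {"name": "constructed-mv2-tool", "manifest_version": 2,
     "permissions": ["cookies", "<all_urls>"]},
]
```

A flag here is a prompt for manual review, not a verdict: legitimate extensions can request the same permissions.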