A sophisticated cyberattack campaign has been uncovered, where hackers infiltrated multiple legitimate Chrome browser extensions, injecting malicious code designed to steal browser cookies and authentication sessions. The attack, which began as far back as mid-December, targeted specific social media advertising and AI platforms, according to a blog post from Cyberhaven, one of the companies affected.

The malicious code was inserted into the Cyberhaven data protection extension, among others, through a phishing email, as revealed in a technical analysis post by Cyberhaven. The company believes the attack was targeted at Facebook Ads accounts, but security researcher Jaime Blasco suggests that the attack was "just random" and not specifically aimed at Cyberhaven. Blasco discovered that VPN and AI extensions, including Internxt VPN, VPNCity, Uvoice, and ParrotTalks, also contained the same malicious code.

Cyberhaven reported that the hackers pushed an update (version 24.10.4) of its extension containing the malicious code on Christmas Eve at 8:32 PM ET. The company discovered the code on December 25th at 6:54 PM ET and removed it within an hour, but the code remained active until December 25th at 9:50 PM ET. A clean version was subsequently released in the 24.10.5 update.

In response to the attack, Cyberhaven recommends that companies check their logs for suspicious activity and revoke or rotate any passwords not using the FIDO2 multifactor authentication standard. Prior to publishing its posts, the company notified customers via an email, as reported by TechCrunch.

The implications of this attack are far-reaching, highlighting the vulnerability of even legitimate browser extensions to malicious code insertion. This incident serves as a reminder for users to remain vigilant and proactive in monitoring their online security, as well as for developers to prioritize the security of their extensions.

As the cybersecurity landscape continues to evolve, it is essential for companies and individuals alike to stay informed about emerging threats and take necessary precautions to protect their data. This incident underscores the importance of robust security measures and swift response to potential breaches.

In the wake of this attack, users are advised to exercise caution when installing and updating browser extensions, ensuring they only download from trusted sources and keep their extensions up-to-date. Furthermore, developers must prioritize security in their development process, implementing robust testing and validation procedures to prevent similar attacks in the future.