Cyberhaven has confirmed that its Chrome extension was compromised: a malicious update was pushed to users that could be used to gain access to the saved passwords of the extension's users. The company, which specializes in data loss prevention, sent affected customers a notification email about the potential supply chain attack.
Details of the Attack
In the attack on Cyberhaven on December 25, the attackers used a compromised Cyberhaven account to publish a malicious update, versioned 24.10.4. Through this breach they were also able to steal sensitive information, including authenticated sessions and cookies, which was sent to an attacker-controlled domain.
Cyberhaven's security team noticed the release and the update was removed from the Chrome Web Store. A clean version, 24.10.5, was then released to restore protection.
Impact on Users and Recommended Actions
According to the company's report, around 400,000 corporate users run the Cyberhaven software and are potentially affected. Users were given instructions regarding the breach, including credential revocation guidance: rotate API tokens and change passwords. To prevent further issues, users were also advised to monitor their logs and remove anything suspicious.
Session tokens and cookies captured during the attack could be used to bypass login and two-factor authentication, since a stolen session is already authenticated; changing a password does not by itself invalidate such a session, so existing sessions should be revoked as well. Cyberhaven did not say whether customers need to change the stored login information of other accounts associated with Chrome.
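As an added, practical check that is not part of the original article and not Cyberhaven's own tooling: the Python script below walks a Chrome profile's Extensions directory, reads each manifest.json, and flags the Cyberhaven extension if it is at the malicious version 24.10.4 or still below the fixed 24.10.5. It matches the extension by name because the article gives no extension ID (an assumption); the default profile paths are the standard Chrome locations, and the sample manifests at the bottom are constructed so the script can be exercised offline.

```python
"""Find the compromised Cyberhaven Chrome extension version on a local machine.
Added example; not Cyberhaven's code. Matching by extension name is an assumption."""
import json
import os
from pathlib import Path

# Versions reported in the article: the malicious release and the fixed one.
MALICIOUS_VERSION = "24.10.4"
FIXED_VERSION = "24.10.5"

# Standard Chrome extension locations for the Default profile (other profiles
# live beside "Default" and can be added to this list).
DEFAULT_EXTENSION_ROOTS = [
    Path.home() / ".config/google-chrome/Default/Extensions",                      # Linux
    Path.home() / "Library/Application Support/Google/Chrome/Default/Extensions",  # macOS
    Path(os.environ.get("LOCALAPPDATA", "")) / "Google/Chrome/User Data/Default/Extensions",  # Windows
]


def parse_version(version):
    """Turn a dotted extension version ("24.10.4") into a comparable tuple."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def classify(name, version, name_match="cyberhaven"):
    """Return 'malicious', 'outdated', 'clean', or None if this is not the
    extension of interest. Name matching is an assumption (no ID on the page);
    a localized manifest name such as "__MSG_appName__" will not match."""
    if name_match not in name.lower():
        return None
    if version == MALICIOUS_VERSION:
        return "malicious"
    if parse_version(version) < parse_version(FIXED_VERSION):
        return "outdated"
    return "clean"


def scan_manifests(manifests, name_match="cyberhaven"):
    """manifests: iterable of (path, manifest_dict). Returns a list of findings."""
    findings = []
    for path, manifest in manifests:
        name = str(manifest.get("name", ""))
        version = str(manifest.get("version", ""))
        if not version:
            continue
        verdict = classify(name, version, name_match)
        if verdict:
            findings.append({"path": str(path), "name": name,
                             "version": version, "verdict": verdict})
    return findings


def load_manifests(root):
    """Yield (path, manifest) for every <id>/<version>/manifest.json under root."""
    root = Path(root)
    if not root.is_dir():
        return
    for manifest_path in root.glob("*/*/manifest.json"):
        try:
            with open(manifest_path, encoding="utf-8") as fh:
                yield manifest_path, json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it rather than crash


def scan_extension_dirs(roots=DEFAULT_EXTENSION_ROOTS, name_match="cyberhaven"):
    """Scan every known profile root and return all findings."""
    findings = []
    for root in roots:
        findings.extend(scan_manifests(load_manifests(root), name_match))
    return findings


# Constructed sample manifests (not real data) to demonstrate the verdicts.
SAMPLE_MANIFESTS = [
    ("Extensions/idA/24.10.4_0/manifest.json", {"name": "Cyberhaven (sample)", "version": "24.10.4"}),
    ("Extensions/idA/24.10.5_0/manifest.json", {"name": "Cyberhaven (sample)", "version": "24.10.5"}),
    ("Extensions/idB/1.2.3_0/manifest.json",   {"name": "Unrelated extension",  "version": "1.2.3"}),
    ("Extensions/idA/24.9.0_0/manifest.json",  {"name": "Cyberhaven (sample)", "version": "24.9.0"}),
]

if __name__ == "__main__":
    for hit in scan_manifests(SAMPLE_MANIFESTS) + scan_extension_dirs():
        print(f"{hit['verdict']:9} {hit['name']} {hit['version']}  {hit['path']}")
```

A "clean" verdict only means the installed files are the fixed version; a session or cookie that was already exfiltrated by 24.10.4 stays valid until it is revoked, so the script is a starting point for the credential rotation described above, not a substitute for it.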
Compromised Account and Security Failure
The compromised account is reported to be the only administrator account Cyberhaven held for the Chrome Web Store. The company has not yet explained how the account was compromised or which security measures were in place at the time.
In a statement, Cyberhaven said it would review its security measures and put additional controls in place to prevent similar breaches in the future.
A Wider Campaign Against Extension Developers
Cyberhaven's statement indicated that this incident was part of a much wider campaign targeting extension developers beyond Cyberhaven. As noted by Jaime Blasco, CTO of Nudge Security, a number of other extensions with tens of thousands of users were also compromised, including AI, productivity and VPN extensions.
Blasco's view is that the attackers most likely were not targeting Cyberhaven specifically but were going after extension developers' credentials in general.
Media reports say that Mandiant, an incident response firm, is taking part in Cyberhaven's investigation and that the company is cooperating with federal law enforcement. Other reports suggest that additional organizations and extensions may also have been compromised, but there is little clarity on these reports yet.
The case demonstrates that weaknesses in the software supply chain are not going away, and that protecting sensitive user information always merits strong security controls.