12/31/2024

Cyberhaven releases open source tools to detect broad-based Chrome extension attack

Chris Wise
DevSecOps Architect

Last week, Cyberhaven’s Chrome extension was compromised as part of a larger campaign targeting web extension developers. Security researchers have since discovered the same code embedded in other extensions dating back to May 2024. Secure Annex is maintaining an active list of compromised extension versions together with a thorough analysis of the situation, and we highly recommend monitoring it: https://secureannex.com/blog/cyberhaven-extension-compromise/


Open-source tools

As Cyberhaven assisted our customers in responding to the attack, it became apparent that limited tooling was available to quickly and accurately evaluate the spread of the impact. While we are sharing this telemetry with our customers, there does not seem to be a standard solution for all organizations to conduct such investigations independently at scale.

To enable our customers, and any other organization that could be affected by this attack on Chrome extensions, to run their own investigations, we are releasing a suite of scripts. These scripts search for entries indicating that a malicious extension has exfiltrated data.

The scripts are available to download from our GitHub repository - https://github.com/CyberhavenInc/chrome-extension-tools

The README.md files include instructions on how to run the scripts, but please find a high-level overview below:

ListChromeExtensions.ps1

This script assists organizations in gathering detailed information on the installed extensions and their versions. It can be run against a specific user profile or, by default, will attempt to check all user profiles. See the example below for the data that is returned.

We have not created a macOS equivalent, as this is easy to check with a one-line command run from inside a Chrome profile directory (where the Preferences file lives):

cat Preferences | jq '.extensions.settings | .[] | .manifest.name,.manifest.version,.path,.state'

chrome-extensions-scanner/scan_wrapper.ps1

chrome-extensions-scanner/scan_wrapper.sh

These scripts scan for known Indicators of Compromise across Chrome-family extensions on Windows (.ps1) and macOS (.sh). They come with a small set of built-in IoCs taken from the Cyberhaven extension compromise, although these indicators appear to be shared across a wider family of attacks. The scripts search for both the raw text and its base64 counterpart:

  • api.cyberhavenext.pro
  • api/saveQR
  • ads/ad_limits
  • qr/show/code
  • _ext_manage
  • _ext_log

These values can be modified or added to by editing the provided scripts.
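As an added illustration of the raw-plus-base64 search the scanners perform (example code written for this post, not the project's own scripts), the following encodes each IoC at all three byte alignments, since the base64 of a string embedded in a larger blob depends on its offset modulo 3, and then scans a string or a directory tree. The sample JavaScript is constructed for the demonstration.

```python
import base64
import os

# Built-in IoCs listed in the post; the scanner scripts ship the same set.
IOCS = ["api.cyberhavenext.pro", "api/saveQR", "ads/ad_limits",
        "qr/show/code", "_ext_manage", "_ext_log"]

def base64_variants(text: str) -> list[str]:
    """Base64 substrings matching `text` at any byte offset in a larger blob.

    Base64 maps 3 bytes to 4 chars, so an embedded string encodes differently
    depending on its offset modulo 3. Encode at all three offsets and trim the
    chars that depend on neighbouring bytes or on '=' padding.
    """
    raw, variants = text.encode(), []
    for pad in range(3):
        enc = base64.b64encode(b"\x00" * pad + raw).decode()
        if pad:                    # first quartet mixes in the filler bytes
            enc = enc[4:]
        if (pad + len(raw)) % 3:   # last quartet mixes in padding bits
            enc = enc[:-4]
        if enc:
            variants.append(enc)
    return variants

# Precompute every needle once: the raw IoC plus its three base64 forms.
NEEDLES = {ioc: [ioc] + base64_variants(ioc) for ioc in IOCS}

def scan_text(text: str) -> list[str]:
    """IoCs whose raw or base64 form occurs in `text`."""
    return [ioc for ioc, forms in NEEDLES.items() if any(f in text for f in forms)]

def scan_dir(root: str) -> dict[str, list[str]]:
    """Walk an extensions directory; map each file with hits to its IoCs."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                found = scan_text(fh.read())
            if found:
                hits[path] = found
    return hits

# Constructed sample: a loader that decodes its beacon URL only at run time.
SAMPLE_ENCODED_JS = "const u = atob('%s');" % base64.b64encode(
    b"https://api.cyberhavenext.pro/qr/show/code").decode()

if __name__ == "__main__":
    print(scan_text(SAMPLE_ENCODED_JS))   # both IoCs found despite the base64
```

Point scan_dir at a profile's Extensions folder to reproduce what the wrapper scripts do; a plain grep for the raw strings alone would miss the encoded sample above.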

The README.md (https://github.com/CyberhavenInc/chrome-extension-tools/blob/main/README.md) includes full instructions for their use.

Future use

We release these scripts as open source, as we believe that they can be helpful not just now, but also for future extension-based attacks. They can be particularly helpful in the first hours of a zero-day, before EDR solutions update their databases, to organizations that do not have an EDR solution, and to home users.