Cyberhaven security
12/27/2024
Cyberhaven’s preliminary analysis of the recent malicious Chrome extension
On December 24th, 2024, a phishing attack compromised a Cyberhaven employee's access to the Google Chrome Web Store.
For Cyberhaven's CEO statement on the incident click here.
The attacker used this access to publish a malicious version of our Chrome extension (Cyberhaven Chrome extension version 24.10.4, Hash DDF8C9C72B1B1061221A597168f9BB2C2BA09D38D7B3405E1DACE37AF1587944).
Although analysis of the attack is still in progress, we now understand this was part of a larger campaign targeting Chrome extension developers. Public reports from security researchers have suggested that Chrome extensions from several different companies were compromised, and our initial analysis points to a non-targeted attack. From analysis of some of the compromised machines, the primary motive for the attack was to target Facebook Ads accounts.
Although we are still analyzing the attack with the help of a third-party security response company, here are our findings to date. We will publish a final report once all third-party work is done.
Initial attack vector
A phishing email was sent to Chrome extension developers. In this case the email was initially sent to the registered support email address, which is publicly listed. Here is a screenshot of the phishing email.
Once the employee clicked the link in the email, they were taken to the standard Google authorization flow for adding a malicious OAuth Google application called “Privacy Policy Extension”.
Note: This authorization page was hosted on Google.com and was part of the standard authorization flow for granting access to third-party Google applications. The employee followed the standard flow and inadvertently authorized this malicious third-party application. The employee had Google Advanced Protection enabled and had MFA covering his account. The employee did not receive an MFA prompt. The employee’s Google credentials were not compromised.
Uploading the malicious extension
The attacker gained requisite permissions via the malicious application (“Privacy Policy Extension”) and uploaded a malicious Chrome extension to the Chrome Web Store. After the customary Chrome Web Store Security review process, the malicious extension was approved for publication.
This malicious extension (24.10.4) was essentially based on a clean prior version of the official Cyberhaven Chrome extension. The attacker made a copy of the clean extension and added malicious code to create a new malicious extension. This extension was uploaded to the Chrome Web Store and replaced the clean official Cyberhaven Chrome extension. The malicious Chrome extension was now available and was distributed to a portion of our customer base. The malicious extension (24.10.4) had the following hash: DDF8C9C72B1B1061221A597168f9BB2C2BA09D38D7B3405E1DACE37AF1587944
Analysis of the malicious payload
The malicious code in the Chrome extension consisted of two files:
worker.js (0B871BDEE9D8302A48D6D6511228CAF67A08EC60) - This was a modified version of the Cyberhaven Chrome extension worker.js file. The main goal of this file was to first contact the Command and Control (C&C) server and download the configuration from the C&C. It saved the configuration to Chrome local storage. As a next step, it registered listeners for events from content.js and executed HTTP calls on its behalf.
The file also contained a hard-coded C&C server domain - cyberhavenext[.]pro
content.js (AC5CC8BCC05AC27A8F189134C2E3300863B317FB) - This was a new file added to the malicious Chrome extension. The main goal of this file was to collect user data for a specific website. This website was part of the C&C payload received and stored by the worker.js. Once it collected the data, it exfiltrated it to a malicious website, which was also included in the configuration received from the C&C server.
In our analysis of many compromised endpoints across our customer base, the target websites received from the C&C server were domains matching “*.facebook.com”. We have yet to see any other websites targeted, which makes us believe that this attack was a generic, non-targeted attack aimed at facebook.com advertising users.
Note: An example of a base64-decoded configuration received from the C&C server was included here as a screenshot.
What data was collected and exfiltrated
In our analysis of compromised machines, the extension was targeting Facebook.com users. If the user was logged into Facebook.com and navigated to the Facebook.com website, the extension would execute the malicious code path.
Here is what the malicious flow would execute:
- Get the user's Facebook access token
- Get the Facebook user's ID
- Get the user's account information (if available) via Facebook API
- Get the user's business accounts (via Facebook API)
- Retrieve user's ad account information (via Facebook API)
- Package all of this information, along with Facebook cookies and the user agent string, and send it to the C&C (Command & Control) server
- The malicious code also made an HTTP POST call to https://chatgpt.com/status page with a fixed body “{prompt: "check", max_tokens: 150}”. This malicious code doesn’t appear to do anything with this call or response.
After successfully sending all the data to the C&C server, the Facebook user ID is saved to browser storage. That user ID is then reused by the mouse click handler described below, to help the attackers complete 2FA on their side if that was needed.
Mouse click events
Regardless of what data was exfiltrated, or whether anything was exfiltrated at all, the malicious code added a mouse click listener on the Facebook.com website.
Every time a user clicks on a page, the malicious script retrieves all images and checks their src attributes; if a src contains the substring "qr/show/code", it uses the previously saved user ID and sends it, along with the image’s src, to the C&C server.
We believe that the code was looking for QR codes in order to bypass captchas and/or 2FA authorization requests.
IOC for the attack
- Installed Cyberhaven Chrome extension version
  - 24.10.4 DDF8C9C72B1B1061221A597168f9BB2C2BA09D38D7B3405E1DACE37AF1587944
  - content.js AC5CC8BCC05AC27A8F189134C2E3300863B317FB
  - worker.js 0B871BDEE9D8302A48D6D6511228CAF67A08EC60
- Presence of Chrome extension local storage keys
  - Cyberhavenext_ext_manage - The value of this key contains the downloaded configuration payload
  - cyberhaven_ext_log - This key is only present in the event of data exfiltration
- Network traffic to the C&C server
  - cyberhavenext[.]pro
  - api.cyberhaven[.]pro
  - 149.28.124[.]84
  - 149.248.2[.]160
In addition, on a potentially compromised device these values can be retrieved from Chrome storage using the Chrome developer tools:
- Open a tab in Chrome with any website (if none are open, you can pick mail.google.com or drive.google.com).
- Open the developer console for this page and select the Console tab.
- Select Cyberhaven in the developer console's list of JavaScript contexts (the dropdown that defaults to "top").
- Run await chrome.storage.local.get(null) in the developer console (Chrome blocks pasting into the developer console by default; you have to type it or first run "allow pasting").
- Interpret the result as follows:
  - If the result is empty, the device has not been compromised, possibly because the extension was not able to connect to the C&C server.
  - If the result includes "cyberhavenext_ext_manage" only, the configuration payload has been downloaded, but the user has not navigated to a targeted domain.
  - If the result also includes "cyberhavenext_ext_log", it is likely that data has been exfiltrated to the C&C server.
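As an added example (not Cyberhaven's own tooling), the following Python triage helper turns the IOC list and the console procedure above into checks a responder can run offline: it hashes the files of an unpacked extension directory against the file hashes listed above, classifies the object returned by await chrome.storage.local.get(null) into the three outcomes described, and matches hostnames or IPs against the C&C indicators. The function names are assumptions of this example; the hashes, storage keys and network indicators are copied from this post.

```python
import hashlib
import pathlib

# SHA-1 hashes of the two malicious files, copied from the IOC section of this post.
MALICIOUS_FILE_SHA1 = {
    "ac5cc8bcc05ac27a8f189134c2e3300863b317fb": "content.js",
    "0b871bdee9d8302a48d6d6511228caf67a08ec60": "worker.js",
}
# Storage keys from the IOC section. The post spells the log key two ways, so both
# are accepted, and keys are compared case-insensitively.
CONFIG_KEYS = {"cyberhavenext_ext_manage"}
EXFIL_KEYS = {"cyberhavenext_ext_log", "cyberhaven_ext_log"}
# Network indicators from the IOC section (listed defanged on the page, stored fanged here).
C2_INDICATORS = {"cyberhavenext.pro", "api.cyberhaven.pro", "149.28.124.84", "149.248.2.160"}


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def scan_files(files: dict[str, bytes], iocs: dict[str, str] = MALICIOUS_FILE_SHA1) -> list[tuple[str, str]]:
    """Return (path, IOC file name) for every file whose SHA-1 appears in the IOC table."""
    hits = []
    for path, blob in sorted(files.items()):
        digest = sha1_hex(blob)
        if digest in iocs:
            hits.append((path, iocs[digest]))
    return hits


def scan_extension_dir(ext_dir: pathlib.Path) -> list[tuple[str, str]]:
    """Hash every file under an unpacked extension directory (e.g. Chrome's Extensions/<id>/<version>/)."""
    files = {str(p.relative_to(ext_dir)): p.read_bytes() for p in ext_dir.rglob("*") if p.is_file()}
    return scan_files(files)


def classify_storage_dump(dump: dict) -> str:
    """Map the keys of a chrome.storage.local dump to the three outcomes of the console procedure."""
    keys = {k.lower() for k in dump}
    if keys & EXFIL_KEYS:
        return "likely-exfiltrated"  # log key is only written after data was sent to the C&C
    if keys & CONFIG_KEYS:
        return "config-downloaded"  # C&C reached, but no targeted domain visited yet
    return "no-indicator"  # empty result: not compromised, or the C&C was never reached


def is_c2_indicator(host_or_ip: str) -> bool:
    """Match a hostname or IP, fanged or defanged, against the C&C network indicators."""
    return host_or_ip.strip().lower().replace("[.]", ".") in C2_INDICATORS


if __name__ == "__main__":
    # Constructed sample, standing in for the output of `await chrome.storage.local.get(null)`.
    sample_dump = {"cyberhavenext_ext_manage": "<base64 config>", "cyberhavenext_ext_log": "<log>"}
    print(classify_storage_dump(sample_dump))
```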
Conclusion
Based on our initial research so far, this was a non-targeted attack, and part of a wider campaign, aimed at Facebook Ads users. We are working with our customers and an external third-party security response team to help us analyze and investigate further. We will post more updates as we have more findings.