
Update: Malicious Chrome Extension Campaign

January 8, 2025


THE THREAT

On December 27, 2024, Cyberhaven confirmed that a malicious version of its Chrome extension had been published to the Google Chrome Web Store and was briefly available there. eSentire identified multiple customer incidents involving the malicious extension.

During the investigation into this campaign, researchers uncovered thirty-five additional Chrome extensions that are confirmed to be compromised; see the Additional information section for the full list of confirmed compromised extensions [2]. The compromised extensions are primarily AI/LLM assistants and free VPN services. There is a high probability that further browser extensions have been compromised but not yet identified.

The malicious Chrome extensions steal browser data, including authenticated session tokens and cookies. Because a stolen session cookie can be replayed without the victim's password or MFA, this data is sufficient for secondary attacks such as account takeover. Organizations are strongly encouraged to identify any installed extensions on the list below and ensure they are updated to a clean version or removed, and to treat sessions that were active while a malicious version was installed as compromised.


Additional information

Based on details shared by Cyberhaven [1], the threat actors are targeting extension developers with malicious emails that ultimately lead to trojanized versions of the developers' Chrome extensions being published. In the Cyberhaven case, a developer received an email containing a link that led to a Google OAuth consent screen for a malicious application named "Privacy Policy Extension". Approving that consent granted the application access to the developer's Google account, including the ability to publish to the Chrome Web Store, which the threat actors used to upload a malicious version of the Cyberhaven Chrome extension. Because the access came from an OAuth grant rather than stolen credentials, the developer's password and MFA were never challenged; OAuth consent screens therefore deserve the same scrutiny as credential prompts.

The malicious Cyberhaven extension (version 24.10.4) is composed of two files: Worker.js and Content.js [3]. Worker.js is a tampered variant of the original extension's background worker, modified to contact a hardcoded Command-and-Control (C2) server and retrieve its configuration. Content.js is injected into web pages, extracts user data specific to the targeted website, and exfiltrates it to an attacker-controlled domain.

According to Cyberhaven's investigation [3], the threat actors specifically targeted Facebook Ads accounts. The extension exfiltrated Facebook access tokens, user IDs, detailed account information, and business and ad account details; all of the stolen data observed related to Facebook users. This information can be used to run fraud campaigns from the victim's ad accounts or to deliver malicious content through malvertising.

This campaign is actively developing at the time of writing, and eSentire is closely monitoring the situation for additional details and detection opportunities.

Confirmed Compromised Chrome Extensions

Name                                      Chrome Extension ID
Where is Cookie                           emedckhdnioeieppmeojgegjfkhdlaeo
Web Mirror                                eaijffijbobmnonfhilihbejadplhddo
ChatGPT App                               lbneaaedflankmgmfbmaplggbmjjmbae
Hi AI                                     hmiaoahjllhfgebflooeeefeiafpkfde
Web3Password Manager                      pdkmmfdfggfpibdjbbghggcllhhainjo
YesCaptcha assistant                      [email protected]
Bookmark Favicon Changer                  [email protected]
Proxy SwitchyOmega (V3)                   [email protected]
GraphQL Network Inspector                 [email protected]
AI Assistant                              bibjgkidgpfbblifamdlkdlhgihmfohh
Bard AI chat                              pkgciiiancapdlpcbppfkmeaieppikkk
ChatGPT for Google Meet                   epdjhgbipjpbbhoccdeipghoihibnfja
Search Copilot AI Assistant for Chrome    bbdnohkpnbkdkmnkddobeafboooinpla
TinaMind                                  befflofjcniongenjmbkgkoljhgliihe
Wayin AI                                  cedgndijpacnfbdggppddacngjfdkaca
VPNCity                                   nnpnnpemnckcfdebeekibpiijlicmpom
Internxt VPN                              dpggmcodlahmljkhlmpgpdcffdaoccni
Vidnoz Flex                               cplhlgabfijoiabgkigdafklbhhdkahj
VidHelper                                 egmennebgadmncfjafcemlecimkepcle
Castorus                                  mnhffkhmpnefgklngfmlndmkimimbphc
Uvoice                                    oaikpkmjciadfpddlpjjdapglcihgdle
Reader Mode                               fbmlcbhdmilaggedifpihjgkkmdgeljh
ParrotTalks                               kkodiihpgodmdankclfibbiphjkfdenh
Primus                                    oeiomhmbaapihbilkfkhmlajkeegnjhe
Keyboard History Recorder                 igbodamhgjohafcenbcljfegbipdfjpk
ChatGPT Assistant                         bgejafhieobnfpjlpcjjggoboebonfcg
Reader Mode                               llimhhconnjiflfimocjggfjdlmlhblm
Visual Effects for Google Meet            hodiladlefdpcbemnbbcpclbmknkiaem
AI Shop Buddy                             epikoohpebngmakjinphfiagogjcnddm
Cyberhaven V3 Security Extension          pajkjnmeojmbapicmbpliphjmcekeaac
Earny                                     ogbhbgkiojdollpjbhbamafmedkeockb
Rewards Search Automator                  eanofdhdfbcalhflpbdipkjjkoimeeod
Tackker                                   ekpkdmohpdnebfedjjfklhpefgpgaaji
Sort By                                   miglaibdlgminlepgeifekifakochlka
Email Hunter                              mbindhfolmpijhodmgkloeeppmkhpmhc
ChatGPT Quick Access                      didhgeamncokiaegffipckhhcpnmlcbl
GraphQL Network Inspector                 [email protected]
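To turn the list above into a host check, the following is an added example (it is not eSentire's or Cyberhaven's code) that walks Chrome's on-disk profile layout and reports any installed extension whose ID appears in the advisory's table. It assumes the standard Chrome layout of <User Data>/<Profile>/Extensions/<extension id>/<version>_<n>/manifest.json and the default User Data locations on Windows, macOS and Linux; the five table entries whose ID did not survive extraction of this page are left out of the list.

```python
import json
import os
import sys
from pathlib import Path

# Extension IDs taken from the advisory's "Confirmed Compromised Chrome Extensions" table
# (entries whose ID did not survive extraction of the page are omitted).
COMPROMISED_IDS = {
    "emedckhdnioeieppmeojgegjfkhdlaeo": "Where is Cookie",
    "eaijffijbobmnonfhilihbejadplhddo": "Web Mirror",
    "lbneaaedflankmgmfbmaplggbmjjmbae": "ChatGPT App",
    "hmiaoahjllhfgebflooeeefeiafpkfde": "Hi AI",
    "pdkmmfdfggfpibdjbbghggcllhhainjo": "Web3Password Manager",
    "bibjgkidgpfbblifamdlkdlhgihmfohh": "AI Assistant",
    "pkgciiiancapdlpcbppfkmeaieppikkk": "Bard AI chat",
    "epdjhgbipjpbbhoccdeipghoihibnfja": "ChatGPT for Google Meet",
    "bbdnohkpnbkdkmnkddobeafboooinpla": "Search Copilot AI Assistant for Chrome",
    "befflofjcniongenjmbkgkoljhgliihe": "TinaMind",
    "cedgndijpacnfbdggppddacngjfdkaca": "Wayin AI",
    "nnpnnpemnckcfdebeekibpiijlicmpom": "VPNCity",
    "dpggmcodlahmljkhlmpgpdcffdaoccni": "Internxt VPN",
    "cplhlgabfijoiabgkigdafklbhhdkahj": "Vidnoz Flex",
    "egmennebgadmncfjafcemlecimkepcle": "VidHelper",
    "mnhffkhmpnefgklngfmlndmkimimbphc": "Castorus",
    "oaikpkmjciadfpddlpjjdapglcihgdle": "Uvoice",
    "fbmlcbhdmilaggedifpihjgkkmdgeljh": "Reader Mode",
    "kkodiihpgodmdankclfibbiphjkfdenh": "ParrotTalks",
    "oeiomhmbaapihbilkfkhmlajkeegnjhe": "Primus",
    "igbodamhgjohafcenbcljfegbipdfjpk": "Keyboard History Recorder",
    "bgejafhieobnfpjlpcjjggoboebonfcg": "ChatGPT Assistant",
    "llimhhconnjiflfimocjggfjdlmlhblm": "Reader Mode",
    "hodiladlefdpcbemnbbcpclbmknkiaem": "Visual Effects for Google Meet",
    "epikoohpebngmakjinphfiagogjcnddm": "AI Shop Buddy",
    "pajkjnmeojmbapicmbpliphjmcekeaac": "Cyberhaven V3 Security Extension",
    "ogbhbgkiojdollpjbhbamafmedkeockb": "Earny",
    "eanofdhdfbcalhflpbdipkjjkoimeeod": "Rewards Search Automator",
    "ekpkdmohpdnebfedjjfklhpefgpgaaji": "Tackker",
    "miglaibdlgminlepgeifekifakochlka": "Sort By",
    "mbindhfolmpijhodmgkloeeppmkhpmhc": "Email Hunter",
    "didhgeamncokiaegffipckhhcpnmlcbl": "ChatGPT Quick Access",
}


def default_user_data_dirs():
    """Chrome 'User Data' roots for the current user (assumed default install paths)."""
    home = Path.home()
    if sys.platform.startswith("win"):
        local = Path(os.environ.get("LOCALAPPDATA", home / "AppData" / "Local"))
        return [local / "Google" / "Chrome" / "User Data"]
    if sys.platform == "darwin":
        return [home / "Library" / "Application Support" / "Google" / "Chrome"]
    return [home / ".config" / "google-chrome", home / ".config" / "chromium"]


def installed_extensions(user_data_dir):
    """Yield (profile, ext_id, version, manifest_name) for every extension found under
    <User Data>/<Profile>/Extensions/<ext_id>/<version>_<n>/manifest.json."""
    root = Path(user_data_dir)
    if not root.is_dir():
        return
    for ext_dir in sorted(root.glob("*/Extensions/*")):
        if not ext_dir.is_dir():
            continue
        profile = ext_dir.parent.parent.name
        for version_dir in sorted(ext_dir.iterdir()):
            manifest = version_dir / "manifest.json"
            if not manifest.is_file():
                continue
            try:
                name = json.loads(manifest.read_text(encoding="utf-8")).get("name", "")
            except (OSError, ValueError):
                name = ""  # unreadable manifest: still report the ID and version
            yield profile, ext_dir.name, version_dir.name.split("_", 1)[0], name


def find_compromised(user_data_dir, compromised_ids=COMPROMISED_IDS):
    """Return the installed extensions whose ID is on the advisory's list."""
    hits = []
    for profile, ext_id, version, name in installed_extensions(user_data_dir):
        if ext_id in compromised_ids:
            hits.append({"profile": profile, "id": ext_id, "version": version,
                         "installed_name": name, "advisory_name": compromised_ids[ext_id]})
    return hits


if __name__ == "__main__":
    for user_data in default_user_data_dirs():
        for hit in find_compromised(user_data):
            print(f"{user_data}: profile={hit['profile']} id={hit['id']} "
                  f"version={hit['version']} name={hit['advisory_name']!r}")
```

A hit means the extension is on the affected list, not necessarily that the malicious build is still installed: Chrome auto-updates, so the version reported today may already be a clean release (for Cyberhaven, 24.10.4 is the malicious build). Because session cookies were exfiltrated while the malicious version was present, the finding should drive session and token rotation for that user regardless of the version now on disk. For fleet-wide coverage, run the same directory walk through your EDR or osquery rather than per host.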

Hunt Query

"AC5CC8BCC05AC27A8F189134C2E3300863B317FB" or "0B871BDEE9D8302A48D6D6511228CAF67A08EC60" or "parrottalks[.]info" or "ext[.]linewizeconnect[.]com" or "bookmarkfc[.]info" or "censortracker[.]pro" or "yujaverity[.]info" or "wayinai[.]live" or "vpncity[.]live" or "moonsift[.]store" or "primusext[.]pro" or "internxtvpn[.]pro" or "uvoice[.]live" or "cyberhavenext[.]pro" or "gptforbusiness[.]site" or "ext[.]businessforai[.]com" or "barefootcontractor[.]com" or "ultrablock[.]pro" or "dearflip[.]pro" or "vidnozflex[.]live" or "wakelet[.]ink" or "locallyext[.]ink" or "tinamind[.]info" or "apple-ads-metric[.]com" or "aeromexi[.]co" or "gptforads[.]info" or "blockforads[.]com" or "ytbadblocker[.]com" or "searchcopilot[.]co" or "geminiaigg[.]pro" or "blockadsonyt[.]vip" or "fadblock[.]pro" or "lltvmarkets[.]com" or "savgptforchrome[.]pro" or "bardaiforchrome[.]live" or "com-freeapps[.]com" or "gpt4summary[.]ink" or "searchaiassitant[.]info" or "artseasy[.]com" or "savechatgpt[.]site" or "upwordwave[.]com" or "yescaptcha[.]pro" or "videodownloadhelper[.]pro" or "castorus[.]info" or "proxyswitchyomega[.]pro" or "graphqlnetwork[.]pro" or "iobit[.]pro" or "internetdownloadmanager[.]pro" or "searchgptchat[.]info" or "pieadblock[.]pro" or "gptdetector[.]live" or "chatgptextent[.]pro" or "youtubeadsblocker[.]live" or "chatgptextension[.]site" or "remiwantnun[.]com" or "okta-onsolve[.]com" or "capitalizerutc[.]com" or "extensionpolicyprivacy[.]com" or "policyextension[.]info" or "extensionpolicy[.]net" or "checkpolicy[.]site" or "linewizeconnect[.]com" or "extensionbuysell[.]com" or "adskiper[.]net" or "aiforgemini[.]com" or "sclpfybn[.]com" or "tnagofsg[.]com" or "kra18[.]com" or "149[.]28[.]124[.]84" or "45[.]76[.]225[.]148" or "136[.]244[.]115[.]219" or "149[.]248[.]44[.]88" or "108[.]61[.]23[.]192" or "80[.]240[.]21[.]36" or "45[.]32[.]69[.]11" or "155[.]138[.]253[.]165" or "45[.]77[.]5[.]196" or "144[.]202[.]123[.]86" or "74[.]220[.]199[.]9" or "45[.]32[.]231[.]212" or 
"149[.]28[.]117[.]236" or "137[.]220[.]48[.]214" or "149[.]248[.]2[.]160"

* Please note, all Indicators of Compromise in the hunt query are de-fanged. Brackets must be removed prior to use.
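As an added example of applying the hunt query (this is not part of the original advisory), the Python below re-fangs the quoted indicators, classifies each as a SHA-1 hash, an IPv4 address or a domain, and runs them over a few constructed proxy, DNS and EDR log lines. Only a short excerpt of the query is embedded; paste the full query text from the advisory into HUNT_QUERY for real use. The log line format is invented for illustration, and the matching deliberately treats subdomains of an IOC domain as hits while rejecting unrelated names that merely end in the same characters.

```python
import re

# Excerpt of the advisory's hunt query, verbatim and still de-fanged.
# Replace with the full query text from the advisory for real use.
HUNT_QUERY = (
    '"AC5CC8BCC05AC27A8F189134C2E3300863B317FB" or "parrottalks[.]info" or '
    '"ext[.]linewizeconnect[.]com" or "cyberhavenext[.]pro" or "149[.]28[.]124[.]84"'
)

# Constructed sample lines in a generic proxy / DNS / EDR format (not real telemetry).
SAMPLE_LOG = [
    "2025-01-02T10:00:00Z host01 proxy user=alice dst=api.cyberhavenext.pro:443 action=allow",
    "2025-01-02T10:00:05Z host01 proxy user=alice dst=www.google.com:443 action=allow",
    "2025-01-02T10:01:10Z host02 dns query=parrottalks.info answer=149.28.124.84",
    "2025-01-02T10:02:00Z host03 edr file=worker.js sha1=AC5CC8BCC05AC27A8F189134C2E3300863B317FB",
    "2025-01-02T10:03:00Z host04 proxy user=bob dst=notparrottalks.info:443 action=allow",
]

SHA1_RE = re.compile(r"\b[0-9a-fA-F]{40}\b")
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
# A host name token: dotted labels ending in an alphabetic TLD, optionally followed by
# :port, terminated by whitespace, a slash, a quote or end of line.
HOST_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})(?::\d+)?(?=[/\s\"']|$)", re.I)


def refang(ioc):
    """Undo the advisory's de-fanging: '[.]' back to '.'."""
    return ioc.replace("[.]", ".")


def parse_hunt_query(query):
    """Pull every quoted indicator out of the query and group it by type."""
    iocs = {"sha1": set(), "ip": set(), "domain": set()}
    for token in re.findall(r'"([^"]+)"', query):
        value = refang(token).strip().lower()
        if re.fullmatch(r"[0-9a-f]{40}", value):
            iocs["sha1"].add(value)
        elif IPV4_RE.fullmatch(value):
            iocs["ip"].add(value)
        else:
            iocs["domain"].add(value)
    return iocs


def host_matches(host, domains):
    """True if host equals an IOC domain or is a subdomain of one (never a bare suffix)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_log_lines(lines, iocs):
    """Return (line_no, ioc_type, indicator) for every IOC occurrence in the lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        for h in SHA1_RE.findall(line):
            if h.lower() in iocs["sha1"]:
                hits.append((n, "sha1", h.lower()))
        for ip in IPV4_RE.findall(line):
            if ip in iocs["ip"]:
                hits.append((n, "ip", ip))
        for host in HOST_RE.findall(line):
            if host_matches(host, iocs["domain"]):
                hits.append((n, "domain", host.lower()))
    return hits


def run_sample():
    """Scan the constructed log with the IOCs parsed from the query excerpt."""
    return scan_log_lines(SAMPLE_LOG, parse_hunt_query(HUNT_QUERY))


if __name__ == "__main__":
    for n, kind, value in run_sample():
        print(f"line {n}: {kind} {value} -> {SAMPLE_LOG[n - 1]}")
```

The subdomain rule matters here because the C2 infrastructure in the query mixes apex domains (cyberhavenext[.]pro) with specific hosts (ext[.]linewizeconnect[.]com): a plain substring search would miss api.cyberhavenext.pro in one direction and falsely flag notparrottalks.info in the other. Hashes are compared case-insensitively since EDR products differ in how they render them.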

References:

[1] https://www.cyberhaven.com/blog/cyberhavens-chrome-extension-security-incident-and-what-were-doing-about-it
[2] https://www.extensiontotal.com/cyberhaven-incident-live
[3] https://www.cyberhaven.com/engineering-blog/cyberhavens-preliminary-analysis-of-the-recent-malicious-chrome-extension
