Hackers have compromised at least 35 Chrome extensions by injecting malicious data-stealing JavaScript code in a massive supply chain attack that has impacted over 2,600,000 people.
The attackers impersonated Google to send fake Chrome Web Store policy violation emails with links to a phishing domain.
Using a malicious OAuth application, the attackers tricked Chrome extension developers into granting them unrestricted access to their Chrome Web Store accounts.
Supply chain attack hijacks over 35 Chrome extensions affecting 2.6 million people
Cyberhaven discovered the supply chain attack when its Chrome extension Cyberhaven security extension V3 was compromised after an employee fell victim to the phishing campaign.
The supply chain attack begins with the hacker sending a phishing message to the developer’s support email displayed on the Chrome extension’s page.
“Hi there, We wanted to let you know that your item is at risk of being removed from the Chrome Web Store,” the phishing email warns.
The emails include the extension name and ID to make the message believable. As the supposed violation, they claim that the extension includes “Unnecessary details in the description.”
“We do not allow extensions with misleading, poorly formatted, non-descriptive, irrelevant, excessive, or inappropriate metadata, including but not limited to the extension description, developer name, title, icon, screenshots, and promotional images.”
On clicking the ‘Go To Policy’ link to address the violations, the developers are redirected to a legitimate Google login page for a malicious OAuth application named “Privacy Policy Extension,” which requests permissions to manage the developer’s Chrome extensions.
Granting permission allows the malicious Privacy Policy Extension to “See, edit, update, or publish” the developer’s Chrome extensions, themes, apps, and licenses.
Because the developer authorizes the app through a genuine Google login, the attackers obtain this access without stealing the account password or defeating multi-factor authentication; a single consent grant sidesteps both.
“The employee had Google Advanced Protection enabled and had MFA covering his account. The employee did not receive an MFA prompt. The employee’s Google credentials were not compromised,” Cyberhaven explained.
On gaining access, the threat actor altered the developer’s Chrome extensions by including two JavaScript files, ‘worker.js’ and ‘content.js,’ which target Facebook account data.
Finally, the attacker published the new version to the Chrome Web Store using the victim’s account. Cyberhaven says that over 400,000 users were affected immediately when the attacker published the infected extension.
“Cyberhaven’s Chrome Extension counts enterprise and business users as its regular users, meaning that a successful compromise could impact business accounts, not just the accounts of regular Internet users,” warned Casey Ellis, Founder at Bugcrowd.
Stephen Kowski, Field CTO at SlashNext, noted that “Chrome extensions can access and modify web content, collect data, and interact with various web services, making them powerful tools but also attractive targets for attackers.”
Supply chain attack targeted Facebook Ad accounts
According to Cyberhaven’s assessment, the supply chain attack aims to take over Facebook Ad accounts to use the victims’ credit, run disinformation or phishing campaigns, or monetize their access by selling it to other threat actors.
“From analysis of some of the compromised machines, the primary motive for the attack was to target Facebook Ads accounts,” Cyberhaven stated.
“The 24-hour exposure window during a major holiday potentially affected numerous users who had auto-updates enabled, creating a significant risk for Facebook advertising accounts and associated business data,” added Kowski.
To achieve this objective, the injected code collects the victim’s Facebook access token and user ID. It then calls the Facebook API to collect the victim’s Facebook account information, business account information, and ad account information.
The stolen Facebook information is packaged alongside session cookies and the browser string and sent via an HTTP POST request to the threat actor’s command-and-control (C2) servers.
The code also saves the collected information in the user’s browser storage and uses the user’s ID to create a mouse-click event to satisfy MFA authentication when required.
“We believe that the code was looking for a QR code in order to bypass captchas and/or 2FA authorization requests.”
Cyberhaven published indicators of compromise (IOCs) to help potential victims determine whether they have been affected. These include the presence of the local storage keys ‘Extensionname_ext_manage’ and ‘Extensionname__ext_log’ in the browser’s extension storage.
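As an added example (not code from the article or from Cyberhaven), the following script hunts for those IOC key shapes the way a responder would on a workstation: it scans the LevelDB files Chrome keeps under a profile's “Local Extension Settings” directory and reports which extension IDs hold a key ending in “_ext_manage” or “_ext_log”. The extension IDs, key prefix and profile contents in the sample are constructed placeholders.

```python
import re
import tempfile
from pathlib import Path

# Key shapes from the published IOCs: "<Extensionname>_ext_manage" and
# "<Extensionname>__ext_log". Either one or two underscores is accepted.
IOC_KEY_PATTERN = re.compile(rb"[A-Za-z0-9]+_{1,2}ext_(?:manage|log)")


def scan_extension_storage(profile_dir: str) -> dict[str, list[str]]:
    """Return {extension_id: [matched keys]} for every extension whose
    chrome.storage.local LevelDB files contain an IOC-shaped key.
    Caveat: LevelDB prefix-compresses keys inside .ldb tables, so a key that
    shares a prefix with its neighbour may appear truncated; treat this as
    quick triage, not a full LevelDB parse."""
    hits: dict[str, list[str]] = {}
    settings_root = Path(profile_dir) / "Local Extension Settings"
    if not settings_root.is_dir():
        return hits
    for ext_dir in sorted(settings_root.iterdir()):
        if not ext_dir.is_dir():
            continue
        found: set[str] = set()
        for db_file in ext_dir.iterdir():
            # LevelDB keeps records in .ldb sorted tables and a .log write-ahead log.
            if db_file.suffix not in (".ldb", ".log"):
                continue
            for m in IOC_KEY_PATTERN.finditer(db_file.read_bytes()):
                found.add(m.group(0).decode("ascii"))
        if found:
            hits[ext_dir.name] = sorted(found)
    return hits


def build_sample_profile() -> str:
    """Constructed sample profile (not real data): one clean extension and
    one whose storage carries IOC-shaped keys."""
    root = Path(tempfile.mkdtemp())
    settings = root / "Local Extension Settings"
    clean = settings / "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"     # placeholder extension id
    infected = settings / "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"  # placeholder extension id
    clean.mkdir(parents=True)
    infected.mkdir(parents=True)
    (clean / "000003.log").write_bytes(b'\x00\x01settings\x00{"theme":"dark"}')
    (infected / "000005.ldb").write_bytes(
        b'\x00sampleext_ext_manage\x00{"token":"TOKEN_PLACEHOLDER"}'
        b"\x00sampleext__ext_log\x00[]"
    )
    return str(root)


if __name__ == "__main__":
    for ext_id, keys in scan_extension_storage(build_sample_profile()).items():
        print(f"{ext_id}: {', '.join(keys)}")
```

To run against a live machine, pass the profile directory instead of the sample, for example ~/.config/google-chrome/Default on Linux or %LOCALAPPDATA%\Google\Chrome\User Data\Default on Windows, ideally with Chrome closed so the write-ahead log is flushed.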
Besides Cyberhaven’s security extension V3, Nudge Security’s CTO says the supply chain attack also compromised the Internxt VPN, VPNCity, Uvoice, and ParrotTalks Chrome extensions. Over 35 Chrome extensions have been infected, affecting over 2.6 million users.
Meanwhile, Cyberhaven says the supply chain attack was not targeted and did not pivot to other systems.