Cyberhaven, a leading provider of data loss prevention (DLP) solutions, disclosed a significant security breach involving its Chrome extension.
On December 24, 2024, a targeted attack compromised an administrator account with publishing rights, allowing the attackers to push a malicious update (version 24.10.4) to the Chrome Web Store. Chrome's automatic extension update mechanism delivered it to users' browsers early on December 25, 2024, with no user action required.
The malicious version exfiltrated sensitive browser data, including session cookies and other authenticated-session material, to an attacker-controlled domain (cyberhavenext[.]pro).
The exfiltration domain was live from 1:32 AM UTC on December 25 until 2:50 AM UTC on December 26; any browser that ran version 24.10.4 during that window should be treated as exposed.
Cyberhaven’s internal security team detected the compromise at 11:54 PM UTC on December 25 and removed the malicious package within an hour.
A clean version (24.10.5) was released on December 26, removing the malicious code. Cyberhaven is also preparing an additional update (24.10.6) with telemetry features to help identify affected endpoints.
Impact and Recommendations
The compromised extension could have exposed sensitive information from any browser that ran version 24.10.4 while the exfiltration domain was active. In response, Cyberhaven has issued the following recommendations for impacted users:
- Update the extension: Ensure it is updated to version 24.10.5 or newer.
- Rotate credentials: Revoke active sessions and rotate all passwords not protected by FIDO2 authentication, and rotate all API tokens. Changing a password alone does not invalidate a stolen session cookie; the session itself has to be revoked.
- Review activity logs: Check for signs of suspicious activity, particularly logins or API calls during the exposure window.
- Do not uninstall the extension: Retaining it preserves forensic artifacts (the installed files and their hashes) useful for analysis.
Cyberhaven confirmed that versions of the extension hosted outside the Chrome Web Store, such as those for Firefox or Edge, were not affected.
Cyberhaven has engaged federal law enforcement and cybersecurity firm Mandiant to investigate the breach further. The company emphasized its commitment to transparency and customer trust, stating: “We are acting on our core values of maximum transparency to retain the trust we have earned from you.”
Indicators of Compromise (IOCs)
Secure Annex has shared technical details of the attack to aid in detection and mitigation:
- Malicious domain: cyberhavenext[.]pro
- IPs: 149.28.124.84, 149.248.2.160
- Malicious scripts (SHA-1): content.js AC5CC8BCC05AC27A8F189134C2E3300863B317FB; worker.js 0B871BDEE9D8302A48D6D6511228CAF67A08EC60
- CRX package hash (SHA-256): b53007dc2404dc3a4651db2756c773aa8e48c23755eba749f1641542ae796398
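As an added example (not Cyberhaven's or Secure Annex's code), the following Python script turns the indicators above into a hunt: it walks a Chrome profile's Extensions directory and flags installs by product name plus version, by script SHA-1, and by the exfiltration domain embedded in a script, and it matches log lines against the domain and IPs. The key=value log format, hostnames and the throwaway extension tree are constructed for the demo; the Chrome on-disk layout `<extension id>/<version>_<n>/manifest.json` and the hash types (40 hex digits for SHA-1, 64 for SHA-256) are assumptions drawn from the published values, not from the page.

```python
"""Hunt for the compromised Cyberhaven extension using the published IOCs.
Added example, not Cyberhaven's or Secure Annex's code. Log format and the
sample extension tree are constructed; the IOC values are the published ones."""
import hashlib
import json
import re
import tempfile
from pathlib import Path

MALICIOUS_DOMAIN = "cyberhavenext.pro"
MALICIOUS_IPS = {"149.28.124.84", "149.248.2.160"}
MALICIOUS_VERSION = "24.10.4"
MALICIOUS_SCRIPT_SHA1 = {  # 40 hex digits: SHA-1
    "ac5cc8bcc05ac27a8f189134c2e3300863b317fb": "content.js",
    "0b871bdee9d8302a48d6d6511228caf67a08ec60": "worker.js",
}
MALICIOUS_CRX_SHA256 = "b53007dc2404dc3a4651db2756c773aa8e48c23755eba749f1641542ae796398"
# Whole dotted quads only, so 149.28.124.84 does not match inside 149.28.124.840.
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
# Match the domain and its subdomains, but not e.g. cyberhavenext.prod.example.com.
DOMAIN_RE = re.compile(r"(?<![\w-])cyberhavenext\.pro(?![\w-])", re.IGNORECASE)

def file_digest(path: Path, algo: str) -> str:
    """Stream the file through hashlib so large bundles stay out of memory."""
    h = hashlib.new(algo)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_extensions(root: Path) -> list[dict]:
    """Walk a Chrome profile's Extensions dir (assumed layout <id>/<version>_<n>/manifest.json)
    and report installs matching by name+version, script SHA-1, or embedded exfil domain."""
    findings = []
    for manifest in root.rglob("manifest.json"):
        ext_dir = manifest.parent
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue
        name, version = str(meta.get("name", "")), str(meta.get("version", ""))
        # Version alone is weak evidence: unrelated extensions can also carry "24.10.4".
        if version == MALICIOUS_VERSION and "cyberhaven" in name.lower():
            findings.append({"type": "version", "path": str(ext_dir), "detail": f"{name} {version}"})
        for js in ext_dir.rglob("*.js"):
            digest = file_digest(js, "sha1")
            if digest in MALICIOUS_SCRIPT_SHA1:
                findings.append({"type": "hash", "path": str(js), "detail": f"sha1={digest}"})
            # A re-bundled or minified copy with a different hash may still carry the C2 host.
            if DOMAIN_RE.search(js.read_text(encoding="utf-8", errors="ignore")):
                findings.append({"type": "domain-string", "path": str(js), "detail": MALICIOUS_DOMAIN})
    return findings

def is_malicious_crx(path: Path) -> bool:
    """True if a downloaded .crx package matches the published SHA-256."""
    return file_digest(path, "sha256") == MALICIOUS_CRX_SHA256

def scan_log_lines(lines) -> list[dict]:
    """Match DNS / proxy / firewall lines against the exfil domain and IPs."""
    hits = []
    for n, line in enumerate(lines, 1):
        if DOMAIN_RE.search(line):
            hits.append({"line": n, "ioc": MALICIOUS_DOMAIN, "text": line})
            continue
        matched = MALICIOUS_IPS.intersection(IPV4_RE.findall(line))
        if matched:
            hits.append({"line": n, "ioc": min(matched), "text": line})
    return hits

# Constructed sample log lines (not real telemetry) in a simplified key=value format.
SAMPLE_LOGS = [
    "2024-12-25T01:40:12Z dns host=wks-17 qname=cyberhavenext.pro type=A",
    "2024-12-25T01:40:13Z proxy host=wks-17 dst=149.28.124.84:443 method=POST bytes=18231",
    "2024-12-25T02:03:55Z proxy host=wks-22 dst=203.0.113.5:443 method=GET bytes=822",
    "2024-12-25T02:10:40Z proxy host=wks-22 dst=149.248.2.160:443 method=POST bytes=9120",
    "2024-12-25T09:15:01Z dns host=wks-09 qname=updates.example.com type=A",
]

def demo_extension_scan() -> list[dict]:
    """Build a throwaway tree shaped like Chrome's Extensions directory and scan it.
    The sample content.js is constructed, so it hits on name+version and the embedded
    domain, not on the real SHA-1 (the malicious script itself is not shipped here)."""
    with tempfile.TemporaryDirectory() as tmp:
        bad = Path(tmp) / "Extensions" / "sampleextensionid" / "24.10.4_0"
        bad.mkdir(parents=True)
        (bad / "manifest.json").write_text(json.dumps({"name": "Cyberhaven", "version": "24.10.4", "manifest_version": 3}))
        (bad / "content.js").write_text('fetch("https://cyberhavenext.pro/");  // constructed sample\n')
        good = Path(tmp) / "Extensions" / "benignextensionid" / "1.0_0"
        good.mkdir(parents=True)
        (good / "manifest.json").write_text(json.dumps({"name": "Benign", "version": "1.0", "manifest_version": 3}))
        (good / "background.js").write_text('console.log("ok");\n')
        return scan_extensions(Path(tmp) / "Extensions")

if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_LOGS):
        print(f"log line {hit['line']}: {hit['ioc']} in {hit['text']}")
    for finding in demo_extension_scan():
        print(f"extension {finding['type']}: {finding['path']} ({finding['detail']})")
```

Point `scan_extensions` at the real profile directory (`~/.config/google-chrome/Default/Extensions` on Linux, `~/Library/Application Support/Google/Chrome/Default/Extensions` on macOS, `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions` on Windows) to check a host; the SHA-1 match only fires on the actual malicious files, which is one reason the advisory asks users not to uninstall the extension before it has been examined. The log matcher deliberately rejects near-misses such as `149.28.124.840` and `cyberhavenext.prod.example.com`, which naive substring searches would count as hits.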