
Hackers Hijack Chrome Extensions Across a Range of Companies


The series of intrusions, which have been traced back to mid-December, saw hackers compromising multiple Chrome browser extensions used by several different companies. According to one of the affected parties and cybersecurity experts who investigated the campaign, the attackers managed to exploit vulnerabilities in these extensions, allowing them to gain unauthorized access to sensitive information and potentially manipulate user activity.

The campaign appears to have been highly targeted, with hackers utilizing the compromised extensions to carry out a variety of malicious actions. Experts are still working to understand the full scope of the intrusions and the specific objectives behind the attacks. As the investigation progresses, concerns have been raised about the broader security risks posed by vulnerabilities in browser extensions, which are widely used across the internet.

Among the victims of the Chrome extension breaches was Cyberhaven, a California-based data protection company, which confirmed the attack in a statement to Reuters. "Cyberhaven can confirm that a malicious cyber attack occurred on Christmas Eve, affecting our Chrome extension," the company stated. The statement also referenced public remarks from cybersecurity experts, who suggested that the attack was part of a broader campaign targeting Chrome extension developers across multiple companies.

This indicates that the breach may have been one part of a much larger, coordinated effort to compromise a wide range of organizations through vulnerabilities in their browser extensions. Cyberhaven also added, "We are actively cooperating with federal law enforcement" in response to the breach. However, the full geographical extent of the attacks has not been immediately determined. Browser extensions, which are commonly used to customize web-browsing experiences—such as automatically applying coupons during online shopping—are also used by companies like Cyberhaven to secure client data.

In Cyberhaven's case, the compromised Chrome extension was designed to monitor and protect data flowing across web-based applications. Jaime Blasco, co-founder of Nudge Security, a cybersecurity firm based in Austin, Texas, reported that he had discovered several other Chrome extensions that had been similarly compromised. At least one of these extensions appeared to have been targeted as early as mid-December, raising concerns about the broader scope of the cyberattack campaign.

Blasco noted that the other affected extensions included those related to artificial intelligence and virtual private networks (VPNs), which he suggested indicated an opportunistic attempt to collect sensitive data by compromising as many extensions as possible. "I'm almost certain this is not targeted to Cyberhaven," Blasco said, adding, "If I had to guess, this was just random." The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has referred all inquiries related to the breach to the companies directly affected by the cyberattacks.

This includes those responsible for the compromised Chrome extensions and any other entities involved in the ongoing investigation. In addition, a request for comment sent to Alphabet, the parent company of Google, which develops the Chrome browser, has not yet received a response. CISA's decision to refer questions to the affected companies is part of a broader effort to allow the organizations directly involved to address the situation and provide more detailed insights.

However, the lack of a response from Alphabet, despite its involvement in the development of the browser used in the attacks, has raised further questions about the extent of the company's knowledge of and response to the breaches. As cybersecurity experts continue to investigate, the delay in comment from major stakeholders, such as Alphabet, may delay clarity about the full scope of the incident.

 

 
