Threat actor exploited phishing and OAuth abuse to inject malicious code that would lift:
- lift API keys,
- session cookies,
- other authentication tokens from websites such as ChatGPT and Facebook for Business.
Sekoia examined the infrastructure used for the wide-scale phishing campaign targeting developers and traced it back, with “high confidence,” to similar attacks as far back as 2023. The latest known campaign activity occurred on December 30, 2024.
California-based Cyberhaven, which makes a cloud-based data protection tool, was among the victims. The company detected the compromise over the holiday period, on Boxing Day 2024, a discovery that was widely reported at the time.
Potentially affected Chrome extensions
Booz Allen Hamilton, which analyzed the incident at Cyberhaven, backed up the vendor’s suspicion that it was part of a wider campaign. Its report [PDF] accompanying the Cyberhaven analysis lists a long line of other extensions it believes were likely affected, taking the potential number of affected end users into the millions. Sekoia published a less comprehensive list in its research, although the same extensions appear on both lists.
A number of the potentially affected extensions appear to have been pulled from the Chrome Web Store at the time of writing, according to Booz Allen Hamilton’s report. The store pages of many of the others show they have been updated since Cyberhaven’s incident, although very few developers have publicly acknowledged an incident.
One outlier was Reader Mode, whose founder Ryzal Yusoff penned an open letter to its circa 300,000 users, informing them of a December 5 breach.
“On December 5, 2024, our developer account was compromised due to a phishing email that mimicked official communications,” said Yusoff. “This breach allowed unauthorized parties to upload malicious versions of the Reader Mode extension (1.5.7 and 1.5.9) to the Chrome Web Store. The attack was discovered on December 20, 2024, after Google issued warnings identifying phishing attempts linked to this breach.
“The malicious versions of the extension may have included unauthorized scripts designed to collect user data or perform other harmful actions. If you installed or updated the Reader Mode extension between December 7 and December 20, 2024, your browser may have been affected.”
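The Reader Mode letter gives users a concrete check: the named versions (1.5.7 and 1.5.9) and an install window. The script below is an added example, not code from Reader Mode, Cyberhaven or the researchers. It walks a Chrome profile's Extensions directory, where Chrome keeps each installed extension as `<id>/<version>_<n>/manifest.json`, and flags any extension whose manifest name and version match a watchlist. The article does not give the extension's store ID, so the watchlist is keyed on the manifest name; the sample profile it builds in a temporary directory, including the 32-character IDs, is constructed for the demo. Default profile locations are `~/Library/Application Support/Google/Chrome/Default/Extensions` on macOS, `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions` on Windows and `~/.config/google-chrome/Default/Extensions` on Linux.

```python
"""Inventory a Chrome profile's extensions and flag versions named in an advisory.

Added example. The profile it scans in demo() is constructed in a temp dir;
point inventory() at a real Extensions directory to check a live machine.
"""
import json
import tempfile
from pathlib import Path

# Watchlist keyed by the extension name as written in manifest.json.
# Reader Mode 1.5.7 and 1.5.9 are the versions named in the open letter.
WATCHLIST = {
    "Reader Mode": {"1.5.7", "1.5.9"},
}


def normalize_version(dirname: str) -> str:
    """Chrome stores each installed version under '<version>_<n>', e.g. '1.5.7_0'."""
    return dirname.split("_", 1)[0]


def inventory(extensions_dir: Path) -> list:
    """One record per installed extension version found under extensions_dir."""
    found = []
    for manifest in sorted(extensions_dir.glob("*/*/manifest.json")):
        ext_id = manifest.parent.parent.name        # 32-char store ID
        version_dir = manifest.parent.name          # e.g. 1.5.9_0
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable manifest: skip rather than crash the sweep
        # Localized names look like '__MSG_appName__'; resolving them needs
        # _locales/, which this example does not do.
        found.append({
            "id": ext_id,
            "name": data.get("name", ""),
            "version": normalize_version(version_dir),
            "manifest_version": data.get("manifest_version"),
        })
    return found


def flag(records: list, watchlist=WATCHLIST) -> list:
    """Return records whose name/version pair is on the watchlist."""
    return [r for r in records if r["version"] in watchlist.get(r["name"], set())]


def build_sample_profile(root: Path) -> Path:
    """Constructed sample profile; the IDs are placeholders, not real store IDs."""
    samples = [
        ("a" * 32, "1.5.9_0", {"name": "Reader Mode", "version": "1.5.9", "manifest_version": 3}),
        ("b" * 32, "2.0.1_0", {"name": "Some Other Extension", "version": "2.0.1", "manifest_version": 3}),
        ("c" * 32, "1.5.6_0", {"name": "Reader Mode", "version": "1.5.6", "manifest_version": 2}),
    ]
    ext_dir = root / "Default" / "Extensions"
    for ext_id, vdir, manifest in samples:
        d = ext_dir / ext_id / vdir
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return ext_dir


def demo() -> list:
    """Scan the constructed profile and return the flagged records."""
    with tempfile.TemporaryDirectory() as tmp:
        return flag(inventory(build_sample_profile(Path(tmp))))


if __name__ == "__main__":
    for hit in demo():
        print(f"FLAGGED {hit['id']} {hit['name']} {hit['version']}")
```

A match only shows that a flagged version is present now. Chrome auto-updates and removes old version directories, so a machine that received 1.5.9 and has since been updated to a clean build will not show it; the install window in the letter, not the current directory listing, is the authoritative test for whether tokens should be rotated.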
Jaime Blasco, co-founder and CTO at Austin-based Nudge Security, also named, in a series of online posts, some extensions he suspected were compromised, many of which also appeared in Booz’s report.
Chrome support impersonation
The attacker targeted developer teams with phishing emails that appeared to come from Chrome Web Store Developer Support and mimicked official communication, according to Yusoff and Sekoia.
The sample email reproduced in the report warns that the extension may be pulled from the Chrome Web Store over fake rule violations, such as unnecessary details in the extension’s description.
The victims were then lured into clicking a link disguised as an explanation of Chrome Web Store policies. The link led to a legitimate Google Accounts page, where they were prompted to approve access for a malicious OAuth app. Once a developer granted the app permission, the attacker had everything needed to upload compromised versions of their extension to the Chrome Web Store. Because the consent page is genuine and no password is typed, neither domain reputation nor MFA stops this; the control is the grant itself, which is why the client ID, requested scopes and redirect target in the consent link matter more than the link’s host.
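An added example (not the researchers’ or Google’s code) of triaging such a consent link before anyone clicks it. Google’s consent endpoint really is `https://accounts.google.com/o/oauth2/v2/auth`, and `https://www.googleapis.com/auth/chromewebstore` is the scope that lets a third party manage a developer’s store listings, so the script parses the query string and judges the link on those parameters rather than on the host. The sample URLs, the client ID and the `policy-review.example` redirect host are constructed for the demo; the trusted redirect allowlist is an assumption you would replace with your own registered URIs.

```python
"""Triage an OAuth consent link from a phishing email.

Added example. The host is the genuine Google consent page, so the signal is in
the parameters: which client, which scopes, and where the authorization code goes.
"""
from urllib.parse import parse_qs, urlsplit

# Scopes that let a third party act on a developer's Chrome Web Store account.
HIGH_RISK_SCOPES = {
    "https://www.googleapis.com/auth/chromewebstore",
    "https://www.googleapis.com/auth/chromewebstore.readonly",
}
GOOGLE_AUTH_HOSTS = {"accounts.google.com"}
# Assumption: redirect hosts your own tooling has registered. Replace with yours.
TRUSTED_REDIRECT_HOSTS = {"localhost", "127.0.0.1"}

# Constructed sample links; the client ID and redirect host are placeholders.
SAMPLE_PHISH = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=000000000000-example.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fpolicy-review.example%2Fcallback"
    "&response_type=code"
    "&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fchromewebstore%20openid%20email"
    "&access_type=offline&prompt=consent"
)
SAMPLE_BENIGN = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=000000000000-example.apps.googleusercontent.com"
    "&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fcallback"
    "&response_type=code&scope=openid%20email"
)


def parse_consent_url(url: str) -> dict:
    """Pull host, client_id, redirect host and the space-delimited scope list out of the link."""
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    scopes = set()
    for raw in q.get("scope", []):
        scopes.update(raw.split())          # scope is a space-separated list
    redirect = q.get("redirect_uri", [""])[0]
    return {
        "host": parts.hostname or "",
        "client_id": q.get("client_id", [""])[0],
        "redirect_host": (urlsplit(redirect).hostname or "") if redirect else "",
        "scopes": scopes,
        "prompt": q.get("prompt", [""])[0],
    }


def assess(url: str) -> dict:
    """Attach findings and a verdict (OK / REVIEW / BLOCK) to the parsed link."""
    info = parse_consent_url(url)
    findings = []
    risky = info["scopes"] & HIGH_RISK_SCOPES
    if risky:
        findings.append("requests Chrome Web Store scope(s): " + ", ".join(sorted(risky)))
    untrusted_redirect = bool(info["redirect_host"]) and info["redirect_host"] not in TRUSTED_REDIRECT_HOSTS
    if untrusted_redirect:
        findings.append(f"authorization code is sent to third-party host {info['redirect_host']}")
    if findings and info["host"] in GOOGLE_AUTH_HOSTS:
        findings.append("consent host is genuine Google; URL reputation will not flag this")
    if risky and untrusted_redirect:
        verdict = "BLOCK"
    elif risky or untrusted_redirect:
        verdict = "REVIEW"
    else:
        verdict = "OK"
    info["findings"] = findings
    info["verdict"] = verdict
    return info


if __name__ == "__main__":
    for label, url in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        result = assess(url)
        print(label, result["verdict"], result["client_id"])
        for f in result["findings"]:
            print("  -", f)
```

If a grant has already been approved, the fix is to revoke the app under the account’s third-party access page (https://myaccount.google.com/permissions) and then audit every store listing for versions published after the grant time, since changing the password does nothing to an already-issued token.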
The researchers said the developers’ email addresses were likely gathered from the Chrome Web Store, where such information may be publicly accessible.
Probing the infrastructure
Using the two domains associated with the phishing emails, Sekoia uncovered the other domain names used in this campaign, as well as those likely involved in previous attacks by the same miscreants.
The domain names used as the attacker’s command and control (C2) servers were hosted at just two IP addresses, and using passive DNS resolutions the researchers believe they uncovered possibly all the domains involved in the campaign.
Sekoia said it was “straightforward” to link the domain names used in the latest attack to those used in 2023: they all used the same registrar (Namecheap), and their DNS setups and TLS configurations were consistent.
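The pivot Sekoia describes (seed domains, shared hosting IPs, consistent TLS, same registrar) can be mechanized. The following is an added example, not Sekoia’s tooling, over a constructed table that stands in for passive DNS, WHOIS and TLS observations; every domain, IP and fingerprint in it is a placeholder, not an indicator from the report. It expands from the seeds along attributes specific enough to pivot on (IP, TLS fingerprint) and only accepts a neighbour when the registrar also matches, so a domain that merely shares an IP on a hosting provider is not swept in.

```python
"""Expand a set of seed domains into related infrastructure via shared attributes.

Added example. RECORDS is a constructed stand-in for passive DNS / WHOIS / TLS
data; the domains, IPs and fingerprints are placeholders.
"""
from collections import defaultdict

RECORDS = [
    {"domain": "seed-one.example",   "ip": "192.0.2.10",   "registrar": "Namecheap", "tls_fp": "fp-A", "created": "2024-11"},
    {"domain": "seed-two.example",   "ip": "192.0.2.11",   "registrar": "Namecheap", "tls_fp": "fp-A", "created": "2024-12"},
    {"domain": "older-lure.example", "ip": "192.0.2.10",   "registrar": "Namecheap", "tls_fp": "fp-B", "created": "2023-12"},
    {"domain": "cdn-shared.example", "ip": "192.0.2.11",   "registrar": "Other",     "tls_fp": "fp-C", "created": "2020-01"},
    {"domain": "unrelated.example",  "ip": "198.51.100.5", "registrar": "Namecheap", "tls_fp": "fp-D", "created": "2024-06"},
]

PIVOT_KEYS = ("ip", "tls_fp")        # specific enough to walk across
CORROBORATE_KEYS = ("registrar",)    # too common to pivot on alone, but must agree


def pivot(seeds, records, pivot_keys=PIVOT_KEYS, corroborate=CORROBORATE_KEYS) -> dict:
    """Return {domain: reason} for every record reachable from the seeds.

    A candidate joins the cluster when it shares a pivot attribute with a
    domain already in the cluster AND matches it on every corroborating key.
    """
    by_domain = {r["domain"]: r for r in records}
    index = defaultdict(set)
    for r in records:
        for k in pivot_keys:
            index[(k, r[k])].add(r["domain"])

    found = {s: "seed" for s in seeds if s in by_domain}
    queue = list(found)
    while queue:
        cur = queue.pop()
        rec = by_domain[cur]
        for k in pivot_keys:
            for cand in sorted(index[(k, rec[k])]):
                if cand in found:
                    continue
                c = by_domain[cand]
                if all(c[ck] == rec[ck] for ck in corroborate):
                    found[cand] = f"shares {k}={rec[k]} with {cur}"
                    queue.append(cand)
                # else: shared attribute but different registrar, treat as hosting noise
    return found


def earliest_creation(cluster: dict, records) -> str:
    """Earliest 'created' value in the cluster; ISO-style YYYY-MM sorts lexically."""
    dates = [r["created"] for r in records if r["domain"] in cluster]
    return min(dates) if dates else ""


if __name__ == "__main__":
    cluster = pivot(["seed-one.example", "seed-two.example"], RECORDS)
    for d, why in cluster.items():
        print(f"{d:24} {why}")
    print("active since at least", earliest_creation(cluster, RECORDS))
```

On real data the corroboration step matters: Namecheap alone is far too common to cluster on, which is why registrar is a confirmation and not a pivot here, and why a hit on a shared IP with a different registrar is left out rather than reported.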
“The domain naming convention and their creation dates indicate that the attacker’s campaigns have been active since at least December 2023,” Sekoia wrote in a blog post. “It is possible that the websites redirecting to allegedly malicious Chrome extensions were promoted through SEO poisoning or malvertising.
“Sekoia analysts believe that this threat actor has specialized in spreading malicious Chrome extensions to harvest sensitive data. At the end of November 2024, the attacker shifted his modus operandi from distributing his own malicious Chrome extensions via fake websites to compromising legitimate Chrome extensions by:
- phishing emails,
- malicious OAuth applications,
- and malicious code
injected into compromised Chrome extensions.” ®
Source: The Register