
Cyberhaven Employee’s Google Chrome Web Store Account Compromised in Christmas Eve Phishing Attack

A Christmas Eve phishing attack resulted in an unknown party taking over a Cyberhaven employee’s Google Chrome Web Store account and publishing a malicious version of Cyberhaven’s Chrome extension. While the problematic extension was removed within an hour of its discovery, the malicious activity highlights gaps in browser security that exist at most organizations and the necessity of getting a handle on the problem now, as extension poisoning is expected to be a persistent issue.

Further Research into the Incident

Further research into the incident suggests that this attack was likely part of two separate, but potentially related, campaigns that targeted multiple extension developers in order to distribute malicious extensions, experts say. The campaigns may have begun as early as April 2023. This raises questions about why organizations often overlook browser security, with many giving their browsers and extensions so little thought as part of their security posture. It could merely be that their security teams are so overwhelmed with responsibilities that browsers are the least of their worries, though that could now change, notes Secure Annex’s Tuckner.

Shoring Up Browser Security

Organizations can take specific steps now to shore up the security of extensions running in corporate browsers, he says. Teams should start with collecting a real-time inventory of the browsers in the organization and which extensions are installed on them. This step should be followed by enrolling browsers in some kind of centralized management to set up an allowlist of known extensions, keeping only those that "drive core business value" and adding future ones on a case-by-case basis, Tuckner adds. The inventory will help security teams understand the scope of an incident when something happens.
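The inventory-then-allowlist steps described above can be sketched as follows. This is an added example, not code from the article or from any vendor it names. It assumes Chrome's on-disk layout of `<User Data>/<profile>/Extensions/<extension id>/<version>/manifest.json`; the extension IDs, names and the `ALLOWLIST` set are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# Constructed IDs (real extension IDs are 32 characters, a-p).
APPROVED_ID = "a" * 32
UNKNOWN_ID = "b" * 32
ALLOWLIST = {APPROVED_ID}

def inventory(user_data_dir):
    """One record per extension version found under every profile."""
    records = []
    for manifest in Path(user_data_dir).glob("*/Extensions/*/*/manifest.json"):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            data = {}  # unreadable manifest: still report the ID on disk
        data = data if isinstance(data, dict) else {}
        version_dir = manifest.parent
        records.append({
            "profile": version_dir.parents[2].name,
            "id": version_dir.parent.name,
            "version": str(data.get("version", version_dir.name)),
            "name": str(data.get("name", "?")),
            "permissions": sorted(map(str, data.get("permissions", []))),
        })
    return sorted(records, key=lambda r: (r["profile"], r["id"], r["version"]))

def not_allowlisted(records, allowlist):
    """Extensions present on disk whose ID is not approved."""
    return [r for r in records if r["id"] not in allowlist]

def build_sample(root):
    """Write a constructed profile tree (not real extension data)."""
    sample = [
        ("Default", APPROVED_ID, "1.0.0", "Approved Tool", ["storage"]),
        ("Default", UNKNOWN_ID, "2.3.1", "Unknown Helper", ["cookies", "tabs"]),
        ("Profile 1", UNKNOWN_ID, "2.3.0", "Unknown Helper", ["cookies", "tabs"]),
    ]
    for profile, ext_id, ver, name, perms in sample:
        d = Path(root, profile, "Extensions", ext_id, ver)
        d.mkdir(parents=True)
        doc = {"name": name, "version": ver, "permissions": perms}
        (d / "manifest.json").write_text(json.dumps(doc), encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        for r in not_allowlisted(inventory(root), ALLOWLIST):
            print(r["profile"], r["id"], r["version"], r["name"], r["permissions"])
```

Recording the installed version per profile is what lets a team answer, after an incident, which machines ran a specific published build of an extension.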

Prioritizing Browser Security

"Few teams choose to or are able to prioritize browser security on top of everything else that they have to deal with," he says. "Many see browser security as a lower-risk item, but I believe that is quickly changing with incidents like this."

