Cyberattack Hits Legit Chrome Extensions, Exposes Sensitive User Data - 1

Image by Freepik

Cyberattack Hits Legit Chrome Extensions, Exposes Sensitive User Data

  • Written by Kiara Fabbri Former Tech News Writer
  • Fact-Checked by Justyn Newman Former Lead Cybersecurity Editor

A coordinated cyberattack compromised at least five Google Chrome extensions , injecting malicious code designed to steal sensitive user information, as reported by Bleeping Computer .

In a Rush? Here are the Quick Facts!

  • Cyberhaven disclosed the breach on December 24 after a phishing attack targeted its account.
  • Malicious code in Cyberhaven’s extension stole sessions and cookies, sending data to attackers.
  • Major companies like Snowflake, Motorola, and Reddit were affected by the breach.

The breach was first disclosed on December 24 by Cyberhaven , a data loss prevention company, which alerted its customers after a phishing attack successfully targeted an administrator account for the Chrome Web Store.

Our team has confirmed a malicious cyberattack that occurred on Christmas Eve, affecting Cyberhaven’s Chrome extension. Here’s our post about the incident and the steps we’re taking: https://t.co/VTBC73eWda Our security team is available 24/7 to assist affected customers and… — Cyberhaven (@CyberhavenInc) December 27, 2024

Bleeping Computer explains that the attack enabled the hacker to hijack the admin’s account and publish a malicious version of the Cyberhaven extension. This version included code that could steal authenticated sessions and cookies, sending them to the attacker’s domain.

Among Cyberhaven’s clients affected by the breach are major companies such as Snowflake, Motorola, Canon, Reddit, and Kirkland & Ellis. Cyberhaven’s internal security team removed the malicious extension within an hour of detection, as reported by Bleeping Computer.

Cyberhaven attributes the attack to a phishing email, stating in a separate technical analysis that the code seemed to be specifically designed to target Facebook Ads accounts.

TechCrunch noted that the Chrome Web Store lists approximately 400,000 corporate users for the Cyberhaven extension. When TechCrunch inquired, Cyberhaven declined to disclose the number of affected customers it had notified about the breach.

In response, a clean version of the extension was published on December 26. Cyberhaven advised its users to upgrade to this latest version and to take additional precautions, such as verifying that the extension has been updated to version 24.10.5 or newer.

Additionally, Cyberhaven advises to revoke and rotate any passwords that do not use FIDOv2, and review your browser logs for any suspicious activity.

Bleeping Computer notes that the incident extended beyond Cyberhaven’s extension, with further investigations revealing that several other Chrome extensions were also affected. Nudge Security researcher Jaime Blasco traced the attack’s origins by analyzing the attacker’s IP addresses and domains.

Regarding the Cyberhaven chrome extension compromise I have reasons to believe there are other extensions affected. Pivoting by the ip address there are more domains created within the same time range resolving to the same ip address as cyberhavenext[.]pro (cont) — Jaime Blasco (@jaimeblascob) December 27, 2024

Blasco confirmed that the malicious code snippet was injected into several extensions around the same time, as reported by Bleeping Computer.

These include Internxt VPN, which has 10,000 users, VPNCity, a privacy-focused VPN service with 50,000 users, Uvoice, a rewards-based service with 40,000 users, and ParrotTalks, a note-taking tool with 40,000 users.

Bleeping Computer says that while Blasco identified additional potential victims, only the extensions listed above have been confirmed to contain the malicious code. Users of these affected extensions are urged to either remove them or ensure they update to the safe versions released after December 26.

For those uncertain of the safety of their extensions, it’s recommended to uninstall the affected extensions, reset important passwords, clear browser data, and restore browser settings to their defaults.

Italian Foreign Ministry’s Website Restored After Hacker Attack - 2

Image by DC Studio, from Freepik

Italian Foreign Ministry’s Website Restored After Hacker Attack

  • Written by Kiara Fabbri Former Tech News Writer
  • Fact-Checked by Justyn Newman Former Lead Cybersecurity Editor

The website of Italy’s Ministry of Foreign Affairs is back online following a cyberattack, Foreign Minister Antonio Tajani confirmed on Sunday, as reported by the local news agency ANSA .

In a Rush? Here are the Quick Facts!

  • Hackers targeted public-facing portals, sparing critical IT systems.
  • Milan airports’ websites disrupted, flight operations unaffected.
  • Hacker group NoName057(16) claimed responsibility.

The attack, announced on Friday, had rendered the websites of the Foreign Ministry and Milan’s Linate Airport inaccessible, while the Malpensa Airport site experienced intermittent functionality, as reported by the local news outlet Il Fatto Quotidiano (FQ).

Reuters explains that iIn these types of attacks, known as distributed denial-of-service (DDoS), involve hackers flooding a network with overwhelming data traffic to disrupt its functionality.

According to an earlier report by ANSA , the attack targeted only public-facing portals rather than the entire IT system, resulting in limited disruptions, such as the inability to check flight arrivals and departures, without affecting the overall operation of the airports.

The pro-Russian hacker group NoName057(16) claimed responsibility for the attack in a Telegram post, stating they had targeted several sites, including those of the Foreign Ministry and the two Milan airports. Unlike other pro-Russian groups, NoName057(16) operates independently, using a custom-made DDoSia toolkit, as noted by The Record .

While the Foreign Ministry’s website was quickly restored, the airport sites faced greater challenges, causing disruptions for travelers seeking information. However, there were no reported impacts on air traffic, says FQ. Additionally, Medium noted that the airports’ mobile apps stayed operational despite the website outages.

“This is the third cyberattack in three days,” Minister Tajani stated during a Senate session, as reported by FQ.

He also announced that he had instructed the Ministry’s Secretary-General to initiate reforms, including the establishment of a dedicated Directorate-General for cybersecurity and AI, as reported by FQ.