Data theft

Cybersecurity News

Sophisticated Phishing Attack Exposed Over 600,000 Users to Data Theft; 16 Chrome Extensions Hacked

A sophisticated phishing attack exposed 600, 000 user data to theft as 16 Chrome Extensions got hacked amounting to credential theft. The attack targeted extension publishers through phishing emails where Developers were tricked into granting access to a malicious OAuth app via fake Chrome Web Store emails. The malicious update mimicked official communications from the Chrome Web Store, stealing sensitive user data.

This breach puts Facebook ad users at high risk of account hacking or unknown access

Summary of the attack

The phishing email was designed to create a sense of urgency posing as Google Chrome Web Store Developer Support, warns the employee of the extension removal for policy violations. The message urges the recipient to accept the publishing policy.

As per Cyberhaven, a cybersecurity firm report mentioned about the impacted firms as the attack occurred on December 24 and involved phishing a company employee to gain access to their Chrome Web Store admin credentials.

16 Chrome Extensions, including popular ones like “AI Assistant – ChatGPT and Gemini for Chrome,” “GPT 4 Summary with OpenAI,” and “Reader Mode,” were compromised, exposing sensitive user data.

Response & Recommendations:

The attackers targeted browser extension publishers with phishing campaigns to gain access to their accounts and insert malicious code.
Extensions such as “Rewards Search Automator” and “Earny – Up to 20% Cash Back” were used to exfiltrate user credentials and identity tokens, particularly from Facebook business accounts.
Malicious versions of extensions communicated with external Command-and-Control (C&C) servers, such as domains like “cyberhavenext[.]pro.”

  • Cyberhaven released a legitimate update (version 24.10.5), hired Mandiant to develop an incident response plan and also notified federal law enforcement agencies for investigation.
  • All users advised to revoke credentials, monitor logs, and secure extensions; investigations continue.
  • As per Cyberhaven, version 24.10.4 of Chrome extension was affected, and the malicious code was active for less than a day.
  • The malicious extension used two files: worker.js contacted a hardcoded C&C server to download configuration and executed HTTP calls, and content.js that collected user data from targeted websites and exfiltrated it to a malicious domain specified in the C&C payload.

Cybersecurity News

Blue Yonder SaaS giant breached by Termite Ransomware Gang

The company acknowledged it is investigating claims by a public threat group linked to the November ransomware attack. 

Continue Reading
Security Advisory

Advisory on MUT-8694: Threat Actors Exploiting Developer Trust in Open-Source Libraries

MUT-8694: Threat Actors Exploiting Developer Trust in Open-Source Libraries

Overview

In November 2024, a supply chain attack designated as MUT-8694 was identified, targeting developers relying on npm and PyPI package repositories. This campaign exploits trust in open-source ecosystems, utilizing typosquatting to distribute malicious packages. The malware predominantly affects Windows users, delivering advanced infostealer payloads.

MUT-8694 Campaign Details

The threat actors behind MUT-8694 use malicious packages that mimic legitimate libraries to infiltrate developer environments. The campaign employs techniques such as:

  • Typosquatting: Using package names that closely resemble popular or legitimate libraries.
  • Payload Delivery: Embedded scripts download malware such as Blank Grabber and Skuld Stealer hosted on GitHub and repl.it.
  • Targeted Ecosystems: npm and PyPI, critical platforms for developers.

             Source: Datadog

Key Findings

One identified package, larpexodus (version 0.1), executed a PowerShell command to download and run a Windows PE32 binary from github[.]com/holdthaw/main/CBLines.exe. Analysis revealed the binary was an infostealer malware, Blank Grabber, compiled from an open-source project hosted on GitHub. Further inspection of the repository exposed another stealer, Skuld Stealer, indicating the involvement of multiple commodity malware samples.

Capabilities of Malware

The deployed malware variants include advanced features that allow:

  • Credential Harvesting: Exfiltrating usernames, passwords, and sensitive data.
  • Cryptocurrency Wallet Theft: Targeting and compromising crypto assets.
  • Application Data Exfiltration: Stealing configuration files from popular applications

Affected Packages

Some known malicious packages include:

  • larpexodus (PyPI): Executes a PowerShell script to download malware.
  • Impersonations of npm libraries: Host binaries leading to infostealer deployment.

Remediation:

To mitigate the risks associated with this attack, users should:

  • Audit Installed Packages: Use tools like npm audit or pip audit to identify vulnerabilities.
  • Validate Package Sources: Verify package publishers and cross-check names carefully before installation.
  • Monitor Network Activity: Look for unusual connections to GitHub or repl.it domains.
  • Use Security Tools: Implement solutions that detect malicious dependencies.

General Recommendations:

  • Avoid downloading software from unofficial or unverified sources.
  • Regularly update packages and dependencies to the latest versions.
  • Conduct periodic security awareness training for developers and IT teams.

References:

Scroll to top