Executive Summary
In December 2024, Cyberhaven, a data-loss prevention company, experienced a significant security breach when attackers compromised their Chrome Web Store account through a phishing attack. This allowed the publication of a malicious update (version 24.10.4) to their Chrome extension, which was automatically distributed to users. The compromised extension exfiltrated sensitive data, including authenticated sessions and cookies, to an attacker-controlled domain. The malicious version was available for approximately 25 hours before detection and removal. (techcrunch.com)
This incident underscores the escalating threat of supply chain attacks targeting browser extensions. With the increasing reliance on browser-based tools in enterprise environments, such attacks can lead to widespread data breaches and operational disruptions. Organizations must enhance their security protocols to mitigate such risks.
Why This Matters Now
The Cyberhaven incident highlights the urgent need for organizations to scrutinize third-party browser extensions, as they can serve as vectors for supply chain attacks, leading to significant data breaches and operational disruptions.
Attack Path Analysis
The adversary compromised a popular browser extension through a supply chain attack, embedding malicious code into the extension's update. Upon installation, the malicious extension escalated privileges by exploiting browser vulnerabilities to gain unauthorized access to sensitive data. The attacker then moved laterally by leveraging the compromised extension to access other browser sessions and applications. Command and control was established through the extension, allowing the adversary to remotely control the infected systems. Sensitive data was exfiltrated via the compromised extension, transmitting information to external servers. Finally, the attacker executed impact actions such as data manipulation or further malware deployment through the compromised extension.
Kill Chain Progression
Initial Compromise
Description
The adversary compromised a popular browser extension through a supply chain attack, embedding malicious code into the extension's update.
MITRE ATT&CK® Techniques
- Browser Extensions
- JavaScript
- Browser Fingerprint
- Elevated Execution with Prompt
- Winlogon Helper DLL
- PowerShell
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
- PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. (Control ID: 6.2)
- NYDFS 23 NYCRR 500 – Cybersecurity Policy (Control ID: 500.03)
- DORA – ICT Risk Management Framework (Control ID: Article 5)
- CISA ZTMM 2.0 – Asset Management (Control ID: Pillar 3: Devices)
- NIS2 Directive – Cybersecurity Risk Management Measures (Control ID: Article 21)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
Browser extension supply chain attacks pose critical risks to financial institutions through cookie harvesting, data exfiltration capabilities, and potential compromise of customer authentication sessions.
Health Care / Life Sciences
Healthcare organizations face severe HIPAA compliance violations from malicious browser extensions that can harvest sensitive patient data and establish unauthorized command-and-control channels.
Computer Software/Engineering
Software companies are prime targets for extension-based supply chain attacks, risking intellectual property theft through egress filtering bypass and lateral movement within development environments.
Government Administration
Government agencies face heightened security risks from compromised browser extensions enabling unauthorized data access, particularly given widespread enterprise extension deployments and compliance requirements.
Sources
- Moving up the Assemblyline: Exposing malicious code in browser extensions. https://redcanary.com/blog/threat-detection/assemblyline-browser-extensions/
- Trust Wallet Chrome Extension Hack Drains $8.5M via Shai-Hulud Supply Chain Attack. https://thehackernews.com/2025/12/trust-wallet-chrome-extension-hack.html
- Cyberhaven Supply Chain Attack: Exploiting Browser Extensions. https://www.darktrace.com/blog/cyberhaven-supply-chain-attack-exploiting-browser-extensions
- Hackers Launch a Supply Chain Attack by Injecting Malicious Code into Hijacked Chrome Extensions. https://www.cpomagazine.com/cyber-security/hackers-launch-a-supply-chain-attack-by-injecting-malicious-code-into-hijacked-chrome-extensions/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident because it could limit the attacker's ability to escalate privileges, move laterally, and exfiltrate data by enforcing strict segmentation and identity-aware policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While Aviatrix CNSF may not prevent the initial compromise via a supply chain attack, it could limit the attacker's subsequent actions within the cloud environment.
Control: Zero Trust Segmentation
Mitigation: Aviatrix Zero Trust Segmentation could limit the attacker's ability to escalate privileges by enforcing strict access controls and segmenting workloads based on identity and context.
Control: East-West Traffic Security
Mitigation: Aviatrix East-West Traffic Security could limit the attacker's lateral movement by monitoring and controlling internal traffic flows between workloads.
Control: Multicloud Visibility & Control
Mitigation: Aviatrix Multicloud Visibility & Control could limit the attacker's ability to establish and maintain command and control channels by providing comprehensive monitoring and control over network traffic.
Control: Egress Security & Policy Enforcement
Mitigation: Aviatrix Egress Security & Policy Enforcement could limit the attacker's ability to exfiltrate data by controlling and monitoring outbound traffic.
While Aviatrix CNSF may not prevent the initial compromise, its controls could limit the attacker's ability to execute impact actions by restricting unauthorized access and movement within the environment.
Impact at a Glance
Affected Business Functions
- Online Financial Transactions
- User Account Management
- Customer Data Protection
Estimated downtime: 2 days
Estimated loss: $8,500,000
Compromise of user credentials and financial information, leading to unauthorized access and potential identity theft.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict browser extensions' access to sensitive data and systems.
- Enforce Egress Security & Policy Enforcement to monitor and control outbound traffic from browser extensions.
- Utilize Threat Detection & Anomaly Response to identify and respond to suspicious behaviors in browser extensions.
- Apply Inline IPS (Suricata) to detect and prevent malicious payloads within browser extension traffic.
- Regularly audit and monitor browser extensions for unauthorized changes or suspicious activities.
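As an added example for the last takeaway (this is not code from the page or from any vendor named on it), the check below inventories a Chrome profile's Extensions directory and diffs two snapshots, flagging version changes and newly gained permissions that reach authenticated sessions, which is the shape of the silent 24.10.4 update described above. The extension id, the baseline version 24.10.3 and the manifest contents are constructed sample data, and the sensitive-permission set is this example's own choice.

```python
import json
import tempfile
from pathlib import Path

# Permissions that let an extension read or replay authenticated sessions. An update
# that newly requests any of these deserves a human look before it stays installed.
SENSITIVE_PERMS = {"cookies", "webRequest", "webRequestBlocking", "tabs", "<all_urls>"}

def load_inventory(ext_root: Path) -> dict:
    """Map extension id -> {name, version, permissions} from a profile's Extensions dir."""
    inventory = {}
    for manifest in ext_root.glob("*/*/manifest.json"):
        data = json.loads(manifest.read_text(encoding="utf-8"))
        # MV2 lists host patterns under "permissions"; MV3 moves them to "host_permissions".
        perms = set(data.get("permissions", [])) | set(data.get("host_permissions", []))
        inventory[manifest.parent.parent.name] = {"name": data.get("name", "?"),
                                                  "version": data.get("version", "?"),
                                                  "permissions": perms}
    return inventory

def diff_inventory(baseline: dict, current: dict) -> list:
    """Return (extension_id, finding, detail) tuples for anything that changed."""
    findings = []
    for ext_id, cur in current.items():
        base = baseline.get(ext_id)
        if base is None:
            findings.append((ext_id, "new extension", cur["version"]))
            continue
        if cur["version"] != base["version"]:
            findings.append((ext_id, "version changed", f'{base["version"]} -> {cur["version"]}'))
        gained = (cur["permissions"] - base["permissions"]) & SENSITIVE_PERMS
        if gained:
            findings.append((ext_id, "new sensitive permissions", sorted(gained)))
    for ext_id in baseline.keys() - current.keys():
        findings.append((ext_id, "extension removed", baseline[ext_id]["version"]))
    return findings

def write_constructed_manifest(root: Path, version: str, perms: list) -> None:
    """Constructed sample: id and baseline version are invented; layout mirrors Chrome's <id>/<version>_0/."""
    ext_dir = root / "abcdefghijklmnopabcdefghijklmnop" / f"{version}_0"
    ext_dir.mkdir(parents=True)
    ext_dir.joinpath("manifest.json").write_text(json.dumps(
        {"manifest_version": 3, "name": "Example DLP", "version": version, "permissions": perms}))

def demo() -> list:
    """Baseline snapshot vs. a snapshot taken after a silent update that added cookie access."""
    with tempfile.TemporaryDirectory() as tmp:
        before, after = Path(tmp, "before"), Path(tmp, "after")
        write_constructed_manifest(before, "24.10.3", ["storage"])
        write_constructed_manifest(after, "24.10.4", ["storage", "cookies", "<all_urls>"])
        return diff_inventory(load_inventory(before), load_inventory(after))
```

Against a real fleet, persist the output of load_inventory as the baseline and run diff_inventory on a schedule, since an auto-update leaves no install prompt to catch.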