Cyberhaven, a leading Data Loss Prevention (DLP) provider, experienced a sophisticated cyber-attack that exploited its trusted Chrome extension. Designed to monitor user inputs in real time, block unauthorized data entry on platforms like social media or AI tools, and alert users and admins to violations, the extension was turned into a gateway for attackers.
A malicious update exposed 400,000 Cyberhaven users, enabling attackers to harvest sensitive data such as passwords and cookies, putting countless accounts at risk.
How Did It Happen?
1. Phishing Attack:
- A malicious email was sent to Cyberhaven’s admin, impersonating Google.
- The email falsely claimed that the Chrome extension was violating Google policies and required immediate action to avoid removal from the Chrome Web Store.
2. OAuth Exploitation:
- The email included a link that directed the admin to a fake OAuth permissions page.
- The admin unknowingly granted permissions to a malicious application, allowing attackers to upload new versions of Cyberhaven’s Chrome extension.
3. Malicious Code Deployment:
- Using the obtained permissions, attackers uploaded a compromised version of the extension, containing malicious code.
- The code was designed to exfiltrate user-sensitive data to a Command-and-Control (C2) server.
4. Automatic Updates:
- Chrome extensions update automatically. This caused the malicious version to spread to any Cyberhaven user.
Discovery and Mitigation
Hours after the malicious update was live, Cyberhaven’s security team detected the breach. They removed the malicious code and issued a public statement.
Attack Flow Diagram
How Suridata Protects Companies From Malicious Extensions
Suridata’s SaaS security platform identifies third-party apps and extensions and automates workflows to address risks arising from them.
1. Identification of Third-Party Apps and Extensions
Suridata provides continuous monitoring of your organization’s SaaS environment to identify all connected third-party applications. The platform scans the entire SaaS ecosystem to uncover every plugin authorized by users, detailing who approved it, the permissions granted, and other critical metadata—all presented in an intuitive interface designed for quick, and informed decision-making.
2. Automated Workflows for Remediation
Suridata empowers organizations to create automated workflows that address the risks associated with new third-party apps or extensions. These workflows can automatically send alerts to notify relevant stakeholders about newly added third-party apps, based on their priority, permissions, or associated risks.
With Suridata’s workflows, organizations can also take actions such as automatically revoking access to high-risk apps or extensions or assigning tasks to team members for further investigation.
Those automations significantly reduce the exposure-window by enabling immediate notification and action when a potential threat arises. One such use case is when a high-risk application with critical permissions is authorized by an admin, as happened in the Cyberhaven case, Suridata could notify the admin, who may not have been aware of the situation, and even revoke access or disable the application (leveraging the SaaS vendor’s capabilities).
Suridata provides fast identification and alerting on new & existing, potentially risky, third-party apps. Thus, allowing your security team to take immediate actions to minimize exposure and remediate the risk.