Malicious Chrome Extensions (Cyberhaven) - Threat Campaign

Incident Report for Rapid Response Status Page

Resolved

Dear customers,

Following our latest update, we continued with the threat-focused research and hunting efforts, further evaluating the threat and looking for potential hits in your organizational infrastructures.

AXON reports have been published for AXON customers, including:

- More details regarding the threat campaign
- Recommended action items
- Comprehensive list of IOCs
- Relevant hits that require your attention (both full list and summarized view)

The team keeps tracking this threat and will update in case of significant findings.

Please feel free to reach out in case of any follow-up questions.

Sincerely,
Team AXON.
Posted Dec 29, 2024 - 18:25 UTC

Update

Dear Customers,

We would like to provide you with an update on Team AXON’s ongoing threat-research and hunting efforts. Our team is actively analyzing the current threat campaign to ensure that all relevant insights and findings are delivered to you promptly.

A detailed AXON report will be shared with all AXON customers as soon as our Rapid Response analysis is finalized.

In the meantime, please note that a comprehensive list of Indicators of Compromise (IOCs) related to this campaign has been uploaded to the Hunters portal as AXON IOCs.

Should you have any questions or require further assistance, please do not hesitate to reach out to us.

Sincerely,
Team AXON
Posted Dec 28, 2024 - 11:58 UTC

Investigating

Dear Customers,

Team AXON is actively monitoring and investigating a security incident involving the Cyberhaven Chrome browser extension. According to recent reports, Cyberhaven, a data loss prevention company, alerted its customers on December 24 about a breach resulting from a successful phishing attack on an administrator account for the Google Chrome Web Store. The malicious actor compromised the employee’s account and published a tampered version of the Cyberhaven extension. This malicious version included code designed to communicate with the attacker's malicious domain.

In response to this incident, Team AXON has initiated a targeted threat research and hunting effort. Our early findings suggest that the Cyberhaven extension may not be the sole product impacted by this threat actor. Evidence points to this being part of a larger, coordinated campaign affecting multiple products over recent weeks.
If you or your organization uses the Cyberhaven Chrome extension, we strongly advise you to follow the vendor’s recommendations to mitigate potential risks:

- Update the Cyberhaven Chrome extension to the latest secure version.

- Revoke all passwords that are not FIDOv2, revoke/rotate API tokens, and review browser logs for signs of malicious activity.
Our dedicated threat-hunting efforts remain focused on uncovering the full scope of this campaign. Should any significant findings require your immediate attention, we will notify you promptly. Additionally, a detailed AXON report will be provided to all AXON customers once our Rapid Response analysis is complete.

If you have any questions or concerns, please do not hesitate to reach out to us.

Sincerely,
Team AXON
Posted Dec 27, 2024 - 23:46 UTC
This incident affected: Rapid Response.
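The first of the vendor recommendations in the Investigating post (update the extension to the latest secure version) assumes you can tell which version of an extension each endpoint actually has on disk. The script below is an added example, not Team AXON's, Hunters' or Cyberhaven's tooling: it walks a Chrome profile's Extensions directory, reads every manifest.json, and reports whether a given extension ID is absent, up to date, or still present in a version below a baseline you supply. This page does not state the affected extension ID or the fixed version, so EXAMPLE_EXT_ID, OTHER_EXT_ID and the version strings are placeholders, and the profile it inspects in the demo is a constructed fixture built in a temporary directory.

```python
"""Inventory on-disk Chrome extensions and flag copies below a known-good version.

Added example, not vendor or Team AXON tooling. Chrome keeps Web Store extensions as
    <profile>/Extensions/<32-char id>/<version>_<suffix>/manifest.json
The extension ID and baseline version are assumptions supplied by the caller; the
placeholders below are not real Web Store identifiers.
"""
import json
import re
import tempfile
from pathlib import Path

EXAMPLE_EXT_ID = "abcdefghijklmnopabcdefghijklmnop"  # placeholder, not a real ID
OTHER_EXT_ID = "ponmlkjihgfedcbaponmlkjihgfedcba"    # placeholder, not a real ID
EXAMPLE_MIN_VERSION = "1.5.0"                        # placeholder baseline

# Web Store IDs are 32 characters drawn from a-p (a base-16 alphabet shifted to letters).
EXT_ID_RE = re.compile(r"^[a-p]{32}$")


def parse_version(v):
    """Extension versions are 1 to 4 dot-separated integers. Compare numerically and
    pad with zeros so that '2.0' == '2.0.0' and '1.10' > '1.9'."""
    parts = [int(p) for p in v.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"bad extension version: {v!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def inventory_extensions(profile_dir):
    """Return {ext_id: [(version, name), ...]} for every manifest found under the
    profile. The version inside manifest.json is used, not the directory name."""
    found = {}
    ext_root = Path(profile_dir) / "Extensions"
    if not ext_root.is_dir():
        return found
    for ext_dir in ext_root.iterdir():
        if not (ext_dir.is_dir() and EXT_ID_RE.match(ext_dir.name)):
            continue
        for ver_dir in ext_dir.iterdir():
            manifest = ver_dir / "manifest.json"
            if not manifest.is_file():
                continue
            with open(manifest, encoding="utf-8") as fh:
                data = json.load(fh)
            found.setdefault(ext_dir.name, []).append(
                (data.get("version", ""), data.get("name", "")))
    return found


def flag_extension(inventory, ext_id, min_version):
    """Return (status, sorted_versions) where status is 'absent', 'ok' or 'outdated'.
    Any copy below min_version counts as outdated: an update can leave the previous
    version directory beside the new one, and a stale copy is still worth reviewing."""
    versions = [v for v, _ in inventory.get(ext_id, [])]
    if not versions:
        return "absent", []
    floor = parse_version(min_version)
    stale = [v for v in versions if parse_version(v) < floor]
    return ("outdated" if stale else "ok"), sorted(versions, key=parse_version)


def build_sample_profile():
    """Constructed fixture (not real data): a throwaway Chrome-style profile holding the
    placeholder extension in two version directories (1.4.0 stale, 1.5.0 current) and
    one unrelated extension. Returns the profile path."""
    root = Path(tempfile.mkdtemp(prefix="chrome-profile-"))
    layout = {
        (EXAMPLE_EXT_ID, "1.4.0_0"): {"name": "Example DLP Agent", "version": "1.4.0"},
        (EXAMPLE_EXT_ID, "1.5.0_0"): {"name": "Example DLP Agent", "version": "1.5.0"},
        (OTHER_EXT_ID, "1.0_0"): {"name": "Unrelated Extension", "version": "1.0"},
    }
    for (ext_id, ver_dir), manifest in layout.items():
        d = root / "Extensions" / ext_id / ver_dir
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(
            json.dumps({"manifest_version": 3, **manifest}), encoding="utf-8")
    return root


if __name__ == "__main__":
    # On a real endpoint, point this at e.g. ~/.config/google-chrome/Default instead.
    profile = build_sample_profile()
    inv = inventory_extensions(profile)
    for ext_id, copies in inv.items():
        print(ext_id, copies)
    print(EXAMPLE_EXT_ID, flag_extension(inv, EXAMPLE_EXT_ID, EXAMPLE_MIN_VERSION))
```

Run it against each Chrome profile directory on an endpoint (Default and any Profile N directories) and treat an "outdated" result as a prompt to confirm the update, then carry on with the remaining vendor steps: rotate credentials and API tokens and review browser logs for the period the affected version was installed.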