Digital Imposters: Stealthy Chrome Extensions Threaten Enterprise Accounts
A recent alarming discovery by cybersecurity researchers has unveiled a sophisticated campaign involving five malicious Google Chrome web browser extensions. These digital imposters masquerade as legitimate human resources (HR) and enterprise resource planning (ERP) platforms, including industry giants like Workday, NetSuite, and SuccessFactors, with the ultimate goal of seizing control of victim accounts.
“The extensions work in concert to steal authentication tokens, block incident response capabilities, and enable complete account takeover through session hijacking,” revealed Kush Pandya, a security researcher at Socket, in a recent report. This coordinated attack highlights a significant threat to corporate data and employee credentials.
The Deceptive Five: Unmasking the Malicious Add-ons
The identified extensions, primarily published under the guise of “databycloud1104” and one by “Software Access,” were designed to blend in as productivity tools offering access to premium platform features. Here’s the list of the culprits:
- DataByCloud Access (ID: oldhjammhkghhahhhdcifmmlefibciph) – 251 Installs
- Tool Access 11 (ID: ijapakghdgckgblfgjobhcfglebbkebf) – 101 Installs
- DataByCloud 1 (ID: mbjjeombjeklkbndcjgmfcdhfbjngcam) – 1,000 Installs
- DataByCloud 2 (ID: makdmacamkifdldldlelollkkjnoiedg) – 1,000 Installs
- Software Access (ID: bmodapcihjhklpogdpblefpepjolaoij) – 27 Installs
While most of these extensions have been removed from the Chrome Web Store, they unfortunately remain accessible on various third-party software download sites, posing an ongoing risk.
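To check whether any of the listed extensions is present in a Chrome profile, and to surface unknown extensions that request the same permission pattern the report describes, here is an added example (written for this page, not Socket's tooling). It assumes Chrome's on-disk layout of `<profile>/Extensions/<id>/<version>/manifest.json`, and the host-name fragments it matches against are assumptions, not taken from the report; the sample manifests at the bottom are constructed so the script runs offline.

```python
"""Audit Chrome extension manifests for the extension IDs and the permission pattern
described in the Socket report. Added example; not the report's own code."""
import json
from pathlib import Path

# Extension IDs quoted in the article (Socket report).
KNOWN_MALICIOUS_IDS = {
    "oldhjammhkghhahhhdcifmmlefibciph": "DataByCloud Access",
    "ijapakghdgckgblfgjobhcfglebbkebf": "Tool Access 11",
    "mbjjeombjeklkbndcjgmfcdhfbjngcam": "DataByCloud 1",
    "makdmacamkifdldldlelollkkjnoiedg": "DataByCloud 2",
    "bmodapcihjhklpogdpblefpepjolaoij": "Software Access",
}

# Permission set the article says the extensions request.
CAMPAIGN_PERMISSIONS = {"cookies", "management", "scripting", "storage", "declarativeNetRequest"}

# Assumed host-name fragments for the targeted platforms; adjust to your tenant's domains.
TARGET_HOST_FRAGMENTS = ("workday.com", "workdaysuv.com", "netsuite.com", "successfactors")


def audit_manifest(ext_id: str, manifest: dict) -> list[str]:
    """Return human-readable findings for one extension (empty list = nothing notable)."""
    findings = []
    if ext_id in KNOWN_MALICIOUS_IDS:
        findings.append(f"known malicious ID ({KNOWN_MALICIOUS_IDS[ext_id]})")

    perms = set(manifest.get("permissions", []))
    hosts = list(manifest.get("host_permissions", []))
    # Manifest V2 mixes host match patterns into "permissions"; split them out.
    if manifest.get("manifest_version", 3) < 3:
        hosts = [p for p in perms if "://" in p or p == "<all_urls>"]
        perms -= set(hosts)

    overlap = perms & CAMPAIGN_PERMISSIONS
    if len(overlap) >= 4:
        findings.append(f"requests {len(overlap)}/5 of the campaign's permission set")

    hits_target = any(frag in h for h in hosts for frag in TARGET_HOST_FRAGMENTS)
    if "cookies" in overlap and (hits_target or "<all_urls>" in hosts):
        findings.append("cookie access covering HR/ERP domains: " + ", ".join(sorted(overlap)))
    return findings


def scan_extensions_dir(extensions_dir: Path) -> dict[str, list[str]]:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and report flagged IDs."""
    report = {}
    for manifest_path in extensions_dir.glob("*/*/manifest.json"):
        ext_id = manifest_path.parent.parent.name
        manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        findings = audit_manifest(ext_id, manifest)
        if findings:
            report[ext_id] = findings
    return report


# Constructed sample manifests (contents are illustrative, not the real extensions' manifests).
SAMPLE_MANIFESTS = {
    "oldhjammhkghhahhhdcifmmlefibciph": {  # reported ID, constructed body
        "manifest_version": 3, "name": "DataByCloud Access",
        "permissions": ["cookies", "management", "scripting", "storage", "declarativeNetRequest"],
        "host_permissions": ["*://*.workday.com/*", "*://*.netsuite.com/*"],
    },
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {  # constructed benign extension
        "manifest_version": 3, "name": "Tab Counter",
        "permissions": ["tabs"], "host_permissions": [],
    },
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {  # constructed: unknown ID, same cookie-on-HR pattern
        "manifest_version": 2, "name": "HR Helper",
        "permissions": ["cookies", "storage", "*://*.successfactors.com/*"],
    },
}


def audit_samples() -> dict[str, list[str]]:
    return {ext_id: audit_manifest(ext_id, m) for ext_id, m in SAMPLE_MANIFESTS.items()}


if __name__ == "__main__":
    for ext_id, findings in audit_samples().items():
        print(ext_id, findings or "clean")
```

Run `scan_extensions_dir(Path.home() / ".config/google-chrome/Default/Extensions")` (or the equivalent profile path on your OS) against a live profile; the ID match is the hard indicator, while the permission-pattern findings are a triage hint that needs a human look at the extension's code.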
A Coordinated Campaign with Shared Infrastructure
Despite being listed under two different publishers, the identical functionality and infrastructure patterns strongly suggest a single, coordinated operation. Some of these extensions, like DataByCloud 1 and DataByCloud 2, have been active since August 2021, indicating a long-running threat.
Anatomy of an Account Takeover: How the Attack Unfolds
The attackers employ a multi-pronged approach to achieve complete account takeover:
Cookie Exfiltration and Injection for Session Hijacking
At the core of the attack is the exfiltration of authentication cookies. Once installed, extensions like DataByCloud Access request broad permissions (cookies, management, scripting, storage, declarativeNetRequest) across Workday, NetSuite, and SuccessFactors domains. The extension then collects authentication cookies for the specified domains and transmits them every 60 seconds to a remote server, “api.databycloud[.]com.”
The most sophisticated extension, Software Access, takes this a step further. Not only does it steal cookies, but it also receives stolen cookies from “api.software-access[.]com” and injects them directly into the victim’s browser. This allows threat actors to bypass login credentials entirely, directly installing the victim’s authentication state into their own browser session and facilitating immediate session hijacking.
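The 60-second exfiltration cadence is something a proxy or DNS log can reveal. The following added example (not part of the article or Socket's report) flags source/host pairs that contact either of the two exfiltration hosts named above, and, more generally, any host contacted at a fixed interval of roughly one minute. The log format, addresses, timestamps and the `cdn.example.org` host are constructed for the example.

```python
"""Detect fixed-interval beaconing to the exfiltration hosts named in the report over
proxy log lines. Added example; log lines below are constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Hosts from the article, written undefanged so they match real log fields.
SUSPECT_HOSTS = {"api.databycloud.com", "api.software-access.com"}


def parse_line(line: str):
    """Constructed format: '<ISO timestamp> <src_ip> <method> <host> <status>'."""
    ts, src, _method, host, _status = line.split()
    return datetime.fromisoformat(ts), src, host


def find_beacons(lines, expected_period=60.0, tolerance=5.0, min_hits=4):
    """Return one alert per (src, host) pair that is a known exfil host or beacons periodically."""
    by_pair = defaultdict(list)
    for line in lines:
        ts, src, host = parse_line(line)
        by_pair[(src, host)].append(ts)

    alerts = []
    for (src, host), stamps in by_pair.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # Periodic if the mean gap is near the expected period and the jitter is small.
        periodic = (len(stamps) >= min_hits
                    and abs(mean(gaps) - expected_period) <= tolerance
                    and pstdev(gaps) <= tolerance)
        known = host in SUSPECT_HOSTS
        if periodic or known:
            alerts.append({
                "src": src, "host": host, "hits": len(stamps),
                "mean_gap": round(mean(gaps), 1) if gaps else None,
                "known_host": known, "periodic": periodic,
            })
    return alerts


# Constructed sample log: one client beaconing to a reported host every ~60 s, normal browsing,
# and a second client beaconing to an unknown host at the same cadence.
SAMPLE_LOG = [
    "2024-01-01T09:00:00 10.0.0.5 POST api.databycloud.com 200",
    "2024-01-01T09:00:05 10.0.0.5 GET www.example.com 200",
    "2024-01-01T09:00:09 10.0.0.5 GET www.example.com 200",
    "2024-01-01T09:01:00 10.0.0.5 POST api.databycloud.com 200",
    "2024-01-01T09:01:59 10.0.0.5 POST api.databycloud.com 200",
    "2024-01-01T09:02:40 10.0.0.5 GET www.example.com 200",
    "2024-01-01T09:03:01 10.0.0.5 POST api.databycloud.com 200",
    "2024-01-01T09:04:00 10.0.0.5 POST api.databycloud.com 200",
    "2024-01-01T09:00:00 10.0.0.7 GET updates.example.net 200",
    "2024-01-01T09:05:00 10.0.0.7 GET updates.example.net 200",
    "2024-01-01T09:10:00 10.0.0.9 POST cdn.example.org 200",
    "2024-01-01T09:11:00 10.0.0.9 POST cdn.example.org 200",
    "2024-01-01T09:12:00 10.0.0.9 POST cdn.example.org 200",
    "2024-01-01T09:13:00 10.0.0.9 POST cdn.example.org 200",
]


def detect_samples():
    return find_beacons(SAMPLE_LOG)


if __name__ == "__main__":
    for alert in detect_samples():
        print(alert)
```

The host match is the confirmed indicator; the periodicity check catches the same behaviour after the operator moves to a new domain, at the cost of false positives from legitimate pollers, so treat it as a hunting lead rather than a block rule.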
Silencing Security: Blocking Administrative and Incident Response Capabilities
A critical component of this campaign is the deliberate disabling of security and administrative functions. “Tool Access 11 (v1.4) prevents access to 44 administrative pages within Workday by erasing page content and redirecting to malformed URLs,” explained Pandya. This includes crucial interfaces for authentication management, security proxy configuration, IP range management, and session control.
DataByCloud 2 expands this blocking capability to 56 pages, targeting essential functions such as password changes, account deactivation, 2FA device management, and security audit log access. It targets both production environments and Workday’s sandbox testing environment (“workdaysuv[.]com”). This is achieved through Document Object Model (DOM) manipulation: the extension continuously monitors the page title and blocks any page whose title matches its list.
Furthermore, DataByCloud 1 incorporates features to prevent code inspection using web browser developer tools, leveraging the open-source DisableDevtool library. Both DataByCloud 1 and Software Access also encrypt their command-and-control (C2) traffic, making detection and analysis more challenging.
A Watchful Eye: Monitoring Other Security Tools
A particularly cunning aspect of these extensions is their ability to detect and monitor other security-related Chrome extensions. All five malicious add-ons contain an identical list of 23 legitimate security extensions – including EditThisCookie, Cookie-Editor, ModHeader, Redux DevTools, and SessionBox. This suggests an attempt by the attackers to identify tools that could interfere with their cookie harvesting or expose their malicious behavior.
Immediate Action Required: Protecting Your Accounts
The combination of continuous credential theft, administrative interface blocking, and direct session hijacking creates an extremely dangerous scenario for users. If you have installed any of the aforementioned add-ons, immediate action is crucial:
- Remove the extensions: Promptly uninstall all identified malicious extensions from your Chrome browser.
- Reset Passwords: Change passwords for all affected HR/ERP platforms (Workday, NetSuite, SuccessFactors) and any other critical accounts.
- Review Account Activity: Scrutinize your account activity for any signs of unauthorized access, unfamiliar IP addresses, or unusual device logins.
- Enable Multi-Factor Authentication (MFA): Ensure MFA is enabled on all your critical accounts for an added layer of security.
This incident serves as a stark reminder of the persistent threat posed by malicious browser extensions and the importance of vigilance when installing third-party software.