Threat Bulletin

Blackwell Helix Threat Bulletin: Chrome Extension Exploitation

Key Alert:

A recent supply chain attack compromised several Chrome browser extensions, including the data loss prevention (DLP) extension from cybersecurity company Cyberhaven. The attackers injected malicious code into legitimate extensions, enabling unauthorized data exfiltration. This incident is part of a broader campaign targeting Chrome extension developers at multiple companies. The extensions listed below are known to have been compromised and had not been remediated at the time of writing.

Unresolved extensions:

  • YesCaptcha assistant
  • Proxy SwitchyOmega (V3)
  • VPNCity
  • VidHelper
  • Uvoice
  • Reader Mode
  • ParrotTalks
  • Keyboard History Recorder
  • ChatGPT Assistant
  • AI Shop Buddy
  • Earny
  • Sort By
  • Email Hunter

Threat Overview:

The attack involved phishing campaigns that compromised developers’ access to the Chrome Web Store, allowing attackers to publish malicious versions of legitimate extensions. These compromised extensions were then distributed to users, facilitating unauthorized access to sensitive information.

Key aspects of the attack include:

  • Targeted Component: Chrome browser extensions from multiple companies, including the data loss prevention extension by Cyberhaven.
  • Initial Access Vector: The attack was executed through phishing emails that led developers to authorize a malicious OAuth application, granting the attackers the Chrome Web Store permissions needed to upload compromised versions of the developers’ extensions.
  • Exploitation in the Wild: The malicious extensions were active between December 24 and December 26, 2024, affecting users who had auto-updated their extensions during this period.

Healthcare Impacts:

The compromise of these Chrome extensions presents significant risks to the healthcare sector, including:

  • Unauthorized Data Access: The malicious code was designed to exfiltrate cookies and authenticated session tokens for specific websites, potentially granting attackers access to sensitive healthcare data, including patient records and protected health information (PHI).
  • Credential Theft: By targeting authentication sessions, attackers could harvest credentials for electronic health record (EHR) systems, enabling unauthorized access to critical healthcare applications and patient data.
  • Supply Chain Vulnerability Exposure: The attack highlights vulnerabilities in the software supply chain, emphasizing the need for enhanced security measures in the development and distribution of extensions used by healthcare organizations. Compromised extensions could expose organizations to operational disruptions and regulatory penalties.

Exploitation Method:

Attackers initiated the compromise through phishing emails that prompted developers to authorize a malicious OAuth application named “Privacy Policy Extension.” This authorization granted the attackers the permissions needed to upload malicious versions of legitimate Chrome extensions to the Chrome Web Store. Because the developer granted consent from an already-authenticated Google session, multi-factor authentication on the developer account does not block this step; no password is stolen, so the defense is to review and revoke third-party OAuth grants on developer accounts.

Affected Products and Versions:

  • Cyberhaven Chrome Extension: Version 24.10.4 was compromised; the malicious code was active between December 24 and December 26, 2024.
  • Other Chrome Extensions: Extensions related to artificial intelligence and virtual private networks (VPNs) were also compromised, indicating a broader impact.

Indicators of Compromise (IoCs):

  • Malicious Extension Version: Presence of Cyberhaven Chrome Extension version 24.10.4.
  • Unauthorized OAuth Applications: Detection of the “Privacy Policy Extension” OAuth application in developer accounts.
  • Suspicious Network Traffic: Outbound connections to the domain cyberhavenext[.]pro, associated with the attacker’s command-and-control server.

Compromised Extension IOCs:

  • cyberhavenext[.]pro
  • gptforbusiness[.]site
  • ext[.]businessforai[.]com
  • barefootcontractor[.]com
  • uvoice[.]live
  • primusext[.]pro
  • ultrablock[.]pro
  • dearflip[.]pro
  • parrottalks[.]info
  • vidnozflex[.]live
  • wakelet[.]ink
  • locallyext[.]ink
  • tinamind[.]info
  • apple-ads-metric[.]com
  • geminiaigg[.]pro
  • blockadsonyt[.]vip
  • fadblock[.]pro
  • lltvmarkets[.]com
  • savgptforchrome[.]pro
  • bardaiforchrome[.]live
  • com-freeapps[.]com
  • gpt4summary[.]ink
  • searchaiassitant[.]info
  • artseasy[.]com
  • savechatgpt[.]site
  • upwordwave[.]com
  • yescaptcha[.]pro
  • videodownloadhelper[.]pr
  • internetdownloadmanager[.]pro
  • searchgptchat[.]inf
  • gptdetector[.]live
  • chatgptextent[.]pro
  • youtubeadsblocker[.]live
  • chatgptextension[.]site
  • remiwantnun[.]com
  • okta-onsolve[.]com
  • capitalizerutc[.]com
  • extensionpolicyprivacy[.]com
  • policyextension[.]info
  • extensionpolicy[.]net
  • checkpolicy[.]site
  • linewizeconnect[.]com
  • extensionbuysell[.]com
  • adskiper[.]net
  • aiforgemini[.]com
  • aeromexi[.]co
  • gptforads[.]info
  • blockforads[.]com
  • ytbadblocker[.]com
  • searchcopilot[.]co
  • castorus[.]info
  • bookmarkfc[.]info
  • proxyswitchyomega[.]pro
  • graphqlnetwork[.]pro
  • iobit[.]pro
  • pieadblock[.]pro
  • sclpfybn[.]com
  • tnagofsg[.]com
  • kra18[.]com

IPv4 IOCs:

  • 149.28.124.84
  • 45.76.225.148
  • 136.244.115.219
  • 149.248.44.88
  • 108.61.23.192
  • 80.240.21.36
  • 45.32.69.11
  • 155.138.253.165
  • 45.77.5.196
  • 144.202.123.86
  • 74.220.199.9
  • 45.32.231.212
  • 149.28.117.236
  • 137.220.48.214
  • 149.248.2.160
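To put the domain and IPv4 indicators above to use, the following added example (not from the bulletin, Cyberhaven, or any vendor tool) matches DNS and proxy log lines against them. It normalizes the defanged `[.]` form, matches a hostname when it equals an IOC domain or sits under it (api.cyberhavenext.pro counts, notcyberhavenext.pro does not), and checks IPv4 destinations. The log lines are constructed for illustration; only a subset of the indicators is embedded, so extend the two lists with the full set above before running it against real telemetry.

```python
"""Match DNS and proxy log lines against the bulletin's domain and IPv4 IOCs.

Added example; the log lines are constructed for illustration and the
indicator subset is taken from the lists above.
"""
import ipaddress
import re

# Subset of the domain IOCs above, kept in their defanged form.
DEFANGED_DOMAINS = [
    "cyberhavenext[.]pro",
    "gptforbusiness[.]site",
    "okta-onsolve[.]com",
    "proxyswitchyomega[.]pro",
    "yescaptcha[.]pro",
]

# Subset of the IPv4 IOCs above.
IPV4_IOCS = ["149.28.124.84", "45.76.225.148", "136.244.115.219"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'a[.]b' back into a matchable name."""
    return indicator.replace("[.]", ".").replace("(.)", ".").strip().lower().rstrip(".")


IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IOC_IPS = {ipaddress.ip_address(ip) for ip in IPV4_IOCS}

# Hostname tokens: one or more labels followed by an alphabetic TLD, so bare
# IPv4 addresses are not picked up here. Deliberately loose so hostnames
# embedded in URLs or qname= fields are also found.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def matching_domain(hostname: str):
    """Return the IOC domain that hostname equals or sits under, else None.

    Walks from the full name to its parent zones (a.b.c -> b.c), so
    api.cyberhavenext.pro matches cyberhavenext.pro while
    notcyberhavenext.pro and cyberhavenext.pro.example.com do not.
    """
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def scan_line(line: str) -> list:
    """Return (indicator, kind) pairs for every IOC hit in one log line."""
    hits = []
    for host in HOST_RE.findall(line):
        ioc = matching_domain(host)
        if ioc:
            hits.append((ioc, "domain"))
    for ip in IP_RE.findall(line):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:  # e.g. 999.1.1.1 matched the regex but is not an address
            continue
        if addr in IOC_IPS:
            hits.append((str(addr), "ipv4"))
    return hits


def scan_log(lines) -> dict:
    """Map each matching line number (1-based) to the hits on that line."""
    return {n: hits for n, line in enumerate(lines, 1) if (hits := scan_line(line))}


# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    "2024-12-25T03:14:07Z dns client=10.0.4.21 qname=api.cyberhavenext.pro. qtype=A",
    "2024-12-25T03:14:08Z proxy client=10.0.4.21 dst=149.28.124.84:443 method=CONNECT",
    "2024-12-25T03:15:00Z dns client=10.0.4.22 qname=www.example.com. qtype=A",
    "2024-12-25T03:16:12Z proxy client=10.0.4.23 url=https://okta-onsolve.com/login status=200",
    "2024-12-25T03:17:30Z dns client=10.0.4.24 qname=notcyberhavenext.pro. qtype=A",
]

if __name__ == "__main__":
    for lineno, hits in scan_log(SAMPLE_LOG).items():
        print(f"line {lineno}: {hits}")
```

Matching on parent zones rather than exact strings matters here: the C2 hosts in the bulletin are listed at the registered-domain level, and the extensions contacted subdomains of them. The reverse check (an IOC domain appearing as a prefix of an unrelated name) is deliberately not a hit.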

Known Compromised Extension IDs:

  • bibjgkidgpfbblifamdlkdlhgihmfohh
  • pkgciiiancapdlpcbppfkmeaieppikkk
  • epdjhgbipjpbbhoccdeipghoihibnfja
  • bbdnohkpnbkdkmnkddobeafboooinpla
  • befflofjcniongenjmbkgkoljhgliihe
  • cedgndijpacnfbdggppddacngjfdkaca
  • nnpnnpemnckcfdebeekibpiijlicmpom
  • dpggmcodlahmljkhlmpgpdcffdaoccni
  • cplhlgabfijoiabgkigdafklbhhdkahj
  • miglaibdlgminlepgeifekifakochlka
  • mbindhfolmpijhodmgkloeeppmkhpmhc
  • eaijffijbobmnonfhilihbejadplhddo
  • ndlbedplllcgconngcnfmkadhokfaaln
  • igbodamhgjohafcenbcljfegbipdfjpk
  • bgejafhieobnfpjlpcjjggoboebonfcg
  • llimhhconnjiflfimocjggfjdlmlhblm
  • hodiladlefdpcbemnbbcpclbmknkiaem
  • epikoohpebngmakjinphfiagogjcnddm
  • pajkjnmeojmbapicmbpliphjmcekeaac
  • ogbhbgkiojdollpjbhbamafmedkeockb
  • eanofdhdfbcalhflpbdipkjjkoimeeod
  • lbneaaedflankmgmfbmaplggbmjjmbae
  • hmiaoahjllhfgebflooeeefeiafpkfde
  • pdkmmfdfggfpibdjbbghggcllhhainjo
  • acmfnomgphggonodopogfbmkneepfgnh
  • mnhffkhmpnefgklngfmlndmkimimbphc
  • oaikpkmjciadfpddlpjjdapglcihgdle
  • fbmlcbhdmilaggedifpihjgkkmdgeljh
  • kkodiihpgodmdankclfibbiphjkfdenh
  • oeiomhmbaapihbilkfkhmlajkeegnjhe
  • jiofmdifioeejeilfkpegipdjiopiekl
  • hihblcmlaaademjlakdpicchbjnnnkbo
  • egmennebgadmncfjafcemlecimkepcle
  • emedckhdnioeieppmeojgegjfkhdlaeo
  • didhgeamncokiaegffipckhhcpnmlcbl
  • ekpkdmohpdnebfedjjfklhpefgpgaaji
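The extension IDs above are only useful if they are checked against what is actually installed. The following added example (not from the bulletin or from Cyberhaven) walks Chrome and Edge profile directories, reads each extension’s manifest.json, and flags any extension whose ID is on the list or whose name is Cyberhaven at the compromised version 24.10.4. It assumes the standard Chromium on-disk layout `<profile>/Extensions/<id>/<version>_<n>/manifest.json`; the demo builds a constructed profile tree in a temporary directory, and the IDs in that tree other than the first are made-up placeholders, not indicators from the bulletin.

```python
"""Inventory Chrome/Edge extensions on a host and flag the IDs and the
Cyberhaven version named in this bulletin.

Added example, not part of the original bulletin or of any vendor tool.
It assumes the standard on-disk layout of a Chromium profile:
<profile>/Extensions/<32-char id>/<version>_<n>/manifest.json.
"""
import json
import os
import sys
import tempfile
from pathlib import Path

# Subset of the "Known Compromised Extension IDs" list above; extend with
# the full list when running this for real.
COMPROMISED_IDS = {
    "bibjgkidgpfbblifamdlkdlhgihmfohh",
    "pkgciiiancapdlpcbppfkmeaieppikkk",
    "pajkjnmeojmbapicmbpliphjmcekeaac",
    "ekpkdmohpdnebfedjjfklhpefgpgaaji",
}
CYBERHAVEN_BAD_VERSION = "24.10.4"


def default_profile_roots():
    """Directories that hold Chrome/Edge profiles on the three desktop OSes."""
    home = Path.home()
    if sys.platform.startswith("win"):
        base = Path(os.environ.get("LOCALAPPDATA", home / "AppData" / "Local"))
        return [base / "Google" / "Chrome" / "User Data",
                base / "Microsoft" / "Edge" / "User Data"]
    if sys.platform == "darwin":
        return [home / "Library" / "Application Support" / "Google" / "Chrome",
                home / "Library" / "Application Support" / "Microsoft Edge"]
    return [home / ".config" / "google-chrome", home / ".config" / "microsoft-edge"]


def scan_profile(profile_dir: Path) -> list:
    """Return one finding dict per suspicious extension in a single profile."""
    findings = []
    for manifest in (profile_dir / "Extensions").glob("*/*/manifest.json"):
        ext_id = manifest.parent.parent.name
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, keep sweeping
        name = str(data.get("name", ""))
        version = str(data.get("version", ""))
        reasons = []
        if ext_id in COMPROMISED_IDS:
            reasons.append("extension ID is on the compromised list")
        # The manifest name may be a localisation key (__MSG_appName__); the
        # ID check above does not depend on it, this is a second signal only.
        if "cyberhaven" in name.lower() and version == CYBERHAVEN_BAD_VERSION:
            reasons.append("Cyberhaven extension at compromised version 24.10.4")
        if reasons:
            findings.append({"id": ext_id, "name": name, "version": version,
                             "path": str(manifest.parent), "reasons": reasons})
    return sorted(findings, key=lambda f: f["id"])


def scan_roots(roots) -> list:
    """Scan every profile directory (Default, Profile 1, ...) under each root."""
    findings = []
    for root in roots:
        if not root.is_dir():
            continue
        for profile in root.iterdir():
            if (profile / "Extensions").is_dir():
                findings.extend(scan_profile(profile))
    return findings


def build_sample_root(root: Path) -> Path:
    """Create a constructed profile tree for an offline demonstration.

    Only the first ID below comes from the bulletin; the other two are
    hypothetical placeholders. The layout mirrors a real profile.
    """
    profile = root / "Default"
    samples = [
        ("pajkjnmeojmbapicmbpliphjmcekeaac", "1.2.3", "Listed Extension"),
        ("aaaabbbbccccddddeeeeffffgggghhhh", "24.10.4", "Cyberhaven"),    # hypothetical ID
        ("abcdefghijklmnopabcdefghijklmnop", "3.0.1", "Harmless Notes"),  # hypothetical ID
    ]
    for ext_id, version, name in samples:
        d = profile / "Extensions" / ext_id / f"{version}_0"
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(
            json.dumps({"manifest_version": 3, "name": name, "version": version}))
    return root


def demo() -> list:
    """Run the scan against the constructed tree and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_root(Path(tmp))
        return scan_roots([root])


if __name__ == "__main__":
    roots = default_profile_roots() if len(sys.argv) < 2 else [Path(p) for p in sys.argv[1:]]
    for f in scan_roots(roots):
        print(f"{f['id']} {f['name']!r} {f['version']} -> {'; '.join(f['reasons'])}")
```

Run it with no arguments to sweep the current user’s own profiles, or pass profile root directories explicitly when running from an endpoint management agent against every user on the host. Note that the scan reads what is on disk; an extension that a user has disabled but not removed is still reported, which is the conservative behavior for an incident sweep.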

MITRE Tactics, Techniques, and Procedures (TTPs):

Two intrusions are mapped here: the phishing of extension developers (which is what gave the attackers upload rights) and the behavior of the trojanized extensions on end-user machines.

Tactic                 Technique
Initial Access         Phishing: Spearphishing Link (T1566.002)
Initial Access         Supply Chain Compromise: Compromise Software Supply Chain (T1195.002)
Execution              User Execution: Malicious Link (T1204.001)
Persistence            Browser Extensions (T1176)
Credential Access      Steal Application Access Token (T1528)
Credential Access      Steal Web Session Cookie (T1539)
Lateral Movement       Use Alternate Authentication Material: Web Session Cookie (T1550.004)
Command and Control    Application Layer Protocol: Web Protocols (T1071.001)
Exfiltration           Exfiltration Over C2 Channel (T1041)

Recommendations for Healthcare Organizations:

Immediate Actions:

  1. Update or Remove Extensions: Ensure all Chrome extensions are updated to their latest versions, and remove any extension that appears in the unresolved list above, since no clean version of it is available yet.
  2. Revoke Unauthorized OAuth Applications: Review and remove any unauthorized OAuth applications, such as the “Privacy Policy Extension,” from developer accounts.
  3. Monitor Network Traffic: Implement monitoring for connections to the known malicious domains and IP addresses listed above, including cyberhavenext[.]pro.
  4. Invalidate Exposed Sessions: Because the malicious code exfiltrated cookies and session tokens, have affected users sign out of all web sessions and rotate passwords for accounts used in the browser between December 24 and December 26, 2024.

Long-Term Defense:

  • Use Trusted Sources and Tools for Vetting Extensions: Rely on reputable browser stores and third-party security tools to vet extensions before installing them, and avoid extensions from unknown or unverified sources. High ratings and detailed reviews are a useful first filter but not a sufficient one: the extensions compromised in this campaign were legitimate, well-reviewed products whose developers were phished. Review the permissions an extension requests (broad host access and cookie access in particular) and restrict installation to an approved list.
  • Enable Multi-Factor Authentication (MFA) Where Possible: For any services or applications accessed through the browser, enable MFA to limit the value of a stolen password. Note that MFA does not protect a session whose cookie has already been exfiltrated, and it did not stop the developer-side OAuth consent phishing in this attack; treat it as one layer alongside session invalidation and OAuth grant review.
  • Conduct Regular Security Audits: Perform periodic reviews of installed browser extensions and of the OAuth applications authorized on developer and user accounts to detect and remove anything unapproved.

Leadership Guidance:

Organizational leaders should prioritize implementing security policies that vet and approve extensions before users may install them, and enforce that approval through browser management (for example, an extension allowlist pushed as an enterprise policy) rather than relying on users to follow it. Disabling automatic extension updates is sometimes suggested to keep malicious versions from arriving silently, but it also delays the fixed version of a compromised extension and every other security update; prefer removing the affected extensions and controlling which extensions are permitted.
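The enforcement mechanism described above is Chrome’s (and Edge’s) ExtensionSettings enterprise policy. The following added example (not from the bulletin or from Cyberhaven) generates that policy: every extension is blocked by default, a vetted set is allowed, and the compromised IDs are set to “removed” so managed browsers uninstall them where already present. The approved IDs used in the test are hypothetical placeholders; the policy keys and installation_mode values are Chrome’s documented enterprise policy schema, and the deployment paths in the comments are the standard managed-policy locations.

```python
"""Generate a Chrome/Edge ExtensionSettings enterprise policy that removes the
compromised extensions and allows only a vetted set, instead of turning off
extension auto-updates.

Added example, not part of the original bulletin. Approved IDs are supplied
by the caller; the compromised IDs below are a subset of the bulletin's list.
"""
import json
import re

# Chrome extension IDs are exactly 32 characters drawn from a-p.
EXTENSION_ID_RE = re.compile(r"^[a-p]{32}$")

# Subset of the "Known Compromised Extension IDs" above; extend with the full list.
COMPROMISED_IDS = [
    "bibjgkidgpfbblifamdlkdlhgihmfohh",
    "pkgciiiancapdlpcbppfkmeaieppikkk",
    "pajkjnmeojmbapicmbpliphjmcekeaac",
]

DEFAULT_MESSAGE = "Extensions must be approved by IT security before installation."


def validate_ids(ids):
    """Reject malformed IDs early (a typo here would silently allow nothing)."""
    bad = [i for i in ids if not EXTENSION_ID_RE.match(i)]
    if bad:
        raise ValueError(f"malformed extension IDs: {bad}")
    return list(dict.fromkeys(ids))  # de-duplicate, preserve order


def build_policy(approved_ids, compromised_ids=COMPROMISED_IDS, message=DEFAULT_MESSAGE) -> dict:
    """Return the policy as a dict keyed by the top-level policy name."""
    approved = validate_ids(approved_ids)
    compromised = validate_ids(compromised_ids)
    settings = {
        # Default for every extension not named below: cannot be installed.
        "*": {"installation_mode": "blocked", "blocked_install_message": message},
    }
    for ext_id in approved:
        settings[ext_id] = {"installation_mode": "allowed"}
    # A compromised ID always overrides an approval: "removed" both blocks new
    # installs and uninstalls the extension from browsers that already have it.
    for ext_id in compromised:
        settings[ext_id] = {"installation_mode": "removed"}
    return {"ExtensionSettings": settings}


def render(policy: dict) -> str:
    """Serialise for deployment.

    Linux: write to /etc/opt/chrome/policies/managed/<name>.json.
    Windows: the same JSON text is the REG_SZ value ExtensionSettings under
    HKLM\\Software\\Policies\\Google\\Chrome (or ...\\Microsoft\\Edge for Edge).
    macOS: the same dictionary goes into the managed preferences profile.
    """
    return json.dumps(policy, indent=2, sort_keys=True)


if __name__ == "__main__":
    # Placeholder approved IDs for the demonstration (hypothetical, not real extensions).
    demo_policy = build_policy(["abcdefghijklmnopabcdefghijklmnop"])
    print(render(demo_policy))
```

The allowlist model is what makes the “vet before install” policy enforceable: a compromised but previously approved extension is handled by moving its ID from the allowed set to the removed set, and the browser applies the change on its next policy refresh without anyone having to touch auto-update settings.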

Blackwell Security MHXDR Customers:

If Blackwell is receiving endpoint logs, we are reviewing Windows Event ID 4663 (object access) and Event ID 4688 (process creation) events, inspecting process creation tied to Chrome or Edge, and monitoring for the IOCs listed above, which have been added to our internal threat intelligence platform. If you observe abnormal browser behavior, unexplained high CPU usage, or crash dumps referencing chrome.dll, please contact the Blackwell IR team immediately. Note: although this bulletin focuses on the Cyberhaven extension, the original report indicates the same technique was used against other extensions. Even if Cyberhaven is not in use in your environment, report users experiencing similar abnormal browser behavior to the Blackwell IR team.

References:

Cyberhaven Extension Compromise

Cyberhaven’s Chrome extension security incident and what we’re doing about it

When Chrome Extensions Turn Against Us: The Cyberhaven Breach and Beyond

Cybersecurity firm’s Chrome extension hijacked to steal users’ data

Cyberhaven Incident: Ongoing Updates