Harvesting private user information, particularly browser cookies and authentication sessions, was the main goal of the attack. Experts noted that the primary targets were AI services and social media advertising platforms, with a special emphasis on Facebook Ads accounts.
Ironically, Cyberhaven, a company that offers cybersecurity solutions, was one of the impacted businesses. A phishing email was used to compromise their data loss prevention extension. At 20:32 on December 24, the malicious version of their extension (24.10.4) was made available.
Even though the company responded quickly, identifying the problem the next day at 18:54, the malicious code continued to function until 21:50 on December 25.
Jaime Blasco, a security researcher, notes that no particular company was the target of this attack. He found the same malicious code in other extensions, such as VPN and AI tools, while conducting his investigation.
Following the incident, Cyberhaven released a number of security guidelines for organizations that might be impacted.
Important precautions include carefully reviewing system logs for unusual activity and immediately changing the passwords for all credentials that are not protected by the FIDO2 standard for multi-factor authentication.
An updated, secure version of the extension, designated 24.10.5, has already been made available by the company.