
Investigating the Chrome Extension Compromise with Binalyze AIR

In late 2024, a wave of cyberattacks compromised several legitimate Chrome browser extensions, including Cyberhaven’s data loss prevention tool. Attackers injected malicious code into these extensions, turning them into tools for harvesting browser cookies and authentication tokens. The ultimate targets were sensitive platforms such as Facebook Ads accounts, social media dashboards, and AI systems.

This incident highlights a rising trend in extension-based attacks, exploiting trusted tools to execute credential theft, session hijacking, and unauthorized access. Businesses must act swiftly to investigate and mitigate such threats.

The Threat Overview

Malicious actors tampered with legitimate Chrome extensions, weaponizing their capabilities to intercept sensitive data from unsuspecting users. By targeting authentication sessions, these attackers aimed to gain control of high-value accounts—especially those tied to advertising and financial services. Once authenticated sessions were compromised, attackers could manipulate accounts, steal funds, or deploy further malicious campaigns.

Among the affected were well-known extensions like Internxt VPN and ParrotTalks, alongside Cyberhaven. Though swift updates were issued to remediate the malicious code, organizations must remain vigilant to detect residual threats or secondary attacks stemming from compromised data.

How Binalyze AIR Can Help

In such incidents, rapid investigation and response are crucial. Binalyze AIR’s automated investigation and response platform delivers forensic-level visibility at speed, empowering security teams to:

  1. Leverage MITRE ATT&CK Analyzer 8.2.4: The AIR platform integrates updated MITRE ATT&CK mappings, including the latest techniques used in browser and extension-based attacks such as the Chrome Cyberhaven extension issue. Combined with tailored YARA rules, AIR can pinpoint malicious extension behaviors and immediately present them as High Findings in the Investigation Hub as seen below:

[Screenshot: detection1]

When a user selects an entry marked as a High Finding, the Investigation Hub immediately displays all relevant data required for the investigation. This empowers the user to take informed action and initiate remediation swiftly, leveraging the clearly presented actionable intelligence. The screenshot below highlights some of the granular details that can be easily accessed:

[Screenshot: detection2]

  2. Analyze Browser Activity: AIR’s granular evidence acquisition profiles include browser histories and extension data. This helps identify compromised or suspicious extensions installed across assets.

  3. Conduct Targeted Scans: Leverage the actionable intelligence displayed above by utilizing AIR’s integrated YARA, Sigma, and osquery rules. Perform live scans on affected systems to uncover additional indicators of compromise (IoCs) and ensure that no threat actor footholds remain undetected.

  4. Timeline Reconstruction: Use AIR to generate timelines and combine them with the Investigation Hub, which consolidates all forensic data into a chronological view of events. This allows analysts to trace malicious activity from initial compromise to subsequent lateral movement or data exfiltration.

  5. Streamlined Reporting: Binalyze AIR automatically generates detailed incident reports, ensuring clear documentation for compliance and further analysis.
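As an added illustration of the extension-data triage described in the "Analyze Browser Activity" item, the Python below (not Binalyze's code) grades Chrome extension manifests found under a profile directory: it flags versions on a watchlist and manifests that pair the `cookies` permission with all-site host access, the combination that lets an extension read session cookies for every site. The watchlist id and version, the sample manifest and the function names are constructed assumptions, not values from this incident.

```python
import json
from pathlib import Path

# Permissions that let an extension read session cookies or intercept traffic,
# the capabilities abused in the late-2024 extension compromise.
HIGH_RISK_PERMISSIONS = {"cookies", "webRequest", "webRequestBlocking", "scripting", "tabs"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed watchlist: extension id -> versions known to carry injected code.
# Placeholder values only; real ids and versions come from vendor advisories.
WATCHLIST = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"24.10.4"}}


def assess_manifest(ext_id, version, manifest):
    """Grade one parsed manifest; returns a finding dict an analyst can act on."""
    reasons = []
    on_watchlist = version in WATCHLIST.get(ext_id, set())
    if on_watchlist:
        reasons.append(f"version {version} is on the compromise watchlist")
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    # MV3 keeps host patterns in host_permissions; MV2 mixes them into permissions.
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    broad = sorted(hosts & BROAD_HOSTS)
    risky = sorted(perms & HIGH_RISK_PERMISSIONS)
    cookie_harvest = "cookies" in perms and bool(broad)
    if cookie_harvest:
        reasons.append(f"can read cookies on all sites ({', '.join(broad)})")
    elif risky:
        reasons.append(f"requests high-risk permissions: {', '.join(risky)}")
    severity = "high" if (on_watchlist or cookie_harvest) else "medium" if risky else "info"
    return {"id": ext_id, "version": version, "severity": severity, "reasons": reasons}


def scan_profile(profile_dir):
    """Walk <profile>/Extensions/<id>/<version>_<n>/manifest.json and grade each one."""
    results = []
    for manifest_path in Path(profile_dir).glob("Extensions/*/*/manifest.json"):
        version_dir = manifest_path.parent
        with manifest_path.open(encoding="utf-8") as fh:
            manifest = json.load(fh)
        # Chrome names the version directory like "24.10.4_0"; strip the suffix.
        results.append(assess_manifest(version_dir.parent.name, version_dir.name.split("_")[0], manifest))
    return sorted(results, key=lambda r: ("high", "medium", "info").index(r["severity"]))


# Constructed sample manifest shaped like a trojanised MV3 extension's request set.
SAMPLE_MANIFEST = json.loads("""{"manifest_version": 3, "name": "example-ext", "version": "24.10.4",
  "permissions": ["cookies", "storage", "webRequest"], "host_permissions": ["<all_urls>"]}""")

if __name__ == "__main__":
    print(json.dumps(assess_manifest("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "24.10.4", SAMPLE_MANIFEST), indent=2))
```

Point `scan_profile()` at a copy of the acquired Chrome profile (for example `User Data/Default`) rather than the live one so the evidence is not modified.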

Conclusion: Proactive Measures and Continuous Defense

While Cyberhaven and other vendors swiftly updated their compromised extensions, organizations must take a proactive stance to defend against such attacks. Binalyze AIR’s automation and integration capabilities allow seamless collaboration across SIEM, SOAR, and EDR platforms. This ensures that cyber investigations and incident response workflows remain efficient and effective.

By leveraging tools like AIR’s enhanced MITRE ATT&CK Analyzer and updated YARA rules, organizations and investigators can stay ahead of sophisticated threats, secure their assets, and minimize the impact of future attacks.

AIR’s proactive, rapid, accurate and collaborative insights result in faster investigations and boost cyber resilience.

Call to action

Want to see how Binalyze AIR fits into your incident response strategy? Book a demo today and experience the difference.

Check out this blog to see how effortlessly AIR's Investigation Hub simplifies handling malware cases.