Coordinated Malicious Chrome Extensions Compromise Enterprise HR and ERP Systems
A sophisticated cyber threat has emerged, involving five malicious Chrome extensions designed to infiltrate and compromise enterprise human resources (HR) and enterprise resource planning (ERP) platforms. These extensions specifically target widely-used systems such as Workday, NetSuite, and SuccessFactors, which are integral to managing sensitive employee and company data.
The Malicious Extensions and Their Deployment
The threat actors behind this campaign have strategically developed and deployed these extensions to maximize their impact:
– Databycloud1104 Series: Four of the extensions are published under the alias databycloud1104.
– SoftwareAccess Extension: The fifth extension operates under the name softwareaccess but shares identical infrastructure patterns and attack mechanisms with the databycloud1104 series.
Collectively, these extensions have been installed by over 2,300 users within enterprise environments, indicating a significant reach and potential impact.
Attack Mechanisms and Capabilities
These extensions are engineered to perform a series of coordinated attacks that include:
1. Credential Theft: By extracting authentication tokens and session cookies, the extensions gain unauthorized access to user accounts.
2. Disabling Security Controls: They actively disable security features within the targeted platforms, hindering the ability of security teams to respond effectively.
3. Session Hijacking: Through session hijacking techniques, attackers can maintain persistent access to compromised accounts.
A particularly concerning capability is the bidirectional cookie injection implemented by the SoftwareAccess extension. This technique lets attackers inject stolen authentication cookies directly into their own browsers, giving them immediate access to victim accounts without a password and bypassing multi-factor authentication (MFA) protections.
Additionally, some extensions continuously extract session tokens every 60 seconds, ensuring that attackers maintain current credentials even when users log out and back in during normal business operations.
Infection Mechanism and Persistence Strategies
The extensions employ sophisticated infection mechanisms that combine credential theft with targeted administrative interface blocking to prevent incident response:
– DOM Manipulation: The extensions monitor page content and immediately erase security administration pages when users attempt to access them.
– Blocking Administrative Pages: For example, the Tools Access 11 extension blocks 44 administrative pages within Workday, while Data By Cloud 2 expands this to 56 pages, including critical functions like password changes, account deactivation, MFA device management, and security audit logs.
– Continuous Monitoring: Using MutationObserver functions that check the page every 50 milliseconds, the extensions replace the entire page content with blank space and redirect users to malformed URLs when administrators attempt to reset passwords or disable compromised accounts.
This creates a containment failure scenario where security teams can detect unauthorized access but cannot implement standard remediation procedures, forcing organizations to either allow persistent unauthorized access or migrate affected users to entirely new accounts.
Detection and Mitigation
The malicious nature of these extensions was identified through code analysis by security researchers, revealing hidden functionalities despite misleading marketing claims. The extensions market themselves as legitimate productivity tools that streamline access across multiple accounts, while in reality, they steal credentials and block security teams from responding to attacks.
To mitigate the risks associated with these malicious extensions, organizations should:
– Conduct Regular Security Audits: Regularly review and audit browser extensions installed within the enterprise environment to identify and remove unauthorized or suspicious extensions.
– Implement Strict Extension Policies: Enforce policies that restrict the installation of browser extensions to those that have been vetted and approved by the organization’s security team.
– Educate Employees: Provide training to employees about the risks associated with installing unverified browser extensions and encourage them to report any suspicious activity.
– Enhance Monitoring: Utilize advanced monitoring tools to detect unusual activities related to browser extensions and respond promptly to potential threats.
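As an added example (not code from the report or from any of the extensions it describes), a Python audit that reads the manifests in a Chrome profile and flags extensions that are not on the security team's allowlist and that combine the cookies permission or page scripts with access to Workday, NetSuite or SuccessFactors hosts, the capability combination described above. The sample manifests, the placeholder extension IDs and the host-name fragments are constructed for this example.

```python
import json
from pathlib import Path

# Hostname fragments of the HR/ERP platforms named in the report, and the
# match patterns that grant an extension access to every site.
HR_ERP_HOSTS = ("workday.com", "netsuite.com", "successfactors")
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def declared_hosts(manifest):
    """Collect every host pattern an extension can reach (MV2 and MV3 layouts)."""
    hosts = set(manifest.get("host_permissions", []))          # MV3
    hosts.update(p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>")  # MV2
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))
    return hosts

def assess(ext_id, manifest, allowlist=frozenset()):
    """Return findings for one extension; an empty list means nothing to flag."""
    if ext_id in allowlist:                                     # vetted and approved: skip
        return []
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    hosts = declared_hosts(manifest)
    reaches_hr = bool(hosts & BROAD_HOSTS) or any(f in h for h in hosts for f in HR_ERP_HOSTS)
    findings = []
    if reaches_hr and "cookies" in perms:
        findings.append("cookies permission on HR/ERP hosts: can read or inject session cookies")
    if reaches_hr and ("scripting" in perms or manifest.get("content_scripts")):
        findings.append("scripts run on HR/ERP pages: can blank or rewrite admin pages")
    if hosts & BROAD_HOSTS:
        findings.append("requests access to every site")
    return findings

def load_profile(extensions_dir):
    """Read {ext_id: manifest} from a profile's Extensions/<id>/<version>/manifest.json files."""
    return {mf.parent.parent.name: json.loads(mf.read_text(encoding="utf-8"))
            for mf in Path(extensions_dir).glob("*/*/manifest.json")}

def audit_manifests(manifests, allowlist=frozenset()):
    """Run assess() over an {ext_id: manifest} map and keep only flagged extensions."""
    return {i: f for i, m in manifests.items() if (f := assess(i, m, allowlist))}

# Constructed sample manifests with placeholder IDs (not the extensions in the report).
SAMPLE_MANIFESTS = {
    "a" * 32: {"manifest_version": 3, "name": "Multi-account access helper",
               "permissions": ["cookies", "scripting", "storage"],
               "host_permissions": ["https://*.myworkday.com/*", "https://*.netsuite.com/*"],
               "content_scripts": [{"matches": ["https://*.myworkday.com/*"], "js": ["inject.js"]}]},
    "c" * 32: {"manifest_version": 2, "permissions": ["cookies", "https://*.successfactors.eu/*"]},
    "b" * 32: {"manifest_version": 3, "name": "Dark theme", "permissions": ["storage"]},
}
```

On Linux the profile directory is typically ~/.config/google-chrome/Default/Extensions; run audit_manifests(load_profile(path), allowlist) with the IDs your security team has approved, and review anything it returns.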
By adopting these measures, enterprises can strengthen their defenses against sophisticated threats posed by malicious browser extensions targeting critical HR and ERP systems.