
Credential-stealing Chrome extensions target enterprise HR platforms


Malicious Chrome extensions on the Chrome Web Store masquerading as productivity and security tools for enterprise HR and ERP platforms were discovered stealing authentication credentials or blocking management pages used to respond to security incidents.

The campaign was discovered by cybersecurity firm Socket, which says it identified five Chrome extensions targeting Workday, NetSuite, and SAP SuccessFactors, collectively installed more than 2,300 times.

"The campaign deploys three distinct attack types: cookie exfiltration to remote servers, DOM manipulation to block security administration pages, and bidirectional cookie injection for direct session hijacking," reports Socket.

"The extensions target the same enterprise platforms and share identical security tool detection lists, API endpoint patterns, and code structures, indicating a coordinated operation despite appearing as separate publishers."

The extensions were published under different names, but the researchers say they share identical infrastructure, code patterns, and targeting. Four of the extensions were published under the developer name databycloud1104, while the fifth used different branding under the name Software Access.

While the extensions affected only 2,300 users, the theft of enterprise credentials could fuel large-scale ransomware and data theft attacks.

Marketed as tools for enterprise users

Socket says the extensions were promoted to users of enterprise HR and ERP platforms, presenting themselves as tools designed to improve productivity, streamline workflows, or enhance security controls.

Several of the extensions claimed to offer simplified access to "premium tools" for Workday, NetSuite, and other platforms.

One of the more popular extensions, Data By Cloud 2, was installed 1,000 times and promoted as a dashboard offering bulk management tools and faster access for users managing multiple enterprise accounts.
