Cybersecurity firm Socket identified malicious Chrome extensions designed to target enterprise HR and ERP platforms. These extensions, masquerading as productivity and security tools for platforms such as Workday, NetSuite, and SAP SuccessFactors, were found to be engaged in credential theft and the obstruction of security management pages. Socket's investigation uncovered five such Chrome extensions, which had been installed over 2,300 times collectively. The campaign involved three distinct attack methods: cookie exfiltration to remote servers, manipulation of the Document Object Model (DOM) to block security administration pages, and bidirectional cookie injection for direct session hijacking. Despite being published under various names, including 'databycloud1104' and 'Software Access', the extensions shared identical infrastructure, code patterns, and target specifications, suggesting a coordinated operation.

They were marketed as tools to improve productivity, streamline workflows, or enhance security controls for enterprise users. For example, 'Data By Cloud 2' claimed to offer bulk management, and 'Tool Access 11' purported to restrict access to sensitive administrative features. The extensions did not disclose their malicious activities, such as cookie extraction, credential exfiltration, or the blocking of security administration pages. Their privacy policies also did not mention the collection of user data.

Analysis by Socket confirmed that multiple extensions continuously extracted authentication cookies named '__session' for the targeted domains; these cookies contained active login tokens for Workday, NetSuite, and SuccessFactors. The tokens were transmitted to remote command-and-control servers every 60 seconds, allowing attackers to maintain access even after users logged out.

Two extensions, 'Tool Access 11' and 'Data By Cloud 2', blocked access to security and incident response pages within Workday. They detected target pages by their titles and then either erased the page content or redirected administrators away from the management pages. 'Tool Access 11' targeted 44 administrative pages, while 'Data By Cloud 2' expanded this to 56 pages, including password management and security audit logs, potentially hindering incident response.

The 'Software Access' extension also implemented bidirectional cookie manipulation. This feature not only stole session tokens but also allowed cookies held on the attacker's server to be injected directly into the victim's browser. This mechanism facilitated immediate account takeover across the targeted enterprise platforms without requiring usernames, passwords, or multi-factor authentication codes.

Socket reported these extensions to Google, leading to their removal from the Chrome Web Store. Users who may have installed these extensions are advised to report the incident to their security administrators and to change their passwords on the affected platforms.
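One defender-side check suggested by the 60-second exfiltration cadence described above, as an added example (not code from Socket's report or from the extensions themselves): a small Python script that flags fixed-interval beacons in proxy logs. The log lines, client address, and host names (`c2.invalid`, `workday.example`) are constructed placeholders.

```python
"""Flag periodic outbound requests (a fixed-interval beacon) in proxy logs.

Added example, not taken from the Socket report. The log lines below are
constructed; the ~60 s cadence mirrors the exfiltration interval described
in the summary above.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: "timestamp client dest_host path".
# workday.example is ordinary, irregular SaaS traffic; c2.invalid is
# contacted at a near-constant interval (the beacon pattern to detect).
SAMPLE_LOG = """\
2024-01-01T09:00:00 10.0.0.5 workday.example /login
2024-01-01T09:00:07 10.0.0.5 workday.example /home
2024-01-01T09:00:10 10.0.0.5 c2.invalid /collect
2024-01-01T09:01:10 10.0.0.5 c2.invalid /collect
2024-01-01T09:02:09 10.0.0.5 c2.invalid /collect
2024-01-01T09:02:31 10.0.0.5 workday.example /reports
2024-01-01T09:03:10 10.0.0.5 c2.invalid /collect
2024-01-01T09:04:11 10.0.0.5 c2.invalid /collect
2024-01-01T09:04:50 10.0.0.5 workday.example /home
"""


def find_beacons(log_text, min_hits=4, max_jitter=0.1):
    """Return {(client, host): mean_interval_seconds} for hosts contacted at a
    near-constant interval: at least ``min_hits`` requests whose gaps between
    consecutive requests have a relative spread (std dev / mean) below
    ``max_jitter``. Irregular, bursty traffic does not qualify."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        ts, client, host, _path = line.split()
        seen[(client, host)].append(datetime.fromisoformat(ts))
    beacons = {}
    for key, times in seen.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            beacons[key] = round(avg)
    return beacons


if __name__ == "__main__":
    for (client, host), interval in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: beacon every ~{interval}s")
```

On real logs, feed the script only requests attributable to the browser and tune `min_hits` and `max_jitter` to the observation window, since a single 60-second beacon needs a few minutes of traffic before it stands out from ordinary page loads.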
Malicious Chrome Extensions Target Enterprise Platforms for Credential Theft and Session Hijacking