Malicious Chrome Extensions Target Enterprise HR and ERP Platforms
Cybersecurity firm Socket has identified a series of malicious Chrome extensions designed to steal credentials and disrupt security management on major enterprise platforms. These extensions, disguised as legitimate productivity and security tools, specifically targeted systems including Workday, NetSuite, and SAP SuccessFactors.
The campaign involved three distinct attack methods: cookie exfiltration, blocking of security pages, and bidirectional cookie injection for direct session hijacking.
The Extensions and Their Disguise
Socket's investigation uncovered five such Chrome extensions, which had been installed over 2,300 times collectively. Despite being published under various publisher names like 'databycloud1104' and 'Software Access', the extensions shared identical infrastructure, code patterns, and target specifications, pointing to a coordinated operation.
They were marketed to enterprise users as tools to improve productivity, streamline workflows, or enhance security controls. For instance:
- 'Data By Cloud 2' claimed to offer bulk management features.
- 'Tool Access 11' purported to restrict access to sensitive administrative features.
Critically, the extensions did not disclose their malicious activities, such as cookie extraction, credential exfiltration, or the blocking of security administration pages. Their privacy policies also omitted any mention of collecting user data.
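Whatever an extension's listing or privacy policy says, the capabilities it declares in its manifest are visible to anyone who unpacks it. The script below is an added example written for this article (it is not Socket's tooling and not code from the extensions described); it audits a parsed manifest for the combination the report describes, cookie access plus host permissions reaching the named HR/ERP platforms, and reports a high-risk flag. Both manifests, the publisher and host names in them, and the `SENSITIVE_DOMAINS` list are constructed for illustration.

```python
"""Audit a Chrome extension manifest for cookie access on enterprise HR/ERP hosts.

Added example for this article; not Socket's tooling and not code from the
extensions it describes. Both manifests below are constructed for illustration.
"""
import json

# Platforms named in the report. A real audit would extend this list to the
# SaaS domains the organisation actually uses.
SENSITIVE_DOMAINS = ("workday.com", "netsuite.com", "successfactors.com")

# Permissions that enable reading/setting cookies or running code in pages.
RISKY_PERMISSIONS = {"cookies", "scripting", "tabs", "webRequest",
                     "declarativeNetRequest", "webNavigation"}


def host_of(match_pattern):
    """Reduce a match pattern such as '*://*.workday.com/*' to its host part."""
    if match_pattern == "<all_urls>":
        return "*"
    rest = match_pattern.split("://", 1)[-1]
    return rest.split("/", 1)[0]


def covers(host_pattern, domain):
    """True if a host pattern ('*', '*.example.com', 'app.example.com') reaches `domain`."""
    if host_pattern == "*":
        return True
    base = host_pattern[2:] if host_pattern.startswith("*.") else host_pattern
    return (base == domain or base.endswith("." + domain)
            or (host_pattern.startswith("*.") and domain.endswith("." + base)))


def sensitive_hosts(patterns):
    """Return the sensitive domains reached by any of the given match patterns."""
    hits = set()
    for p in patterns:
        h = host_of(p)
        hits.update(d for d in SENSITIVE_DOMAINS if covers(h, d))
    return sorted(hits)


def audit_manifest(manifest):
    """Return findings and a high-risk flag for one parsed manifest dict."""
    perms = set(manifest.get("permissions", []))
    # MV2 put host patterns in `permissions`; MV3 uses `host_permissions`.
    host_patterns = list(manifest.get("host_permissions", [])) + [
        p for p in perms if "://" in p or p == "<all_urls>"]
    findings = []
    risky = sorted(perms & RISKY_PERMISSIONS)
    if risky:
        findings.append("risky API permissions: " + ", ".join(risky))
    reached = sensitive_hosts(host_patterns)
    if reached:
        findings.append("host access to sensitive platforms: " + ", ".join(reached))
    for cs in manifest.get("content_scripts", []):
        cs_hits = sensitive_hosts(cs.get("matches", []))
        if cs_hits:
            findings.append("content script injected into: " + ", ".join(cs_hits))
    # Cookie API access on a host the organisation's HR/ERP tenant lives on is
    # exactly what lets an extension read and forward a session cookie.
    high_risk = "cookies" in perms and bool(reached)
    return {"name": manifest.get("name", "?"), "high_risk": high_risk, "findings": findings}


# Constructed manifests (illustrative only, not taken from the real extensions).
SUSPECT_MANIFEST = json.loads("""{
  "manifest_version": 3,
  "name": "Example Bulk Admin Helper",
  "permissions": ["cookies", "scripting", "tabs", "storage"],
  "host_permissions": ["*://*.workday.com/*", "*://*.netsuite.com/*",
                       "*://*.successfactors.com/*", "https://c2.example.invalid/*"],
  "content_scripts": [{"matches": ["*://*.workday.com/*"], "js": ["page.js"]}]
}""")

BENIGN_MANIFEST = json.loads("""{
  "manifest_version": 3,
  "name": "Example Note Taker",
  "permissions": ["storage"],
  "host_permissions": []
}""")

if __name__ == "__main__":
    for m in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        print(json.dumps(audit_manifest(m), indent=2))
```

Run against the manifests of extensions already deployed in a fleet, the high-risk flag gives a short list to review; the longer-term control is to enforce an allowlist of vetted extensions through Chrome's enterprise policies (`ExtensionInstallAllowlist`, `ExtensionInstallBlocklist`, `ExtensionSettings`) so that an extension with these permissions cannot be installed by end users in the first place.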
Three-Pronged Attack Methodology
Analysis by Socket confirmed the extensions employed a multi-faceted approach:
1. Continuous Credential Theft
Multiple extensions continuously extracted authentication cookies named '__session' for the targeted domains. These cookies contained active login tokens for Workday, NetSuite, and SuccessFactors. The tokens were transmitted to remote command-and-control servers every 60 seconds, allowing attackers to maintain access to accounts even after the legitimate user had logged out.
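A fixed 60-second exfiltration timer leaves a very regular footprint in outbound proxy logs: one (client, destination) pair with near-identical gaps between requests, while ordinary browsing to the same tenant is bursty. The script below is an added example written for this article, not Socket's detection logic; it groups requests by client and destination host and flags pairs whose inter-request intervals have a very low coefficient of variation. The log format, the client address, the tenant host `hr.workday.example` and the destination `c2.example.invalid` are all constructed placeholders, not indicators from the report.

```python
"""Flag fixed-interval outbound requests (beaconing) in proxy logs.

Added example for this article; not Socket's detection logic. The log lines
are constructed: "<ISO timestamp> <client> <method> <host>", and the
destination "c2.example.invalid" is a placeholder, not an indicator from the report.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: six POSTs to one host roughly 60 s apart, interleaved
# with normal browsing to an HR tenant and a CDN.
SAMPLE_LOG = """\
2024-05-01T09:00:00Z 10.1.2.3 POST c2.example.invalid
2024-05-01T09:00:07Z 10.1.2.3 GET hr.workday.example
2024-05-01T09:00:09Z 10.1.2.3 GET hr.workday.example
2024-05-01T09:00:40Z 10.1.2.3 GET cdn.example.invalid
2024-05-01T09:01:00Z 10.1.2.3 POST c2.example.invalid
2024-05-01T09:02:01Z 10.1.2.3 POST c2.example.invalid
2024-05-01T09:02:30Z 10.1.2.3 GET hr.workday.example
2024-05-01T09:03:00Z 10.1.2.3 POST c2.example.invalid
2024-05-01T09:03:59Z 10.1.2.3 POST c2.example.invalid
2024-05-01T09:04:45Z 10.1.2.3 GET hr.workday.example
2024-05-01T09:05:00Z 10.1.2.3 POST c2.example.invalid
2024-05-01T09:05:10Z 10.1.2.3 GET hr.workday.example
"""


def parse_log(text):
    """Yield (timestamp, client, method, host) tuples from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, method, host


def find_beacons(text, min_requests=5, max_jitter=0.1):
    """Return (client, host) pairs whose inter-request intervals are nearly constant.

    max_jitter is the allowed coefficient of variation (stdev / mean) of the
    intervals; a 60 s timer with a second or two of network jitter stays well
    under it, while human browsing does not.
    """
    series = defaultdict(list)
    for ts, client, _method, host in parse_log(text):
        series[(client, host)].append(ts)
    hits = []
    for (client, host), times in series.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append({"client": client, "host": host,
                         "requests": len(times), "interval_s": round(avg, 1)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

On the sample the only pair flagged is the client's traffic to `c2.example.invalid` at a 60-second cadence; the bursty requests to the HR tenant are not. In production the same logic belongs in a SIEM query over a day of proxy or DNS logs, with known-good telemetry hosts excluded, since legitimate software also polls on timers.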
2. Obstruction of Security Management
Two extensions, 'Tool Access 11' and 'Data By Cloud 2', actively blocked administrator access to security and incident response pages within Workday. This was achieved by detecting page titles and then either erasing the page content or redirecting the user away.
- 'Tool Access 11' targeted 44 administrative pages.
- 'Data By Cloud 2' expanded this to 56 pages, including those for password management and security audit logs, potentially crippling an organization's ability to respond to a security incident.
3. Direct Session Hijacking
The 'Software Access' extension implemented a more aggressive technique: bidirectional cookie manipulation. This feature not only stole session tokens but also allowed the attacker to inject stolen cookies from their server directly into a victim's browser.
This mechanism facilitated immediate account takeover across targeted enterprise platforms without requiring usernames, passwords, or multi-factor authentication codes.
Resolution and User Advice
Socket reported these malicious extensions to Google, which has since removed them from the Chrome Web Store. Users who may have installed any of these extensions are strongly advised to:
- Report the incident to their organization's security administrators immediately.
- Change their passwords on all affected platforms (Workday, NetSuite, SAP SuccessFactors).