Cyberhaven Extension Compromise: TLS Certificates Reveal Hidden Infrastructure
NetmanageIT OpenCTI - opencti.netmanageit.com
SUMMARY :
A phishing attack on a Cyberhaven employee allowed the attacker to compromise Cyberhaven's Google Chrome extension and publish a malicious version to the Chrome Web Store. The malicious build was live for roughly 24 hours and could exfiltrate cookies and session data from users' browsers. Analysis of the IP addresses and domains involved revealed connections to a broader campaign targeting Facebook advertising accounts. A TLS certificate tied the previously reported infrastructure to additional hosts, suggesting a long-running operation rather than a one-off compromise. That infrastructure, hosted mainly on The Constant Company network, shows a consistent pattern of domains mimicking known organizations and browser extensions, dating back to early 2024. Although there are similarities with groups such as Savvy Seahorse, further analysis is needed before any definitive link can be made.
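The pivot described above (a TLS certificate linking already-known hosts to additional ones, and certificates being rotated on the same host over time) is a routine infrastructure-analysis step. The following is an added example, not code from the report, from Cyberhaven or from OpenCTI, of how a practitioner would perform that pivot over a set of passive-scan observations. The observation records are constructed placeholders (RFC 5737 documentation addresses and fake fingerprints), not indicators from the campaign. The `max_hosts` threshold is the caveat a practitioner wants: a certificate presented by a very large number of hosts is usually a hosting-provider default or a shared wildcard and must not be treated as a link.

```python
"""Pivot on TLS certificate fingerprints to cluster infrastructure.

Added example; the observations below are constructed placeholders
(RFC 5737 addresses, fake SHA-256 fingerprints), not real indicators.
"""
from collections import defaultdict
from datetime import date

# Constructed observations: (host, SHA-256 of the leaf certificate, first seen).
OBSERVATIONS = [
    ("192.0.2.10",   "aaaa" * 16, date(2024, 2, 1)),
    ("192.0.2.10",   "bbbb" * 16, date(2024, 6, 15)),   # same host, new cert (rotation)
    ("192.0.2.11",   "bbbb" * 16, date(2024, 6, 20)),   # same cert reused on another host
    ("198.51.100.5", "cccc" * 16, date(2024, 9, 1)),
    ("198.51.100.5", "bbbb" * 16, date(2024, 10, 3)),   # rotation onto the shared cert
    ("203.0.113.7",  "dddd" * 16, date(2024, 3, 12)),   # unrelated host, never linked
]


def index_by_cert(observations):
    """Map fingerprint -> set of hosts that presented it."""
    by_cert = defaultdict(set)
    for host, fp, _ in observations:
        by_cert[fp].add(host)
    return by_cert


def index_by_host(observations):
    """Map host -> set of fingerprints it has presented."""
    by_host = defaultdict(set)
    for host, fp, _ in observations:
        by_host[host].add(fp)
    return by_host


def pivot(seeds, observations, max_hosts=10):
    """Hosts reachable from the seed hosts through shared certificates.

    Certificates presented by more than max_hosts hosts are ignored: they
    are almost always provider defaults or shared wildcards, not a link.
    Returns (linked_hosts, linking_certs).
    """
    by_cert = index_by_cert(observations)
    by_host = index_by_host(observations)
    hosts, certs = set(), set()
    frontier = list(seeds)
    while frontier:
        host = frontier.pop()
        if host in hosts:
            continue
        hosts.add(host)
        for fp in by_host.get(host, ()):
            if len(by_cert[fp]) > max_hosts:
                continue  # too promiscuous to be evidence of shared operator
            certs.add(fp)
            frontier.extend(h for h in by_cert[fp] if h not in hosts)
    return hosts, certs


def rotations(observations):
    """Per host, the ordered list of distinct certificates seen over time.

    Only hosts whose certificate changed (more than one entry) are returned.
    """
    timeline = defaultdict(list)
    for host, fp, seen in sorted(observations, key=lambda r: r[2]):
        if not timeline[host] or timeline[host][-1] != fp:
            timeline[host].append(fp)
    return {h: fps for h, fps in timeline.items() if len(fps) > 1}


if __name__ == "__main__":
    linked, certs = pivot({"192.0.2.10"}, OBSERVATIONS)
    print("linked hosts:", sorted(linked))
    print("linking certs:", sorted(c[:8] for c in certs))
    for host, fps in rotations(OBSERVATIONS).items():
        print("rotation on", host, "->", " -> ".join(fp[:8] for fp in fps))
```

Starting from one known-bad host, the pivot walks host-to-certificate-to-host until nothing new appears, and `rotations()` shows which hosts changed certificates and in what order, which is the kind of timeline that lets an analyst argue an operation has been running since a given date. In real work the observations would come from a certificate-transparency or internet-scan dataset rather than a literal list, and the threshold should be tuned against that dataset.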
OPENCTI LABELS :
phishing,chrome extension,domain spoofing,certificate rotation