
Cyberhaven: Chrome Extensions Found Compromised, Threat Actor Uses Other Groups’ Tools

Threat Overview

AlienVault has recently published a threat report highlighting the activities of several Chrome extensions that have been compromised. The affected extensions are linked to multiple suspicious domains resolving to the same IP address as cyberhavenext[.]pro.

Compromised Extensions and Domains

The confirmed compromised extensions include Cyberhaven, whose Chrome Web Store URL is listed below. Users are advised to search for these extensions in their environments and monitor for any traffic to the IP address 149.28.124[.]84.

  • Cyberhaven: https://chrome.google.com/webstore/detail/cyberhaven/lomkodljhjnlkgfekblpmgikpgpdkbgh
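
One way to run both checks recommended above, as an added example that is not part of the original report. It looks for the listed extension ID under a Chrome "User Data" directory and flags proxy or DNS log lines that name the IP address or domain. It assumes Chrome's on-disk layout `<profile>/Extensions/<extension id>/<version>`; the sample profile tree, version directories and log lines are constructed.

```python
import re
import tempfile
from pathlib import Path

# Indicators from the report above (defanged on the page, refanged for matching).
EXTENSION_IDS = {"lomkodljhjnlkgfekblpmgikpgpdkbgh": "Cyberhaven"}
IOC_IP = "149.28.124.84"
IOC_DOMAIN = "cyberhavenext.pro"

def find_extensions(user_data_dir):
    """List (profile, name, version_dir) for listed extension IDs found under a
    Chrome "User Data" directory: <profile>/Extensions/<extension id>/<version>."""
    hits = []
    for ext_dir in sorted(Path(user_data_dir).glob("*/Extensions/*")):
        name = EXTENSION_IDS.get(ext_dir.name)
        if name and ext_dir.is_dir():
            profile = ext_dir.parent.parent.name
            hits += [(profile, name, v.name) for v in sorted(ext_dir.iterdir()) if v.is_dir()]
    return hits

def scan_log(lines):
    """Return (line_number, line) for lines naming the IP, the domain or a subdomain."""
    hits = []
    for number, line in enumerate(lines, start=1):
        text = line.replace("[.]", ".").lower()  # accept defanged indicators too
        for token in re.findall(r"[a-z0-9.-]+", text):
            host = token.strip(".")
            # Compare whole host tokens so look-alike hosts do not match.
            if host in (IOC_IP, IOC_DOMAIN) or host.endswith("." + IOC_DOMAIN):
                hits.append((number, line))
                break
    return hits

# Constructed sample proxy log, not real telemetry; lines 3 and 4 are near misses.
SAMPLE_LOG = [
    "2025-01-01T00:00:01Z 10.0.5.21 CONNECT 149.28.124.84:443 200",
    "2025-01-01T00:00:02Z 10.0.5.21 GET https://cyberhavenext.pro/ 200",
    "2025-01-01T00:00:03Z 10.0.5.37 GET https://cyberhavenext.pro.example.net/ 200",
    "2025-01-01T00:00:04Z 10.0.5.37 GET http://149.28.124.84.example.net/ 200",
]

def build_sample_profile(root):
    """Create a constructed profile holding the listed ID and one unrelated ID."""
    for ext_id, version in (("lomkodljhjnlkgfekblpmgikpgpdkbgh", "1.0.0_0"), ("a" * 32, "2.3.4_0")):
        (Path(root) / "Default" / "Extensions" / ext_id / version).mkdir(parents=True)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(find_extensions(build_sample_profile(tmp)))
    print(scan_log(SAMPLE_LOG))
```

The extension ID identifies the product rather than a particular build, so the reported version directories still need to be compared with the vendor's advisory.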

Threat Actor’s TTPs

The threat actor behind this compromise has been linked to multiple suspicious domains, suggesting a widespread attack targeting browser extensions. This could potentially put users’ data and privacy at risk.

Recommendations for Improving Cybersecurity Posture

Based on the threat report, several recommendations can be made:
* Monitor activity from known malware samples, such as those associated with cyberhavenext[.]pro.
* Implement strict security controls around access to sensitive systems.
* Regularly update software packages to prevent exploitation of zero-day vulnerabilities.
* Implement layered web and network security mechanisms to detect and prevent lateral movement.

Resources

The Record Article on Cyberhaven Hack
LinkedIn Post by Jaime Blasco



Copyright © 2025 ESSGroup