ESSGroupCyberhaven: Chrome Extensions Found Compromised, Threat Actor Uses Other Groups’ Tools

Cyberhaven: Chrome Extensions Found Compromised, Threat Actor Uses Other Groups’ Tools

Threat Overview

AlienVault has recently published a threat report highlighting the activities of several Chrome extensions that have been compromised. The affected extensions are linked to multiple suspicious domains resolving to the same IP address as cyberhavenext[.]pro.

Compromised Extensions and Domains

Some confirmed compromised extensions include Cyberhaven, with their corresponding URLs listed below. Users are advised to search for these extensions in their environments and monitor for any traffic to the IP address 149.28.124[.]84.

Cyberhaven: https://chrome.google.com/webstore/detail/cyberhaven/lomkodljhjnlkgfekblpmgikpgpdkbgh

Threat Actor’s TTPs

The threat actor behind this compromise has been linked to multiple suspicious domains, suggesting a widespread attack targeting browser extensions. This could potentially put users’ data and privacy at risk.

Recommendations for Improving Cybersecurity Posture

Based on the threat report, several recommendations can be made:
* Monitor activity from known malware samples, such as those associated with cyberhavenext[.]pro.
* Implement strict security controls around access to sensitive systems.
* Regularly update software packages to prevent exploitation by zero-day vulnerabilities
* Implement layered web and network security mechanisms to detect and prevent lateral movement.

Resources

The Record Article on Cyberhaven Hack
LinkedIn Post by Jaime Blasco

Related

Discover more from ESSGroup

Subscribe to get the latest posts sent to your email.

30 Dec 2024

Comment 0

Categoty:
CTI News

Cyber Security

Threat

Azure Active Directory

Malware

Vulnerability

Email Security

Threat actors (ATP)

Leave a ReplyCancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

News & Blog

Related Blog

02 January

ICS Threat Report: New Malware Can Kill Engineering Processes

Threat Overview

Cyber threats targeting industrial control systems (ICS) have become a pressing concern for organizations in various sectors, including energy and manufacturing. A recent threat report published by ICS-CSIRT.io highlighted the emergence of new malware that can disrupt engineering processes.

The report, titled “New, Experimental Malware Can Kill Engineering Processes,” details an ICS threat actor group that has been observed using this malware to compromise industrial targets. The malware is designed to target specific systems and can cause significant disruptions to critical infrastructure.

Tactics, Techniques, and Procedures (TTPs)

The report highlights the tactics, techniques, and procedures (TTPs) employed by the ICS threat actor group. These include:

System Compromise: Targeting vulnerable industrial control system devices.
Data Exfiltration: Stealing sensitive data from compromised systems.
Malware Distribution: Distributing malware through various attack vectors.

Tools and Infrastructure Used

The report also outlines the tools and infrastructure used by the ICS threat actor group, including:

Hapiot backdoor
KazuarV2 backdoor

Techniques Exploited for Execution of Attacks

The report highlights several techniques exploited by the ICS threat actor group to execute attacks, including:

Initial Access

Spear phishing was used as a technique to gain initial access to target systems.

Recommendations

Based on the threat report, several recommendations can be made for improving cybersecurity posture:

Monitor activity from known adversary groups.
Implement strict security controls around access to sensitive systems.
Regularly update software packages to prevent exploitation by exploiting zero-day vulnerabilities.
Implement layered web and network security mechanisms.

Resources

The full threat report is available at the following link:
https://www.forescout.com/blog/ics-threat-analysis-new-experimental-malware-can-kill-engineering-processes/

In conclusion, this new malware poses a significant threat to industrial control systems and emphasizes the need for organizations to maintain robust cybersecurity measures to protect against these types of threats.

Related

16 December

Exploitation of a Vulnerability in Apache ActiveMQ by actor group Mauri Ransomware

Threat Overview

Cyber Threats and Vulnerabilities: Protect Your Organization from Attack

Threat Overview for Security Operation Center

Cyber threats are becoming increasingly sophisticated, with attackers using new techniques to exploit vulnerabilities in systems and networks. The latest threat report from AlienVault highlights the exploitation of a vulnerability in Apache ActiveMQ by actor group Mauri Ransomware Threat Actors.

Tactics, Techniques, and Procedures (TTPs)

According to the AlienVault report, Mauri ransomware actors are exploiting the CVE-2023-46604 vulnerability to attack Korean systems. The attackers use XML configuration files to add backdoor accounts, install remote access tools like Quasar RAT, and set up proxies using Frpc.

The Maui Ransomware is built on open-source code and has been found in customized configurations. While primarily targeting cryptocurrency mining, some cases involve system control and potential data theft.

Vulnerabilities to Watch Out For

Apache ActiveMQ Vulnerability (CVE-2023-46604): This vulnerability allows remote code execution on unpatched servers. It is essential to patch vulnerable Apache ActiveMQ versions as soon as possible.
Zero-Day Exploits: With the rise of zero-day exploits, it is crucial to stay up to date with the latest security patches and implement robust security controls around access to sensitive systems.
Phishing Attacks: Phishing attacks remain a significant threat, so ensure that employees are aware of these risks and how to avoid them.
Ransomware: In recent years, ransomware attacks have become increasingly common. Implementing a robust backup system can help minimize the impact of these attacks.

Recommendations for Prevention

Patch Vulnerabilities Promptly: Regularly update software packages to prevent exploitation by exploiting zero-day vulnerabilities. Patching vulnerabilities promptly is essential in maintaining the security and integrity of your network.
Implement Firewalls and Intrusion Detection Systems (IDS): Configure firewalls and IDS systems to monitor traffic going into and out of your network, helping identify potential threats before they can cause significant damage.
Regularly Back Up Critical Data: Keep backups of critical data both in-house and by utilizing cloud backup services. The most recent security patches are necessary to utilize cloud services with reliable encryption keys so an attacker cannot recover any of the encrypted backups.
Use An Antivirus Program: Utilize reputable antivirus applications and, for enterprise businesses, you can use a dedicated malware detection tool like AlienVault Labs OTX.

Stay Vigilant

Staying informed about the latest threat reports is crucial in maintaining the security and well-being of your organization. The most recent updates on current threats can be found on various threat intelligence platforms. When it comes to cybersecurity, a proactive approach will prevent losses due to cyber-attacks.

Related

17 January

Cyber Threat Report: Ivanti Vulnerabilities Exploited in the Wild

Threat Overview

A recently published threat report by AlienVault, titled “Threat Brief: CVE-2025-0282 and CVE-2025-0283”, highlights critical vulnerabilities in Ivanti Connect Secure, Policy Secure, and ZTA gateway products that are being actively exploited.

Vulnerabilities

The report details two high-severity vulnerabilities:

* CVE-2025-0282: Allows for remote code execution (RCE) on the targeted systems.

* CVE-2025-0283: Enables privilege escalation, granting attackers elevated access.

Attack Activity Observed

Attacks exploiting CVE-2025-0282 have been observed in the wild, involving a series of malicious activities:

* Initial access to target systems.

* Credential harvesting to maintain persistence.

* Lateral movement within compromised networks.

* Defense evasion techniques employed to avoid detection.

Custom Tools Used

Attackers have been observed using custom tools such as SPAWNMOLE, SPAWNSNAIL, and SPAWNSLOTH during these attacks.

Activity Cluster Identification

The activity cluster CL-UNK-0979 has been identified in relation to these incidents, potentially linking them to UNC5337 threat actor group.

Recommendations

Given the critical nature of these vulnerabilities and the observed attacks, the following actions are strongly recommended:

* Immediate Patching: Apply the available patches for Ivanti products to fix CVE-2025-0282 and CVE-2025-0283.

* Network Monitoring: Actively monitor network traffic for unusual activities related to these vulnerabilities.

Protective Measures

Users of Palo Alto Networks products can enable the following protections:

* WildFire: Provides effective sandbox analysis to detect and block malicious files.

* Threat Prevention: Offers URL filtering and other protective measures against known threats.

References

For more detailed information on this threat, please refer to the original reports:

* Palo Alto Unit 42 threat brief: https://unit42.paloaltonetworks.com/threat-brief-ivanti-cve-2025-0282-cve-2025-0283/

Related

Empowering communities through knowledge, collaboration, and open dialogue. Join us in making a difference!

Programs

Usefull Links

Contact