Thursday, January 22, 2026
Technology
9 min read

Malicious Chrome Extensions Hijack Workday, Netsuite Accounts

Infosecurity Magazine
January 19, 2026
Malicious Google Chrome Extensions Hijack Workday and Netsuite

AI-Generated Summary

Malicious Google Chrome extensions, posing as productivity tools, have been removed from the Chrome Web Store after stealing cookies and hijacking accounts on HR and ERP platforms like Workday and Netsuite. The extensions, downloaded by 2300 users, actively blocked incident response by preventing password changes and account lockouts. Researchers noted a coordinated operation despite separate publisher listings.

A set of malicious Google Chrome extensions that steal cookies, take over accounts and actively block incident response has been identified targeting widely used human resource (HR) and enterprise resource planning (ERP) platforms, including Workday, Netsuite and SAP SuccessFactors.

Identified by the threat research team at application security firm Socket, the extensions posed as productivity tools for users managing multiple HR and ERP accounts and were available in the Chrome Web Store. Following disclosure, the malicious extensions have been removed, but not before they were downloaded by 2300 users. The extensions were named DataByCloud 2, Tool Access 11, DataByCloud Access, Data By Cloud 1 and Software Access.

Researchers noted that the extensions all targeted the same enterprise platforms and shared identical security tool detection lists, API endpoint patterns and code structures, indicating a coordinated operation even though the extensions were listed as developed by separate publishers. The Chrome Web Store listings were designed to look polished and professional. Some even claimed to contain security features to prevent account compromise, despite the fact that compromising accounts was their actual goal.

Once installed, the malicious extensions engaged in a range of actions to take control of accounts. These included extracting authentication cookies and uploading them to a command and control (C2) server every 60 seconds, as well as extracting session tokens, encrypting C2 traffic and taking control of session control interfaces.

The extensions were also designed to actively prevent incident response actions against them. Techniques deployed included blocking password changes, so that stolen access tokens remained valid indefinitely, and preventing security teams from locking out compromised accounts during remediation. In another technique designed to hinder response, administrators attempting to disable an affected user's account would encounter a blank page and a redirect loop.

“The coordinated deployment of cookie theft, administrative blocking, and session hijacking across five extensions represents a sophisticated attack on enterprise HR and ERP platforms,” said Kush Pandya, security engineer and researcher at Socket. “Similar patterns targeting other enterprise platforms should be anticipated,” he added.

To prevent accounts being compromised by this or similar malicious campaigns, Socket said that security teams should implement Chrome Enterprise extension allowlists to prevent installation of unauthorized extensions. Socket also recommended that organizations monitor for extensions targeting the same enterprise platforms with similar permission requests. Infosecurity has contacted Google for comment.
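Socket's second recommendation, monitoring for extensions that reach the same enterprise platforms with similar permission requests, can be scripted against the manifest.json of installed extensions. The Python below is an added example written for this article, not Socket's tooling; the platform hostnames, the risky-permission list and the sample manifests are assumptions constructed for illustration.

```python
# Hostnames and the sample manifests below are constructed for illustration, not data from the report.
PLATFORM_DOMAINS = {"Workday": ("workday.com", "myworkday.com"), "Netsuite": ("netsuite.com",),
                    "SAP SuccessFactors": ("successfactors.com", "successfactors.eu")}
# Permissions that let an extension read session cookies or tamper with requests.
RISKY = ("cookies", "webRequest", "webRequestBlocking", "scripting", "tabs")

def host_patterns(manifest):
    """Host match patterns from MV2 'permissions', MV3 'host_permissions' and content scripts."""
    pats = list(manifest.get("host_permissions", []))
    pats += [p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"]
    for cs in manifest.get("content_scripts", []):
        pats += cs.get("matches", [])
    return pats

def platforms_covered(patterns):
    """Enterprise platforms a set of match patterns reaches; '<all_urls>' or '*' reaches all."""
    hit = set()
    for pat in patterns:
        host = "" if pat == "<all_urls>" else pat.split("://", 1)[-1].split("/", 1)[0]
        host = host.split(":")[0].lstrip("*.")  # '*.workday.com' -> 'workday.com', '*' -> ''
        for name, domains in PLATFORM_DOMAINS.items():
            if host == "" or any(host == d or host.endswith("." + d) for d in domains):
                hit.add(name)
    return sorted(hit)

def audit(manifest):
    """One finding per manifest: reachable platforms, risky permissions, and a verdict."""
    perms = sorted(p for p in manifest.get("permissions", []) if p in RISKY)
    plats = platforms_covered(host_patterns(manifest))
    return {"name": manifest.get("name", "?"), "platforms": plats, "permissions": perms,
            "suspicious": bool(plats) and "cookies" in perms}

def cluster(manifests):
    """Group suspicious extensions that share the same platform set and permission set."""
    groups = {}
    for f in map(audit, manifests):
        if f["suspicious"]:
            groups.setdefault((tuple(f["platforms"]), tuple(f["permissions"])), []).append(f["name"])
    return groups

# Constructed manifests: two lookalike 'multi-account' helpers (MV3 and MV2) and one benign extension.
SAMPLE = [
    {"name": "HR Multi-Login A", "manifest_version": 3, "permissions": ["cookies", "tabs", "storage"],
     "host_permissions": ["*://*.workday.com/*", "*://*.netsuite.com/*", "*://*.successfactors.com/*"]},
    {"name": "HR Multi-Login B", "manifest_version": 2, "permissions": ["cookies", "tabs", "storage",
     "*://*.workday.com/*", "*://*.netsuite.com/*", "*://*.successfactors.com/*"]},
    {"name": "Spell Helper", "manifest_version": 3, "permissions": ["storage"],
     "host_permissions": ["*://example.com/*"]},
]
```

Calling `cluster(SAMPLE)` groups the two lookalike extensions under one key (three platforms, cookies plus tabs) and leaves Spell Helper out; to run it on real installs, load each manifest.json beneath the browser profile's Extensions directory and pass the parsed dicts in.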
