{
  "name": "Targeted supply chain attack against Chrome browser extensions",
  "slug": "targeted-supply-chain-attack-against-chrome-browser-extensions",
  "description": "In December 2024, a threat actor successfully compromised around a dozen legitimate Chrome browser extensions by abusing extension developers' permissions, which it had obtained through phishing attacks. The malicious code injected into the compromised extensions aimed to harvest sensitive user data, such as API keys, session cookies, and authentication tokens, from websites such as ChatGPT and Facebook for Business. The analysis sheds light on the targeted phishing campaign and the adversary's infrastructure, and provides remediation steps along with technical indicators.",
  "published": "2025-01-22T15:27:16+00:00",
  "created_at": "2025-01-22T15:27:16+00:00",
  "modified_at": "2025-01-22T15:48:59+00:00",
  "created_at_opencti": "2025-01-22T15:27:16+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-01-22",
    "browser extensions",
    "credentials",
    "data harvesting",
    "phishing",
    "supply-chain"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "185.92.222.127"
      },
      {
        "id": "",
        "name": "149.248.56.63"
      },
      {
        "id": "",
        "name": "144.202.101.155"
      },
      {
        "id": "",
        "name": "140.82.45.42"
      },
      {
        "id": "",
        "name": "136.244.113.231"
      },
      {
        "id": "",
        "name": "65.20.99.178"
      },
      {
        "id": "",
        "name": "45.77.5.196"
      },
      {
        "id": "",
        "name": "45.76.225.148"
      },
      {
        "id": "",
        "name": "155.138.253.165"
      },
      {
        "id": "",
        "name": "149.28.117.236"
      },
      {
        "id": "",
        "name": "149.248.44.88"
      },
      {
        "id": "",
        "name": "149.248.2.160"
      },
      {
        "id": "",
        "name": "137.220.48.214"
      },
      {
        "id": "",
        "name": "136.244.115.219"
      },
      {
        "id": "",
        "name": "108.61.23.192"
      },
      {
        "id": "",
        "name": "149.28.124.84"
      },
      {
        "id": "",
        "name": "https://graphqlnetwork.pro/ai-graphqlnetwork"
      },
      {
        "id": "",
        "name": "https://app.checkpolicy.site/extension-privacy-policy?e=victime@example.com"
      },
      {
        "id": "",
        "name": "https://app.checkpolicy.site/accept-terms-policy?e=victim@example.com"
      },
      {
        "id": "",
        "name": "savegpt.pro"
      },
      {
        "id": "",
        "name": "promptheusgpt.info"
      },
      {
        "id": "",
        "name": "openaigptforgg.site"
      },
      {
        "id": "",
        "name": "internxtvpn.pro"
      },
      {
        "id": "",
        "name": "gpt4chrome.live"
      },
      {
        "id": "",
        "name": "chromewebstore-noreply.com"
      },
      {
        "id": "",
        "name": "chataiassistant.pro"
      },
      {
        "id": "",
        "name": "adsblockforyoutube.site"
      },
      {
        "id": "",
        "name": "savegptforchrome.com"
      },
      {
        "id": "",
        "name": "savegptforyou.live"
      },
      {
        "id": "",
        "name": "geminiforads.com"
      },
      {
        "id": "",
        "name": "goodenhancerblocker.site"
      },
      {
        "id": "",
        "name": "chatgptforsearch.com"
      },
      {
        "id": "",
        "name": "ytbadblocker.com"
      },
      {
        "id": "",
        "name": "youtubeadsblocker.live"
      },
      {
        "id": "",
        "name": "wakelet.ink"
      },
      {
        "id": "",
        "name": "vidnozflex.live"
      },
      {
        "id": "",
        "name": "videodownloadhelper.pro"
      },
      {
        "id": "",
        "name": "ultrablock.pro"
      },
      {
        "id": "",
        "name": "tinamind.info"
      },
      {
        "id": "",
        "name": "searchgptchat.info"
      },
      {
        "id": "",
        "name": "searchcopilot.co"
      },
      {
        "id": "",
        "name": "searchaiassitant.info"
      },
      {
        "id": "",
        "name": "savgptforchrome.pro"
      },
      {
        "id": "",
        "name": "savechatgpt.site"
      },
      {
        "id": "",
        "name": "pieadblock.pro"
      },
      {
        "id": "",
        "name": "locallyext.ink"
      },
      {
        "id": "",
        "name": "linewizeconnect.com"
      },
      {
        "id": "",
        "name": "internetdownloadmanager.pro"
      },
      {
        "id": "",
        "name": "gptforads.info"
      },
      {
        "id": "",
        "name": "graphqlnetwork.pro"
      },
      {
        "id": "",
        "name": "gptforbusiness.site"
      },
      {
        "id": "",
        "name": "gptdetector.live"
      },
      {
        "id": "",
        "name": "geminiaigg.pro"
      },
      {
        "id": "",
        "name": "extensionpolicy.net"
      },
      {
        "id": "",
        "name": "extensionpolicyprivacy.com"
      },
      {
        "id": "",
        "name": "extensionbuysell.com"
      },
      {
        "id": "",
        "name": "cyberhavenext.pro"
      },
      {
        "id": "",
        "name": "dearflip.pro"
      },
      {
        "id": "",
        "name": "checkpolicy.site"
      },
      {
        "id": "",
        "name": "chatgptextent.pro"
      },
      {
        "id": "",
        "name": "chatgptextension.site"
      },
      {
        "id": "",
        "name": "blockforads.com"
      },
      {
        "id": "",
        "name": "bardaiforchrome.live"
      },
      {
        "id": "",
        "name": "aiforgemini.com"
      },
      {
        "id": "",
        "name": "adskiper.net"
      },
      {
        "id": "",
        "name": "supportchromestore.com"
      },
      {
        "id": "",
        "name": "chromeforextension.com"
      },
      {
        "id": "",
        "name": "parrottalks.info"
      },
      {
        "id": "",
        "name": "yujaverity.info"
      },
      {
        "id": "",
        "name": "wayinai.live"
      },
      {
        "id": "",
        "name": "uvoice.live"
      },
      {
        "id": "",
        "name": "primusext.pro"
      },
      {
        "id": "",
        "name": "policyextension.info"
      },
      {
        "id": "",
        "name": "moonsift.store"
      },
      {
        "id": "",
        "name": "iobit.pro"
      },
      {
        "id": "",
        "name": "castorus.info"
      },
      {
        "id": "",
        "name": "chromewebstore-noreply@supportchromestore.com"
      },
      {
        "id": "",
        "name": "chromewebstore-noreply@chromeforextension.com"
      },
      {
        "id": "",
        "name": "d303047205dabec8e2d34431e920ebe3478ca80a18f57bf454da094aca0e10aa"
      },
      {
        "id": "",
        "name": "b0827dc54349b10098a7370ada4ea44ba668b264ccca2db5676be1c32e6cc154"
      }
    ],
    "attack_patterns": [
      {
        "id": "2969e5a7-1049-4df8-b1ba-8a0675de6b94",
        "name": "T1589"
      },
      {
        "id": "6babd5aa-5112-4f14-a660-60d756a65d6d",
        "name": "T1586"
      },
      {
        "id": "7e3e3784-9547-42ca-b888-482972d14be3",
        "name": "T1528"
      },
      {
        "id": "5e3b3612-8bf8-46e1-943e-b4c1524bef11",
        "name": "T1587"
      },
      {
        "id": "c9de6d3f-08cf-448d-8b9f-9aeff59fc48f",
        "name": "T1550"
      },
      {
        "id": "b7c6c1ad-f183-4128-8427-3891029c73dc",
        "name": "T1539"
      },
      {
        "id": "1e043fe4-2413-4b8e-887c-0fe45d095a24",
        "name": "T1583"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "dc342445-1b78-48b4-aa06-89ed2ad7c28e",
        "name": "T1071"
      },
      {
        "id": "7d7ac733-6442-416f-8669-c302dd0843b9",
        "name": "T1036"
      },
      {
        "id": "fa3b8b48-d97c-4242-83a6-07d435a5a79e",
        "name": "T1041"
      },
      {
        "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d",
        "name": "T1566"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      }
    ]
  },
  "external_refs": [
    "https://blog.sekoia.io/targeted-supply-chain-attack-against-chrome-browser-extensions/",
    "https://otx.alienvault.com/pulse/67911c6446b0ab9591b82cad"
  ]
}