
This Week in Cybersecurity: Looking Back at Week 1

January 3, 2025

Cyberhaven Chrome Extension Breach Part of Expanding Supply Chain Attack

Cyberhaven, a data detection and response platform, suffered a compromise of its Chrome extension on December 24, 2024, after a phishing attack gave threat actors access to the company’s Chrome Web Store account. The attackers published a malicious version of the extension designed to steal Facebook access tokens and user information. Although Cyberhaven detected and removed the malicious extension within approximately 24 hours, this incident is part of a broader campaign that has compromised at least 29 Chrome extensions over the past 18 months, potentially affecting over 2.5 million users.


New Phishing Campaign Exploits Google Calendar to Evade Security Filters

A recent phishing campaign has been identified that leverages Google Calendar invites to bypass email security filters. Attackers send seemingly legitimate calendar invitations containing links to Google Forms or Google Drawings. When recipients interact with these links, they are redirected through a series of deceptive pages, including fake reCAPTCHA prompts, ultimately leading to malicious websites designed to harvest financial information. This tactic exploits the inherent trust in Google’s services, allowing phishing emails to evade detection and reach users’ inboxes. To mitigate such threats, users are advised to enable the “known senders” setting in Google Calendar, exercise caution with unsolicited invitations, and implement robust email security measures.


Misconfigured Kubernetes RBAC in Azure Airflow Exposes Entire Cluster to Exploitation

Cybersecurity researchers have identified three security vulnerabilities in Microsoft’s Azure Data Factory Apache Airflow integration. The vulnerabilities could allow attackers to gain persistent access as shadow administrators over the entire Airflow Azure Kubernetes Service (AKS) cluster. The flaws involve misconfigured Kubernetes Role-Based Access Control (RBAC) in the Airflow cluster, improper secret handling in Azure’s internal Geneva service, and weak authentication for Geneva. Exploiting these vulnerabilities could enable unauthorised actions such as data exfiltration, malware deployment, and tampering with log data. Microsoft has classified these vulnerabilities as low severity. However, the researchers emphasise the importance of carefully managing service permissions and monitoring critical third-party services to prevent unauthorised access.
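The RBAC item above comes down to a question any cluster owner can ask of their own configuration: which service accounts are bound to roles that are effectively administrative, and at what scope? The script below is an added illustration, not code from the researchers or from Microsoft. It audits a constructed sample that mimics the JSON returned by `kubectl get clusterroles,clusterrolebindings,rolebindings -A -o json`, flagging ServiceAccount subjects bound to a ClusterRole that either grants wildcard verbs on wildcard resources or can read Secrets, and rating cluster-wide bindings above namespaced ones.

```python
"""Audit Kubernetes RBAC for service accounts bound to over-broad ClusterRoles.

Added example. SAMPLE_RBAC is constructed to mimic the JSON that
`kubectl get clusterroles,clusterrolebindings,rolebindings -A -o json` returns;
only the fields the audit reads are included.
"""
import json

SAMPLE_RBAC = {
    "clusterroles": [
        {"metadata": {"name": "cluster-admin"},
         "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
                   {"nonResourceURLs": ["*"], "verbs": ["*"]}]},
        {"metadata": {"name": "secret-reader"},
         "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
        {"metadata": {"name": "pod-viewer"},
         "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
    ],
    "clusterrolebindings": [
        # The misconfiguration class in the article: a workload service account
        # bound cluster-wide to cluster-admin (constructed names).
        {"metadata": {"name": "airflow-worker-admin"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "ServiceAccount", "name": "airflow-worker", "namespace": "airflow"}]},
        {"metadata": {"name": "log-agent-secrets"},
         "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
         "subjects": [{"kind": "ServiceAccount", "name": "log-agent", "namespace": "monitoring"}]},
    ],
    "rolebindings": [
        # Properly scoped: read-only on pods, inside one namespace.
        {"metadata": {"name": "airflow-pod-viewer", "namespace": "airflow"},
         "roleRef": {"kind": "ClusterRole", "name": "pod-viewer"},
         "subjects": [{"kind": "ServiceAccount", "name": "airflow-scheduler", "namespace": "airflow"}]},
    ],
}

READ_VERBS = {"get", "list", "watch", "*"}


def classify_role(rules):
    """Return the reasons a role's rules are considered over-privileged."""
    reasons = []
    for rule in rules:
        verbs = set(rule.get("verbs", []))
        resources = set(rule.get("resources", []))
        if "*" in verbs and "*" in resources:
            reasons.append("wildcard verbs on wildcard resources")
        elif "secrets" in resources and verbs & READ_VERBS:
            reasons.append("can read Secrets")
    return reasons


def audit(rbac):
    """One finding per ServiceAccount subject bound to an over-broad ClusterRole."""
    roles = {r["metadata"]["name"]: r.get("rules", []) for r in rbac["clusterroles"]}
    bindings = [(b, "cluster-wide") for b in rbac["clusterrolebindings"]]
    bindings += [(b, "namespace " + b["metadata"]["namespace"]) for b in rbac["rolebindings"]]
    findings = []
    for binding, scope in bindings:
        ref = binding["roleRef"]
        if ref["kind"] != "ClusterRole":
            continue  # namespaced Roles are not part of this sample
        reasons = classify_role(roles.get(ref["name"], []))
        if not reasons:
            continue
        for subj in binding.get("subjects", []):
            if subj.get("kind") != "ServiceAccount":
                continue
            findings.append({
                "binding": binding["metadata"]["name"],
                "service_account": f'{subj["namespace"]}/{subj["name"]}',
                "role": ref["name"],
                "scope": scope,
                # A RoleBinding to cluster-admin still only grants admin inside
                # its namespace, so it rates below a ClusterRoleBinding.
                "severity": "high" if scope == "cluster-wide" else "medium",
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RBAC):
        print(json.dumps(finding))
```

Against the sample, the worker bound to `cluster-admin` and the log agent that can read Secrets cluster-wide are reported; the namespaced pod viewer is not. On a live cluster, replace `SAMPLE_RBAC` with the parsed `kubectl` output and extend `classify_role` with whatever your own policy treats as sensitive (for example `create` on `pods/exec` or `impersonate`).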


Seven-Year-Old RCE Vulnerability Patched in Kerio Control

A critical remote code execution (RCE) vulnerability, identified as CVE-2024-52875, has been discovered in Kerio Control, a Unified Threat Management solution by GFI Software. This flaw, present since version 9.2.5 released in 2018, affects versions 9.2.5 through 9.4.5. The vulnerability arises from improper input sanitisation in multiple HTTP response pages, allowing attackers to execute arbitrary code and potentially gain root access to the firewall. GFI Software has addressed the issue in the 9.4.5p1 update, which will be available to customers soon. Users are advised to apply the update promptly and consider interim mitigations, such as restricting access to trusted networks and implementing strict input validation, to safeguard their systems.
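The article attributes the Kerio Control flaw to improper input sanitisation in HTTP response pages and recommends strict input validation as an interim control. The snippet below is an added, generic illustration of that defect class and does not reproduce Kerio's code or the specific bug behind CVE-2024-52875, which the article does not detail. It places a version that copies an untrusted redirect target straight into a response header beside one that validates the value first, plus the matching body-side escaping, and includes a small helper for inspecting the serialised response in tests.

```python
"""Added example: an untrusted value written into an HTTP response, first
unvalidated and then validated. Generic illustration of the defect class; it
does not reproduce Kerio Control's code or its exact flaw.
"""
import html
from urllib.parse import urlsplit

# Any byte below 0x20 (CR, LF, TAB, ...) or DEL has no place in a header value.
_CONTROL_CHARS = {chr(c) for c in range(0x20)} | {"\x7f"}


def render_redirect_vulnerable(dest: str) -> str:
    """Defect: `dest` is copied straight into the Location header. A CR/LF pair
    inside it terminates the header early, so the remainder of the value is
    parsed as additional headers or as the response body."""
    return f"HTTP/1.1 302 Found\r\nLocation: {dest}\r\n\r\n"


def validate_local_path(dest: str, default: str = "/") -> str:
    """Accept only a same-origin absolute path; anything else falls back to `default`."""
    if not dest or any(ch in _CONTROL_CHARS for ch in dest):
        return default
    parts = urlsplit(dest)
    if parts.scheme or parts.netloc:            # http://..., javascript:..., //host
        return default
    # "/\host" is treated as protocol-relative by some browsers, so reject it too.
    if not dest.startswith("/") or dest[1:2] in ("/", "\\"):
        return default
    return dest


def render_redirect_hardened(dest: str) -> str:
    """Same response, but the value is validated before it reaches a header."""
    return f"HTTP/1.1 302 Found\r\nLocation: {validate_local_path(dest)}\r\n\r\n"


def render_error_page(message: str) -> str:
    """Body reflection: HTML-escape untrusted text so it cannot become markup."""
    return f"<html><body><p>{html.escape(message, quote=True)}</p></body></html>"


def header_lines(response: str) -> list:
    """Header lines of a serialised response, excluding the status line."""
    head = response.split("\r\n\r\n", 1)[0]
    return head.split("\r\n")[1:]


if __name__ == "__main__":
    sample = "/home\r\nX-Injected: 1"   # constructed input with an embedded CRLF
    print("vulnerable:", header_lines(render_redirect_vulnerable(sample)))
    print("hardened:  ", header_lines(render_redirect_hardened(sample)))
```

The validation is an allowlist (an absolute path on the same origin) rather than a blocklist of bad characters; the control-character check is there only so the failure is explicit. Most web frameworks already reject CR/LF in header values, so the lesson for a product built on its own HTTP stack, as appliances often are, is that this check has to exist somewhere before the value is serialised.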


New “DoubleClickjacking” Exploit Bypasses Clickjacking Protections on Major Websites

Security researcher Paulos Yibelo has identified a novel attack method termed “DoubleClickjacking,” which leverages a double-click sequence to bypass existing clickjacking defenses, such as X-Frame-Options headers and SameSite cookies. This technique exploits the brief interval between two clicks to deceive users into performing unintended actions, potentially leading to account takeovers on major websites.


Malicious NPM Package Disguised as Ethereum Tool Deploys Quasar RAT

A malicious npm package named ethereumvulncontracthandler has been discovered masquerading as a tool for detecting vulnerabilities in Ethereum smart contracts. Published on December 18, 2024, by a user named “solidit-dev-416,” the package is heavily obfuscated and, upon installation, retrieves a malicious script from a remote server to deploy the Quasar Remote Access Trojan (RAT) on Windows systems. The malware avoids sandboxed environments and establishes persistence through Windows Registry modifications, connecting to a command-and-control server to receive further instructions. As of now, the package remains available on the npm registry and has been downloaded 66 times.
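The package above does its damage at install time, through obfuscated code that fetches a second stage. A reviewer can catch that shape statically before running `npm install`: a lifecycle hook in `package.json` is what gives the package code execution, and decode-then-`eval` over a large opaque literal is the usual dropper pattern. The script below is an added example, not an artefact of the package in the article; `SAMPLE_PACKAGE_JSON` and `SAMPLE_INSTALL_JS` are constructed stand-ins with invented names, and the signal list and scoring are this example's own heuristics.

```python
"""Added example: static pre-install review of an npm package's manifest and
install script. SAMPLE_PACKAGE_JSON and SAMPLE_INSTALL_JS are constructed
stand-ins, not the package named in the article.
"""
import json
import re

SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-contract-scanner",          # constructed name
    "version": "1.0.3",
    "description": "Scan smart contracts for common issues",
    "scripts": {
        "test": "node test.js",
        "postinstall": "node scripts/setup.js",  # runs on every `npm install`
    },
    "dependencies": {},
})

# Constructed install script: decode an opaque literal, then execute it. The
# literal here is just "QUJD" repeated, so nothing meaningful is encoded.
SAMPLE_INSTALL_JS = (
    "const cp = require('child_process');\n"
    "const _0xab = '" + "QUJD" * 60 + "';\n"
    "eval(Buffer.from(_0xab, 'base64').toString());\n"
)

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "preprepare", "postprepare")

# Patterns that, together, are typical of a dropper rather than a build step.
SOURCE_SIGNALS = {
    "eval": re.compile(r"\beval\s*\("),
    "dynamic_function": re.compile(r"\bnew\s+Function\s*\("),
    "child_process": re.compile(r"require\(\s*['\"]child_process['\"]\s*\)"),
    "base64_decode": re.compile(r"Buffer\.from\([^)]*['\"]base64['\"]"),
    "long_opaque_literal": re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"),
    "remote_url": re.compile(r"https?://", re.I),
}
SHELL_FETCH = re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr|powershell|certutil)\b", re.I)


def audit_manifest(package_json: str) -> list:
    """List every lifecycle hook the package declares; these run on install."""
    pkg = json.loads(package_json)
    findings = []
    for hook in LIFECYCLE_HOOKS:
        cmd = pkg.get("scripts", {}).get(hook)
        if cmd is None:
            continue
        finding = f"lifecycle hook '{hook}' runs: {cmd}"
        if SHELL_FETCH.search(cmd):
            finding += " (downloads or launches a shell directly)"
        findings.append(finding)
    return findings


def audit_source(js: str) -> dict:
    """Map each matched signal name to the number of occurrences in the source."""
    return {name: len(rx.findall(js)) for name, rx in SOURCE_SIGNALS.items() if rx.search(js)}


def risk_score(manifest_findings: list, source_signals: dict) -> int:
    """Simple additive score; decode-then-execute gets an extra weight."""
    score = 2 * len(manifest_findings) + len(source_signals)
    if "eval" in source_signals and (
        "base64_decode" in source_signals or "long_opaque_literal" in source_signals
    ):
        score += 3
    return score


if __name__ == "__main__":
    hooks = audit_manifest(SAMPLE_PACKAGE_JSON)
    signals = audit_source(SAMPLE_INSTALL_JS)
    print("manifest:", hooks)
    print("source:  ", signals)
    print("score:   ", risk_score(hooks, signals))
```

Two defaults are worth turning on alongside a check like this: `npm install --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`) so lifecycle hooks do not run at all unless you opt in, and a lockfile so a freshly published package cannot slide into a build unnoticed. A low download count and a days-old publish date, both mentioned in the article, are registry metadata a CI check can also query before install.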


Hackers Hijack 35 Chrome Extensions, Exposing 2.6 Million Users

A sophisticated phishing campaign has compromised at least 35 Google Chrome extensions, affecting approximately 2.6 million users. Attackers targeted extension developers with deceptive emails, leading to the injection of malicious code into widely used extensions. The compromised extensions, including those from cybersecurity firm Cyberhaven, were manipulated to steal browser cookies and authentication sessions, particularly focusing on social media advertising and AI platforms. Users are advised to review installed extensions for any unauthorised updates and exercise caution when receiving unsolicited communications.
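Both extension-hijacking items on this page (the Cyberhaven incident and the wider campaign above) end with the same advice: review installed extensions for unexpected updates. The script below is an added example of what that review can look like when done from a Chrome profile's preferences rather than by clicking through the extensions page. It is not code from Cyberhaven or from any of the researchers cited. `SAMPLE_PREFS` is a constructed stand-in for the `extensions.settings` section of a profile's Preferences / Secure Preferences JSON; the field names and the timestamp encoding (microseconds since 1601-01-01 UTC) are assumptions about that format to confirm against a real profile, and the blocklist entry is a placeholder, not a real compromised extension ID.

```python
"""Added example: review a Chrome profile's installed extensions for signs that
deserve a second look after an extension-hijacking campaign. SAMPLE_PREFS is a
constructed stand-in for the `extensions.settings` section of Chrome's
Preferences / Secure Preferences JSON; field names and the timestamp encoding
(microseconds since 1601-01-01 UTC) are assumptions about that format.
"""
from datetime import datetime, timedelta, timezone

_CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_chrome_time(dt: datetime) -> str:
    """Encode a UTC datetime the way the sample stores `last_update_time`."""
    return str(int((dt - _CHROME_EPOCH) / timedelta(microseconds=1)))


def from_chrome_time(value):
    """Decode `last_update_time`; returns None when the field is absent."""
    if not value:
        return None
    return _CHROME_EPOCH + timedelta(microseconds=int(value))


# Placeholder entry only; real IDs would come from a vendor advisory.
BLOCKLIST = {"a" * 32: "placeholder entry from an advisory"}

SAMPLE_PREFS = {"extensions": {"settings": {
    "b" * 32: {   # broad permissions and updated inside the incident window
        "manifest": {"name": "Example Ad Helper", "version": "24.10.4",
                     "permissions": ["cookies", "storage", "identity"],
                     "host_permissions": ["<all_urls>"]},
        "from_webstore": True,
        "last_update_time": to_chrome_time(datetime(2024, 12, 25, 2, 30, tzinfo=timezone.utc)),
    },
    "c" * 32: {   # benign: narrow permissions, updated well before the window
        "manifest": {"name": "Example Tab Counter", "version": "1.2.0",
                     "permissions": ["tabs"], "host_permissions": []},
        "from_webstore": True,
        "last_update_time": to_chrome_time(datetime(2024, 11, 2, tzinfo=timezone.utc)),
    },
    "a" * 32: {   # matches the placeholder blocklist entry
        "manifest": {"name": "Example Listed Extension", "version": "3.0.1",
                     "permissions": ["storage"], "host_permissions": []},
        "from_webstore": True,
        "last_update_time": to_chrome_time(datetime(2024, 10, 1, tzinfo=timezone.utc)),
    },
}}}

BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Permissions that, combined with broad host access, let an extension read
# cookies or page content for every site the user visits.
SESSION_PERMS = {"cookies", "webRequest", "scripting"}


def audit_extensions(prefs, window_start, window_end, blocklist=BLOCKLIST):
    """Return one finding per extension with at least one reason to investigate."""
    findings = []
    for ext_id, rec in prefs["extensions"]["settings"].items():
        manifest = rec.get("manifest", {})
        perms = set(manifest.get("permissions", []))
        # MV2 manifests list host patterns under "permissions"; MV3 uses "host_permissions".
        hosts = set(manifest.get("host_permissions", [])) | {
            p for p in perms if "://" in p or p == "<all_urls>"}
        reasons = []
        if ext_id in blocklist:
            reasons.append(f"listed as compromised ({blocklist[ext_id]})")
        updated = from_chrome_time(rec.get("last_update_time"))
        if updated and window_start <= updated <= window_end:
            reasons.append(f"updated inside the incident window on {updated.date()}")
        if perms & SESSION_PERMS and hosts & BROAD_HOSTS:
            reasons.append("can read cookies or page data on every site")
        if reasons:
            findings.append({"id": ext_id, "name": manifest.get("name", "?"),
                             "version": manifest.get("version", "?"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    start = datetime(2024, 12, 24, tzinfo=timezone.utc)
    end = datetime(2024, 12, 27, tzinfo=timezone.utc)
    for f in audit_extensions(SAMPLE_PREFS, start, end):
        print(f["name"], f["version"], "->", "; ".join(f["reasons"]))
```

The update-window check is the one that matters most in an incident like this: a compromised extension arrives as an ordinary automatic update, so the version the user sees is new and the publisher is unchanged. To run it on a real machine, load the profile's Preferences file with `json.load` and pass it in place of `SAMPLE_PREFS`, after confirming that the keys match what your Chrome version writes.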


U.S. Army Soldier Arrested for AT&T and Verizon Data Breaches

On December 20, 2024, federal authorities arrested 20-year-old U.S. Army soldier Cameron John Wagenius, alleging his involvement in cybercrimes targeting major telecommunications companies. Operating under the alias “Kiberphant0m,” Wagenius is accused of unlawfully accessing and selling sensitive customer call records from AT&T and Verizon. His activities reportedly included collaboration with other cybercriminals and threats to leak high-profile individuals’ data. Wagenius, a communications specialist recently stationed in South Korea, faces charges of unlawful transfer of confidential phone records.

