Five malicious Chrome extensions targeted Workday, NetSuite and SuccessFactors customers with cookie-stealing and security-disrupting capabilities, Socket's Threat Research Team reported Thursday.

The extensions, published under the developer names databycloud1104 and softwareaccess, claim to offer bulk tool management and security features for the targeted human resources (HR) and enterprise resource planning (ERP) platforms. In reality, they relay authenticated sessions to attackers and prevent victims from responding to a breach by blocking access to key security pages, such as password reset and device management pages.

The five extensions have different but coordinated capabilities, with similarities that tie them to the same threat actor: an identical list of 23 security-focused Chrome extensions that each one monitors for, and a similar API endpoint structure for command-and-control (C2) communications despite the use of two different C2 domains (databycloud[.]com and software-access[.]com).

The extensions DataByCloud Access and Data by Cloud 1 extract authentication cookies for the targeted platforms and send them to the databycloud C2 server via the Fetch API. They keep sessions alive by injecting the stolen cookies into subsequent HTTP requests, and they check login status every 60 seconds to continuously harvest fresh authentication tokens.
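The capability mix described above (the cookies permission combined with host access to the HR/ERP tenants, a content script on those hosts, and the ability to enumerate other extensions) is visible in an extension's manifest before any code is read. The following is an added example, not Socket's tooling or code from the extensions themselves: a Node.js script that audits manifests for that mix. The tenant host patterns (myworkday.com, netsuite.com, successfactors.com/.eu) and the three sample manifests are assumptions constructed for illustration; adjust the patterns to the hostnames your tenants actually use.

```javascript
// Added example: audit Chrome extension manifests for the capability mix the
// article describes. Sample manifests below are constructed, not real ones.
// ASSUMPTION: tenant hostnames for the three platforms; adjust for your tenants.
const TARGET_HOSTS = [
  /(^|\.)myworkday\.com$/i,
  /(^|\.)netsuite\.com$/i,
  /(^|\.)successfactors\.(com|eu)$/i,
];

// Reduce a Chrome match pattern ("https://*.myworkday.com/*") to its host part.
// Returns "*" for patterns that cover every host, null for non-URL permissions.
function hostFromMatchPattern(pattern) {
  if (pattern === '<all_urls>') return '*';
  const m = /^(?:\*|https?|wss?|ftp):\/\/([^/]+)\/.*$/.exec(pattern);
  return m ? m[1] : null;
}

// Does a host pattern ("*", "*.netsuite.com", "wd5.myworkday.com") reach a target?
function hostCoversTarget(host) {
  if (host === '*') return true;
  const bare = host.startsWith('*.') ? host.slice(2) : host;
  return TARGET_HOSTS.some((re) => re.test(bare));
}

// Audit one manifest. MV2 mixes host patterns into "permissions"; MV3 keeps
// them in "host_permissions", so both are read.
function auditManifest(id, manifest) {
  const perms = new Set(manifest.permissions || []);
  const hostPatterns = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
    ...(manifest.optional_host_permissions || []),
  ].filter((p) => hostFromMatchPattern(p) !== null);
  const reachesTarget = hostPatterns.some((p) => hostCoversTarget(hostFromMatchPattern(p)));
  const injectsIntoTarget = (manifest.content_scripts || []).some((cs) =>
    (cs.matches || []).some((p) => hostCoversTarget(hostFromMatchPattern(p))));

  const findings = [];
  if (perms.has('cookies') && reachesTarget) findings.push('can read/write session cookies for an HR/ERP host');
  if (injectsIntoTarget) findings.push('injects a content script into HR/ERP pages (DOM tampering, redirects)');
  if (perms.has('management')) findings.push('can enumerate or disable other extensions');
  if (perms.has('webRequest') || perms.has('declarativeNetRequest')) findings.push('can rewrite HTTP requests/headers');
  const risk = findings.length === 0 ? 'low'
    : (perms.has('cookies') && reachesTarget) ? 'high' : 'medium';
  return { id, name: manifest.name, risk, findings };
}

function auditExtensions(manifestsById) {
  return Object.entries(manifestsById).map(([id, m]) => auditManifest(id, m));
}

// Constructed sample manifests (not the real extensions' manifests).
const SAMPLE_MANIFESTS = {
  'ext-benign': {
    name: 'Tab Notes', manifest_version: 3,
    permissions: ['storage'],
    host_permissions: ['https://*.example.org/*'],
  },
  'ext-suspicious': {
    name: 'Bulk Tool Manager', manifest_version: 3,
    permissions: ['cookies', 'management', 'webRequest', 'alarms'],
    host_permissions: ['https://*.myworkday.com/*', 'https://*.netsuite.com/*'],
    content_scripts: [{ matches: ['https://*.myworkday.com/*'], js: ['block.js'] }],
  },
  'ext-broad': {
    name: 'Page Helper', manifest_version: 2,
    permissions: ['cookies', '<all_urls>'],
  },
};

console.log(JSON.stringify(auditExtensions(SAMPLE_MANIFESTS), null, 2));
```

On a managed fleet the manifests come from the extension directories under each Chrome profile or from the Chrome Enterprise extension report; a broad host grant such as `<all_urls>` is scored as reaching the targets because it does, which is also why an install allowlist is the more durable control.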
The extension Software Access also steals authentication cookies, but additionally allows direct session relay to the attacker's browser: it includes a mechanism to inject stolen tokens stored on the software-access C2 server into the browser of an attacker who also has Software Access installed and requests access to a specific account.

The extensions Tool Access 11 and Data by Cloud 2 serve to disrupt incident response by preventing users from reaching key security pages on the Workday platform. This is done through DOM manipulation, removing the page contents by setting document.body.innerHTML to an empty string, after which the extension forces a redirect to a URL with an invalid .htmld extension, which lands on an error page. Tool Access 11 performs this manipulation for 44 specific administrative Workday pages; Data by Cloud 2 expands this to 56 pages, including those for changing passwords, disabling Workday accounts, managing trusted devices and viewing sign-on history. The effect is to block administrators both from detecting suspicious activity and from rotating credentials or removing compromised accounts once a breach is discovered.

Data by Cloud 1 and Software Access also include anti-analysis measures, using the DisableDevtool library to hinder code inspection in the browser.

Socket reported the malicious extensions to Google; they no longer appeared to be available on the Chrome Web Store as of Friday afternoon. The extensions had about 2,300 installations combined before the researchers discovered them, according to Socket.

Socket recommends that organizations block the C2 domains api[.]databycloud[.]com and api[.]software-access[.]com, audit browsers for suspicious extensions, and check authentication logs for Workday, NetSuite and SuccessFactors for simultaneous sessions from multiple IP addresses. The company also recommends that Chrome Enterprise customers use allowlists for extension installations.
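The log check Socket recommends, simultaneous sessions for one account from different source IPs, is what a relayed session looks like from the platform's side: the victim's own session and the attacker's copy of it are both active at once. The following is an added example, not Socket's detection logic or anything from the article: a Node.js script that pairs login and logout events into sessions and flags accounts whose overlapping sessions come from more than one IP. The log format, the sample lines and the eight-hour cap for sessions with no logout event are all constructed assumptions; real Workday, NetSuite and SuccessFactors sign-on exports use their own schemas, so parseLogLine() is the part to adapt.

```javascript
// Added example: hunt authentication logs for overlapping sessions of one user
// from different IPs. Log format and lines are constructed, not a real export.
const MAX_SESSION_MINUTES = 480; // ASSUMPTION: cap for sessions with no logout event

// Constructed format, one event per line:
// "<ISO time> <login|logout> <user> <source ip> <session id>"
const SAMPLE_LOG = `
2025-01-14T08:02:11Z login  alice 203.0.113.10 sess-a1
2025-01-14T08:05:40Z login  alice 198.51.100.7 sess-a2
2025-01-14T09:00:00Z login  bob   203.0.113.10 sess-b1
2025-01-14T09:30:00Z logout bob   203.0.113.10 sess-b1
2025-01-14T10:00:00Z login  bob   203.0.113.11 sess-b2
2025-01-14T11:00:00Z login  carol 203.0.113.12 sess-c1
2025-01-14T11:10:00Z login  carol 203.0.113.12 sess-c2
`;

// Parse one line; returns null for blank or malformed lines.
function parseLogLine(line) {
  const f = line.trim().split(/\s+/);
  if (f.length !== 5) return null;
  const [ts, event, user, ip, session] = f;
  const t = Date.parse(ts);
  if (Number.isNaN(t) || !['login', 'logout'].includes(event)) return null;
  return { t, event, user, ip, session };
}

// Pair logins with logouts by session id; sessions never closed get the cap.
function buildSessions(events, maxSessionMinutes = MAX_SESSION_MINUTES) {
  const open = new Map();
  const sessions = [];
  for (const e of [...events].sort((a, b) => a.t - b.t)) {
    if (e.event === 'login') {
      open.set(e.session, { user: e.user, ip: e.ip, session: e.session, start: e.t, end: null });
    } else if (open.has(e.session)) {
      const s = open.get(e.session);
      s.end = e.t;
      sessions.push(s);
      open.delete(e.session);
    }
  }
  for (const s of open.values()) {
    s.end = s.start + maxSessionMinutes * 60_000;
    sessions.push(s);
  }
  return sessions;
}

// Flag users with two sessions that overlap in time and come from different IPs.
// Same-IP overlap (two tabs, a second browser on the same host) is not flagged.
function findConcurrentMultiIp(sessions) {
  const byUser = new Map();
  for (const s of sessions) {
    if (!byUser.has(s.user)) byUser.set(s.user, []);
    byUser.get(s.user).push(s);
  }
  const findings = [];
  for (const [user, list] of byUser) {
    const hits = new Set();
    for (let i = 0; i < list.length; i++) {
      for (let j = i + 1; j < list.length; j++) {
        const a = list[i];
        const b = list[j];
        const overlap = a.start < b.end && b.start < a.end;
        if (overlap && a.ip !== b.ip) { hits.add(a.session); hits.add(b.session); }
      }
    }
    if (hits.size > 0) {
      const flagged = list.filter((s) => hits.has(s.session));
      findings.push({
        user,
        sessions: flagged.map((s) => s.session).sort(),
        ips: [...new Set(flagged.map((s) => s.ip))].sort(),
      });
    }
  }
  return findings.sort((x, y) => x.user.localeCompare(y.user));
}

function analyseLog(text, maxSessionMinutes = MAX_SESSION_MINUTES) {
  const events = text.split('\n').map(parseLogLine).filter(Boolean);
  return findConcurrentMultiIp(buildSessions(events, maxSessionMinutes));
}

console.log(JSON.stringify(analyseLog(SAMPLE_LOG), null, 2));
```

Only alice is flagged: bob's two IPs belong to sessions that do not overlap, and carol's overlapping sessions share an IP. Expect noise from VPN reconnects, split tunnelling and mobile clients; an allowlist of known corporate egress addresses, or a second-IP rule that only fires when the first session is still active, keeps the result actionable.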

Workday, NetSuite and SuccessFactors sessions targeted by malicious Chrome extensions





