On 27 December 2024, the technology company Cyberhaven reported that an unnamed actor replaced its Google Chrome extension on the Google Chrome Web Store with a malicious version. The actor used a phishing email to compromise a developer’s account by getting the developer to authorize a malicious third-party application. DomainTools researchers reviewed publicly available information related to this incident and discovered that the Cyberhaven incident is part of a months-long campaign likely attempting to impact multiple companies, primarily in the technology sector.
Cyberhaven’s initial analysis of the incident revealed that the actor sent a phishing email claiming that the recipient’s Chrome extension was at risk of being removed from the Chrome Web Store due to policy violations. A link in the email purported to allow the recipient to acknowledge those policies and avoid removal of the extension. Clicking on the link led the recipient through the process of adding a malicious third-party application named “Privacy Policy Extension” to the recipient’s Google account - a tactic commonly known as OAuth phishing. The malicious application received permissions to publish Chrome Web Store extensions, allowing the actor to replace Cyberhaven’s extension with a new version containing malicious code.
The malicious code comprised two altered JavaScript files:
- worker.js: This script contacted the actor-controlled domain cyberhavenext[.]pro, which served as command and control (C2) for the incident. The server hosted configuration data, which the script stored in Chrome’s local storage; the script also monitored events from the second script, content.js.
- content.js: This script collected user data from specific websites. The file used in the Cyberhaven incident specifically targeted Facebook-related data such as access tokens, user IDs, account details, business accounts, ad account information, cookies, and user agent strings. The script exfiltrated all compromised data to actor-controlled infrastructure.

Cyberhaven shared indicators of compromise (IOCs) related to the attack. DomainTools researchers analyzed this information and discovered a large network of infrastructure likely used in similar attacks against other targets. Some of the related domains include:
- cyberhavenext[.]pro
- api.cyberhaven[.]pro
- app.checkpolicy[.]site

The reported C2 domain for the incident, cyberhavenext[.]pro, resolved to the IP address 149.28.124[.]84, which is allocated to the hosting provider Vultr. Passive DNS data in the Iris Investigate platform shows 18 domains resolving to this IP address since 5 November 2024, with the majority beginning to resolve in the last week of December 2024. It is likely that these domains are part of a broader campaign that includes the Cyberhaven incident. This assessment is made with high confidence based on the following factors:
- registrar-servers[.]com for NS and MX, and use of Let’s Encrypt certificates
- .pro TLD along with .live, .info, .com, .net, .ink, and .vip

Research revealed additional related domains on other Vultr IP addresses:
- 149.248.2[.]160
- 136.244.115[.]219
- 45.76.225[.]148

Data from the urlscan platform shows that some of the related domains hosted configurations similar to that reported by Cyberhaven. For example, urlscan data for the domain internxtvpn[.]pro shows a similarly formatted configuration for targeting data from the ChatGPT platform.

Figure 1. Configuration recorded by urlscan on 29 December 2024.
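The infrastructure pivot described above (seed C2 domain to its IP, then co-hosted domains ranked by the shared features the write-up lists) as an added example, not DomainTools' own tooling: the records are constructed to resemble passive DNS output, the nameserver names and the two non-campaign domains are invented controls, and the feature weights and threshold are assumptions.

```python
from datetime import date

# Constructed passive-DNS-style records: (domain, ip, nameserver, first_seen).
# Domains and IPs named in the write-up are used as-is; the nameserver hostnames,
# the dates, and the last two rows are invented controls.
RECORDS = [
    ("cyberhavenext.pro",    "149.28.124.84", "dns1.registrar-servers.com", date(2024, 12, 24)),
    ("api.cyberhaven.pro",   "149.28.124.84", "dns1.registrar-servers.com", date(2024, 12, 26)),
    ("app.checkpolicy.site", "149.28.124.84", "dns2.registrar-servers.com", date(2024, 12, 20)),
    ("internxtvpn.pro",      "149.248.2.160", "dns1.registrar-servers.com", date(2024, 12, 10)),
    ("old-tenant.org",       "149.28.124.84", "ns1.hoster.example",         date(2022, 3, 1)),
    ("unrelated-shop.com",   "203.0.113.7",   "ns1.hoster.example",         date(2024, 12, 1)),
]

CAMPAIGN_TLDS = {"pro", "live", "info", "com", "net", "ink", "vip"}  # TLDs cited in the write-up
SHARED_NS_SUFFIX = "registrar-servers.com"                           # NS/MX provider cited
ACTIVITY_START = date(2024, 11, 5)   # earliest resolution to the C2 IP cited in the write-up

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as cyberhavenext[.]pro into a resolvable string."""
    return indicator.replace("[.]", ".")

def score_record(rec, pivot_ips) -> int:
    """Count how many linkage features (assumed equal weight) a record shares with the seed."""
    domain, ip, ns, first_seen = rec
    features = [
        ip in pivot_ips,                                 # co-hosted on a seed IP
        ns.endswith(SHARED_NS_SUFFIX),                   # same NS provider
        domain.rsplit(".", 1)[-1] in CAMPAIGN_TLDS,      # TLD from the campaign set
        first_seen >= ACTIVITY_START,                    # first seen inside the activity window
    ]
    return sum(features)

def pivot(seed: str, records=RECORDS, min_score=3):
    """From a (possibly defanged) seed domain, collect its IPs and rank other domains."""
    seed = refang(seed)
    pivot_ips = {ip for d, ip, _, _ in records if d == seed}
    if not pivot_ips:
        return []
    ranked = [(d, score_record(rec, pivot_ips)) for rec in records if (d := rec[0]) != seed]
    ranked = [(d, s) for d, s in ranked if s >= min_score]
    return sorted(ranked, key=lambda x: (-x[1], x[0]))

if __name__ == "__main__":
    for domain, s in pivot("cyberhavenext[.]pro"):
        print(f"{s}/4  {domain}")
```

Domains that share only the hosting IP but predate the activity window (the old-tenant row) fall below the threshold, which is the check that separates a shared Vultr host from campaign infrastructure.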
urlscan data also shows some of the identified infrastructure hosting credential phishing pages as far back as February 2024. Figure 2 shows a credential phishing page for an unidentified service hosted on admin-set.tkpartner[.]pro (left) and a phishing page likely meant to spoof Facebook’s Business Manager service hosted on tkadmin7.tkv2[.]pro (right). There is not enough evidence to determine how potential victims were directed to these pages or how the actor responsible leveraged compromised credentials.
Figure 2. Credential phishing pages hosted on infrastructure likely related to that used in the Cyberhaven incident.
It is likely that the Cyberhaven incident was part of a months-long campaign seeking access to sensitive data related to popular web services such as Facebook and ChatGPT. This assessment is made with high confidence based on identified infrastructure, the usage time frame of the infrastructure, and code within the actor’s configuration files. Observed tactics, techniques, and procedures (TTPs) indicate this actor is more likely criminal than state-sponsored.
If the community has any additional input, please let us know.
https://github.com/DomainTools/SecuritySnacks/blob/main/2025/CyberhavenCampaign