Malicious Chrome Extensions Target HR and ERP Systems

Five coordinated malicious Chrome extensions target finance and human resources platforms used by thousands of organizations worldwide, posing a serious threat to enterprise security.

Together, these extensions steal authentication tokens, enable full account takeover through session hijacking, and block the security controls administrators would use to respond.

The campaign affects Workday, NetSuite, and SuccessFactors, core platforms on which finance and HR teams handle sensitive employee and business data.

The threat actors publish four of the extensions under the developer name databycloud1104; a fifth, softwareaccess, runs under different branding but uses the same attack techniques and infrastructure patterns.

Collectively, the extensions have reached more than 2,300 users in enterprise environments.

The synchronized deployment shows careful planning, with each extension playing a distinct role in an attack strategy designed to defeat conventional security controls. Socket.dev analysts identified the extensions through code analysis, which exposed malicious behavior hidden behind misleading marketing claims.

The research team found that although the extensions pose as legitimate productivity tools for simplifying access across several accounts, they actually steal login credentials and prevent security teams from responding to intrusions.

The most dangerous capability is the Software Access extension's bidirectional cookie injection.

With it, threat actors can import stolen authentication cookies directly into their own browsers and gain immediate access to victim accounts. Because the stolen session is already authenticated, no password is needed and multi-factor authentication is never triggered.

The other extensions re-harvest session tokens every 60 seconds, so the attacker's copy stays current even when users log out and back in during the normal business day.
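A replayed session cookie leaves a server-side trace that the victim's browser alone never produces: the same session identifier arriving from a second client while the first is still active. The following detection logic is an added example, not code from the article or from Socket.dev's research; the tab-separated log format, the IP-plus-User-Agent fingerprint and the ten-minute window are assumptions for this example, and the log lines are constructed.

```javascript
// Added example, not code from the article or from Socket.dev's research.
// Server-side detection of a replayed session: a stolen cookie imported into
// an attacker's browser keeps authenticating, but arrives from a second
// client fingerprint while the victim's own browser is still active.
// The log format below is an assumption for this example; Workday, NetSuite
// and SuccessFactors audit exports use their own field names.

// Constructed sample log: "ISO-time<TAB>session-id<TAB>client-ip<TAB>user-agent<TAB>path".
const SAMPLE_LOG = [
  "2025-01-15T09:00:05Z\tsess_a1b2\t203.0.113.10\tMozilla/5.0 (Windows NT 10.0) Chrome/120\t/payroll/summary",
  "2025-01-15T09:00:40Z\tsess_a1b2\t203.0.113.10\tMozilla/5.0 (Windows NT 10.0) Chrome/120\t/payroll/run",
  "2025-01-15T09:01:10Z\tsess_a1b2\t198.51.100.77\tMozilla/5.0 (X11; Linux x86_64) Chrome/119\t/admin/bank-accounts",
  "2025-01-15T09:02:00Z\tsess_c3d4\t203.0.113.22\tMozilla/5.0 (Macintosh) Safari/17\t/hr/directory",
  "2025-01-15T11:30:00Z\tsess_c3d4\t203.0.113.22\tMozilla/5.0 (Macintosh) Safari/17\t/hr/directory",
].join("\n");

function parseLog(text) {
  return text.trim().split("\n").map((line) => {
    const [time, session, ip, userAgent, path] = line.split("\t");
    return { time: Date.parse(time), session, ip, userAgent, path };
  });
}

// Client fingerprint used here: source IP plus User-Agent. Coarse, but a
// cookie replayed from another machine rarely reproduces both values.
function fingerprint(e) {
  return `${e.ip} | ${e.userAgent}`;
}

// Flag a session the first time it is used from two different fingerprints
// within windowMs of each other (default 10 minutes). Because the attacker's
// copy is refreshed every 60 seconds, the overlap shows up in this window.
function findReplayedSessions(entries, windowMs = 10 * 60 * 1000) {
  const sorted = [...entries].sort((a, b) => a.time - b.time);
  const lastSeen = new Map(); // session -> Map(fingerprint -> last timestamp)
  const alerts = new Map();   // session -> first alert, one per session
  for (const e of sorted) {
    if (!lastSeen.has(e.session)) lastSeen.set(e.session, new Map());
    const seen = lastSeen.get(e.session);
    const fp = fingerprint(e);
    if (!alerts.has(e.session)) {
      for (const [otherFp, t] of seen) {
        if (otherFp !== fp && e.time - t <= windowMs) {
          alerts.set(e.session, {
            session: e.session,
            firstClient: otherFp,
            secondClient: fp,
            path: e.path,
            gapSeconds: (e.time - t) / 1000,
          });
          break;
        }
      }
    }
    seen.set(fp, e.time);
  }
  return [...alerts.values()];
}

// Usage: the constructed log yields one alert, for sess_a1b2.
for (const a of findReplayedSessions(parseLog(SAMPLE_LOG))) {
  console.log(`session ${a.session} reused from ${a.secondClient} ${a.gapSeconds}s after ${a.firstClient} (${a.path})`);
}
```

A mobile user switching networks or a corporate proxy pool will trip this rule too, so treat a hit as a trigger for server-side session revocation and a forced re-authentication rather than as proof of compromise on its own.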

To hinder incident response, the extensions combine credential theft with targeted blocking of administrative interfaces.

The blocking relies on DOM manipulation: the extensions continuously inspect page content and immediately remove security administration pages when a user tries to open them.

Tools Access 11 blocks 44 Workday administration pages, and Data By Cloud 2 extends the list to 56, covering critical functions such as password changes, account deactivation, multi-factor authentication device management, and security audit logs.

The blocking logic watches the page with MutationObserver callbacks and re-checks it every 50 milliseconds (a MutationObserver fires only when the DOM changes, so the fixed 50 millisecond cadence indicates a polling timer running alongside it), which removes an administration page as soon as it renders.

When an administrator tries to reset a password or disable a compromised account, the extensions redirect the browser to broken URLs or replace the entire page with blank content.
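The behaviors described above (cookie harvesting and injection through chrome.cookies, a 60-second refresh, a MutationObserver with a 50 millisecond poll, page blanking and forced redirects, all aimed at HR/ERP hosts) are a recognizable combination in an unpacked extension's manifest and scripts. The triage script below is an added example, not code from the article or from the extensions it describes; the host-name substrings, file names, severity scheme and verdict thresholds are this example's own, and the sample manifest and script snippets are constructed to exercise the checks, with placeholder paths rather than real Workday URLs.

```javascript
// Added example, not code from the article or from the extensions it describes.
// Static triage of an unpacked Chrome extension for the indicator combination
// described in the article. Assumptions: HR/ERP host substrings, file names,
// severities and verdict thresholds are this example's own; the sample inputs
// are constructed and are not the real extensions' code.

const HR_ERP_HOST_RE = /workday|netsuite|successfactors/i; // assumed substrings

const SCRIPT_INDICATORS = [
  { id: "cookie-read", severity: "high",
    re: /chrome\.cookies\.(getAll|get)\s*\(/, note: "reads cookies (session token harvesting)" },
  { id: "cookie-write", severity: "high",
    re: /chrome\.cookies\.set\s*\(/, note: "writes cookies (injection into a browser)" },
  { id: "sixty-second-schedule", severity: "medium",
    re: /periodInMinutes\s*:\s*1\b|setInterval\s*\([\s\S]*?,\s*60000\s*\)/, note: "repeats a task every 60 seconds" },
  { id: "mutation-observer", severity: "low",
    re: /new\s+MutationObserver\s*\(/, note: "reacts to every DOM change" },
  { id: "fifty-ms-poll", severity: "medium",
    re: /setInterval\s*\([\s\S]*?,\s*50\s*\)/, note: "polls the page every 50 ms" },
  { id: "page-blanking", severity: "high",
    re: /document\.(body|documentElement)\.innerHTML\s*=\s*(['"`])\2/, note: "replaces the whole page with empty content" },
  { id: "forced-redirect", severity: "low",
    re: /location\.(replace|assign)\s*\(|location\.href\s*=(?!=)/, note: "navigates the tab away from the current page" },
];

function triageManifest(manifest) {
  const findings = [];
  const perms = manifest.permissions || [];
  const hosts = [
    ...(manifest.host_permissions || []),
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  ];
  if (perms.includes("cookies")) {
    findings.push({ id: "cookies-permission", severity: "medium",
      evidence: 'manifest.json: permissions includes "cookies"',
      note: "may read and write cookies for every permitted host" });
  }
  const hrErp = [...new Set(hosts.filter((h) => HR_ERP_HOST_RE.test(h)))];
  if (hrErp.length) {
    findings.push({ id: "hr-erp-hosts", severity: "medium",
      evidence: `manifest.json: ${hrErp.join(", ")}`, note: "requests access to HR/ERP platform hosts" });
  }
  return findings;
}

function triageScript(source, fileName) {
  const findings = [];
  for (const ind of SCRIPT_INDICATORS) {
    const m = source.match(ind.re);
    if (m) {
      findings.push({ id: ind.id, severity: ind.severity,
        evidence: `${fileName}: ${m[0].split("\n")[0].trim()}`, note: ind.note });
    }
  }
  return findings;
}

// scripts: { fileName: sourceText }. Two distinct high-severity indicators plus
// HR/ERP host access is this example's threshold for "likely malicious".
function triageExtension(manifestJson, scripts) {
  const findings = triageManifest(JSON.parse(manifestJson));
  for (const [name, src] of Object.entries(scripts)) findings.push(...triageScript(src, name));
  const ids = new Set(findings.map((f) => f.id));
  const highs = new Set(findings.filter((f) => f.severity === "high").map((f) => f.id)).size;
  let verdict = findings.length ? "review" : "clean";
  if (highs >= 2 && ids.has("hr-erp-hosts")) verdict = "likely malicious";
  return { findings, verdict };
}

// Constructed sample inputs (not the real extensions' code; paths are placeholders).
const SAMPLE_MANIFEST = JSON.stringify({
  manifest_version: 3,
  name: "Data Sync Helper (constructed sample)",
  permissions: ["cookies", "alarms", "storage"],
  host_permissions: ["https://*.myworkday.com/*", "https://*.netsuite.com/*", "https://*.successfactors.com/*"],
  content_scripts: [{ matches: ["https://*.myworkday.com/*"], js: ["content.js"] }],
});

const SAMPLE_CONTENT_SCRIPT = `
const BLOCKED = ["/admin/password", "/admin/deactivate", "/admin/mfa-devices", "/admin/audit-log"];
function check() {
  if (BLOCKED.some((p) => location.pathname.startsWith(p))) {
    document.body.innerHTML = "";
    location.replace("https://example.invalid/404");
  }
}
new MutationObserver(check).observe(document.documentElement, { childList: true, subtree: true });
setInterval(check, 50);
`;

const SAMPLE_BACKGROUND = `
chrome.alarms.create("sync", { periodInMinutes: 1 });
chrome.alarms.onAlarm.addListener(async () => { const cookies = await chrome.cookies.getAll({}); /* ...send cookies... */ });
chrome.runtime.onMessage.addListener((msg) => { if (msg.type === "inject") msg.cookies.forEach((c) => chrome.cookies.set(c)); });
`;

// Usage: report for the constructed sample (verdict: likely malicious).
const report = triageExtension(SAMPLE_MANIFEST, { "content.js": SAMPLE_CONTENT_SCRIPT, "background.js": SAMPLE_BACKGROUND });
for (const f of report.findings) console.log(`[${f.severity}] ${f.id}: ${f.note} (${f.evidence})`);
console.log("verdict:", report.verdict);
```

Regex matching is a first pass, not a verdict: obfuscated or minified bundles hide these strings, so treat a clean result on a bundled extension as "not examined" and confirm by loading it in an isolated profile. Whatever the triage says, containment should not be attempted from a browser that may carry one of these extensions, because the admin pages it blocks are exactly the ones used for password resets and account deactivation; use a clean profile or machine, or the platform's administrative API.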

The result is a containment failure: security teams can see the unauthorized access but cannot carry out normal remediation, leaving organizations to choose between tolerating ongoing unauthorized access and migrating affected users to entirely new accounts.
