Malicious Chrome Extensions Impersonate Workday and NetSuite to Hijack Accounts: A Comprehensive Analysis
The Issue:
Malicious Chrome extensions have been discovered, posing as Workday and NetSuite to hijack user accounts. These extensions steal authentication tokens, block incident response, and enable complete account takeover through session hijacking.
The Discovery:
Cybersecurity researchers uncovered five malicious Chrome extensions, each impersonating HR and ERP platforms like Workday, NetSuite, and SuccessFactors. These extensions work in unison to steal authentication tokens, block security administration pages, and facilitate session hijacking.
The Extensions:
1. DataByCloud Access (ID: oldhjammhkghhahhhdcifmmlefibciph, Published by: databycloud1104) - 251 installs
2. Tool Access 11 (ID: ijapakghdgckgblfgjobhcfglebbkebf, Published by: databycloud1104) - 101 installs
3. DataByCloud 1 (ID: mbjjeombjeklkbndcjgmfcdhfbjngcam, Published by: databycloud1104) - 1,000 installs
4. DataByCloud 2 (ID: makdmacamkifdldldlelollkkjnoiedg, Published by: databycloud1104) - 1,000 installs
5. Software Access (ID: bmodapcihjhklpogdpblefpepjolaoij, Published by: Software Access) - 27 installs
The Impact:
All extensions, except Software Access, have been removed from the Chrome Web Store. However, they remain accessible on third-party software download sites. These extensions are advertised as productivity tools, offering access to premium tools for Workday, NetSuite, and other platforms.
The Methodology:
The extensions use identical functionality and infrastructure patterns, indicating a coordinated operation. They exfiltrate cookies to a remote server, manipulate the Document Object Model (DOM) to block security administration pages, and facilitate session hijacking via cookie injection.
DataByCloud Access:
- Requests permissions for cookies, management, scripting, storage, and declarativeNetRequest across Workday, NetSuite, and SuccessFactors domains.
- Collects authentication cookies and transmits them to 'api.databycloud[.]com' every 60 seconds.
Tool Access 11 (v1.4):
- Blocks access to 44 administrative pages within Workday by erasing page content and redirecting to malformed URLs.
- Prevents authentication management, security proxy configuration, IP range management, and session control interfaces.
DataByCloud 2:
- Expands blocking to 56 pages, including password changes, account deactivation, 2FA device management, and security audit log access.
- Targets both production environments and Workday's sandbox testing environment at 'workdaysuv[.]com'.
DataByCloud 1:
- Steals cookies and uses the DisableDevtool library to block inspection of its code through the browser's developer tools.
- Encrypts command-and-control (C2) traffic.
Software Access:
- Combines cookie theft with the ability to receive stolen cookies from 'api.software-access[.]com' and inject them into the browser for direct session hijacking.
- Protects password input fields to prevent user inspection of credentials.
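As an added defender-side example (not code from the original report or from the extensions it describes), the following Python script triages installed Chrome extensions against the pattern described above: the five extension IDs listed under The Extensions, the cookies/management/scripting/declarativeNetRequest permission set, and host access to the impersonated platforms. The profile directory layout, the host list and the sample manifest are assumptions constructed for illustration.

```python
"""Triage Chrome extension manifests for the permission pattern described in the report."""
import json
from pathlib import Path

# Extension IDs named in the report, for exact-match flagging.
KNOWN_MALICIOUS_IDS = {
    "oldhjammhkghhahhhdcifmmlefibciph",  # DataByCloud Access
    "ijapakghdgckgblfgjobhcfglebbkebf",  # Tool Access 11
    "mbjjeombjeklkbndcjgmfcdhfbjngcam",  # DataByCloud 1
    "makdmacamkifdldldlelollkkjnoiedg",  # DataByCloud 2
    "bmodapcihjhklpogdpblefpepjolaoij",  # Software Access
}
# Permission combination the report attributes to DataByCloud Access.
RISKY_PERMISSIONS = {"cookies", "management", "scripting", "declarativeNetRequest"}
# Impersonated platform domains (assumed list; extend with your own tenant hosts).
TARGET_HOSTS = ("workday.com", "workdaysuv.com", "netsuite.com", "successfactors.com")

def triage_manifest(ext_id: str, manifest: dict) -> dict:
    """Return findings for one extension from its id and parsed manifest.json."""
    perms = set(manifest.get("permissions", []))
    hosts = list(manifest.get("host_permissions", []))
    hosts += [p for p in perms if "://" in p]  # MV2 puts host patterns in "permissions"
    risky = sorted(perms & RISKY_PERMISSIONS)
    targeted = sorted({h for h in TARGET_HOSTS for pat in hosts if h in pat})
    findings = []
    if ext_id in KNOWN_MALICIOUS_IDS:
        findings.append("known-malicious-id")
    if len(risky) >= 3:
        findings.append("broad-permission-set: " + ", ".join(risky))
    if targeted and ("cookies" in perms or "scripting" in perms):
        findings.append("cookie/script access to " + ", ".join(targeted))
    return {"id": ext_id, "name": manifest.get("name", "?"), "findings": findings}

def scan_profile(profile_dir: Path) -> list:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json (assumed layout) and triage each."""
    hits = []
    for manifest_path in sorted((profile_dir / "Extensions").glob("*/*/manifest.json")):
        ext_id = manifest_path.parent.parent.name
        with manifest_path.open(encoding="utf-8") as fh:
            result = triage_manifest(ext_id, json.load(fh))
        if result["findings"]:
            hits.append(result)
    return hits

if __name__ == "__main__":
    # Constructed sample manifest mirroring the permissions the report describes.
    sample = {"name": "DataByCloud Access", "manifest_version": 3,
              "permissions": ["cookies", "management", "scripting", "storage", "declarativeNetRequest"],
              "host_permissions": ["*://*.workday.com/*", "*://*.netsuite.com/*"]}
    print(triage_manifest("oldhjammhkghhahhhdcifmmlefibciph", sample))
```

Run `scan_profile(Path.home() / ".config/google-chrome/Default")` (or the equivalent profile path on your platform) to list only the extensions that produce findings.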
The Commonality:
All five extensions carry an identical hard-coded list of 23 security-related Chrome extension IDs, used to check whether any of those security extensions is installed and to flag their presence to the threat actor.
The Possibilities:
The presence of the same extension ID list across all five extensions suggests either a shared toolkit or the work of a single threat actor.
The Advice:
Chrome users who have any of these extensions installed should remove them, reset their passwords, and review their accounts for signs of unauthorized access from unfamiliar IP addresses or devices.
The Concern:
The combination of credential theft, administrative interface blocking, and session hijacking creates a challenging scenario for security teams: unauthorized access is difficult to detect, and remediation through the normal administrative channels is impossible while the extension blocks them.