A hidden threat in your browser: the malicious Chrome extensions compromising enterprise environments

Written by CPiO Limited | Jun 4, 2026 1:00:07 PM

Whilst we are all becoming increasingly aware of cyber threats, cyber criminals are constantly finding new, innovative routes of attack.

A trend we are currently seeing is malicious Google Chrome extensions targeting enterprise environments, especially HR and ERP platforms such as Workday, Sage X3, Sage Intacct and Sage 200, as well as NetSuite and SAP SuccessFactors.

These extensions are uploaded to the official Chrome Web Store, masquerading as productivity enhancers or security tools. In reality, they are part of a coordinated malware campaign designed to steal and exfiltrate sensitive browser data.

The threat in practice

Cybersecurity researchers at Socket recently identified five extensions linked to such a campaign. Four were published under “databycloud1104”, with a fifth as “Software Access.” Before removal, these tools had been installed over 2,300 times, giving attackers access to numerous enterprise user sessions. 

Once installed, the extensions deployed sophisticated attack mechanisms. User session details were sent to attacker-controlled servers every 60 seconds, enabling continuous access even if users logged out or changed passwords.
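The fixed 60-second reporting interval described above leaves a regular pattern that defenders can look for in web proxy logs. The following is an added example, not code from Socket or CPiO: the log format, host names and thresholds are assumptions, and the log lines are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: "timestamp client destination" (assumed proxy-log format).
SAMPLE_LOG = """\
2026-01-05T09:00:01 ws-014 collector.example
2026-01-05T09:00:10 ws-014 hr.example
2026-01-05T09:00:12 ws-014 hr.example
2026-01-05T09:01:02 ws-014 collector.example
2026-01-05T09:02:01 ws-014 collector.example
2026-01-05T09:02:47 ws-014 hr.example
2026-01-05T09:03:03 ws-014 collector.example
2026-01-05T09:03:05 ws-014 hr.example
2026-01-05T09:04:02 ws-014 collector.example
2026-01-05T09:05:02 ws-014 collector.example
2026-01-05T09:07:30 ws-014 hr.example
2026-01-05T09:00:00 ws-022 intranet.example
2026-01-05T09:00:20 ws-022 intranet.example
2026-01-05T09:02:20 ws-022 intranet.example
2026-01-05T09:02:40 ws-022 intranet.example
2026-01-05T09:04:00 ws-022 intranet.example
"""

def parse_flows(log_text):
    """Group request timestamps by (client, destination)."""
    flows = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, client, dest = line.split()
        flows[(client, dest)].append(datetime.fromisoformat(ts))
    return flows

def find_beacons(log_text, period=60.0, tolerance=5.0, max_jitter=3.0, min_events=5):
    """Return (client, dest, mean_gap) for flows repeating at roughly `period` seconds."""
    hits = []
    for (client, dest), stamps in parse_flows(log_text).items():
        if len(stamps) < min_events:
            continue  # too few requests to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Require both the right average gap and low spread: bursty human
        # browsing can average 60 s by chance but will not be this regular.
        if abs(avg - period) <= tolerance and pstdev(gaps) <= max_jitter:
            hits.append((client, dest, round(avg, 1)))
    return sorted(hits)
```

Run over the constructed sample, only the ws-014 to collector.example flow is reported: the ws-022 flow also averages 60 seconds between requests but is rejected because its gaps vary too widely.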

The extensions also disrupted security-critical administrative pages. Tool Access 11 blocked up to 44 pages, while Data by Cloud 2 blocked as many as 56, including password change interfaces, multi-factor authentication (MFA) management, account deactivation, and security audit logs. By impairing these functions, attackers extended their “dwell time,” exploiting compromised accounts whilst remaining undetected for longer.

The extensions promised premium dashboards, improved productivity, and enhanced access controls. Permissions appeared normal for enterprise tools, making them seem legitimate. However, hidden credential-stealing behaviours were embedded in their code.

On this occasion, the number of affected users was kept to a minimum. However, the consequences of such hijacks have the potential to cause severe disruption and damage. The systems being targeted hold highly sensitive corporate data, including employee records, payroll information, financial workflows, and privileged administrative functions. A single compromised session could lead to large-scale data theft or business email compromise, or enable ransomware attacks.

Minimise risk with robust IT security

This campaign illustrates how browser-based threats can bypass traditional defences. At CPiO, we can help organisations reduce these risks through IT security service reviews and mitigation strategies.

With centralised administration, CPiO ensures organisations maintain visibility and control over user devices, reducing the risk from malicious browser extensions and unauthorised software. Our IT security and support services are designed to protect users wherever they work, keeping access to critical systems monitored and secure. 

If you’re concerned about the security of the platforms your teams rely on every day, CPiO can help you take a proactive approach to protecting your environment.

Contact CPiO today on 0344 880 6140 or email info@cpio.co.uk to find out how our IT security services can protect your users, devices, and business-critical systems.