Blog

Lessons Learned from the Cyberhaven Cyber Incident

Alon Levin

Alon Levin

Dec 30, 2024 ・ 5 Min read
Lessons Learned from the Cyberhaven Cyber Incident

Cyberhaven recently experienced a cyber incident caused by a phishing attack on one of its employees. The targeted phishing message was built to look exactly like a legitimate message, luring the user to click the link and login using his Google user, allowing the adversary to take control and replace Cyberhaven’s extension, with a seemingly similar extension, however, the new uploaded extension included malicious code. This extension was automatically distributed to close to 400,000 users who are receiving automatic updates of Cyberhaven extension. This event is still under investigation and it seems like there are at least a few more extensions were impacted with the same malicious code. The number of users impacted is estimated at over 1 million. 

Cyberhaven Email Image
The phishing email that was sent to the Cyberhaven employee 

 According to reports, the malicious extensions intercepted sensitive data, including 2FA tokens, enabling unauthorized access to corporate systems. The breach serves as a stark reminder of the risks associated with unregulated browser extensions usage. As we analyze the event, it’s critical to understand both the risks that may have contributed to the incident and the cascading risks that could emerge as a result of it. 

What led to the Cyberhaven Incident? 

Cybersecurity breaches rarely happen in isolation; they’re often the result of multiple risk factors converging. Here are some potential risks and practices that could have led to this incident: 

  1. Phishing Risks in Modern Threat Landscapes: Attackers today can craft highly sophisticated phishing messages that closely mimic legitimate communications. These deceptive tactics are designed to entice users to interact with malicious links or provide sensitive information, making phishing one of the most effective entry points for cyberattacks. 
  2. Lack of Browser Protection: Browsers are central to modern workflows, making them attractive targets. Despite Google Advanced Protection being enabled, the safeguards were insufficient to prevent this attack. This highlights the sophisticated nature of phishing, where attackers can create highly convincing messages that mimic real communications, enticing users to interact with these malicious attempts. 
  3. Inadequate User Training and Awareness: Human error remains one of the most significant contributors to breaches. Without proper training, users may unknowingly compromise systems by clicking on malicious links or sharing sensitive information. 
  4. Overreliance on Traditional Security Approaches: Relying solely on endpoint detection or network-based protection methods may leave gaps. Attackers today often target user identities rather than devices or data directly. Their goal is to impersonate users within web applications, gaining unauthorized access and exploiting these platforms. This shift underscores the importance of securing identity and access management in addition to traditional defenses. 
  5. Reliance on Extension Store Screening: Users often rely on the fact that extensions that were downloaded from the browser extension store is safe to use as it was screened by the vendor. Unfortunately, it has been proven that it is possible to get around these screening processes and upload a new malicious extensions, or worse, modify an existing legitimate extension, to one which contains malicious code. 

Risks Emerging from the Incident 

While the root causes are concerning, the aftermath of a breach involving a widely distributed and allegedly trusted extension can present its own set of challenges. Here are some of the cascading risks: 

  1. Data Leakage and Confidentiality Breach: The malicious extension could intercept sensitive customer information, intellectual property, or internal communications, leading to financial and reputational damage.
  2. Further User Impersonation and Exploitation: By exploiting stolen credentials or session tokens, attackers can impersonate users within web applications, stage additional attacks, and escalate privileges, exacerbating the impact of the breach.

Before delving into how Seraphic addresses these challenges, it’s important to understand the evolving threat landscape around browser security. As organizations increasingly rely on web-based applications, browsers have become a primary target for attackers. Threat actors exploit weaknesses in extensions, phishing tactics, and user behaviors to gain unauthorized access. This underscores the need for robust, proactive measures that go beyond traditional security solutions to secure both the browser environment and user identities. 

Cyberhaven Code Image
Part of the extension’s malicious code

How Seraphic Helps Mitigate These Risks 

At Seraphic, we understand that proactive measures are crucial to minimizing the risks leading to and arising from cyber incidents. Our solutions are designed to provide comprehensive browser security, ensuring that users and systems are protected across all fronts: 

  1. Enhanced Browser Security: By deploying Seraphic’s lightweight JavaScript-based agent, organizations can enforce granular policies for browser usage. This protects against malicious extensions, phishing attempts never seen before, and risky behaviors. 
  2. Control Over Third-Party Extensions: Our platform offers advanced visibility and control over third-party browser extensions, enabling administrators to manage these based on a wide range of parameters, including risk levels, privacy risks, user ratings, number of users, and more. 
  3. User-Centric Security Policies: Seraphic empowers organizations to implement adaptive policies that align with user roles and behaviors, reducing the likelihood of human error leading to compromise. 
  4. User-identity protection: Seraphic protects user credentials and sessions, infostealers and malicious extensions are not able to steal session cookies and steal sessions. 
  5. Mitigation of Advanced Threats: Our solution’s AI-powered risk analysis engine identifies and mitigates advanced threats in real-time, addressing vulnerabilities before they can be exploited. 
  6. Comprehensive Visibility and Reporting: Administrators gain actionable insights into user activities, browser behaviors, and potential risks, ensuring compliance and informed decision-making. 

Conclusion 

The Cyberhaven cyber incident is a wake-up call for organizations to reassess their security posture, particularly in areas that are often overlooked, such as browser security and third-party extensions. Seraphic’s innovative approach provides the tools and confidence organizations need to stay resilient against modern threats. By prioritizing browser security and holistic risk management, we can collectively work toward a safer digital ecosystem. 

Additional Information

For more information about Seraphic, read our Enterprise Browser Security White Paper or request a demo.

Latest Posts

Malicious Browser Extensions
Blog

Malicious Browser Extensions Are on The Rise

Jan 7, 2025 6 Min read
Supply Chain Attacks Start with your 3rd Party Providers Spotlight
Blog

Supply Chain Attacks Start with your 3rd Party Providers

May 1, 2024 6 Min read
Blog

Why 2FA Multi-factor Authentication is no Longer Sufficient to Stop Phishing

Apr 8, 2024 5 Min read

Cookie Consent Settings

Accessibility Adjustments

©2025 Seraphic ltd. All rights reserved.

Access Seraphic's Enterprise Browser Security White Paper: A New Way to Protect Users, Devices, and Data

Download now
Request a demo

Please leave your details:

0

Sent successfully!

Close

Please leave your details to view content:

Request a Demo