How Malicious Chrome Extensions Hijack Enterprise HR and ERP Platforms
Credential-stealing Chrome extensions have become a stealthy threat to enterprise HR and ERP platforms, blending in as innocuous productivity tools while orchestrating sophisticated attacks. These extensions, often distributed through the official Chrome Web Store, have targeted major platforms like Workday, NetSuite, and SAP SuccessFactors, exploiting the trust users place in browser add-ons (BleepingComputer).
What sets these campaigns apart is their multi-pronged approach: from exfiltrating authentication cookies every minute to manipulating web pages and even injecting stolen session tokens directly into browsers. In one notable case, extensions such as “Tool Access 11” and “Data By Cloud 2” actively blocked access to security administration pages, making it nearly impossible for IT teams to respond to incidents in real time. The attackers’ playbook also includes leveraging broad browser permissions and coordinated infrastructure, allowing them to scale operations and evade detection through rebranding and shared codebases.
With the rise of remote work and cloud-based HR systems, these attacks highlight the urgent need for enterprises to scrutinize browser extensions and rethink how trust is granted to third-party tools (BleepingComputer).
Attack Vectors Leveraged by Malicious Extensions
Malicious Chrome extensions targeting enterprise HR and ERP platforms employ a sophisticated array of attack vectors to compromise user credentials and facilitate unauthorized access. These extensions, often masquerading as productivity or security tools, are distributed via the Chrome Web Store and promoted to enterprise users of platforms such as Workday, NetSuite, and SAP SuccessFactors (BleepingComputer). The primary attack vectors identified in recent campaigns include:
- Cookie Exfiltration: Extensions extract authentication cookies—specifically those named __session—from the browser every 60 seconds. These cookies contain active login tokens for targeted HR and ERP platforms and are transmitted to remote command-and-control (C2) servers, enabling persistent unauthorized access.
- DOM Manipulation: Some extensions manipulate the Document Object Model (DOM) to block or erase content from security administration pages, effectively preventing legitimate users from managing security settings or responding to incidents.
- Bidirectional Cookie Injection: The most advanced extensions not only exfiltrate cookies but also receive stolen authentication tokens from attackers’ servers. These tokens are then injected directly into the browser, allowing attackers to hijack authenticated sessions without requiring user credentials or multi-factor authentication codes.
This multifaceted approach allows attackers to maintain stealth, evade detection, and maximize the impact of their campaigns against enterprise environments.
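A fixed 60-second exfiltration cadence is also the weakest point of the cookie-theft vector from a detection standpoint: it leaves an unusually regular request stream in web-proxy logs. The following script is an added example (not code from the report or from Socket or BleepingComputer) that parses a few constructed proxy log lines and flags (client, host) pairs whose inter-request gaps are nearly constant. The log format, the `.test` hostnames and the jitter threshold are assumptions made for this example.

```python
"""Beacon detection over proxy logs: flag request streams with near-constant
inter-arrival times, the footprint a cookie-exfiltrating extension posting
every 60 seconds would leave. Added example; all data below is constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log lines: "<ISO timestamp> <client ip> <method> <host> <bytes out>".
# hr.example-corp.test stands in for the HR platform; the collector host is a
# placeholder for an exfiltration endpoint, not a real indicator.
SAMPLE_LOG = """\
2024-05-01T09:00:00 10.1.1.5 GET hr.example-corp.test 812
2024-05-01T09:00:01 10.1.1.5 POST collector.example-c2.test 1460
2024-05-01T09:00:37 10.1.1.5 GET hr.example-corp.test 1200
2024-05-01T09:01:01 10.1.1.5 POST collector.example-c2.test 1458
2024-05-01T09:01:44 10.1.1.5 GET cdn.example.test 9000
2024-05-01T09:02:01 10.1.1.5 POST collector.example-c2.test 1461
2024-05-01T09:02:30 10.1.1.5 GET hr.example-corp.test 700
2024-05-01T09:03:02 10.1.1.5 POST collector.example-c2.test 1460
2024-05-01T09:04:01 10.1.1.5 POST collector.example-c2.test 1459
2024-05-01T09:04:20 10.1.1.5 GET hr.example-corp.test 640
"""


def parse_log(text):
    """Parse the constructed log format into dicts sorted by time."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, size = line.split()
        entries.append({
            "time": datetime.fromisoformat(ts),
            "client": client,
            "method": method,
            "host": host,
            "bytes_out": int(size),
        })
    return sorted(entries, key=lambda e: e["time"])


def find_beacons(entries, min_hits=4, max_jitter=0.15, ignore_hosts=frozenset()):
    """Return {(client, host): stats} for streams whose gaps are nearly constant.

    jitter is the coefficient of variation (stdev / mean) of the gaps between
    consecutive requests; human browsing has high jitter, a timer does not.
    """
    streams = defaultdict(list)
    for e in entries:
        if e["host"] in ignore_hosts:
            continue
        streams[(e["client"], e["host"])].append(e["time"])

    flagged = {}
    for key, times in streams.items():
        if len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            flagged[key] = {"hits": len(times), "mean_interval": avg, "jitter": jitter}
    return flagged


if __name__ == "__main__":
    for (client, host), stats in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{client} -> {host}: {stats['hits']} hits, "
              f"every {stats['mean_interval']:.0f}s (jitter {stats['jitter']:.3f})")
```

On the constructed data the collector host is flagged with a 60-second mean interval, while the HR platform traffic, although frequent, has far too much jitter to qualify. In production the `ignore_hosts` set would carry the organisation's known SaaS and CDN hosts, and the alert would be enriched with the process that opened the connection (the browser) and the destination's age and reputation.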
Exploitation of Browser Permissions and Enterprise Trust
Malicious Chrome extensions exploit the inherent trust users place in browser-based productivity tools and the broad permissions often granted to such extensions. When users install these extensions—frequently marketed as tools to enhance workflow, streamline access, or bolster security—they are prompted to grant permissions that appear consistent with enterprise integration requirements. These permissions typically include access to read and modify data on specific HR and ERP domains, manage cookies, and interact with browser tabs.
Attackers leverage these permissions to:
- Harvest Sensitive Data: By accessing cookies and session storage, extensions can extract authentication tokens and other sensitive information.
- Modify Web Content: Permissions to alter webpage content enable the extension to hide or alter security-related pages, impeding incident response.
- Bypass Security Controls: With the ability to inject cookies and manipulate browser sessions, attackers can bypass traditional authentication mechanisms, including multi-factor authentication, and gain direct access to privileged enterprise accounts.
The deceptive nature of these extensions is compounded by misleading privacy policies and documentation, which omit any mention of credential exfiltration or administrative page blocking (BleepingComputer). This exploitation of trust and permissions is central to the success of these attacks.
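Because the permissions themselves are declared in the extension's manifest.json, an organisation can review them before (or after) an install instead of trusting the store listing. The following script is an added example (not code from the report or from any of the extensions it describes) that reads a Manifest V3 file and scores the combination the report describes as dangerous: the `cookies` permission together with host access to the HR/ERP origins. The permission weights, the two constructed manifests and the `example-corp.test` hostnames are assumptions for this example; the permission names and the `host_permissions` / `content_scripts.matches` keys are real Chrome manifest fields.

```python
"""Audit a Chrome extension manifest for the permission combination that lets
an extension read session cookies on sensitive SaaS origins. Added example;
the manifests and weights below are constructed for illustration."""
import json

# Risk weights for individual permissions (constructed for this example).
RISKY_PERMISSIONS = {
    "cookies": 4,
    "webRequest": 3,
    "webNavigation": 2,
    "tabs": 2,
    "scripting": 2,
    "declarativeNetRequest": 2,
}

# Origins the organisation treats as crown jewels (placeholders).
SENSITIVE_HOSTS = ["hr.example-corp.test", "erp.example-corp.test"]


def host_matches(pattern, host):
    """Does a Chrome match pattern such as '*://*.example.test/*' cover host?"""
    if pattern == "<all_urls>":
        return True
    sep = pattern.find("://")
    rest = pattern[sep + 3:] if sep >= 0 else pattern
    pat_host = rest.split("/", 1)[0]
    if pat_host == "*":
        return True
    if pat_host.startswith("*."):          # '*.x.test' covers x.test and subdomains
        base = pat_host[2:]
        return host == base or host.endswith("." + base)
    return host == pat_host


def audit_manifest(manifest):
    """Return a risk score and human-readable findings for one manifest dict."""
    findings = []
    score = 0
    perms = set(manifest.get("permissions", []))
    hosts = list(manifest.get("host_permissions", []))
    for cs in manifest.get("content_scripts", []):
        hosts.extend(cs.get("matches", []))

    for p in sorted(perms & set(RISKY_PERMISSIONS)):
        score += RISKY_PERMISSIONS[p]
        findings.append(f"permission {p!r}")

    touched = sorted({h for h in SENSITIVE_HOSTS
                      for pat in hosts if host_matches(pat, h)})
    if touched:
        score += 3 * len(touched)
        findings.append("reaches sensitive hosts: " + ", ".join(touched))
    if "cookies" in perms and touched:
        score += 5                         # the exfiltration combination
        findings.append("can read/write session cookies on sensitive hosts")
    return {"score": score, "findings": findings}


# Constructed manifests: a harmless note-taking tool and a suspicious one.
BENIGN_MANIFEST = json.loads("""{
  "manifest_version": 3, "name": "Notes", "version": "1.0",
  "permissions": ["storage"],
  "host_permissions": ["*://docs.example.test/*"]
}""")

SUSPICIOUS_MANIFEST = json.loads("""{
  "manifest_version": 3, "name": "Access Helper", "version": "2.1",
  "permissions": ["cookies", "tabs", "alarms", "storage"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["*://*.example-corp.test/*"], "js": ["cs.js"]}]
}""")


if __name__ == "__main__":
    for name, m in (("benign", BENIGN_MANIFEST), ("suspicious", SUSPICIOUS_MANIFEST)):
        result = audit_manifest(m)
        print(f"{name}: score {result['score']}; " + "; ".join(result["findings"]))
```

The script is meant to run against the unpacked extension directory on a managed endpoint (the manifest lives under the browser profile's Extensions folder) or against the CRX a reviewer downloads before approving it. A high score is not proof of malice, but the cookie-plus-sensitive-host combination is exactly the capability the campaigns above depend on, so it should require a documented business justification.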
Coordination and Infrastructure Behind Extension Campaigns
Analysis of the malicious extension campaigns reveals a high degree of coordination and shared infrastructure among seemingly unrelated publishers. According to cybersecurity firm Socket, five extensions were identified as part of a coordinated operation, targeting the same enterprise platforms and employing identical security tool detection lists, API endpoint patterns, and code structures (BleepingComputer).
Key findings regarding campaign coordination include:
- Shared Codebase: Despite being published under different names (e.g., databycloud1104 and Software Access), the extensions share significant portions of code, indicating a single threat actor or closely collaborating group.
- Identical Targeting: All extensions are configured to target the same set of HR and ERP platforms, focusing on high-value enterprise environments.
- Unified Command-and-Control Infrastructure: Stolen authentication tokens are exfiltrated to a common set of remote servers, facilitating centralized management of compromised credentials.
This level of coordination enables attackers to rapidly iterate on their tactics, evade detection through rebranding, and scale their operations across multiple enterprise targets.
Techniques for Blocking Security Incident Response
A distinctive feature of these malicious extensions is their deliberate interference with enterprise security and incident response workflows. Rather than solely focusing on credential theft, several extensions actively block access to critical security management pages within HR and ERP platforms.
- Page Title Detection and Redirection: Extensions such as Tool Access 11 and Data By Cloud 2 monitor the titles of browser tabs to detect when users access administrative pages. Upon detection, the extension either erases the page content or redirects the user away from the management interface (BleepingComputer).
- Targeted Blocking of Administrative Functions: Tool Access 11 blocks access to 44 different administrative pages, including those related to authentication policies, IP range management, and session controls. Data By Cloud 2 expands this to 56 pages, adding password management, account deactivation, and audit logs to the blocked list.
- Impairment of Security Response: By obstructing access to these pages, the extensions prevent administrators from detecting, investigating, or remediating security incidents, thereby prolonging the attacker’s window of opportunity.
This deliberate targeting of security workflows represents an escalation in the sophistication of malicious extension campaigns, moving beyond passive credential theft to active disruption of enterprise defenses.
Session Hijacking and Immediate Account Takeover
The most advanced malicious extensions in these campaigns implement bidirectional session hijacking, enabling attackers to assume control of enterprise accounts in real time. The Software Access extension, in particular, was found to support both the exfiltration and injection of authentication cookies (BleepingComputer).
- Real-Time Session Takeover: Attackers can inject stolen session cookies into a victim’s browser, instantly authenticating as the user without the need for credentials or multi-factor authentication tokens.
- Bypassing Authentication Mechanisms: This technique allows attackers to circumvent even robust security controls, as the session is already authenticated from the perspective of the HR or ERP platform.
- Immediate Access to Sensitive Data: Once a session is hijacked, attackers gain unrestricted access to sensitive HR and financial data, user management functions, and other privileged resources.
The ability to perform immediate account takeover across multiple enterprise platforms significantly amplifies the potential impact of these attacks, enabling large-scale data theft, financial fraud, and ransomware deployment.
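From the platform's point of view the injected cookie is indistinguishable from the legitimate one, so the signal has to come from context: the same session suddenly arriving from a different network, often with a different browser build. The following script is an added example (not code from the report, Socket or BleepingComputer) that walks constructed authentication log lines and raises an alert when one session identifier is used from two source addresses, rating it high when the switch happens within a short window. The log format, the session hashes, the 600-second window and the TEST-NET addresses are assumptions for this example.

```python
"""Detect reuse of one authenticated session from two source networks, the
trace a stolen-then-injected cookie leaves in an application's access log.
Added example; the log lines below are constructed."""
from datetime import datetime

# Constructed lines: "<ISO timestamp> <user> <session hash> <src ip> <user agent>".
# The session hash stands for a truncated hash of the session cookie value;
# addresses are from the reserved TEST-NET ranges.
SAMPLE_LOG = """\
2024-05-01T09:00:00 alice 7f3a9c 203.0.113.10 Chrome/124.0
2024-05-01T09:04:10 alice 7f3a9c 203.0.113.10 Chrome/124.0
2024-05-01T09:06:30 alice 7f3a9c 198.51.100.7 Chrome/119.0
2024-05-01T09:07:00 bob   0b1d2e 203.0.113.22 Chrome/124.0
2024-05-01T13:15:00 bob   0b1d2e 203.0.113.22 Chrome/124.0
2024-05-01T14:30:00 carol 5e6f7a 203.0.113.30 Chrome/124.0
2024-05-01T16:45:00 carol 5e6f7a 198.51.100.9 Chrome/124.0
"""


def parse_auth_log(text):
    """Parse the constructed format into event dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, session, ip, ua = line.split(maxsplit=4)
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "session": session, "ip": ip, "ua": ua})
    return sorted(events, key=lambda e: e["time"])


def detect_session_reuse(events, window_seconds=600):
    """Alert whenever a session id is next seen from a different source ip.

    A switch inside window_seconds is 'high' (too fast to be a user moving
    networks); a slower switch is 'low' and worth correlating with VPN or
    roaming data. A user-agent change alongside the ip change is recorded
    because an injected cookie is usually replayed from a different browser.
    """
    alerts = []
    last = {}  # session id -> previous event for that session
    for e in events:
        prev = last.get(e["session"])
        if prev and prev["ip"] != e["ip"]:
            gap = (e["time"] - prev["time"]).total_seconds()
            alerts.append({
                "user": e["user"],
                "session": e["session"],
                "from_ip": prev["ip"],
                "to_ip": e["ip"],
                "seconds_between": gap,
                "ua_changed": prev["ua"] != e["ua"],
                "severity": "high" if gap <= window_seconds else "low",
            })
        last[e["session"]] = e
    return alerts


if __name__ == "__main__":
    for a in detect_session_reuse(parse_auth_log(SAMPLE_LOG)):
        print(f"[{a['severity']}] {a['user']} session {a['session']}: "
              f"{a['from_ip']} -> {a['to_ip']} after {a['seconds_between']:.0f}s"
              f"{' (user agent changed)' if a['ua_changed'] else ''}")
```

On the constructed data alice's session is flagged high (new address and an older browser build within 140 seconds), carol's is flagged low, and bob's is untouched. The same logic is a reason to bind sessions to client properties on the server side where the platform supports it, and to revoke all sessions for an account as soon as an alert like this fires.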
Final Thoughts
The evolution of malicious Chrome extensions from simple credential thieves to sophisticated tools capable of session hijacking and security workflow disruption marks a significant escalation in enterprise cyber risk. Attackers are no longer content with just stealing passwords—they’re actively undermining incident response and leveraging real-time session takeovers to maximize impact.
For organizations, this means that traditional defenses like multi-factor authentication and endpoint monitoring are no longer enough. Proactive extension management, user education, and continuous monitoring of browser activity are now essential components of enterprise security. As attackers continue to innovate, staying informed about the latest threats and adapting security strategies is crucial for protecting sensitive HR and financial data (BleepingComputer).
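"Proactive extension management" has a concrete form in Chrome's enterprise `ExtensionSettings` policy: deny every extension by default, allow only reviewed IDs, and keep even the allowed ones from running on the HR and ERP origins. The following script is an added example (not from the report or from Google's documentation) that builds such a policy and checks it for the gaps that would leave the cookie-theft vector open. The approved extension ID and the `example-corp.test` hosts are placeholders; the policy keys (`installation_mode`, `blocked_permissions`, `runtime_blocked_hosts`, `blocked_install_message`) are real Chrome policy fields.

```python
"""Generate and sanity-check a Chrome ExtensionSettings policy that closes the
install-and-read-cookies path. Added example; ids and hosts are placeholders."""
import json
import re

# Chrome extension ids are 32 characters drawn from a-p.
EXTENSION_ID_RE = re.compile(r"^[a-p]{32}$")


def is_valid_extension_id(ext_id):
    return bool(EXTENSION_ID_RE.match(ext_id))


def build_policy(approved_ids, sensitive_hosts):
    """Deny-by-default policy with an allow-list and protected origins.

    The '*' entry applies to every extension. runtime_blocked_hosts stops all
    extensions, approved ones included, from injecting scripts into or reading
    the HR/ERP origins; blocked_permissions prevents installation of anything
    that asks for cookie, request-interception or debugger access.
    """
    for ext_id in approved_ids:
        if not is_valid_extension_id(ext_id):
            raise ValueError(f"not a valid extension id: {ext_id!r}")
    policy = {
        "*": {
            "installation_mode": "blocked",
            "blocked_install_message": "Extensions must be approved by IT security.",
            "blocked_permissions": ["cookies", "webRequest", "debugger"],
            "runtime_blocked_hosts": [f"*://*.{h}" for h in sensitive_hosts],
        }
    }
    for ext_id in approved_ids:
        policy[ext_id] = {"installation_mode": "allowed"}
    return policy


def policy_gaps(policy):
    """Return a list of weaknesses in an existing policy dict (empty if none)."""
    issues = []
    default = policy.get("*", {})
    if default.get("installation_mode") != "blocked":
        issues.append("default entry '*' does not block unapproved extensions")
    if not default.get("runtime_blocked_hosts"):
        issues.append("no runtime_blocked_hosts: approved extensions can still run on HR/ERP pages")
    if "cookies" not in default.get("blocked_permissions", []):
        issues.append("'cookies' permission is not blocked by default")
    for ext_id in policy:
        if ext_id != "*" and not is_valid_extension_id(ext_id):
            issues.append(f"malformed extension id {ext_id!r}")
    return issues


if __name__ == "__main__":
    # Placeholder id for a reviewed extension; replace with the real one.
    approved = ["abcdefghijklmnopabcdefghijklmnop"]
    protected = ["hr.example-corp.test", "erp.example-corp.test"]
    policy = build_policy(approved, protected)
    print(json.dumps(policy, indent=2))
    print("gaps:", policy_gaps(policy) or "none")
```

The JSON printed by the script is the value of the `ExtensionSettings` policy: on Windows it is set as a string under `HKLM\Software\Policies\Google\Chrome`, on Linux it goes into a file under `/etc/opt/chrome/policies/managed/`, and in Chrome Browser Cloud Management it is pasted into the policy editor. An approved extension that genuinely needs a blocked permission can be granted it through `allowed_permissions` in its own entry, which keeps the exception visible and reviewable rather than global.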
References
- BleepingComputer. (2024). Credential-stealing Chrome extensions target enterprise HR platforms. https://www.bleepingcomputer.com/news/security/credential-stealing-chrome-extensions-target-enterprise-hr-platforms/