CyberMinute - Alberta Cybersecurity Insights

January 13, 2025 issue


Alberta Innovates Compromise

Alberta Innovates is an agency of the Government of Alberta that helps researchers, companies and entrepreneurs grow, fuel, build and advance industries and strengthen communities across the province. In November 2024, they faced a significant cyber incident involving unauthorized access to their network by a third party. The organization collaborated with internal teams and cybersecurity experts to address the intrusion and restore normal operations. While specific details about the threat remain undisclosed, this event underscores the persistent interest of cyber threat actors in Alberta.

This incident is part of a broader trend of cyber threats targeting Alberta-based organizations. Recent reports indicate that Alberta's critical infrastructure and economic assets have become increasingly attractive to cyber adversaries. One such report stems from an access to information request by Postmedia in 2022, which revealed that the Canadian Security Intelligence Service (CSIS) identified Alberta as an attractive target for hostile foreign states. Additionally, indiscriminate threats such as ransomware are prevalent in Alberta, targeting public and private organizations alike, a trend that CyberAlberta has observed directly.

The Alberta Innovates incident serves as a reminder of the cyber threats facing Alberta. Organizations must remain vigilant and prepared to respond to cyber incidents to safeguard their operations and data. CyberAlberta has several helpful documents that organizations can reference to help them prepare, including:



Cybersecurity Implications of Canada's Bill C-26 on Critical Infrastructure

The recent passage of Bill C-26, first tabled in June of 2022, marks a significant milestone in Canada's cybersecurity landscape. Officially known as "An Act respecting cyber security," this legislation, passed on 5 December 2024 but still awaiting Royal Assent, introduces comprehensive cybersecurity requirements for federally regulated organizations. The bill amends the Telecommunications Act and enacts the Critical Cyber Systems Protection Act (CCSPA), defining the scope and mandating stringent security protocols for critical infrastructure.

Bill C-26 has far-reaching implications for Alberta organizations, particularly those in the telecommunications sector. The legislation empowers the federal government to prohibit the use of products and services from high-risk suppliers, such as Huawei and ZTE, and enforce the removal of existing equipment from telecom networks by 2027. This move aligns with global efforts to secure telecommunications infrastructure against potential threats and should help ensure that Alberta's critical infrastructure is better protected against cyberattacks.

The urgency of such measures is underscored by the recent Salt Typhoon hacking campaign, attributed to a Chinese cyberespionage group. This campaign compromised several U.S. telecom firms, including AT&T and Verizon, by exploiting vulnerabilities in network devices from Fortinet and Cisco. The attackers' ability to infiltrate these networks highlights the critical need for more robust cybersecurity measures.

Bill C-26's stringent requirements aim to prevent similar breaches in Canada's telecom sector. By mandating enhanced security protocols and the removal of high-risk equipment, the legislation seeks to mitigate the risk of cyberattacks like Salt Typhoon. Additionally, the bill aims to foster collaboration between government entities and operators, ensuring a unified approach to cybersecurity.

As cybersecurity threats continue to evolve, the passage of Bill C-26 represents a proactive step towards safeguarding Canada's critical infrastructure. The lessons learned from the Salt Typhoon attack emphasize the importance of stringent security measures and continuous vigilance. By implementing robust cybersecurity protocols and fostering collaboration between government entities and operators, Canada is poised to better protect its telecom networks and ensure the safety and security of its critical infrastructure.



Over 30 Chrome Extensions Infected with Malicious Code

A widespread cyberattack campaign that began by targeting developers of multiple Chrome extensions has compromised at least 36 extensions, affecting over 2.6 million users. Attackers sent phishing emails impersonating Google Chrome Web Store support, which convinced developers to grant access to a malicious OAuth application named "Privacy Policy Extension." This access allowed the attackers to inject malicious code into legitimate extensions that would subsequently target their users.

The first compromise was disclosed on 26 December 2024, after Cyberhaven announced an administrator account was compromised and abused to publish a malicious update that was automatically applied on Christmas Day. The injected code added capabilities for attackers to bypass multi-factor authentication and exfiltrate passwords, session cookies, and other sensitive data. Investigations by Secure Annex and ExtensionTotal discovered 35 additional extensions were compromised. Similar malicious code was identified in these extensions as early as April 2023, suggesting these attacks are part of a long-standing campaign.

The compromised extensions were leveraged as a foothold on the devices that use them, enabling the attackers to then hijack Facebook accounts, particularly targeting Facebook Ads users. Attackers exfiltrated account tokens, user IDs, and other data to attacker-controlled servers. The motivation for doing so is unclear; however, taking over accounts could be used to facilitate fraudulent payments, disinformation campaigns, or the sale of access on cybercriminal markets.

As well as providing indicators of compromise, Secure Annex has published a Google Sheet tracking affected extensions. Users are advised to check for these extensions, and if found, further investigate to determine if a session and password reset is required for all implicated Google and Facebook accounts. Organizations are invited to consider implementing policies such as allow lists for managed browsers to prevent the installation of unwanted extensions.
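The check and the allow-list policy recommended above can be scripted. The following is an added example, not code from this newsletter or from Secure Annex. It assumes the tracking sheet has been exported to a mapping of extension ID to affected versions; the IDs and versions in `demo()` are constructed, not real indicators. `ExtensionInstallBlocklist` and `ExtensionInstallAllowlist` are Chrome's enterprise policy names.

```python
import json, re, tempfile
from pathlib import Path

EXT_ID = re.compile(r"^[a-p]{32}$")  # Chrome extension IDs: 32 chars, a-p

def installed_extensions(profile_dir):
    """Yield (id, version, name) from <profile>/Extensions/<id>/<ver>/manifest.json."""
    for manifest in sorted(Path(profile_dir).glob("Extensions/*/*/manifest.json")):
        ext_id = manifest.parent.parent.name
        if not EXT_ID.match(ext_id):
            continue
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            data = {}  # unreadable manifest: still report the ID
        yield ext_id, str(data.get("version", "?")), str(data.get("name", "?"))

def audit(profile_dir, flagged, allowlist):
    """flagged: {id: set of affected versions}; allowlist: set of approved IDs."""
    findings = []
    for ext_id, version, name in installed_extensions(profile_dir):
        if ext_id in flagged:
            # An empty version set means every version of that ID is affected.
            hit = version in flagged[ext_id] or not flagged[ext_id]
            status = "FLAGGED_VERSION" if hit else "FLAGGED_ID_OTHER_VERSION"
        elif ext_id not in allowlist:
            status = "NOT_ALLOWLISTED"
        else:
            continue
        findings.append((status, ext_id, version, name))
    return findings

def managed_policy(allowlist):
    """Chrome enterprise policy: block all extensions except the allow list."""
    return {"ExtensionInstallBlocklist": ["*"],
            "ExtensionInstallAllowlist": sorted(allowlist)}

def demo():
    # Constructed IDs and versions, not real indicators.
    good, bad, stray = "a" * 32, "b" * 32, "c" * 32
    with tempfile.TemporaryDirectory() as tmp:
        for ext_id, ver in ((good, "1.0.0"), (bad, "2.0.1"), (stray, "0.3")):
            d = Path(tmp, "Extensions", ext_id, ver + "_0")
            d.mkdir(parents=True)
            (d / "manifest.json").write_text(json.dumps({"name": "demo", "version": ver}))
        return audit(tmp, flagged={bad: {"2.0.1"}}, allowlist={good, bad})

if __name__ == "__main__":
    for row in demo():
        print(*row)
```

A `FLAGGED_ID_OTHER_VERSION` result still warrants review, since an extension that updated past an affected version may have run it earlier.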
