As I said in a post over the weekend, two-step verification and strengthening your login credentials are among the best practices for protecting your Gmail account.
But what if security researchers had found evidence that an attack group, almost certainly state-sponsored, has managed to get past even these defenses?
A North Korean hacking group can read Gmail without ever obtaining the login credentials.
Cyber security company Volexity’s threat research team has observed the North Korean “SharpTongue” group, which appears to be associated with or overlap with the Kimsuky advanced persistent threat group, deploying malware called SHARPEXT that does not require your Gmail login credentials at all.
Instead, it “directly inspects and exfiltrates data” as the victim browses their Gmail account. This rapidly evolving threat can steal email from Gmail and AOL webmail accounts and works in three browsers: Google Chrome, Microsoft Edge, and the South Korean browser Whale, according to Volexity, which says the malware is already at version 3.0.
According to CISA, Kimsuky hackers were “most likely assigned by the North Korean leadership.”
Kimsuky has reportedly been in operation since 2012 and is “presumably tasked by the North Korean leadership with a global intelligence collecting mission,” according to the U.S. Cybersecurity & Infrastructure Security Agency, CISA.
Volexity says the SharpTongue group has regularly been seen targeting South Korea, the U.S., and Europe, while CISA believes Kimsuky primarily targets individuals and organizations in South Korea, Japan, and the U.S. The common factor among the targets is their frequent “work on topics affecting North Korea, nuclear issues, weapons systems, and other matters of strategic relevance to North Korea.”
What makes the SHARPEXT threat to Gmail unique?
According to the research, SHARPEXT differs from earlier browser extensions used by these cyber-espionage groups in that it captures email data as the user reads it, without needing login credentials.
The good news is that before this malicious extension can be installed, your machine must first be compromised in some way. Unfortunately, we are all too aware of how easily systems may be compromised.
Once a system has been compromised, whether via malware, phishing, an unpatched vulnerability, or any other method, threat actors use a malicious VBS script to install the extension, replacing the system’s preference files in the process. Once that is complete, the extension runs stealthily in the background and is difficult to spot. On the compromised system, the user then logs in to their Gmail account using their regular browser.
It is now established that the SharpTongue/Kimsuky group delivers SHARPEXT to Gmail users using, as was always assumed, “spear phishing and social engineering” techniques built around a malicious document. It is also confirmed that, at least so far, only Windows users appear to be targeted. There are nevertheless further reasons for Microsoft customers to be concerned: according to recent reports, other threat actors targeting email accounts also manage to get past multi-factor authentication, as the SHARPEXT campaign does.
That “big scale” campaign, uncovered by researchers at Zscaler ThreatLabz, does not focus on Gmail users, however. Instead, it targets Microsoft’s email services, particularly those used by businesses. The ultimate objective, according to reporting by Bleeping Computer, is to compromise these business email accounts and “divert money to bank accounts under their control using forged paperwork.”
This campaign stands out from typical phishing immediately because it can bypass multi-factor authentication safeguards. The Zscaler research states that the attack “uses an adversary-in-the-middle (AiTM) attack technique capable of bypassing multi-factor authentication” and that “there are numerous evasion techniques used in various stages of the attack designed to bypass conventional email security and network security solutions.”
Even with 2FA or MFA enabled, you cannot relax, although extra verification of your login is still a must-have. The AiTM component of the attack places a proxy between the victim and Microsoft’s servers. The victim receives the MFA prompt through the proxy and enters the code on the attacker’s device, which forwards it on. By capturing the resulting “authentication cookies,” the attackers can bypass MFA and log back into the account. The “how it all starts” phase is like other phishing operations: an email containing a malicious link is sent to the target.
The Microsoft Threat Intelligence Center (MSTIC) and the Microsoft 365 Defender Research Team recently confirmed that they had seen phishing campaigns using the AiTM technique to skip the authentication step even when MFA was enabled. According to threat data gathered by Microsoft researchers, at least 10,000 organizations have been targeted by such attacks since September 2021. According to Microsoft, Microsoft 365 Defender “detected suspicious activity related to” AiTM phishing attempts and their follow-up actions, including session cookie theft and the use of those cookies to sign into the compromised accounts.
According to Microsoft’s investigation, the campaigns it observed used the Evilginx2 commercial phishing kit for the AiTM infrastructure. The Zscaler report says this latest campaign uses a “custom proxy-based phishing kit” to circumvent multi-factor authentication.
According to Microsoft, this is not an MFA vulnerability but session cookie theft: the stolen cookie grants access to a session that has already been authenticated, independently of how the user signed in.
At the moment, the U.S., the U.K., Australia and New Zealand are the targeted regions. The financial, insurance, finance, and energy sectors appear to make up the majority of the targeted industry verticals.
SHARPEXT discreetly reads Gmail without triggering Google’s unusual-activity safeguards.
Nothing indicates to Google or the user that a login attempt has been made from a different browser, device, or location. Bypassing this protection matters because it lets the threat actors remain extremely persistent, reading all sent and received email as if they were the user themselves.
PowerShell plays a crucial part in the setup and installation of the malware, so Volexity advises enabling and analyzing PowerShell ScriptBlock logs to spot and investigate a SHARPEXT attack. Review installed extensions regularly, paying close attention to any you don’t recognize or that are not offered in the Chrome Web Store.
That said, the typical user shouldn’t worry too much, because only the targets this group selects will be attacked. Of course, you are in their sights if you work in a field they find interesting.
When Google was contacted for more information, a representative merely responded with the statement, “Google can confirm the extension code the virus utilizes is not present in the Chrome Web Store.”
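As an added, defender-side example (not from the article, Volexity, or Google), here is a Python script that applies the “review installed extensions” advice to a Chromium Preferences file: it lists every extension the profile does not record as a Chrome Web Store install. The sample preferences, extension IDs, names and paths are constructed, and the meaning of the `from_webstore`, `update_url` and `path` fields is assumed from Chromium’s Preferences format.

```python
import json

# Chrome Web Store update endpoint; store-installed extensions carry it in their prefs.
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"

# Constructed sample of the "extensions.settings" section of a Chromium
# Preferences file. Extension IDs, names and paths are placeholders.
SAMPLE_PREFERENCES = json.dumps({"extensions": {"settings": {
    # Installed from the store: relative path, from_webstore true, store update_url.
    "abcdefghijklmnopabcdefghijklmnop": {
        "from_webstore": True,
        "path": "abcdefghijklmnopabcdefghijklmnop\\1.2.3_0",
        "manifest": {"name": "Example Store Extension", "version": "1.2.3",
                     "update_url": WEBSTORE_UPDATE_URL},
    },
    # Sideloaded from a local folder by rewriting the preference file.
    "ponmlkjihgfedcbaponmlkjihgfedcba": {
        "from_webstore": False,
        "path": "C:\\Users\\Public\\Documents\\ext",
        "manifest": {"name": "Helper", "version": "3.0"},
    },
}}})

def suspicious_extensions(preferences_text):
    """Return (extension_id, name, reasons) for every extension the profile
    does not record as a Chrome Web Store install."""
    prefs = json.loads(preferences_text)
    settings = prefs.get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in settings.items():
        manifest = entry.get("manifest", {})
        reasons = []
        if not entry.get("from_webstore", False):
            reasons.append("from_webstore is false")
        if manifest.get("update_url") != WEBSTORE_UPDATE_URL:
            reasons.append("update_url is not the Chrome Web Store")
        # Assumed semantics: store installs record a path relative to the
        # profile's Extensions directory; an absolute path means the extension
        # was loaded unpacked from an arbitrary folder.
        path = entry.get("path", "")
        if ":\\" in path or path.startswith("/"):
            reasons.append("loaded unpacked from " + path)
        if reasons:
            findings.append((ext_id, manifest.get("name", "?"), reasons))
    return findings

if __name__ == "__main__":
    for ext_id, name, reasons in suspicious_extensions(SAMPLE_PREFERENCES):
        print(ext_id, "(" + name + "):", "; ".join(reasons))
```

To review a real profile, read the `Preferences` file from the browser’s user data directory and pass its contents to `suspicious_extensions` in place of the constructed sample.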
A former military and law enforcement intelligence analyst’s SHARPEXT threat assessment
I also spoke with Ian Thornton-Trump, CISO of the threat intelligence company Cyjax. He is well placed to evaluate this kind of suspected nation-state-aligned threat: he is a former criminal intelligence analyst with the Royal Canadian Mounted Police and also worked with the Military Intelligence Branch of the Canadian Forces.
“I find this intriguing for a few different reasons. First off, I believe North Korea is attempting to be more proactive and threatening while the world’s attention is much more on the geopolitical aspirations of Russia and China. The interest in North Korea has decreased. The focus on the epidemic, the conflict in Europe, and global climate change has lowered the threat of nuclear weapons from North Korea, missile testing, and cyberattacks to barely audible background noise,” says Thornton-Trump.
Thornton-Trump acknowledged that North Korean-aligned threat actors have long used malicious browser extensions, but he admitted to being surprised that ransomware or cryptocurrency wallets weren’t the main targets of the threat. According to him, North Korea remains an international pariah state when it comes to using financial services and has been effectively using bitcoin exchanges and wallets to support its economy.
Directly targeting Gmail content is likely espionage oriented
Regarding SHARPEXT, Thornton-Trump agrees that targeting Gmail (and AOL webmail) content directly as it is displayed in the browser is much more espionage-oriented. He explained to me that while this may look like a change in strategy, email attacks still have a significant impact and are ideal for lateral movement into third-party apps and for gaining access to sensitive data.
He continued, “It would be fascinating to know if the threat actor pivoted into active exploitation or went into listen-only mode via exfiltration once the host is penetrated.”
“Surprisingly, the malware is delivered and installed by PowerShell, which is something that happens all too frequently. You would think that by now, the built-in protections of the Microsoft operating system, third-party extended detection and response (XDR), endpoint detection and response (EDR), along with browser malware protection in the Windows version of Chrome, would easily prevent these invoke-PowerShell attacks,” he says. “Particularly on workstations, where you could expect that PowerShell actions would be uncommon for the majority of users in the affected organizations.”