New Gmail attack bypasses passwords and 2FA to read all emails


August 4 update below. This article was originally published on August 2.

Among the best practices for protecting Gmail security, hardening your login credentials and enabling two-step verification are high on the list, as I mentioned in an article over the weekend. But what if I told you that security researchers have now uncovered evidence of a likely state-sponsored attack group that has found a way to circumvent even those protections?


North Korean hacking group can access Gmail without compromising login credentials

According to cybersecurity firm Volexity, its threat research team discovered that the North Korean group “SharpTongue”, which appears to be part of or related to the advanced persistent threat group Kimsuky, deploys malware called SHARPEXT that does not need your Gmail login credentials at all.

Instead, it “directly inspects and exfiltrates data” from a Gmail account as the victim browses it. According to Volexity, this rapidly evolving threat is already at version 3.0 by the malware’s own internal versioning, can steal email from both Gmail and AOL webmail accounts, and works on three browsers: Google Chrome, Microsoft Edge and a South Korean browser named Whale.

CISA says Kimsuky hackers ‘likely mandated by North Korean regime’

The US Cybersecurity and Infrastructure Security Agency, CISA, reports that Kimsuky has been operating since 2012 and is “most likely tasked by the North Korean regime with a global intelligence-gathering mission.”

While CISA sees Kimsuky most often targeting individuals and organizations in South Korea, Japan, and the United States, Volexity says the SharpTongue group has often been seen targeting South Korea, the United States and Europe. The common denominator between them is that the victims “often work on matters involving North Korea, nuclear issues, weapons systems, and other matters of strategic interest to North Korea.”


How is Gmail’s SHARPEXT threat different?

The report states that SHARPEXT differs from previous browser extensions deployed by these hacking and spying groups in that it does not attempt to retrieve login credentials; it circumvents the need for them and retrieves email data as the user reads it.

The good news is that your system must be compromised by some means before this malicious extension can be deployed. Unfortunately, we know very well that compromising the system is not as difficult as it should be.

Once a system has been compromised by phishing, malware, unpatched vulnerabilities or the like, the attackers can install the extension using a malicious VBS script that overwrites the browser’s preference files. Once this is done and the extension is running quietly in the background, it is difficult to detect: the user simply logs into their Gmail account from their normal browser on the expected system, so nothing looks out of place.
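Because the extension is planted by editing the browser’s own preference files rather than installed through the store, the preference file is also where a defender can look for it. The following is an added example, not code from the article or from Volexity: it parses a Chromium-family profile’s Preferences or Secure Preferences JSON and flags any extension that lacks the Chrome Web Store markers, was loaded unpacked from a directory, or asks for access to every site. The sample preferences document, the extension IDs and names in it, and the numeric `location` values (taken from the Chromium source, but treat them as an assumption to verify against your build) are all constructed for this example.

```python
import json
from typing import Dict, List

# Update endpoint stamped into the manifest of every Chrome Web Store install.
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"

# Chromium Manifest::Location values (assumption from the Chromium source tree;
# confirm against the browser build you audit): 4 = unpacked from a directory,
# 5 = component extension bundled with the browser itself.
LOCATION_UNPACKED = 4
LOCATION_COMPONENT = 5

# Host patterns that grant an extension access to every site, including webmail.
ALL_SITES = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")


def audit_extension_settings(prefs: dict) -> List[Dict[str, str]]:
    """Return one finding per extension that did not come from the Chrome Web Store.

    `prefs` is the parsed JSON of a Chromium profile's Preferences or
    Secure Preferences file; extension records sit under extensions.settings.<id>.
    """
    findings: List[Dict[str, str]] = []
    settings = prefs.get("extensions", {}).get("settings", {})
    for ext_id, rec in settings.items():
        if rec.get("location") == LOCATION_COMPONENT:
            continue  # built into the browser, not something a user or script installs
        manifest = rec.get("manifest", {})
        reasons = []
        if not rec.get("from_webstore", False):
            reasons.append("from_webstore is false")
        if manifest.get("update_url") != WEBSTORE_UPDATE_URL:
            reasons.append("update_url is not the Chrome Web Store")
        if rec.get("location") == LOCATION_UNPACKED:
            reasons.append("loaded unpacked from a directory")
        # An email-stealing extension has to run on the webmail origin, so broad
        # host access on a non-store extension deserves a second look.
        perms = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
        if any(p in ALL_SITES for p in perms):
            reasons.append("requests access to all sites")
        if reasons:
            findings.append({
                "id": ext_id,
                "name": manifest.get("name", "<unnamed>"),
                "path": rec.get("path", ""),
                "reasons": "; ".join(reasons),
            })
    return findings


def audit_preferences_file(path: str) -> List[Dict[str, str]]:
    """Load a Preferences / Secure Preferences file from disk and audit it."""
    with open(path, encoding="utf-8") as fh:
        return audit_extension_settings(json.load(fh))


# Constructed sample: a trimmed-down Secure Preferences document with one store
# extension and one sideloaded extension. IDs, names and paths are made up.
SAMPLE_PREFS = {
    "extensions": {
        "settings": {
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
                "from_webstore": True,
                "location": 1,
                "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\1.2.3_0",
                "manifest": {
                    "name": "Example Store Extension",
                    "update_url": WEBSTORE_UPDATE_URL,
                    "permissions": ["storage"],
                },
            },
            "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
                "from_webstore": False,
                "location": 4,
                "path": "C:\\Users\\victim\\AppData\\Roaming\\Ext\\",
                "manifest": {
                    "name": "Example Sideloaded Extension",
                    "permissions": ["tabs", "<all_urls>"],
                },
            },
        }
    }
}

if __name__ == "__main__":
    for f in audit_extension_settings(SAMPLE_PREFS):
        print(f"{f['id']} ({f['name']}) at {f['path']}: {f['reasons']}")
```

On a Windows host the file to pass to `audit_preferences_file` is typically `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Secure Preferences` (and the equivalent path under `Microsoft\Edge`); run it against every profile directory, not just `Default`, and compare the output across a fleet so that a one-off unpacked extension stands out.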

August 4 update:

Volexity has now confirmed that the SharpTongue/Kimsuky group is using, as it has always done, “spear phishing and social engineering” tactics tied to a malicious document to launch the SHARPEXT attacks against Gmail users. There is also confirmation that, so far at least, only Windows users appear to be targeted. Microsoft users’ concerns don’t stop there, however. As new reports, like the one on the SHARPEXT campaign, have revealed, multi-factor authentication is also being circumvented by other threat actors targeting email accounts.

The “large-scale” campaign, spotted by Zscaler ThreatLabz researchers, however, does not target Gmail users. Instead, Microsoft’s email services, especially enterprise ones, are in the crosshairs. According to a report by Bleeping Computer, the ultimate goal is the compromise of these corporate email accounts to help “divert payments to bank accounts under their control using falsified documents.”

The fact that this threat can bypass multi-factor authentication account protections immediately sets it apart from your average phishing campaign. “It uses an adversary-in-the-middle (AiTM) attack technique capable of bypassing multi-factor authentication,” notes Zscaler’s research, “there are several evasion techniques used at different stages of the attack designed to circumvent conventional email security and network security solutions.”

The takeaway? While any form of additional verification of your login credentials is still a must-have security feature, that doesn’t mean you should rest on your laurels if you have 2FA/MFA enabled. The AiTM part of the attack uses a proxy between the victim and the Microsoft servers. The MFA request is relayed by the proxy server to the victim, who enters their code, but on the attacker’s infrastructure, from where it is then passed on. By stealing the resulting “authentication cookies”, the attackers have their method of evading MFA to get back into the account. Where things are no different from most phishing expeditions is the “how it all starts” phase: an email is sent to the target that contains a malicious link.

Just last month, the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft 365 Defender Research Team confirmed that they had detected phishing campaigns using the AiTM technique to bypass the authentication process with MFA enabled. Based on threat data compiled by Microsoft researchers, at least 10,000 organizations have been targeted by such attacks since September 2021. Microsoft says the Microsoft 365 Defender product “detects suspicious activity related to AiTM phishing attacks and their follow-up activities.” The activities mentioned include stealing session cookies and using them to log into compromised accounts.
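The follow-up activity Microsoft describes, a stolen session cookie being presented from somewhere other than the client that completed MFA, is something an identity provider or its SIEM can look for. The example below is added here and is not Microsoft’s, Zscaler’s or the article’s code: it records the source IP and user agent that each session was bound to at the moment MFA succeeded, then flags any later request that presents the same session ID from a different source. The log format, the session IDs, the IP addresses (documentation ranges) and the user agents are all constructed for this example; a real deployment would read the equivalent fields from the sign-in and activity logs of the identity provider in use.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Binding:
    """Where a session was when it passed MFA: the client it should stay on."""
    ip: str
    ua: str
    issued_at: str


def parse_line(line: str) -> Dict[str, str]:
    """Parse one constructed log line: '<timestamp> <event> k=v k=v ...'.

    Values are single tokens in this format (user agents are abbreviated), which keeps
    the parser trivial; a real log would be JSON or CSV with a proper reader.
    """
    ts, event, *kvs = line.split()
    rec = {"ts": ts, "event": event}
    for kv in kvs:
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def detect_cookie_replay(lines: List[str]) -> List[Dict[str, str]]:
    """Flag requests whose session cookie is used from a source that never passed MFA.

    A cookie lifted through an AiTM proxy is replayed from the attacker's own client,
    so the session ID shows up with an IP address and user agent that differ from the
    ones recorded when MFA completed.
    """
    bindings: Dict[str, Binding] = {}
    alerts: List[Dict[str, str]] = []
    for raw in lines:
        if not raw.strip():
            continue
        rec = parse_line(raw)
        sid = rec["sid"]
        if rec["event"] == "mfa_success":
            bindings[sid] = Binding(rec["ip"], rec["ua"], rec["ts"])
            continue
        if rec["event"] != "request":
            continue
        bound = bindings.get(sid)
        if bound is None:
            alerts.append({"ts": rec["ts"], "sid": sid,
                           "reason": "session presented without a recorded MFA completion"})
            continue
        mismatches = []
        if rec["ip"] != bound.ip:
            mismatches.append(f"ip {bound.ip} -> {rec['ip']}")
        if rec["ua"] != bound.ua:
            mismatches.append(f"ua {bound.ua} -> {rec['ua']}")
        if mismatches:
            alerts.append({"ts": rec["ts"], "sid": sid,
                           "reason": "session reused from a different client: " + ", ".join(mismatches)})
    return alerts


# Constructed sample log: session s1 passes MFA from one client and is later
# presented from a different address with a scripted client; s2 is benign.
SAMPLE_LOG = """\
2022-08-02T09:00:01Z mfa_success sid=s1 ip=203.0.113.10 ua=Firefox/103
2022-08-02T09:00:05Z request sid=s1 ip=203.0.113.10 ua=Firefox/103
2022-08-02T09:03:40Z request sid=s1 ip=198.51.100.7 ua=python-requests/2.28
2022-08-02T09:10:00Z mfa_success sid=s2 ip=192.0.2.55 ua=Chrome/104
2022-08-02T09:11:00Z request sid=s2 ip=192.0.2.55 ua=Chrome/104
"""

if __name__ == "__main__":
    for alert in detect_cookie_replay(SAMPLE_LOG.splitlines()):
        print(alert["ts"], alert["sid"], alert["reason"])
```

The check only catches replay from a client other than the one that completed MFA; if the proxy that relayed the MFA prompt is the same infrastructure that later presents the cookie, both events share a source and this heuristic stays quiet, which is why it belongs alongside sign-in risk signals and short session lifetimes rather than in place of them.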

Microsoft security analysis indicated that the campaigns it saw used an off-the-shelf phishing kit known as Evilginx2 for the AiTM framework. Zscaler’s report, however, suggests that this latest campaign uses a “custom proxy-based phishing kit capable of bypassing multi-factor authentication.”

Microsoft says this is not an MFA vulnerability, but rather the theft of session cookies which are then used to access an already authenticated session, and that session is valid regardless of which login method the user used.

The US and UK are currently the targeted geographies, along with Australia and New Zealand. Industry verticals appear to be mostly limited to fintech, insurance, lending, and energy.

SHARPEXT reads Gmail emails silently without triggering Google’s unusual use protections

Nothing alerts Google or the user that someone has logged into Gmail from a different browser, computer, or location, because nobody has. Bypassing this protection is crucial because it means threat actors can remain truly persistent, reading all emails received and sent as if they themselves were the user.

To detect and investigate a SHARPEXT attack, Volexity recommends enabling and analyzing PowerShell ScriptBlock logging, because PowerShell plays a key role in configuring and installing the malware. Periodically review installed browser extensions, especially ones that you don’t recognize or that aren’t available on the Chrome Web Store.
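ScriptBlock logging writes each executed script block to the `Microsoft-Windows-PowerShell/Operational` log as event ID 4104, splitting long scripts across several records that share a `ScriptBlockId`. The code below is an added example, not Volexity’s tooling or anything from the article: it reassembles those fragments and scans each block for the behaviours the article describes, touching a browser profile’s Preferences or Secure Preferences file, writing into the Extensions directory, passing `--load-extension`, or launching a `.vbs` file. The sample events, their IDs and script text are constructed for the example, and the indicator patterns are assumptions to be tuned for a real environment.

```python
import re
from typing import Dict, List

# Indicators of a script tampering with a Chromium-family browser profile or loading
# an extension outside the store. The patterns are constructed for this example; tune
# them for your environment and expect to allow-list legitimate deployment tooling.
INDICATORS: Dict[str, "re.Pattern[str]"] = {
    "browser_prefs_file": re.compile(r"User Data\\[^\\\n]+\\(Secure )?Preferences", re.I),
    "extension_dir_write": re.compile(
        r"(Set-Content|Out-File|Copy-Item|Expand-Archive)[^\n]*\\Extensions\\", re.I),
    "load_extension_flag": re.compile(r"--load-extension=", re.I),
    "vbs_launch": re.compile(r"\b[wc]script(\.exe)?\b[^\n]*\.vbs\b", re.I),
}


def reassemble_script_blocks(events: List[dict]) -> Dict[str, str]:
    """Join the fragments of each logged script block back into one text.

    Event 4104 splits long scripts across several records that share a
    ScriptBlockId and carry MessageNumber / MessageTotal counters, so a pattern
    that straddles a fragment boundary is only visible after reassembly.
    """
    fragments: Dict[str, List[dict]] = {}
    for ev in events:
        fragments.setdefault(ev["ScriptBlockId"], []).append(ev)
    return {
        sbid: "".join(f["ScriptBlockText"]
                      for f in sorted(frags, key=lambda e: int(e.get("MessageNumber", 1))))
        for sbid, frags in fragments.items()
    }


def triage_script_blocks(events: List[dict]) -> List[Dict[str, object]]:
    """Return the reassembled blocks that match at least one indicator."""
    hits: List[Dict[str, object]] = []
    for sbid, text in reassemble_script_blocks(events).items():
        matched = [name for name, rx in INDICATORS.items() if rx.search(text)]
        if matched:
            hits.append({"ScriptBlockId": sbid, "indicators": matched,
                         "preview": text.strip().splitlines()[0][:80]})
    return hits


# Constructed sample: one benign block, one two-fragment block that rewrites the
# browser's Secure Preferences and drops files into the Extensions directory
# (fragments deliberately out of order), and one block that launches a VBS file.
SAMPLE_EVENTS = [
    {"ScriptBlockId": "11111111-0000-0000-0000-000000000001", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Get-Process | Where-Object { $_.CPU -gt 100 }"},
    {"ScriptBlockId": "22222222-0000-0000-0000-000000000002", "MessageNumber": 2, "MessageTotal": 2,
     "ScriptBlockText": "Set-Content -Path $prefs -Value $patched\n"
                        "Copy-Item -Path \"$env:TEMP\\ext\\*\" -Destination "
                        "\"$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\Extensions\\\" -Recurse\n"},
    {"ScriptBlockId": "22222222-0000-0000-0000-000000000002", "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": "$prefs = \"$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\Secure Preferences\"\n"
                        "$patched = Get-Content $prefs\n"},
    {"ScriptBlockId": "33333333-0000-0000-0000-000000000003", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Start-Process wscript.exe -ArgumentList \"$env:TEMP\\setup.vbs\""},
]

if __name__ == "__main__":
    for hit in triage_script_blocks(SAMPLE_EVENTS):
        print(hit["ScriptBlockId"], hit["indicators"], hit["preview"])
```

To feed it real data, export the events on the host with `Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104}` and map the `ScriptBlockId`, `MessageNumber` and `ScriptBlockText` properties into the dictionaries the functions expect; the same logic works unchanged against the forwarded copy of that log in a SIEM.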

That said, the average user shouldn’t worry too much, because this group’s victims are specifically targeted. Of course, if you work in a field that may interest them, then you are in the crosshairs.

A Google spokesperson provided me with the following statement: “The extension in question is not in the Chrome store, and this report does not identify an exploit in Gmail. It discusses a scenario where a system must already be compromised, through spear phishing or social engineering, in order for the malicious extension to be deployed. Enabling anti-malware services and using security-hardened operating systems like ChromeOS are best practices to prevent this and other similar types of attacks.”

A SHARPEXT threat assessment by a former military intelligence and law enforcement analyst

I also spoke to Ian Thornton-Trump, CISO at threat intelligence specialist Cyjax. A former criminal intelligence analyst with the Royal Canadian Mounted Police and having also served with the Canadian Forces Military Intelligence Branch, he is well placed to assess this type of alleged nation-state-aligned threat.

“It interests me for a number of reasons. First, I think North Korea is trying to be more proactive and threatening, as the world’s attention is much more focused on the geopolitical ambitions of Russia and China. North Korea isn’t getting the attention it used to. The threat of North Korea’s nuclear weapons, missile tests and cyberattacks has been reduced to little more than background noise, the focus being put on the pandemic, the war in Europe and global climate change,” Thornton-Trump said.

While confirming that malicious browser extensions are nothing new when it comes to threat actors aligned with North Korean interests, Thornton-Trump admitted to being somewhat surprised that the threat doesn’t focus on ransomware or cryptocurrency wallets. “North Korea remains an international pariah state when it comes to access to financial services,” he says, “and has survived through the efficient operation of cryptocurrency exchanges and wallets to support its economy.”

Direct targeting of Gmail content is likely geared towards spying

As for SHARPEXT, Thornton-Trump agrees that directly targeting Gmail (and AOL webmail) content displayed in a web browser is much more spy-oriented. “It could be seen as a change in tactics,” he told me, “but email attacks have a broad impact and are great for lateral movement in third-party apps as well as accessing sensitive information”.

He added that, once the host is compromised, it would be interesting to know whether the threat actor switched to a listen-only mode via exfiltration or moved on to active exploitation.

“Remarkably, the malware is delivered and installed by PowerShell, something all too typical, and one would think that at present Microsoft’s built-in OS protections, third-party Extended Detection and Response (XDR) and endpoint detection and response (EDR), as well as browser malware protection in the Windows version of Chrome,” he concludes, “would easily prevent these PowerShell call attacks. One would think that PowerShell activities would be rare for most users in the victimized organization.”
