Security Privacy

New Gmail Attack Bypasses Passwords and 2FA To Read All Email (forbes.com)

An anonymous reader quotes a report from Forbes: According to cyber security firm Volexity, the threat research team has found the North Korean 'SharpTongue' group, which appears to be part of, or related to, the Kimsuky advanced persistent threat group, deploying malware called SHARPEXT that doesn't need your Gmail login credentials at all. Instead, it "directly inspects and exfiltrates data" from a Gmail account as the victim browses it. This quickly evolving threat (Volexity says it is already on version 3.0, according to the malware's internal versioning) can steal email from both Gmail and AOL webmail accounts, and works across three browsers: Google Chrome, Microsoft Edge, and a South Korean client called Whale.

The U.S. Cybersecurity & Infrastructure Security Agency, CISA, reports that Kimsuky has been operating since 2012, and is "most likely tasked by the North Korean regime with a global intelligence gathering mission." While CISA sees Kimsuky most often targeting individuals and organizations in South Korea, Japan, and the U.S., Volexity says that the SharpTongue group has frequently been seen targeting South Korea, the U.S. and Europe. The common denominator between them is that the victims often "work on topics involving North Korea, nuclear issues, weapons systems, and other matters of strategic interest to North Korea."

The report says that SHARPEXT differs from previous browser extensions deployed by these hacking espionage groups in that it doesn't attempt to grab login credentials but bypasses the need for these and can grab email data as the user reads it. The good news is that your system needs to be compromised by some means before this malicious extension can be deployed. Unfortunately, we know all too well that system compromise is not as difficult as it should be. Once a system has been compromised by phishing, malware, unpatched vulnerabilities, whatever, the threat actors can install the extension using a malicious VB script that replaces the system preference files. Once that's done and the extension runs quietly in the background, it is tough to detect. The user logs in to their Gmail account from their normal browser on the expected system.
The security researchers recommend "enabling and analyzing PowerShell ScriptBlock logging" to detect whether you've been targeted by this attack, reports Forbes. Additionally, they recommend reviewing installed extensions regularly, especially looking for ones you don't recognize or are not available from the Chrome Web Store.
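The two recommendations above, turning on ScriptBlock logging and reviewing installed extensions, as an added PowerShell example for defenders (not code from the Forbes or Volexity report): it checks and enables the logging policy key, inventories extensions from each Chromium-based browser's preference files, flags those not installed from the Web Store, and searches 4104 events for scripts touching the preference files the report says get replaced. Whale's profile directory and the location-code meanings are assumptions stated in the comments.

```powershell
# Added example, not from the original report. Run in an elevated PowerShell on Windows.

# 1. Is PowerShell ScriptBlock logging enabled? Once on, script text is recorded as
#    Event ID 4104 in Microsoft-Windows-PowerShell/Operational.
$sblKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$enabled = (Get-ItemProperty -Path $sblKey -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue).EnableScriptBlockLogging
if ($enabled -ne 1) {
    Write-Warning 'ScriptBlock logging is OFF; enabling it via the policy key (needs admin).'
    New-Item -Path $sblKey -Force | Out-Null
    Set-ItemProperty -Path $sblKey -Name EnableScriptBlockLogging -Value 1 -Type DWord
}

# 2. Inventory extensions recorded in each profile's Preferences / Secure Preferences.
#    Chrome and Edge paths are the standard ones; the Whale path is an assumption.
$userData = @(
    "$env:LOCALAPPDATA\Google\Chrome\User Data",
    "$env:LOCALAPPDATA\Microsoft\Edge\User Data",
    "$env:LOCALAPPDATA\Naver\Naver Whale\User Data"   # assumed location
)
$results = foreach ($root in $userData) {
    if (-not (Test-Path $root)) { continue }
    $prefFiles = Get-ChildItem -Path $root -Recurse -Depth 1 -File -Include 'Preferences','Secure Preferences' -ErrorAction SilentlyContinue
    foreach ($f in $prefFiles) {
        $json     = Get-Content -Raw -Path $f.FullName | ConvertFrom-Json
        $settings = $json.extensions.settings
        if (-not $settings) { continue }
        foreach ($p in $settings.PSObject.Properties) {
            $e = $p.Value
            [pscustomobject]@{
                Browser   = Split-Path (Split-Path $root -Parent) -Leaf
                Profile   = $f.Directory.Name
                Id        = $p.Name
                Name      = $e.manifest.name
                FromStore = [bool]$e.from_webstore
                Location  = $e.location   # Chromium Manifest::Location: 1 = store/crx, 4 = unpacked, 5 = built-in component
                Path      = $e.path
            }
        }
    }
}
$results | Sort-Object FromStore, Browser | Format-Table -AutoSize
# Anything not from the Web Store and not a built-in component deserves a manual look.
$results | Where-Object { -not $_.FromStore -and $_.Location -ne 5 }

# 3. With logging on, look for recorded script blocks that reference the browser
#    profile directory or the Secure Preferences file.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Secure Preferences|\\User Data\\' } |
    Select-Object TimeCreated, Message -First 20
```

The Web Store heuristic is only a first filter: a store-listed extension can still be malicious, and a legitimate sideloaded one will show as unpacked.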
  • by SuperKendall ( 25149 ) on Tuesday August 02, 2022 @04:29PM (#62757084)

    From the summary:

    The security researchers recommend "enabling and analyzing PowerShell ScriptBlock logging" to detect whether you've been targeted by this attack,

    So this seems to indicate the attack is Windows only, is that the case? Kind of an important detail that would be nice to have in the summary.

    • by ctilsie242 ( 4841247 ) on Tuesday August 02, 2022 @05:33PM (#62757260)

      The fact that it is limited to three browsers, Chrome, Edge, and Whale (which uses the Chromium engine) also likely means Windows only.

      Since PowerShell is limited on Linux and macOS, it seems to be limited to just Windows. The workaround until more details are divulged? Firefox.

    • Re: (Score:2, Offtopic)

      Comment removed based on user account deletion
      • by StormReaver ( 59959 ) on Tuesday August 02, 2022 @07:18PM (#62757518)

        Because desktop Linux is still largely irrelevant.

        But Linux servers are not, and a compromised Linux server is a big headline. Success there is rather rare, though, despite how wide and deep Linux server usage is. It's a lot of work to compromise Linux to any usable degree. A large number of compromised Linux servers would be a huge accomplishment, but it never happens.

        However, Windows is targeted because it's so easy to compromise. The story is the same for Windows desktops and Windows servers, as there is hardly any difference between the two.

    • by StormReaver ( 59959 ) on Tuesday August 02, 2022 @07:06PM (#62757488)

      Yes, it's a Windows-only vulnerability. It is neither new nor clever. It's a browser extension; that's all.

      Once a system has been compromised by phishing, malware, unpatched vulnerabilities, whatever, the threat actors can install the extension using a malicious VB script that replaces the system preference files.

      I know, I know. I read the article. Shame on me.

      • by znrt ( 2424692 )

        It is neither new nor clever. It's a browser extension; that's all.

        Exactly, plus the fearsome hackers aren't even Russian or Chinese, just regular North Koreans nobody cares about anymore. What kind of stupid clickbait is this?

    • It looks that way. VB scripts will not run on Linux and there is no MS system registry to edit.

    • Actually, isn't this the same as if you are infected with malware / a backdoor / a RAT / whatever which monitors whatever you are doing / seeing?

      What's so special about this? Because it only seems to target Gmail, or only Windows (which seems to be the majority of all these sorts of software anyway)? Or that it seems to be Chrome engine specific?

      I really don't get what's so special about this compared to the many others around.

      PS: Firefox is my primary browser, so I guess I am safe from this anyway.

  • by yababom ( 6840236 ) on Tuesday August 02, 2022 @04:45PM (#62757150)

    Ha! I use IE6 - "Security by obsolescence!!!" /s

    I am glad to see that Firefox is unaffected.

  • by Khopesh ( 112447 ) on Tuesday August 02, 2022 @05:32PM (#62757258) Homepage Journal

    It's kind of odd to say this "bypasses passwords and 2FA" when it's just looking at your browser's content and scraping what your own valid login has access to. Then it ships that off to the attacker. This isn't the first malware to be able to do that, either (though perhaps the first to do it through your browser as opposed to your email client).

    That's kind of like saying an attack can bypass your security system and the lock on your front door when all they're doing is walking into the house behind you.

    • This isn't the first malware to be able to do that, either (though perhaps the first to do it through your browser as opposed to your email client).

      Damn - I wish I'd read your post before I put my foot in my mouth in the one I just wrote. I wasn't aware of this being done in email clients. Glad my toes don't taste too bad today.

  • by 93 Escort Wagon ( 326346 ) on Tuesday August 02, 2022 @06:06PM (#62757320)

    They don't want to share your personal information with anyone else!

  • When gmail added their "security" change, I stopped using my last remaining gmail account. I moved that email to my own domain. Far less drama.
  • "works across three browsers: Google Chrome, Microsoft Edge, and a South Korean client called Whale."
  • All the more reason to consider using native apps instead of browser based apps, as a user I mean. Somehow I think if all productivity apps had native versions, browsers wouldn't be so targeted by hackers and they wouldn't try to do anything and everything and become such security holes every other week.
  • Let's see if those bastards can read anything with all the f*ing spam in my gmail account...
  • >"and works across three browsers: Google Chrome, Microsoft Edge, and a South Korean client called Whale."

    No, it works against ONE browser- Chrom*. There are really only three browsers left, Chrom*, Safari, and Firefox. Two if you restrict to multiplatform. And even then, it requires an extension to be loaded, so it really isn't the browser.

    >"The security researchers recommend "enabling and analyzing PowerShell ScriptBlock"

    Ah, so now it is only one browser, Chrom*, under one OS, MS-Windows? Monocu
