New Gmail Attack Bypasses Passwords and 2FA To Read All Email (forbes.com)
An anonymous reader quotes a report from Forbes: According to cyber security firm Volexity, the threat research team has found the North Korean 'SharpTongue' group, which appears to be part of, or related to, the Kimsuky advanced persistent threat group, deploying malware called SHARPEXT that doesn't need your Gmail login credentials at all. Instead, it "directly inspects and exfiltrates data" from a Gmail account as the victim browses it. This quickly evolving threat (Volexity says it is already on version 3.0, according to the malware's internal versioning) can steal email from both Gmail and AOL webmail accounts, and works across three browsers: Google Chrome, Microsoft Edge, and a South Korean client called Whale.
The U.S. Cybersecurity & Infrastructure Security Agency, CISA, reports that Kimsuky has been operating since 2012, and is "most likely tasked by the North Korean regime with a global intelligence gathering mission." While CISA sees Kimsuky most often targeting individuals and organizations in South Korea, Japan, and the U.S., Volexity says that the SharpTongue group has frequently been seen targeting South Korea, the U.S. and Europe. The common denominator between them is that the victims often "work on topics involving North Korea, nuclear issues, weapons systems, and other matters of strategic interest to North Korea."
The report says that SHARPEXT differs from previous browser extensions deployed by these hacking espionage groups in that it doesn't attempt to grab login credentials but bypasses the need for these and can grab email data as the user reads it. The good news is that your system needs to be compromised by some means before this malicious extension can be deployed. Unfortunately, we know all too well that system compromise is not as difficult as it should be. Once a system has been compromised by phishing, malware, unpatched vulnerabilities, whatever, the threat actors can install the extension using a malicious VB script that replaces the system preference files. Once that's done and the extension runs quietly in the background, it is tough to detect. The user logs in to their Gmail account from their normal browser on the expected system. The security researchers recommend "enabling and analyzing PowerShell ScriptBlock logging" to detect whether you've been targeted by this attack, reports Forbes. Additionally, they recommend reviewing installed extensions regularly, especially looking for ones you don't recognize or are not available from the Chrome Web Store.
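As an added example (not code from the Forbes article or from Volexity's report), the following PowerShell implements the two detection steps the summary recommends: enabling ScriptBlock logging, then reviewing the resulting 4104 events and the extensions installed in each Chromium-family profile. It assumes default Chrome and Edge profile locations under %LOCALAPPDATA%; the search patterns in step 2 are my own assumptions, not indicators taken from the report.

```powershell
# Added example, not code from the Forbes article or the Volexity report: the two defensive
# checks the summary recommends, for an elevated PowerShell session on the Windows host.
# 1. Turn on ScriptBlock logging through the policy key so script contents are recorded as
#    event ID 4104 in Microsoft-Windows-PowerShell/Operational. A VBScript installer stage
#    will not show up here; only the PowerShell it spawns (or is spawned by) will.
$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
if (-not (Test-Path $sbl)) { New-Item -Path $sbl -Force | Out-Null }
Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord
# 2. Review the last 7 days of 4104 events for script text that touches browser profile
#    paths. These patterns are my assumptions about what an extension-dropping script would
#    reference, not indicators from the report; tune them to your environment.
$patterns = 'Secure Preferences', '\Preferences', '\Extensions\', 'chrome.exe', 'msedge.exe'
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue
$hits = $events | Where-Object {
    $text = [string]$_.Properties[2].Value            # Properties[2] holds ScriptBlockText
    @($patterns | Where-Object { $text -like "*$_*" }).Count -gt 0
}
$hits | Select-Object TimeCreated, @{ n = 'Snippet'; e = {
    $t = ([string]$_.Properties[2].Value) -replace '\s+', ' '
    $t.Substring(0, [Math]::Min(160, $t.Length)) } } | Format-Table -AutoSize -Wrap
# 3. Inventory extensions in every Chrome and Edge profile. Store-delivered extensions carry
#    a known update_url in manifest.json; anything without one was sideloaded or unpacked and
#    deserves a closer look. Extensions force-loaded from other paths (--load-extension,
#    policy) do not live under these profile folders and need a separate check.
$storeUrls = @('https://clients2.google.com/service/update2/crx',
               'https://edge.microsoft.com/extensionwebstorebase/v1/crx')
$roots = @{ Chrome = "$env:LOCALAPPDATA\Google\Chrome\User Data"
            Edge   = "$env:LOCALAPPDATA\Microsoft\Edge\User Data" }
$inventory = $roots.GetEnumerator() | ForEach-Object {
    $browser = $_.Key
    Get-ChildItem -Path "$($_.Value)\*\Extensions\*\*\manifest.json" -ErrorAction SilentlyContinue |
      ForEach-Object {
        $m = Get-Content -Path $_.FullName -Raw | ConvertFrom-Json
        [pscustomobject]@{
            Browser   = $browser
            Profile   = $_.Directory.Parent.Parent.Parent.Name
            Id        = $_.Directory.Parent.Name
            Name      = $m.name
            Version   = $m.version
            FromStore = [bool]($m.update_url -and ($storeUrls -contains $m.update_url))
        }
      }
}
$inventory | Sort-Object FromStore, Browser | Format-Table -AutoSize   # FromStore=False first
```

Rows with FromStore=False are the ones the summary tells you to scrutinize: an extension you do not recognize that did not come from the Chrome Web Store or Edge Add-ons.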
Important detail - Windows only?? (Score:5, Insightful)
From the summary:
The security researchers recommend "enabling and analyzing PowerShell ScriptBlock logging" to detect whether you've been targeted by this attack,
So this seems to indicate the attack is Windows only, is that the case? Kind of an important detail that would be nice to have in the summary.
Re:Important detail - Windows only?? (Score:5, Informative)
The fact that it is limited to three browsers, Chrome, Edge, and Whale (which uses the Chromium engine) also likely means Windows only.
Since PowerShell is limited on Linux and macOS, it seems to be limited to just Windows. The workaround until more details are divulged? Firefox.
Re:Important detail - Windows only?? (Score:5, Informative)
The workaround until more details are divulged? Firefox.
As far as I'm concerned the workaround is to use an email client rather than the browser. I suspect it's a lot more secure, even if it's only a variant of 'security through obscurity'. I also find it much more convenient.
Re:Important detail - Windows only?? (Score:5, Interesting)
As far as I'm concerned the workaround is to use an email client rather than the browser.
It's a browser extension doing what browser extensions do. That's really just a misdirection. The real issue has always been how easy it is to get it transparently installed onto Windows.
Re: (Score:3)
What email client is more secure than a browser?
No email client I know of has the extensive sandboxing that browsers do. None that I know of store your email in anything other than unencrypted files in some part of the filesystem that is accessible to you without any need for privilege escalation.
At best you get security through obscurity, unless it's Outlook in which case it's probably just as big a target as any browser.
Re: (Score:2)
Thanks AmiMoJo - I wrote my 'mea culpa' for this in response to another poster who pointed out that clients are also vulnerable, but didn't think to add it as a reply to my own mistake. My bad - again. :-(
Re: (Score:2)
No worries, it's an interesting debate.
Good old Firefox (Score:4, Informative)
The workaround until more details are divulged? Firefox.
Firefox doesn't get much love these days but it sure is nice to have as an option when you don't want to use Chrome and Safari is either not going to work or misbehaving!
I always keep a copy installed.
Re: (Score:2)
Yesterday I was about to buy clothes from a French clothing company website: It didn't work well in Firefox. I couldn't even get a correct email with a link to reset credentials (it was just after account creation). The email did get sent but the link included was rubbish. Other functions of the website didn't work right either.
I had to use Edge to complete the account creation and purchase.
And this is not a small pop and mom shop: It's a brand that has stores in several e
Re:Yes, Windows is assumed. (Score:4, Informative)
Because desktop Linux is still largely irrelevant.
But Linux servers are not, and a compromised Linux server is a big headline. Success there is rather rare, though, despite how wide and deep Linux server usage is. It's a lot of work to compromise Linux to any usable degree. A large number of compromised Linux servers would be a huge accomplishment, but it never happens.
However, Windows is targeted because it's so easy to compromise. The story is the same for Windows desktops and Windows servers, as there is hardly any difference between the two.
Re: (Score:2)
On RHEL with SELinux enabled it is even harder to compromise.
Re:Important detail - Windows only?? (Score:5, Insightful)
Yes, it's a Windows-only vulnerability. It is neither new nor clever. It's a browser extension; that's all.
Once a system has been compromised by phishing, malware, unpatched vulnerabilities, whatever, the threat actors can install the extension using a malicious VB script that replaces the system preference files.
I know, I know. I read the article. Shame on me.
Re: (Score:2)
It is neither new nor clever. It's a browser extension; that's all.
Exactly, plus the fearsome hackers aren't even Russian or Chinese, just regular North Koreans nobody cares about anymore. What kind of stupid clickbait is this?
Re: (Score:2)
It looks that way. VB scripts will not run on Linux and there is no MS system registry to edit.
Re: (Score:2)
Actually, isn't this the same if you are infected with a malware / backdoor / RAT / whatever which monitors whatever you are doing / seeing?
What's so special with this? 'Cos it only seems to target Gmail, or only Windows (which seems to be the majority of all these sorts of software anyway)? Or because it seems to be Chrome-engine specific?
I really don't get what's so special about this compared to the many others around.
PS: Firefox is my primary browser, so I guess I am safe from this anyway.
Works on three browsers... (Score:4, Funny)
Ha! I use IE6 - "Security by obsolescence!!!" /s
I am glad to see that Firefox is unaffected.
Not a pw + 2FA bypass, just browser hijacking (Score:5, Interesting)
It's kind of odd to say this "bypasses passwords and 2FA" when it's just looking at your browser's content and scraping what your own valid login has access to. Then it ships that off to the attacker. This isn't the first malware to be able to do that, either (though perhaps the first to do it through your browser as opposed to your email client).
That's kind of like saying an attack can bypass your security system and the lock on your front door when all they're doing is walking into the house behind you.
Re: (Score:2)
This isn't the first malware to be able to do that, either (though perhaps the first to do it through your browser as opposed to your email client).
Damn - I wish I'd read your post before I put my foot in my mouth in the one I just wrote. I wasn't aware of this being done in email clients. Glad my toes don't taste too bad today.
I guarantee Google will fix this, pronto! (Score:3)
They don't want to share your personal information with anyone else!
Chrom* (Score:2)
>"and works across three browsers: Google Chrome, Microsoft Edge, and a South Korean client called Whale."
No, it works against ONE browser- Chrom*. There are really only three browsers left, Chrom*, Safari, and Firefox. Two if you restrict to multiplatform. And even then, it requires an extension to be loaded, so it really isn't the browser.
>"The security researchers recommend "enabling and analyzing PowerShell ScriptBlock"
Ah, so now it is only one browser, Chrom*, under one OS, MS-Windows? Monocu