Updated August 4 (see below). This post was originally published on August 2.
Among the best-practice items for protecting your Gmail account, strengthening your login credentials and enabling two-step verification are high on the list, as I mentioned in an article over the weekend. But what if I told you that security researchers have now uncovered evidence of a suspected state-sponsored attack group that has found a way to sidestep both of those protections entirely?
North Korean hacking team can access Gmail without compromising login credentials
According to cybersecurity firm Volexity, its threat research team found the North Korean group ‘SharpTongue’, which appears to be part of or related to the advanced persistent threat group Kimsuky, deploying a malicious browser extension called SHARPEXT that doesn’t need your Gmail login credentials at all.
Instead, it “directly checks and extracts data” from a Gmail account as the victim browses it. This fast-evolving threat, which Volexity says is already at version 3.0 according to the malware’s internal versioning, can harvest email from both Gmail and AOL webmail accounts and works in three Chromium-based browsers: Google Chrome, Microsoft Edge, and a South Korean browser called Whale.
CISA Says Kimsuky Hackers ‘Likely Commissioned by North Korean Regime’
The US Cybersecurity and Infrastructure Security Agency, CISA, says Kimsuky has been active since 2012 and “likely to have been tasked by the North Korean regime with a global intelligence-gathering mission.”
While CISA sees Kimsuky most often targeting individuals and organizations in South Korea, Japan and the US, Volexity says the SharpTongue group has often been seen targeting South Korea, the US and Europe. The common denominator between them is that the victims often “work on matters concerning North Korea, nuclear matters, weapons systems and other matters of strategic interest to North Korea.”
What is different about the SHARPEXT threat for Gmail?
The report says that SHARPEXT differs from previous browser extensions developed by these espionage groups in that it does not attempt to grab login credentials; it bypasses the need for them altogether and captures email data as the user reads it.
The good news is that a system must already be compromised in some way before this malicious extension can be deployed. Unfortunately, we know all too well that compromising a system is not as difficult as it should be.
Once a system has been compromised, whether by phishing, malware, an unpatched vulnerability or anything else, the threat actors install the extension using a malicious VBS script that overwrites the browser’s preference files, so the extension loads as if the user had installed it. Once this is done, the extension runs quietly in the background and is difficult to detect: the user logs into Gmail from their normal browser on their usual machine, so nothing about the login itself looks out of place.
Update, August 4:
It has now been confirmed that the SharpTongue/Kimsuky team is using, as it has long done, “spear phishing and social engineering” tactics built around a malicious document to launch SHARPEXT attacks against Gmail users. There is also confirmation that, at least so far, only Windows users appear to be targeted. The concerns for Microsoft users don’t stop there, however: alongside the SHARPEXT reports, new research shows multi-factor authentication being bypassed by other threat actors targeting email accounts.
The “large-scale” campaign, identified by researchers at Zscaler ThreatLabz, does not target Gmail users, however. Instead, Microsoft’s email services, particularly those used within businesses, are being targeted. According to a Bleeping Computer report, the ultimate goal is to compromise these corporate email accounts and use them to help in “diverting payments to bank accounts under their control using forged documents.”
The fact that this threat can bypass multi-factor authentication account protections makes it stand out from the average phishing campaign. “It uses an adversary-in-the-middle (AiTM) attack technique capable of bypassing multi-factor authentication,” Zscaler research notes, “there are multiple evasion techniques used at various stages of the attack designed to bypass conventional email security and network security solutions.”
The takeaway? Any form of additional verification beyond your password remains necessary, but having enabled 2FA/MFA does not mean you can rest on your laurels. The AiTM portion of the attack places a proxy server between the victim and Microsoft’s servers. The victim enters their password and then their MFA code into what looks like the real login page but is in fact the attacker’s proxy, which forwards each submission to Microsoft as it arrives; Microsoft, seeing a correctly completed login, issues the authenticated session cookie, and that cookie lands on the proxy. By stealing these “authentication cookies”, the attackers get into the account without ever having to satisfy MFA themselves. Where things are no different from most phishing campaigns is in the “how it all starts” phase: an email is sent to the target containing a malicious link.
Just last month, the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft 365 Defender research team confirmed that they had detected phishing campaigns using the AiTM technique to bypass the authentication process with MFA enabled. Based on threat data collected by Microsoft researchers, at least 10,000 organizations have been targeted by such attacks since September 2021. Microsoft says its Microsoft 365 Defender product “detects suspicious activities related to AiTM phishing attacks and their subsequent activities”. Activities reported include stealing session cookies and using them to log into compromised accounts.
Microsoft’s security analysis said the campaigns it saw used an off-the-shelf phishing kit known as Evilginx2 for the AiTM infrastructure. Zscaler’s report, however, suggests that this latest campaign uses a “custom proxy-based phishing kit capable of bypassing multi-factor authentication.”
Microsoft stresses that this is not a vulnerability in MFA itself but the theft of session cookies: once the cookie is stolen, the attacker controls an already-authenticated session, independently of whichever login method the user completed.
Targets are currently in the US and the UK, along with Australia and New Zealand. The industry sectors affected appear to be largely limited to fintech, insurance, lending and energy.
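The relay described above, modelled as an added example (this is not code from the article, Zscaler or Microsoft; every origin, name and secret is constructed, and the network hops are direct method calls so it runs offline). The first function shows the OTP case the article discusses: the proxy forwards password and one-time code as they are typed and ends up holding the session cookie, which is all the mailbox endpoint ever checks. Going beyond the page, the second function runs the same relay against an origin-bound (WebAuthn-style) login to show why it does not survive the proxy.

```python
# Toy model of an adversary-in-the-middle (AiTM) phishing relay: an added illustration,
# not code from the article, Zscaler or Microsoft. Every name, secret and origin is
# constructed, and network hops are direct method calls so the exchange runs offline.
import hashlib
import hmac
import secrets

IDP_ORIGIN = "https://login.idp.test"             # constructed legitimate origin
PHISH_ORIGIN = "https://login.idp-test.evil.test"  # constructed look-alike origin
TIME_STEP = 54_321                                 # fixed "current" TOTP time step
VICTIM_PASSWORD = "correct horse battery"          # constructed victim secrets, the same
VICTIM_OTP_SECRET = b"otp-secret-alice"            # ones registered at the IdP below
VICTIM_DEVICE_KEY = b"device-key-alice"


def otp_for(secret, step):
    """Stand-in for TOTP: HMAC over the time step, truncated to six digits."""
    digest = hmac.new(secret, str(step).encode(), hashlib.sha1).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def sign_assertion(device_key, challenge, origin):
    """Stand-in for a WebAuthn assertion: the signature covers the origin the browser saw."""
    return hmac.new(device_key, f"{challenge}|{origin}".encode(), hashlib.sha256).hexdigest()


class IdentityProvider:
    """Minimal IdP that issues a bearer session cookie after a successful login."""
    def __init__(self):
        self.users = {"alice": (VICTIM_PASSWORD, VICTIM_OTP_SECRET, VICTIM_DEVICE_KEY)}
        self.sessions = {}  # cookie -> username

    def _issue_cookie(self, username):
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = username
        return cookie

    def login_otp(self, username, password, otp, step):
        pw, otp_secret, _ = self.users[username]
        if password != pw or not hmac.compare_digest(otp, otp_for(otp_secret, step)):
            raise PermissionError("bad password or one-time code")
        return self._issue_cookie(username)

    def login_origin_bound(self, username, challenge, client_origin, signature):
        _, _, device_key = self.users[username]
        if not hmac.compare_digest(sign_assertion(device_key, challenge, client_origin), signature):
            raise PermissionError("bad assertion signature")
        if client_origin != IDP_ORIGIN:  # the signed origin must be the IdP's own
            raise PermissionError("assertion is bound to another origin")
        return self._issue_cookie(username)

    def read_mailbox(self, cookie):
        # Only the bearer cookie is checked; who presents it does not matter.
        if cookie not in self.sessions:
            raise PermissionError("no such session")
        return f"mailbox of {self.sessions[cookie]}"


class AitmProxy:
    """Phishing site that forwards every message to the real IdP and keeps the cookies."""
    def __init__(self, idp):
        self.idp = idp
        self.captured = []  # session cookies the IdP handed to the proxy

    def otp_flow(self):
        # The victim types the code from their authenticator into the proxy's page;
        # password and code are forwarded to the real IdP the instant they are submitted.
        code = otp_for(VICTIM_OTP_SECRET, TIME_STEP)
        cookie = self.idp.login_otp("alice", VICTIM_PASSWORD, code, TIME_STEP)
        self.captured.append(cookie)  # Set-Cookie lands on the proxy, not in the victim's browser
        return "Signed in"  # the victim sees an ordinary success page

    def origin_bound_flow(self):
        challenge = secrets.token_hex(16)  # stands in for the challenge the IdP would issue
        # The victim's browser, not the user, fills in the origin of the page it is on.
        signature = sign_assertion(VICTIM_DEVICE_KEY, challenge, PHISH_ORIGIN)
        cookie = self.idp.login_origin_bound("alice", challenge, PHISH_ORIGIN, signature)
        self.captured.append(cookie)
        return "Signed in"


def aitm_bypasses_otp():
    """Attacker replays the captured cookie; no password or MFA prompt is involved."""
    idp = IdentityProvider()
    proxy = AitmProxy(idp)
    proxy.otp_flow()
    return idp.read_mailbox(proxy.captured[0])


def aitm_fails_against_origin_bound():
    """The same relay against an origin-bound login is rejected by the IdP."""
    idp = IdentityProvider()
    try:
        AitmProxy(idp).origin_bound_flow()
    except PermissionError:
        return True
    return False
```

Calling aitm_bypasses_otp() returns the victim’s mailbox from the attacker’s side even though the attacker never saw a password prompt or an MFA challenge; read_mailbox only checks the bearer cookie, which is exactly Microsoft’s point that this is session theft rather than an MFA flaw. aitm_fails_against_origin_bound() returns True because the assertion the victim’s browser produced is bound to the phishing origin, so the IdP rejects it even though the proxy relayed every byte faithfully.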
SHARPEXT Reads Gmail Emails Silently Without Triggering Unusual Google Usage Protections
Because the extension reads mail inside the victim’s own authenticated browser session, there is no new login from an unfamiliar browser, machine or location to alert Google or the user. Bypassing this protection is crucial: it means the threat actors can remain persistent, reading every received and sent email as if they were the user.
To detect and investigate a SHARPEXT attack, Volexity recommends enabling and analyzing PowerShell ScriptBlock logging (enabled through the ScriptBlockLogging policy; the logged script text appears as event ID 4104 in the Microsoft-Windows-PowerShell/Operational log), as PowerShell plays a key role in the setup and installation of the malware. Regularly check your installed browser extensions, especially looking for ones you don’t recognize or that aren’t available from the Chrome Web Store.
That said, the average user should not worry too much, as this group selects its victims specifically. Of course, if you work in a field that might be of interest to them, then you may well be a target.
I contacted Google to see if they had any further advice, but a representative said only that Google “can confirm that the extension code used by the malware is not in the Chrome Web Store.”
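One way to do the extension check Volexity recommends, as an added example rather than Volexity’s tooling or anything from the article. Chrome, Edge and other Chromium browsers record installed extensions under extensions.settings in the profile’s Preferences and Secure Preferences JSON files; the snippet below parses that structure and flags anything not installed from the Chrome Web Store, loaded unpacked from a local directory, lacking the Web Store update URL, or asking for webmail hosts. The JSON fragment is constructed in that shape with made-up IDs, names and paths, and the meanings assumed for from_webstore, location (4 = unpacked) and manifest.update_url are stated in the comments.

```python
# Flag browser extensions that did not come from the Chrome Web Store. Added example,
# not Volexity's tooling or code from the article; the preference fragment below is
# constructed, and field meanings (from_webstore, location == 4 meaning "unpacked",
# manifest.update_url) are assumptions about Chromium's preference format.
import json
import os
from pathlib import Path

WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
LOCATION_UNPACKED = 4
MAIL_HOSTS = ("mail.google.com", "mail.aol.com")

# Default profile directories on Windows for Chrome and Edge (assumed layout).
PROFILE_DIRS = {
    "chrome": Path(os.environ.get("LOCALAPPDATA", "")) / "Google/Chrome/User Data/Default",
    "edge": Path(os.environ.get("LOCALAPPDATA", "")) / "Microsoft/Edge/User Data/Default",
}

# Constructed sample: one Web Store extension and one sideloaded, unpacked extension.
SAMPLE_PREFS = json.dumps({
    "extensions": {"settings": {
        "abcdefghijklmnopabcdefghijklmnop": {
            "from_webstore": True, "location": 1, "state": 1,
            "path": "abcdefghijklmnopabcdefghijklmnop\\1.2.3_0",
            "manifest": {"name": "Sample Store Extension", "version": "1.2.3",
                         "update_url": WEBSTORE_UPDATE_URL,
                         "permissions": ["storage"]},
        },
        "ponmlkjihgfedcbaponmlkjihgfedcba": {
            "from_webstore": False, "location": 4, "state": 1,
            "path": "C:\\Users\\victim\\AppData\\Roaming\\ext",  # constructed sideload path
            "manifest": {"name": "Helper", "version": "3.0",
                         "permissions": ["tabs", "webRequest", "webRequestBlocking",
                                         "https://mail.google.com/*", "https://mail.aol.com/*"]},
        },
    }},
})


def audit_extensions(prefs_text):
    """Return one finding per extension, listing why it looks suspicious."""
    settings = json.loads(prefs_text).get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in settings.items():
        manifest = entry.get("manifest", {})
        reasons = []
        if not entry.get("from_webstore", False):
            reasons.append("not installed from the Chrome Web Store")
        if entry.get("location") == LOCATION_UNPACKED:
            reasons.append("loaded unpacked from a local directory")
        if manifest.get("update_url") != WEBSTORE_UPDATE_URL:
            reasons.append(f"update_url is {manifest.get('update_url')!r}")
        mail_perms = [p for p in manifest.get("permissions", [])
                      if any(host in p for host in MAIL_HOSTS)]
        if mail_perms:
            reasons.append("requests access to webmail hosts: " + ", ".join(mail_perms))
        if reasons:
            findings.append({"id": ext_id, "name": manifest.get("name"),
                             "path": entry.get("path"), "reasons": reasons})
    return findings


def audit_profile(profile_dir):
    """Audit a real profile; on Windows the extension settings live in Secure Preferences."""
    findings = []
    for name in ("Preferences", "Secure Preferences"):
        prefs_file = Path(profile_dir) / name
        if prefs_file.is_file():
            findings.extend(audit_extensions(prefs_file.read_text(encoding="utf-8")))
    return findings


if __name__ == "__main__":
    for finding in audit_extensions(SAMPLE_PREFS):
        print(finding["id"], finding["name"], finding["path"])
        for reason in finding["reasons"]:
            print("  -", reason)
    for browser, profile in PROFILE_DIRS.items():
        for finding in audit_profile(profile):
            print(browser, finding["id"], finding["reasons"])
```

On the constructed sample only the second extension is reported, with all four reasons; a Web Store extension with the standard update URL produces nothing. Run it against a live profile with audit_profile() after closing the browser, since Chromium rewrites these files while it runs, and treat any absolute path under a user-writable directory as worth a closer look regardless of the extension’s name.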
A SHARPEXT threat assessment by a former military and law enforcement intelligence analyst
I also spoke to Ian Thornton-Trump, CISO at threat intelligence specialists Cyjax. A former criminal intelligence analyst with the Royal Canadian Mounted Police who also served in the Military Intelligence Branch of the Canadian Forces, he is well placed to assess this type of suspected nation-state-aligned threat.
“This is interesting to me for a couple of reasons. First, I think North Korea is trying to be more assertive and threatening as the world’s attention is much more focused on the geopolitical ambitions of Russia and China. North Korea is not getting the attention it used to. The threat of North Korea’s nuclear weapons, missile tests and cyberattacks has been reduced to little more than background noise, with attention centered on the pandemic, war in Europe and global climate change,” says Thornton-Trump.
While confirming that malicious browser extensions are nothing new when it comes to threat actors aligned with North Korea’s interests, Thornton-Trump admitted that he was somewhat surprised that the focus of the threat wasn’t ransomware or cryptocurrency wallets. “North Korea remains an international pariah state in terms of access to financial services,” he says, “and survives by effectively exploiting cryptocurrency exchanges and wallets to prop up its economy.”
Direct targeting of Gmail content points to espionage
As for SHARPEXT, Thornton-Trump agrees that directly targeting the contents of Gmail (and AOL webmail) displayed in a web browser is much more espionage-oriented. “This could be seen as a change in tactics,” he told me, “but email attacks have a broad impact and are ideal for lateral movement into third-party applications as well as access to sensitive information.”
Once the host is compromised, he added, it would be interesting to know if the threat actor went into listen-only mode via exfiltration or turned to active exploitation.
“Notably, the malware is delivered and installed from PowerShell, which is very typical, and you’d think that by now, the protections built into Microsoft’s operating system, third-party extended detection and response (XDR), and endpoint detection and response (EDR), along with browser malware protection in the Windows version of Chrome,” he concludes, “would easily prevent these PowerShell invocation attacks. Especially on workstations where you’d think PowerShell activity would be rare for most users of the victim organizations.”