Among the best practice items for Gmail security protection, strengthening your login credentials and enabling two-step verification are high on the list, as I mentioned in an article over the weekend. But what if I were to tell you that security researchers have now uncovered evidence of one likely state-sponsored attack group that has found a way to bypass even these protections?
North Korean hacking group can access Gmail without compromising login credentials.
According to cyber security firm Volexity, the threat research team has found the North Korean ‘SharpTongue’ group, which appears to be part of, or related to, the Kimsuky advanced persistent threat group, deploying malware called SHARPEXT that doesn’t need your Gmail login credentials at all.
Instead, it “directly inspects and exfiltrates data” from a Gmail account as the victim browses it. This quickly evolving threat (Volexity says it is already at version 3.0 according to the malware’s internal versioning) can steal email from both Gmail and AOL webmail accounts, and works across three browsers: Google Chrome, Microsoft Edge, and a South Korean browser called Whale.
The U.S. Cybersecurity & Infrastructure Security Agency, CISA, reports that Kimsuky has been operating since 2012, and is “most likely tasked by the North Korean regime with a global intelligence gathering mission.”
While CISA sees Kimsuky most often targeting individuals and organizations in South Korea, Japan, and the U.S., Volexity says that the SharpTongue group has frequently been seen targeting South Korea, the U.S. and Europe. The common denominator between them is that the victims often “work on topics involving North Korea, nuclear issues, weapons systems, and other matters of strategic interest to North Korea.”
What’s different about the SHARPEXT threat to Gmail?
The report says that SHARPEXT differs from previous browser extensions deployed by these espionage groups in that it doesn’t attempt to grab login credentials at all; it bypasses the need for them and grabs email data as the user reads it.
The good news is that your system needs to be compromised by some means before this malicious extension can be deployed. Unfortunately, we know all too well that system compromise is not as difficult as it should be.
Once a system has been compromised, whether by phishing, malware, or unpatched vulnerabilities, the threat actors can install the extension using a malicious VBS script that replaces the browser’s preference files. Once that’s done and the extension is running quietly in the background, it is tough to detect: the user logs in to their Gmail account from their normal browser on the expected system, so nothing about the session looks unusual.
It has now been confirmed that the SharpTongue/Kimsuky group is using, as was always likely the case, “spear phishing and social engineering” tactics linked with a malicious document to initiate the SHARPEXT attacks against Gmail users. There is also confirmation that, so far at least, only Windows users appear to be targeted. The concerns for Microsoft users don’t end there, though: new reports have revealed that, as in the SHARPEXT campaign, multi-factor authentication is also being bypassed by other threat actors targeting email accounts.
The ‘large scale’ campaign, spotted by researchers from the Zscaler ThreatLabz, does not target Gmail users, though. Instead, it is Microsoft’s email services, specifically those within enterprises, that are in the crosshairs. According to a Bleeping Computer report, the ultimate goal is the compromise of these corporate email accounts to aid in “diverting payments to bank accounts under their control using falsified documents.”
That this threat can bypass multi-factor authentication account protections immediately makes it stand out from your average phishing campaign. “It uses an adversary-in-the-middle (AiTM) attack technique capable of bypassing multi-factor authentication,” the Zscaler research notes, “there are multiple evasion techniques used in various stages of the attack designed to bypass conventional email security and network security solutions.”
The takeaway? While any form of additional verification of your login credentials remains a must-have security essential, that doesn’t mean you should rest on your laurels if you have 2FA/MFA enabled. The AiTM part of the attack places a proxy between the victim and the Microsoft servers. The MFA request is relayed by the proxy server to the victim, who enters their code, but on the attacker’s device rather than directly with Microsoft, and the code is then forwarded on. By stealing the resulting ‘authentication cookies’, the attackers have their method of evading MFA to get back into the account. Where things don’t differ from most phishing expeditions is in the ‘how it all starts’ phase: an email containing a malicious link is sent to the target.
Only last month, the Microsoft Threat Intelligence Center (MSTIC) and Microsoft 365 Defender Research Team confirmed that they had spotted phishing campaigns using the AiTM technique in order to skip the authentication process with MFA enabled. Based on the threat data compiled by Microsoft researchers, at least 10,000 organizations have been targeted by such attacks since September 2021. Microsoft says that the Microsoft 365 Defender product “detects suspicious activities related to AiTM phishing attacks and their follow-on activities.” The activities mentioned include the session cookie thefts and the use of the same to sign into compromised accounts.
The Microsoft security analysis stated that the campaigns it saw were using an off-the-shelf phishing kit known as Evilginx2 for the AiTM infrastructure. The Zscaler report, however, suggests this latest campaign is using a “custom proxy-based phishing kit capable of bypassing multi-factor authentication.”
Microsoft says that this isn’t an MFA vulnerability, but rather the theft of session cookies, which are then used to access an already authenticated session, one that remains authenticated regardless of the user’s sign-in method.
The U.S. and U.K. are currently being targeted, along with Australia and New Zealand. The industry verticals seem to be mainly confined to fintech, insurance, lending, and energy.
SHARPEXT reads Gmail emails silently without triggering Google’s unusual-usage protections
Because the extension rides along inside the victim’s own browser session, there is nothing to alert Google or the user that someone has logged into Gmail from a different browser, machine, or location. Bypassing this protection is crucial, as it means the threat actors can remain truly persistent, reading all received and sent emails as if they were the user themselves.
To detect and investigate a SHARPEXT attack, Volexity recommends enabling and analyzing PowerShell ScriptBlock logging, as PowerShell plays a key role in the setup and installation of the malware. Review installed browser extensions regularly, looking especially for ones you don’t recognize or that are not available from the Chrome Web Store.
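As an added example (not code from Volexity or the report), here is a small Python triage helper in the spirit of the “review installed extensions” advice: it reads a Chrome Preferences JSON file (on Windows normally under %LOCALAPPDATA%\Google\Chrome\User Data\Default\, as Preferences or Secure Preferences) and flags extensions that do not look like Chrome Web Store installs. The field names and the Web Store update URL are assumptions based on Chrome’s preference format, and the sample data is constructed.

```python
import json

# Update URL used by Chrome Web Store installs (assumption for this example;
# confirm against a known-good Preferences file on your own build).
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"


def find_sideloaded_extensions(preferences_json: str) -> list:
    """Return extensions in a Chrome Preferences blob that do not look like
    Web Store installs: from_webstore missing/false, a non-store update_url,
    or an absolute on-disk path (an unpacked or sideloaded extension)."""
    prefs = json.loads(preferences_json)
    settings = prefs.get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, ext in settings.items():
        reasons = []
        if not ext.get("from_webstore", False):
            reasons.append("from_webstore missing or false")
        if ext.get("update_url") != WEBSTORE_UPDATE_URL:
            reasons.append("update_url is not the Web Store")
        path = ext.get("path", "")
        # Store installs use a relative "<id>\<version>" path; an absolute
        # path means the extension was loaded from elsewhere on disk.
        if ":\\" in path or path.startswith("/"):
            reasons.append("loaded from an absolute on-disk path")
        if reasons:
            findings.append({"id": ext_id,
                             "name": ext.get("manifest", {}).get("name", "?"),
                             "path": path, "reasons": reasons})
    return findings


# Constructed sample: one store-installed extension and one sideloaded one.
SAMPLE_PREFERENCES = json.dumps({"extensions": {"settings": {
    "a" * 32: {"from_webstore": True,
               "update_url": WEBSTORE_UPDATE_URL,
               "path": "a" * 32 + "\\1.2.3_0",
               "manifest": {"name": "Legit Store Extension"}},
    "b" * 32: {"from_webstore": False,
               "path": "C:\\Users\\Public\\ext",
               "manifest": {"name": "Sideloaded Extension"}}}}})

if __name__ == "__main__":
    for f in find_sideloaded_extensions(SAMPLE_PREFERENCES):
        print(f["id"], f["name"], f["path"], "; ".join(f["reasons"]))
```

Run against a real file as `find_sideloaded_extensions(open(path).read())`; anything it flags is worth checking against the Web Store listing before deciding it is benign.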
That said, the average user should not worry too much as this group’s victims will be specifically targeted. Of course, if you work in a field that may interest them, then you are in the crosshairs.
A Google spokesperson provided me with the following statement: “The extension in question is not in the Chrome store, and this report does not identify an exploit in Gmail. It speaks to a scenario where a system needs to already be compromised, by spear phishing or social engineering, in order for the malicious extension to be deployed. Enabling anti-malware services and using security hardened operating systems like ChromeOS are best practices to prevent this and similar types of attacks.”
A SHARPEXT threat assessment by a former military and law enforcement intelligence analyst
I also spoke to Ian Thornton-Trump, CISO at threat intelligence specialists Cyjax. A former criminal intelligence analyst with the Royal Canadian Mounted Police who also served with the Canadian Forces’ Military Intelligence Branch, he’s well placed to assess this kind of suspected nation-state aligned threat.
“This is interesting to me for a couple of reasons. Firstly, I think North Korea is trying to be more proactive and threatening as the world’s attention is far more focused on Russia and China’s geopolitical ambitions. North Korea is not getting the attention it used to. The threat of nukes from North Korea, missile tests, and cyberattacks has been reduced to slightly more than background noise with the focus on the pandemic, the war in Europe, and global climate change,” Thornton-Trump says.
While confirming that malicious browser extensions are nothing new regarding threat actors aligned to North Korean interests, Thornton-Trump confessed to being somewhat surprised that the threat focus wasn’t ransomware or cryptocurrency wallets. “North Korea remains an international pariah state when it comes to accessing financial services,” he says, “and has been surviving on effective exploitation of cryptocurrency exchanges and wallets to prop up its economy.”
Directly targeting Gmail content is likely espionage oriented
Regarding SHARPEXT, Thornton-Trump agrees that directly targeting Gmail (and AOL webmail) contents displayed in a web browser is far more espionage oriented. “This could be perceived as a change in tactics,” he told me, “but email attacks have broad impact and are perfect for lateral movement into third-party apps as well as access to sensitive information.”
He added that, once the host is compromised, it would be interesting to know whether the threat actor stayed in listen-only mode, simply exfiltrating mail, or pivoted into active exploitation.
“Remarkably, the malware is delivered and installed by PowerShell, something all too typical, and you would think that by now, the built-in protections to the Microsoft Operating System, third-party extended detection and response (XDR), and endpoint detection and response (EDR), along with browser malware protection in the Windows version of Chrome,” he concludes, “would easily prevent these invoke-PowerShell attacks. Especially on workstations where you would think PowerShell activities would be rare for most victim organizations’ users.”