Among the best practice items for Gmail security protection, strengthening your login credentials and enabling two-step verification are high on the list, as I mentioned in an article over the weekend. But what if I were to tell you that security researchers have now uncovered evidence of one likely state-sponsored attack group that has found a way to bypass even these protections?
MORE FROM FORBESGmail Hackers Target Google Accounts-Here’s How To Stop ThemBy Davey Winder
North Korean hacking group can access Gmail without compromising login credentials
According to cyber security firm Volexity, the threat research team has found the North Korean ‘SharpTongue’ group, which appears to be part of, or related to, the Kimsuky advanced persistent threat group, deploying malware called SHARPEXT that doesn’t need your Gmail login credentials at all.
Instead, it “directly inspects and exfiltrates data” from a Gmail account as the victim browses it. This quickly evolving threat, Volexity says it is already on version 3.0 according to the malware’s internal versioning, can steal email from both Gmail and AOL webmail accounts, and works across three browsers: GoogleGOOG
Edge, and a South Korean client called Whale.
CISA says Kimsuky hackers ‘most likely tasked by North Korean regime’
The U.S. Cybersecurity & Infrastructure Security Agency, CISA, reports that Kimsuky has been operating since 2012, and is “most likely tasked by the North Korean regime with a global intelligence gathering mission.”
CISA has analyzed Kimsuky as part of the National Cyber Awareness System
While CISA sees Kimsuky most often targeting individuals and organizations in South Korea, Japan, and the U. S., Volexity says that the SharpTongue group has frequently been seen targeting South Korea, the U. S. and Europe. The common denominator between them is that the victims often ” work on topics involving North Korea, nuclear issues, weapons systems, and other matters of strategic interest to North Korea.”
MORE FROM FORBESInside The Russian Cybergang Thought To Be Attacking Ukraine-The Trickbot LeaksBy Davey Winder
What’s different about the SHARAR
T threat to Gmail?
The report says that SHARPEXT differs from previous browser extensions deployed by these hacking espionage groups in that it doesn’t attempt to grab login credentials but bypasses the need for these and can grab email data as the user reads it.
The good news is that your system needs to be compromised by some means before this malicious extension can be deployed. Unfortunately, we know all too well that system compromise is not as difficult as it should be.
Once a system has been compromised by phishing, malware, unpatched vulnerabilities, whatever, the threat actors can install the extension using a malicious VBVB
S script that replaces the system preference files. Once that’s done and the extension runs quietly in the background, it is tough to detect. The user logs in to their Gmail account from their normal browser on the expected system.
SHARPEXT reads Gmail emails silently without triggering Google unusual usage protections
There is nothing to alert Google and the user that someone has logged into Gmail from a different browser, machine, or location. Bypassing this protection is crucial as it means the threat actors can remain truly persistent, reading all the received and sent emails as if they were the user themselves.
To detect and investigate a SHARPEXT attack, Volexity recommends enabling and analyzing PowerShell ScriptBlock logging as PowerShell plays a key role in the setup and installation of the malware. Review installed extensions regularly, especially looking for ones you don’t recognize or are not available from the Chrome Web Store.
That said, the average user should not worry too much as this group’s victims will be specifically targeted. Of course, if you work in a field that may interest them, then you are in the crosshairs.
I reached out to Google to see if it had any further advice, but a spokesperson only said that Google “can confirm the extension code the malware uses is not present in the Chrome Web Store.”
MORE FROM FORBESGoogle Chrome: 0Day Targets Journalists, 11 New Security Holes Plugged In Latest UpdateBy Davey Winder
A SHARPEXT threat assessment by former military and law enforcement intelligence analyst
I also spoke to Ian Thornton-Trump, CISO at threat intelligence specialists Cyjax. A former criminal intelligence analyst with the Royal Canadian Mounted Police and having also served with the Canadian Forces’ Military Intelligence Branch, he’s well placed to assess this kind of suspected nation-state aligned threat.
“This is interesting to me for a couple of reasons. Firstly, I think North Korea is trying to be more proactive and threatening as the world’s attention is far more focused on Russian and China’s geopolitical ambitions. North Korea is not getting the attention it used to. The threat of nukes from North Korea, missile tests, and cyberattacks has been reduced to slightly more than background noise with the focus on the pandemic, the war in Europe, and global climate change,” Thornton-Trump says.
While confirming that malicious browser extensions are nothing new regarding threat actors aligned to North Korean interests, Thornton-Trump confessed to being somewhat surprised that the threat focus wasn’t ransomware or cryptocurrency wallets. “North Korea remains an international pariah state when it comes to accessing financial services,” he says, “and has been surviving on effective exploitation of cryptocurrency exchanges and wallets to prop up its economy.”
Directly targeting Gmail content is likely espionage oriented
Regarding SHARPEXT, Thornton-Trump agrees that directly targeting Gmail (and AOL webmail) contents displayed in a web browser is far more espionage oriented. “This could be perceived as a change in tactics,” he told me, “but email attacks have broad impact and are perfect for lateral movement into third-party apps as well as access to sensitive information.”
Once the host is compromised, he added that it would be interesting to know if the threat actor went into listen-only mode via exfiltration or pivoted into active exploitation.
“Remarkably, the malware is delivered and installed by PowerShell, something all too typical, and you would think that by now, the built-in protections to the Microsoft Operating System, third-party extended detection and response (XDR), and endpoint detection and response (EDR), along with browser malware protection in the Windows version of Chrome,” he concludes, “would easily prevent these invoke- PowerShell attacks. Especially on workstations where you would think PowerShell activities would be rare for most victim organization’s users.”