Gmail Vulnerability Bypasses Passwords, 2-Factor Authentication To Access Emails

Cybersecurity firm Volexity has found a North Korean group of cyber attackers able to read a victim’s Gmail even when the account has two-factor authentication activated.

To the unaware, two-factor authentication adds an additional layer of security over the standard username and password. According to Volexity, its threat research team has found the North Korean ‘SharpTongue’ group, which is either a part of or linked to the Kimsuky advanced persistent threat group, deploying malware dubbed SHARPEXT.

How does it attack?

The malware directly inspects and exfiltrates data from a Gmail account while the user is browsing it. What’s scary is that, as per the cybersecurity firm, the threat is already on its third version and is capable of stealing email from Gmail and AOL accounts in three popular browsers: Google Chrome, Microsoft Edge, and a South Korean browser called Whale.

The threat works in the garb of a harmless extension. Unlike previous extensions that try to steal user credentials, this one bypasses the need for stealing them entirely. 

Now, there is some silver lining to this. The threat can only be deployed if the system has already been compromised by some other means. However, the biggest challenge is that systems are not that difficult to infect: phishing, malware, and unpatched vulnerabilities all readily exist to make that happen.

Once a system is infected, the attackers install the extension using a malicious VBScript that replaces the browser’s preference files. Once that’s done and the extension is installed, it runs in the background and is almost impossible for the user to detect.

Sadly, nothing will alert Google that a malicious login has taken place, because no login occurs: the threat lets the bad actors read the emails as if they were the user themselves.

According to cybersecurity firm Volexity, its threat research team has found the North Korean ‘SharpTongue’ group, which appears to be part of, or related to, the Kimsuky advanced persistent threat group, deploying malware called SHARPEXT that doesn’t need your Gmail login credentials at all.

Instead, it “directly inspects and exfiltrates data” from a Gmail account as the victim browses it. This quickly evolving threat (Volexity says it is already on version 3.0 according to the malware’s internal versioning) can steal email from both Gmail and AOL webmail accounts, and works across three browsers: Google Chrome, Microsoft Edge, and a South Korean browser called Whale.

How to stay safe from this vulnerability?

Volexity offers guidance for detecting and mitigating this threat.

  • It recommends enabling and analysing PowerShell ScriptBlock logging, as PowerShell plays a key role in the setup and installation of the malware.
  • It also asks users to review installed browser extensions regularly, especially any you don’t recognise or that are not available from the Chrome Web Store. It also highlights that this is a targeted attack, aimed at specific users.
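The two recommendations above, and the earlier point that the extension arrives through a script that replaces the browser’s preference files, translate into checks an administrator can run. The PowerShell below is an added example written for this page; it is not code from the article or from Volexity. It assumes the standard Chrome and Edge profile locations under `%LOCALAPPDATA%`, the store update URLs used by Chrome Web Store and Edge Add-ons extensions, and a guessed profile path for Whale that should be verified on a real install.

```powershell
# Added example, not from the article or from Volexity. Two administrator
# checks that follow Volexity's advice: turn on ScriptBlock logging, then
# review which extensions each Chromium-based browser profile has loaded,
# flagging those not served from an official store or loaded unpacked.
# Chrome/Edge paths are the standard ones; the Whale path is an assumption.

# --- 1. Enable PowerShell ScriptBlock logging (events land in
#        Microsoft-Windows-PowerShell/Operational as Event ID 4104).
#        Run from an elevated shell; Group Policy is the usual way at scale.
function Enable-ScriptBlockLogging {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'EnableScriptBlockLogging' `
        -Value 1 -PropertyType DWord -Force | Out-Null
}

# --- 2. Pull recent 4104 events and keep the ones whose script text touches
#        browser preference files or extension directories.
function Get-SuspiciousScriptBlocks {
    param([int]$MaxEvents = 1000)
    $needles = 'Secure Preferences', 'Preferences', 'Extensions\', 'chrome.exe', 'msedge.exe'
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object {
            $text = $_.Message
            ($needles | Where-Object { $text -like "*$_*" }).Count -gt 0
        } |
        Select-Object TimeCreated, Message
}

# --- 3. Enumerate extensions per profile straight from the Preferences /
#        Secure Preferences JSON that the installer script is said to replace.
function Get-BrowserExtensions {
    $roots = @(
        "$env:LOCALAPPDATA\Google\Chrome\User Data",
        "$env:LOCALAPPDATA\Microsoft\Edge\User Data",
        "$env:LOCALAPPDATA\Naver\Naver Whale\User Data"   # assumed; verify on a Whale install
    )
    # update_url values carried by store-delivered extensions.
    $storeUrls = @(
        'https://clients2.google.com/service/update2/crx',
        'https://edge.microsoft.com/extensionwebstorebase/v1/crx'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        $prefFiles = Get-ChildItem -Path $root -Recurse -Depth 1 -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -in 'Preferences', 'Secure Preferences' }
        foreach ($pref in $prefFiles) {
            try { $json = Get-Content -Raw -Path $pref.FullName | ConvertFrom-Json } catch { continue }
            $settings = $json.extensions.settings
            if (-not $settings) { continue }
            foreach ($entry in $settings.PSObject.Properties) {
                $ext = $entry.Value
                [pscustomobject]@{
                    Browser   = Split-Path (Split-Path $root -Parent) -Leaf
                    Profile   = $pref.Directory.Name
                    PrefFile  = $pref.Name
                    Id        = $entry.Name
                    Name      = $ext.manifest.name
                    # Store installs carry a store update_url; a missing or
                    # custom one deserves a look.
                    FromStore = [bool]($ext.manifest.update_url -and ($storeUrls -contains $ext.manifest.update_url))
                    # Store installs record a relative path (<id>\<version>); an
                    # absolute path means the extension was loaded unpacked from disk.
                    Unpacked  = [bool]($ext.path -and [System.IO.Path]::IsPathRooted($ext.path))
                    Path      = $ext.path
                }
            }
        }
    }
}

# Review pass: anything not from a store, or loaded unpacked, goes to the analyst.
Get-BrowserExtensions |
    Where-Object { -not $_.FromStore -or $_.Unpacked } |
    Sort-Object Browser, Profile, Id |
    Format-Table Browser, Profile, Id, Name, FromStore, Unpacked, Path -AutoSize
```

Expect some benign hits in the review pass: the browser’s own component extensions and anything pushed by enterprise policy also lack a store update URL, so compare the output against a known-good baseline from a clean machine rather than treating every row as malicious. Reading the preference files directly, rather than relying on the browser’s extensions page, matters here because the article’s point is that the extension runs without any visible install prompt.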