Cybersecurity firm Volexity has identified a North Korean threat group that can read a victim's Gmail inbox even when the account has two-factor authentication enabled.
To the unaware, two-factor authentication adds an additional layer of security on top of the standard username and password. According to Volexity, its threat research team found the North Korean 'SharpTongue' group, which it assesses to be either part of or closely linked to the Kimsuky advanced persistent threat group, deploying malware it dubbed SHARPEXT.
The malware inspects and exfiltrates data directly from a Gmail account while the user is browsing it. What's worrying is that, according to the firm, the malware is already on its third version and can steal email from Gmail and AOL accounts in three Chromium-based browsers: Google Chrome, Microsoft Edge, and the South Korean browser Whale.
The threat takes the form of a seemingly harmless browser extension. Unlike earlier malicious extensions that tried to steal credentials, this one does not need them at all: it reads mail from the browser session the victim has already logged into, so neither the password nor a second factor is ever requested.
There is a silver lining. The extension can only be deployed on a system that has already been compromised by some other means. The catch is that systems are not that hard to compromise: phishing, commodity malware and unpatched vulnerabilities all remain readily available routes in.
Once a system is infected, the attackers install the extension with a malicious VBS script that replaces the browser's preference files (the Preferences and Secure Preferences files in which Chromium-based browsers record which extensions are installed). With the extension in place, it runs in the background and is hard for the user to notice.
Sadly, nothing alerts Google, because no login ever takes place: the mail is read through the victim's own authenticated session, so to Google the activity looks exactly like the user reading their own inbox. Essentially, the attackers can read the emails as if they were the user.
Volexity has recommendations for detecting this threat. It advises enabling and analysing PowerShell ScriptBlock logging, since PowerShell plays a key role in the setup and installation of the malware.
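As an added example (not Volexity's code and not part of the original article), the script below shows one way to act on that advice once logging is on: Event ID 4104 records in the Microsoft-Windows-PowerShell/Operational log carry the full text of each executed script block in a ScriptBlockText field. The triage takes a list of such records (constructed samples here, simplified to a record id and the script text) and flags blocks that write into a Chromium-family browser profile, touch its preference files, or side-load an extension, which matches the installation chain described above. The indicator patterns are assumptions derived from the article, not Volexity's published indicators, and the Naver Whale profile path is assumed.

```python
"""Triage PowerShell ScriptBlock log records for the installation chain the
article describes: a script that writes into a Chromium-family browser profile
or replaces its preference files.

Added example, not part of the article and not Volexity's tooling. The events
below are constructed samples; the indicator patterns are assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Chromium-family profile directories on Windows. Chrome and Edge paths are
# standard; the Naver Whale path is assumed.
BROWSER_PROFILE_RE = re.compile(
    r"(Google\\Chrome|Microsoft\\Edge|Naver\\Naver Whale)\\User Data",
    re.IGNORECASE,
)
# The files Chromium uses to record installed extensions.
PREF_FILE_RE = re.compile(r"Secure Preferences|\bPreferences\b", re.IGNORECASE)
# Cmdlets and .NET calls that write or copy files.
WRITE_RE = re.compile(
    r"Set-Content|Out-File|Copy-Item|Move-Item|WriteAllText|WriteAllBytes",
    re.IGNORECASE,
)
# Ways to load an extension outside the store (assumed heuristics).
SIDELOAD_RE = re.compile(r"--load-extension|ExtensionInstallForcelist", re.IGNORECASE)


@dataclass
class ScriptBlockEvent:
    """Minimal view of an Event ID 4104 record: its id and ScriptBlockText."""
    record_id: int
    script_block_text: str


def score_event(ev: ScriptBlockEvent) -> List[str]:
    """Return the reasons a script block looks like browser tampering (empty if none)."""
    text = ev.script_block_text
    in_profile = BROWSER_PROFILE_RE.search(text) is not None
    reasons = []
    # A bare 'Preferences' mention elsewhere on disk is not interesting; require
    # the browser profile path as well to keep false positives down.
    if in_profile and PREF_FILE_RE.search(text):
        reasons.append("references browser preference file")
    if in_profile and WRITE_RE.search(text):
        reasons.append("writes into browser profile directory")
    if SIDELOAD_RE.search(text):
        reasons.append("uses an extension side-load mechanism")
    return reasons


def triage(events: List[ScriptBlockEvent]) -> Dict[int, List[str]]:
    """Map record id -> reasons for every event that scored at least one hit."""
    hits = {}
    for ev in events:
        reasons = score_event(ev)
        if reasons:
            hits[ev.record_id] = reasons
    return hits


# Constructed sample records, not real log data.
SAMPLE_EVENTS = [
    ScriptBlockEvent(1, r"Get-ChildItem $env:USERPROFILE\Documents | Measure-Object"),
    ScriptBlockEvent(2, r'Copy-Item "$env:TEMP\sp.json" '
                        r'"$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Secure Preferences" -Force'),
    ScriptBlockEvent(3, r'Start-Process msedge.exe -ArgumentList "--load-extension=$env:APPDATA\ext"'),
    ScriptBlockEvent(4, r'Set-Content C:\App\Preferences.txt "theme=dark"'),
]


def triage_sample() -> Dict[int, List[str]]:
    """Run the triage over the constructed samples; records 2 and 3 should be flagged."""
    return triage(SAMPLE_EVENTS)


if __name__ == "__main__":
    for rid, reasons in triage_sample().items():
        print(f"record {rid}: {'; '.join(reasons)}")
```

ScriptBlock logging is off by default; it is turned on through the "Turn on PowerShell Script Block Logging" policy, or by setting EnableScriptBlockLogging to 1 under HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging, after which the 4104 events can be exported with Get-WinEvent and fed to triage(). Record 4 above is deliberately a near miss: it writes a file called Preferences but outside any browser profile, so it is not flagged. Legitimate software (backup agents, browser sync) can also write into a profile directory, so treat hits as leads to review rather than verdicts.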
It also asks users to review installed browser extensions regularly, especially any they don't recognise or that are not available from the Chrome Web Store. It also notes that the attacks are targeted, aimed at specific users rather than deployed indiscriminately.
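To make that review systematic, here is an added example (not from the article and not Volexity's tooling) that audits the 'extensions.settings' map which Chromium-based browsers keep in each profile's Secure Preferences file, and reports every extension that is not clearly store-installed: a missing or false from_webstore flag, an update_url that is not the Chrome Web Store or Edge Add-ons endpoint, or an extension loaded unpacked from a directory on disk. The sample file is constructed and trimmed to the fields the audit uses, with made-up extension ids and names; the Naver Whale profile path is assumed.

```python
"""Audit a Chromium-family browser profile for extensions that did not come
from an official store, which is the review Volexity recommends.

Added example, not part of the article and not Volexity's tooling. It reads
the 'extensions.settings' map that Chromium keeps in the profile's
'Secure Preferences' file; the sample document below is constructed and
trimmed to the fields the audit uses, with made-up extension ids and names."""
import json
from typing import Any, Dict, List

# update_url values used by the official stores.
STORE_UPDATE_URLS = {
    "https://clients2.google.com/service/update2/crx",          # Chrome Web Store
    "https://edge.microsoft.com/extensionwebstorebase/v1/crx",  # Microsoft Edge Add-ons
}
# Chromium's ManifestLocation enum: 4 = UNPACKED (loaded from a directory),
# 5 = COMPONENT (shipped with the browser).
LOCATION_UNPACKED = 4
LOCATION_COMPONENT = 5

# Default profile paths on Windows; the Whale path is assumed.
PROFILE_SECURE_PREFS = [
    r"%LOCALAPPDATA%\Google\Chrome\User Data\Default\Secure Preferences",
    r"%LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Secure Preferences",
    r"%LOCALAPPDATA%\Naver\Naver Whale\User Data\Default\Secure Preferences",
]


def audit_extensions(secure_prefs: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return one finding per extension that is not clearly store-installed."""
    findings = []
    settings = secure_prefs.get("extensions", {}).get("settings", {})
    for ext_id, meta in settings.items():
        if meta.get("location") == LOCATION_COMPONENT:
            continue  # bundled with the browser, not installed by anyone
        manifest = meta.get("manifest", {})
        reasons = []
        # A missing flag is treated as 'not from the store'.
        if not meta.get("from_webstore", False):
            reasons.append("from_webstore is false or missing")
        if manifest.get("update_url") not in STORE_UPDATE_URLS:
            reasons.append("update_url is not an official store")
        if meta.get("location") == LOCATION_UNPACKED:
            reasons.append("loaded unpacked from " + meta.get("path", "<unknown>"))
        if reasons:
            findings.append({"id": ext_id,
                             "name": manifest.get("name", "<unnamed>"),
                             "reasons": reasons})
    return findings


def audit_profile(path: str) -> List[Dict[str, Any]]:
    """Audit a Secure Preferences file on disk (UTF-8 JSON)."""
    with open(path, encoding="utf-8") as fh:
        return audit_extensions(json.load(fh))


# Constructed sample: one store extension, one component, one unpacked extension.
SAMPLE_SECURE_PREFERENCES = json.loads(r'''{
  "extensions": {
    "settings": {
      "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "from_webstore": true, "location": 1,
        "manifest": {"name": "Sample Store Extension",
                     "update_url": "https://clients2.google.com/service/update2/crx"}
      },
      "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "from_webstore": false, "location": 5,
        "manifest": {"name": "Sample Component"}
      },
      "cccccccccccccccccccccccccccccccc": {
        "from_webstore": false, "location": 4,
        "path": "C:\\Users\\alice\\AppData\\Roaming\\ext",
        "manifest": {"name": "Sample Unpacked Extension"}
      }
    }
  }
}''')


def audit_sample() -> List[Dict[str, Any]]:
    """Run the audit over the constructed sample; only the unpacked extension should be reported."""
    return audit_extensions(SAMPLE_SECURE_PREFERENCES)


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f['id']} ({f['name']}): {'; '.join(f['reasons'])}")
```

In practice, expand each path in PROFILE_SECURE_PREFS (and any non-Default profile directories) and pass it to audit_profile(). An unpacked extension with no update_url whose path sits under a user-writable directory such as AppData\Roaming is exactly the shape the article warns about and deserves a closer look at the files on disk.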