News Bits on Email Security
In today’s evolving threat landscape, email authentication is one crucial aspect that no organization can afford to ignore. With threat actors updating their techniques and methodologies to bypass authentication systems, it has become necessary to be aware of these developments.
1. A New Gmail Attack Variant Bypasses Passwords and 2FA
According to the threat research team of cyber security firm Volexity, the North Korean ‘SharpTongue’ group, which appears related to the Kimsuky APT (advanced persistent threat) group, deployed malware named SHARPEXT that doesn’t require users’ Gmail login credentials.
Instead, it “inspects and exfiltrates data directly ” from the victim’s Gmail account as they browse it. It is a quickly evolving threat, and experts at Volexity state it has already reached version 3.0 as per the malware’s internal versioning. The SHARPEXT malware can steal email from AOL and Gmail webmail accounts and targets Microsoft Edge, Google Chrome, and Whale, a South Korean client.
How is the SHARPEXT threat Different?
The report states that SHARPEXT differs from previous browser extensions that the hacking espionage groups have deployed. It doesn’t grab the user’s login credentials but bypasses their need and grabs email data as the victim reads it.
However, the good news is that the victim’s system must be compromised earlier if the malicious extension needs to be deployed. Unfortunately, it is a well-known fact that system compromise is not a difficult task for cyber adversaries.
Once a system gets compromised by unpatched vulnerabilities, phishing, malware, etc., the cybercriminals can use a malicious VBS script to replace the system preference files and install the extension. The extension runs silently in the background and is difficult to detect.
This incident tells why it’s important to deploy email authentication measures such as DMARC, DKIM, and SPF.
2. Healthcare Professionals Switching From Email To ‘More Secure’ Fax – A Cloud Fax Company
A new study states that many healthcare professionals say that flaws in the web security landscape are prompting them to return to an “extremely” secure medium: fax. The eFax research, published earlier this month, surveyed 1,000 IT decision-makers in Europe and the UK.
According to the report, 62% of the healthcare sector respondents said that security was the primary reason they wanted to migrate to cloud-based fax systems. Furthermore, 21% of respondents believed digital fax systems are an “extremely” secure technology.
What is ‘cloud fax’?
Cloud faxing removes the requirement of on-premise equipment on both sides of the transmission. The users can use an online service to send fax quickly, to be viewed or printed by the recipient.
37% of respondents among fax users in healthcare said they used “cloud-based fax” systems, and 21% said they used both traditional and cloud faxing.
The research was conducted by eFax, a company that displays the slogan: “The fast and easy way to receive and send faxes by email.”
3. XSS Discovered in Gmail’s AMP for Email
A security researcher received a $5,000 bug bounty payout when he discovered a cross-site scripting (XSS) vulnerability in Gmail’s dynamic email feature, AMP for Email.
Bringing AMP functionality to interactive emails, AMP for Email leverages the open-source HTML framework suitable for optimizing websites for mobile browsing.
Adi Cohen, the security researcher who unearthed the security flaw, said he had little trouble finding a vector triggering an XSS in the AMP playground. However, he noted that bypassing Gmail’s XSS filter was a much tougher assignment.
Cohen further elaborated that tricking the XSS filter into a different rendering context than how the browser uses it to render a given piece of code is the easiest way to circumvent it.
Since AMP for Email forbids templates, math, SVG, and CSS, he targeted stylesheets as the potential path for XSS payload having multiple rendering contexts.
It required a discrepancy in how the stylesheet is rendered by the browser and by “tricking the filter into believing a fake style tag is real.”
Cohen’s initial vector was successful in the sandbox because AMP will leave the CSS context whenever it encounters the ‘</style’ string, even if there is no closing bracket (>) or whitespace after it. Then he tricked the filter into believing it was back in the HTML context while the browser ignored </styleX> entirely and stayed within the CSS realm.
4. Another Phishing Attack Targets Microsoft Email Users, Bypassing Multi-Factor Authentication
Cybersecurity researchers at Zscaler recently uncovered the latest large-scale phishing campaign that targets Microsoft email users. The primary targets of the malicious campaign are corporate users, especially end users in Enterprise environments using Microsoft email services.
Cybercriminals use Adversary-in-The-Middle (AiTM) techniques for bypassing multi-factor authentication (MFA). Microsoft informed about a similar attack in early July that targeted over 10,000 organizations, using AiTM techniques to bypass MFA protections.
Zscaler described the latest attack as highly sophisticated, which uses multiple evasion techniques in various stages of the attack. These techniques are designed to bypass conventional network and email security solutions.
Most enterprises targeted by the malicious campaign are in the United Kingdom, United States, Australia, and New Zealand. FinTech, Lending, Accounting, Energy, Finance, Insurance, and Federal Credit Union are the main sectors targeted.
How does The Attack Take Place?
The attack starts when phishing emails are sent out to Microsoft email addresses. The progression of the attack depends on phishing emails and the users interacting with them. The malicious emails can contain a link to a phishing domain or HTML attachments containing the link. In any case, the user must click on the link to start the infection chain.
Strikingly similar to the phishing campaign described by Microsoft earlier, phishing emails in this campaign use a variety of topics to gain the user’s attention. One email lured the user by suggesting it contained an invoice for review, and another said a new document needed to be viewed online.
The legitimacy of an email’s true ownership is critical for communication. In a Business Email Compromise (BEC) cyberattack, the victimized organization can face brand erosion, financial loss, and lost consumer trust. It is clear from the discussion that security standards like MFA and 2FA are not enough to stop attackers. Individuals and organizations need email authentication standards, using SPF, DKIM, and DMARC protocols for protecting the email and domain from unwanted threats.