North Korean Hackers Utilizing Malicious Browser Extension to Surveillance Email Accounts, Cybersecurity Experts Warn

  • Written by Ari Denial, Cybersecurity & Tech Writer

A malicious browser extension capable of stealing email content from Gmail and AOL accounts has been deployed by a threat actor whose interests align with those of North Korea.

German and South Korean intelligence agencies have issued a joint cybersecurity advisory warning of Kimsuky’s use of Chrome extensions to illicitly access the Gmail accounts of its targets.

The North Korean threat group Kimsuky is expanding its spear-phishing operations to target diplomats, journalists, and government agencies in the USA and Europe. The joint security advisory warns that the group uses two attack methods: a malicious Chrome extension and malicious Android applications.

Cybersecurity firm Volexity attributes the malware to the SharpTongue activity cluster, which overlaps with the North Korean threat group Kimsuky. SharpTongue has a track record of targeting individuals working on sensitive topics involving North Korea and nuclear issues in the USA, Europe, and South Korea.

The malicious Chrome extension, named ‘AF’, is visible in the browser’s extension list only when the user navigates directly to that page by entering its specific address, cybersecurity experts find.

When the victim accesses Gmail through the infected browser, the ‘AF’ extension activates automatically and illicitly intercepts and steals the victim’s email content, cybersecurity experts caution.

The extension abuses the browser’s DevTools API (developer tools API) to send the stolen data to the attacker’s relay server. Because the mail is read through the victim’s already-authenticated browser session, the emails are stolen without any account security protection being broken or bypassed. Kimsuky has a history of exploiting malicious Chrome extensions to steal emails from compromised systems.
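A defender-side triage check for the behaviour described above (an extension reaching mail through the DevTools surface), added here as an example and not code from the advisory or from Volexity: it parses Chrome extension manifests and flags a declared devtools_page, the debugger permission, and broad host access. The sample manifest is constructed for illustration, and the Windows profile path in the comment is an assumption about the local install.

```python
import json
from pathlib import Path

# Manifest traits worth flagging when triaging installed Chrome extensions.
# A devtools_page script loads whenever DevTools opens; the "debugger"
# permission exposes the Chrome DevTools Protocol to the extension.
RISKY_PERMISSIONS = {"debugger"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def assess_manifest(manifest: dict) -> list:
    """Return human-readable findings for one extension manifest."""
    findings = []
    if "devtools_page" in manifest:
        findings.append("declares devtools_page: " + str(manifest["devtools_page"]))
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    for perm in sorted(perms & RISKY_PERMISSIONS):
        findings.append("requests permission: " + perm)
    # MV2 lists host patterns under "permissions"; MV3 uses "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    if hosts & BROAD_HOSTS:
        findings.append("broad host access: " + ", ".join(sorted(hosts & BROAD_HOSTS)))
    return findings


def scan_extensions_dir(root: Path) -> dict:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and return {id: findings}."""
    results = {}
    for manifest_path in root.glob("*/*/manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue
        findings = assess_manifest(manifest)
        if findings:
            results[manifest_path.parent.parent.name] = findings
    return results


# Constructed sample manifest (not the real AF manifest) carrying the traits the scan flags.
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "Mail Helper",
    "version": "1.0",
    "devtools_page": "devtools.html",
    "permissions": ["storage", "tabs", "debugger"],
    "host_permissions": ["<all_urls>"],
}

if __name__ == "__main__":
    for line in assess_manifest(SAMPLE_MANIFEST):
        print("-", line)
    # Assumed Windows profile path for a real scan:
    # scan_extensions_dir(Path.home() / "AppData/Local/Google/Chrome/User Data/Default/Extensions")
```

A hit is a starting point for review, not proof of malice: legitimate developer tooling also declares devtools_page, so compare findings against the extension’s stated purpose and install source.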

Months after the Kimsuky actor employed the Konni RAT to target political institutions in Russia and South Korea, new research links the hacking group to the malicious Chrome extension ‘AF’, used to steal email content from compromised Gmail accounts, the cybersecurity firm reports.

To mitigate the risk of cyber attacks, experts recommend regularly updating software, exercising caution when opening unexpected emails or links, and conducting periodic monitoring of accounts to identify and respond to suspicious activity.

Coinbase Wallet Exposed to Attackers Due to ‘Red Pill’ Flaw, Causing Security Concerns

  • Written by Ari Denial, Cybersecurity & Tech Writer

A vulnerability found in Coinbase Wallet and other decentralized crypto apps allows malicious smart contracts to evade security features through “red pill” attacks.

Coinbase is a top crypto exchange that enables users to store, manage, and purchase ERC-20 tokens, Bitcoin, and Ethereum through its popular wallet app. ZenGo discovered the red pill attack, which exploits security flaws shared by Coinbase and other cryptocurrency wallet providers.

Transaction simulation is a common security feature in Web3 platforms that uses sandbox emulation to anticipate the results of cryptocurrency transactions before they are executed. Its main purpose is to prevent cryptocurrency scams and theft by allowing users to test and preview their transactions before initiating them.

ZenGo identified a technique called the “red pill attack” that exploits transaction simulators and enables the theft of cryptocurrency. The attack relies on the malicious contract detecting that it is running inside a simulation: it behaves benignly there, deceiving the simulation-based protections, and reveals its malicious intent only when executed in a real environment, according to ZenGo’s research blog.

Smart contracts can also be exploited by threat actors for malicious purposes, such as stealing cryptocurrency that has been sent or draining a wallet of its assets.

Distinguishing between malicious and legitimate contract signing requests is difficult, posing a challenge for cryptocurrency holders trying to navigate potential dangers.

The six cryptocurrency wallet apps that were found to be vulnerable to “red pill attacks” by ZenGo Wallet are Coinbase wallet, Rabby wallet, Blowfish, PocketUniverse, Fire Extension, and an unnamed extension that has yet to address the issue.

Following the report from ZenGo Wallet, all of the mentioned vendors, except for one unnamed extension, have implemented fixes on their transaction simulation to address the vulnerability.

The fix is for simulators to stop populating such variables with arbitrary values, so that a malicious contract cannot use them as “red pills” to tell a simulation apart from real execution.