
    Date: 8/3/2022

    SHARPEXT – A Mail-Stealing Browser Extension

    Overview

    Security researchers from the Volexity security firm have identified a malicious browser extension named SHARPEXT. This extension is being used as a post-exploitation tool for the North Korean threat actor group Kimsuky, also known as SharpTongue. The primary purpose of the extension is to maintain persistence on compromised assets.

    Potential Impact

    SHARPEXT is unlike other malicious browser extensions. Instead of attempting to steal credentials, SHARPEXT exfiltrates data from victim email boxes, which can result in substantial data loss and a significant confidentiality impact. Researchers also believe that SHARPEXT is under active development and that additional capabilities may be added.

    Recommended Actions

    Although malicious browser extensions are not uncommon, SHARPEXT is unique in its deployment as a post-exploitation tool. Threat actors constantly evolve their attack patterns, and post-exploitation browser extensions may become a more mainstream attack vector.

    Organizations should implement adequate network traffic monitoring and analysis to identify potentially malicious traffic. Organizations can also protect themselves from attacks like this by conducting routine security awareness training that helps end users recognize suspicious browser extensions and act accordingly. Additionally, network security monitoring is an effective measure for detecting the command-and-control communications of post-exploitation tools.


      VMware Critical Vulnerability

      Overview

      VMware has warned of several critical security vulnerabilities affecting various products, including CVE-2022-31656. In response, VMware has released security patches, documented in advisory VMSA-2022-0021 on vmware.com. This vulnerability has been given a CVSS base score of 9.8 because it allows remote code execution without authentication.

      Potential Impact

      These vulnerabilities include authentication bypass, remote code execution, SQL injection, local privilege escalation, and URL injection. Many of these vulnerabilities are rated as critical with CVSS scores above 7.5 and should be patched as quickly as possible.

      Recommended Actions

      VMware has published a patch for each vulnerability, either as part of a larger security update or as an individual patch. These can be found on the VMware site, along with additional information on each vulnerability, its severity, and its potential impact.

      Sources

      https://www.bleepingcomputer.com/news/security/vmware-urges-admins-to-patch-critical-auth-bypass-bug-immediately/?&web_view=true
      https://www.vmware.com/security/advisories/VMSA-2022-0021.html

      New Critical Google Patch for Android Users

      Overview

      This month’s Android Security Bulletin from Google includes more than 30 vulnerabilities patched in the latest Android security updates. Among them is a remote code execution vulnerability reachable over Bluetooth that requires no additional privileges; it has been assigned CVE-2022-20345 and rated High severity. The remaining vulnerabilities affect multiple Android components, including Framework, System, Kernel, and Qualcomm components.

      Potential Impact

      Android devices have a large presence in the mobile device market for personal and business use. Vulnerabilities in these devices can leave organizations at risk for losing data availability, integrity, or confidentiality.

      Recommended Actions

      Although Android device vulnerabilities are frequent, Google regularly publishes security updates. Organizations should implement strong patching policies for any business-owned Android devices and strongly encourage end users to monitor for and apply security patches on their personal devices.

      Sources

      https://www.infosecurity-magazine.com/news/google-patches-critical-android/?&web_view=true

      For strategic clients, your vCISO will add this to your next Office Hours for further discussion. However, if you have an immediate need, concern, or question, please reach out to them directly.

      For non-strategic clients, please reach out to your Advisor for further discussion.

      For those not yet clients of GreyCastle Security, please click the “Contact Us” button below and we’ll be glad to provide assistance as well as answer any questions you might have.
