Understanding the Threat of Information Stealing Malware Exploiting MultiLogin
A previously undocumented Google OAuth endpoint named MultiLogin is being exploited in the wild. Since the technique was first disclosed by PRISMA on October 20, 2023, threat actors have actively built it into information-stealing malware, allowing persistent access to Google services even after a password reset.
CloudSEK sheds light on the critical exploit, enabling session persistence and cookie generation, affording unauthorized access to valid sessions. This technique has been assimilated into various malware-as-a-service (MaaS) stealer families, including Lumma, Rhadamanthys, Stealc, Meduza, RisePro, and WhiteSnake.
A deep analysis of Lumma Stealer's code reveals the modus operandi: the malware targets the token_service table in Chrome's WebData store to extract tokens and account IDs. These extracted tokens are then used with the MultiLogin endpoint to regenerate Google authentication cookies.
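Because the stealer has to open Chrome's profile database to reach the token_service table, a file-access audit is one practical detection point. The following is an added example, not code from the article or from any of the vendors it cites: it scans file-open events for non-browser processes touching the "Web Data" SQLite file inside a Chrome "User Data" profile directory. The event records are constructed for illustration, and the field names and the list of expected reader processes are assumptions to be tuned to a real EDR schema and fleet.

```python
"""Added example: flag non-browser processes opening Chrome's "Web Data" store.

Chrome keeps the token_service table in the "Web Data" SQLite file under
<profile>\\Google\\Chrome\\User Data\\<Profile>\\. Only the browser itself
should normally open it; anything else reading it is worth a closer look.
Event schema, sample events and the allow-list below are constructed
assumptions, not a real product format.
"""
from dataclasses import dataclass
import ntpath  # Windows path handling, works on any host OS


@dataclass
class FileAccessEvent:
    process_image: str  # full path of the process that opened the file
    target_path: str    # file that was opened
    access: str         # "read" or "write" (constructed field)


# Assumption: binaries expected to open their own profile database.
EXPECTED_READERS = {"chrome.exe"}

# The profile file that holds the token_service table.
SENSITIVE_STORE = "web data"

# Marker for a Chrome profile directory (case-insensitive match below).
CHROME_PROFILE_MARKER = "\\google\\chrome\\user data\\"


def is_suspicious(ev: FileAccessEvent) -> bool:
    """True when a process other than Chrome opens a Chrome 'Web Data' file."""
    target = ev.target_path.lower()
    if ntpath.basename(target) != SENSITIVE_STORE:
        return False
    if CHROME_PROFILE_MARKER not in target:
        return False  # not a Chrome profile; other apps may use the same name
    proc = ntpath.basename(ev.process_image).lower()
    return proc not in EXPECTED_READERS


def find_suspicious(events):
    """Return the events that should be escalated for triage."""
    return [ev for ev in events if is_suspicious(ev)]


# Constructed sample events: one benign browser access, one stealer-like access,
# and one unrelated file with a similar name outside a Chrome profile.
SAMPLE_EVENTS = [
    FileAccessEvent(
        r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Web Data",
        "read",
    ),
    FileAccessEvent(
        r"C:\Users\alice\AppData\Local\Temp\update.exe",
        r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Web Data",
        "read",
    ),
    FileAccessEvent(
        r"C:\Users\alice\tools\backup.exe",
        r"C:\Users\alice\Documents\Web Data",
        "read",
    ),
]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT: {hit.process_image} opened {hit.target_path}")
```

Running the block on the constructed sample prints a single alert for the `update.exe` access; the browser's own access and the unrelated `Documents\Web Data` file are ignored. In production the same check belongs in whatever file-audit or EDR query language the environment already uses, with the allow-list extended to any sanctioned backup or DLP agents.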
Security researcher Pavan Karthick details three token-cookie generation scenarios, emphasizing the need for user vigilance. While Google acknowledges the attack method, they assure users that compromised accounts can be secured by logging out of the affected browser. Google recommends activating Enhanced Safe Browsing in Chrome as an added layer of protection against phishing and malware downloads.
However, the incident underscores the sophistication of the exploit and highlights the need for more advanced security measures. Alon Gal, co-founder and CTO of Hudson Rock, acknowledges Google's efforts but emphasizes the evolving nature of cyber threats, especially infostealers, urging users to monitor account activity and adopt proactive security measures. As the digital landscape evolves, understanding and countering such threats becomes paramount for user security.
SOURCE: THE HACKER NEWS | COVER IMAGE BY MACROVECTOR ON FREEPIK.