Hackers find ways into Google accounts

B2B Cyber ​​Security ShortNews

Share post

According to researchers at Cloudsek.com, hackers are abusing an undocumented Google OAuth endpoint called “MultiLogin.” The experts are currently observing that other groups of cyber attackers are copying the technology and using it in their infostealers. Is a bigger wave coming now?

Several information-stealing malware families exploit an undocumented Google OAuth endpoint called “MultiLogin” to recover expired authentication cookies and log in to user accounts. Even for accounts where the account password has been reset.

Infostealer groups want to exploit vulnerabilities

The experts at Cloudsek.com report: The Lumma Infostealer, which contains the discovered exploit, was implemented on November 14th. Subsequently, Rhadamanthys, Risepro, Meduza and Stealc Stealer adopted this technique. On December 26th, White Snake also implemented the exploit. Currently, Eternity Stealer is actively working on an update that highlights a worrying trend of rapid integration of various infostealer groups.

The threat intelligence company Hudson Rock has published a video on YouTube in which a cybercriminal demonstrates how the cookie restore exploit works.

Published by Explorers

Here's how the whole thing was discovered: On October 20, 2023, CloudSEK's contextual AI digital risk platform XVigil was discovered that a threat actor named "PRISMA" made a major announcement on their Telegram channel and presented an effective 0-day attack solution , which addresses challenges with inbound sessions from Google accounts. This attack solution has two main features:

  • Session Persistence: The session remains valid even if the account password is changed, providing a unique advantage in bypassing typical security measures.
  • ‍Cookie generation: The ability to generate valid cookies in the event of a session interruption increases the attacker's attack surface. s ability to maintain unauthorized access.
  • The developer hinted at a possible willingness to collaborate or share insights on this newly discovered exploit.

According to the bleeding computer In a later publication, the Limma group updated the exploit to counteract Google's remedial measures. This suggests that the tech giant is aware of the actively exploited zero-day vulnerability. Specifically, Lumma used SOCKS proxies to bypass Google's abuse detection measures and implemented encrypted communication between the malware and the MultiLogin endpoint.

To date, Google has not commented on the misuse of the MultiLogin endpoint. Therefore, the status of the exploitation and the corresponding countermeasures remain unclear at this time.

More at Cloudsek.com


Matching articles on the topic

Report: 40 percent more phishing worldwide

The current spam and phishing report from Kaspersky for 2023 speaks for itself: users in Germany are after ➡ Read more

BSI sets minimum standards for web browsers

The BSI has revised the minimum standard for web browsers for administration and published version 3.0. You can remember that ➡ Read more

Stealth malware targets European companies

Hackers are attacking many companies across Europe with stealth malware. ESET researchers have reported a dramatic increase in so-called AceCryptor attacks via ➡ Read more

IT security: Basis for LockBit 4.0 defused

Trend Micro, working with the UK's National Crime Agency (NCA), analyzed the unpublished version that was in development ➡ Read more

MDR and XDR via Google Workspace

Whether in a cafe, airport terminal or home office – employees work in many places. However, this development also brings challenges ➡ Read more

Test: Security software for endpoints and individual PCs

The latest test results from the AV-TEST laboratory show very good performance of 16 established protection solutions for Windows ➡ Read more

FBI: Internet Crime Report counts $12,5 billion in damage 

The FBI's Internet Crime Complaint Center (IC3) has released its 2023 Internet Crime Report, which includes information from over 880.000 ➡ Read more

HeadCrab 2.0 discovered

The HeadCrab campaign against Redis servers, which has been active since 2021, continues to successfully infect targets with the new version. The criminals' mini-blog ➡ Read more