Malware Exploits Google MultiLogin to Persist Post-Password Reset


Introduction

A new threat has emerged that abuses an undocumented Google OAuth endpoint called MultiLogin. The technique allows information-stealing malware to retain access to Google services even after the victim resets their password. First revealed by a threat actor named PRISMA and since integrated into several malware-as-a-service (MaaS) stealer families, the technique is a serious challenge to account security.

The MultiLogin Exploit: An Overview

The MultiLogin authentication endpoint was designed to synchronize Google accounts across services, in particular when users sign in through Chrome browser profiles. Threat actors have repurposed it for session persistence and cookie generation, which lets them regain entry to valid user sessions.

Lumma Stealer: Peeling Back the Layers

A close look at the Lumma Stealer code reveals the mechanics of the technique. The malware reads the token_service table in Chrome's WebData database, extracting the tokens and account IDs of logged-in Chrome profiles. These values are then submitted to the MultiLogin endpoint to regenerate Google authentication cookies.

Security researcher Pavan Karthick M explained that the token:GAIA ID pair obtained this way can be used in three different scenarios:

  1. While the user remains logged in to the browser, the token can be used multiple times.
  2. If the user changes the password but keeps Google signed in, the token can be used only once, because it has already been consumed to keep the user signed in.
  3. When the user signs out of the browser, the token is revoked and deleted from the browser's local storage; a new one is generated on the next login.

Google's Response and User Mitigation

After being notified of the attack method, Google acknowledged it and took action to secure the compromised accounts it identified. Google emphasized that stolen sessions can be invalidated: users can do so by signing out of the affected browser or by remotely revoking sessions from the account's devices page.

The company also recommended that users enable Enhanced Safe Browsing in Chrome for stronger protection against phishing and malware downloads. Users are further advised to change their passwords so that threat actors cannot exploit password reset authentication flows, and to monitor account activity for suspicious sessions from unrecognized IP addresses and locations.

Evaluating the Incident: A Call for Advanced Security Measures

Alon Gal, co-founder and CTO of Hudson Rock, emphasized the significance of Google's clarification on user security. However, he also highlighted the sophistication of the exploit, suggesting that it necessitates more advanced security solutions to counter evolving cyber threats. The incident underscores the challenges posed by infostealers, which have become increasingly popular among cybercriminals.

Conclusion

The MultiLogin exploit targeting Google services serves as a stark reminder of the relentless ingenuity of cybercriminals. As technology advances, so do the threats, necessitating continuous vigilance and the adoption of advanced security measures. Google's proactive response is commendable, but users must also play a crucial role in safeguarding their accounts through proactive security practices. The incident signals a call to action for the cybersecurity community to develop and implement robust solutions to stay one step ahead of evolving threats.
