Among others, developers of the infamous Lumma, an infostealer malware, are already using the exploit by employing advanced tactics like token manipulation and encryption in targeted attacks.
CloudSEK’s threat research team has reported a critical exploit affecting Google services, allowing threat actors to generate Google cookies continuously while ensuring continuous access to Google services even after a user performs a password reset. In a technical report, CloudSEK shared details of the exploit.
On October 20, 2023, CloudSEK’s AI digital risk platform XVigil discovered that on the Telegram channel, a developer/threat actor PRISMA had released a 0-day solution to address issues with incoming sessions of Google accounts.
The solution offers session persistence, allowing the attacker to bypass security measures and enable cookie generation, gaining unauthorized access even when the account password is changed. The developer expressed openness to cooperation and potential collaboration on this newfound exploit.
Afterwards, Lumma Infostealer announced the feature’s integration with an advanced blackboxing approach on November 14, 2023. Rhadamanthys and WhiteSnake also announced similar blackboxing approaches. Lumma updated the exploit to counteract Google’s fraud detection measures on November 24, 2023. Other hackers, such as Stealc, Meduza, RisePro, and Whitesnake, implemented the feature. Hudson Rock posted a video from Darkweb demonstrating a hacker exploiting generated cookies on December 27, 2023.
CloudSEK threat researchers revealed that an undocumented Google Oauth endpoint named “MultiLogin” is the root of the exploit. The endpoint responsible for regenerating cookies was revealed through Chromium’s source code, which is an internal mechanism designed for synchronizing Google accounts across services.
The MultiLogin endpoint, as revealed through Chromium’s source code, operates by accepting a vector of account IDs and auth-login tokens, essential for managing simultaneous sessions or switching between user profiles seamlessly.
Chromium codebase examination confirmed that while the MultiLogin feature plays a vital role in user authentication, it also presents an exploitable avenue if mishandled. Threat actors employ sophisticated tactics in cyber threats, such as Lumma’s exploitation of the undocumented Google OAuth2 MultiLogin endpoint.
Lumma’s approach entails manipulation of the token:GAIA ID pair, a critical component in Google’s authentication process. By applying encryption to this component, Lumma effectively masks the core mechanism of their exploit, hindering other malicious entities from duplicating their method. This strategic move preserves their exploit’s uniqueness in the competitive cybercrime landscape and provides them an edge in the illicit market.
Lumma’s subsequent adaptation involves using SOCKS proxies to circumvent Google’s IP-based restrictions on cookie regeneration, inadvertently exposing some details of the requests and responses, potentially compromising the exploit’s obscurity. Encrypted communication between the malware C2 and the MultiLogin endpoint is less likely to trigger alarms in network security systems, as standard security protocols generally overlook encrypted traffic.
This exploit can continuously regenerate cookies for Google services, demonstrating sophistication in Google’s internal authentication mechanisms and a shift towards stealth-oriented cyber threats, emphasizing concealment over effectiveness.
RELATED ARTICLES
- Scammers Weaponize Google Forms in New BazarCall Attack
- Google Workspace Vulnerabilities Lead to Network-Wide Breaches
- Hackers Stole $59 Million of Crypto Via Malicious Google and X Ads
- Google’s Latest Android Feature Drop: Dark Web Search for Gmail ID
- Fantom Foundation Suffers Wallet Hack Via Google Chrome 0-Day Flaw