January 2, 2024 at 03:06PM
Info-stealing malware can still access compromised Google accounts even after passwords are changed, due to a zero-day exploit first mentioned by the cybercriminal “PRISMA.” The exploit involves regenerating session tokens to access emails and cloud storage. CloudSEK identified the exploit in the undocumented Google OAuth endpoint “MultiLogin.” The discover reveals a high level of cybercriminal sophistication.
From the meeting notes, it is clear that there is a significant security threat involving infostealer malware targeting Google accounts. Security researchers have identified that even after changing passwords, the malware can still access compromised Google accounts. This is made possible through a zero-day exploit in Google account security, utilizing the undocumented Google OAuth endpoint “MultiLogin” to manipulate session tokens.
The exploit involves stealing session tokens and using them to log into compromised accounts even after the password has been changed. The stolen token paired with GAIA ID are then used with MultiLogin to regenerate Google service cookies for login purposes. This exploitation tactic has been implemented by several malware families, such as Lumma and Rhadamanthys, and is seen as a sophisticated and advanced cyber threat, involving tactics such as encryption and the use of SOCKS proxies to bypass Google’s IP-based restrictions.
Furthermore, it is noted that the malware developers have actively worked to conceal the inner workings of their exploit by encrypting the traffic between the malware’s command-and-control server and MultiLogin, making it more difficult for standard security measures to detect malicious activity.
Despite the severity of this threat, Google had not responded to inquiries about plans to address the issue at the time of publication. It is recommended that users log out and back in to invalidate session tokens and prevent exploitation. The discovery reflects a shift in malware development towards concealment and protection of exploit methodologies, rather than just focusing on the effectiveness of the exploits themselves.
In summary, the meeting notes highlight a critical security issue involving infostealer malware and a zero-day exploit in Google account security, which poses a significant threat to Google users.