Attackers Abuse Google OAuth Endpoint to Hijack User Sessions

January 3, 2024 at 06:08AM

A threat actor known as “Prisma” first disclosed a critical exploit of an undocumented Google OAuth endpoint that lets attackers hijack user sessions and maintain continuous, unauthorized access to Google services. The exploit has since been integrated into several malware families and continues to evolve, posing a significant threat. CloudSEK, which analysed the technique, has emphasized the need for enhanced cybersecurity measures to counter threats of this sophistication.

Attackers have been exploiting an undocumented Google OAuth endpoint to hijack user sessions and retain access to Google services even after the victim resets their password. The threat actor “Prisma” uncovered the critical exploit, which allows persistent Google cookies to be generated through token manipulation. Prominent infostealers such as Lumma and Rhadamanthys then integrated the capability into their malware, and the exploit spread rapidly among other malware groups.

The exploit targets an undocumented Google OAuth endpoint named “MultiLogin,” which allows valid cookies to be generated even after a session has been disrupted, improving the attacker’s ability to maintain unauthorized access. OAuth presents a risk to organizations when it is not implemented correctly, and attackers have found ways to abuse this endpoint effectively.

CloudSEK researchers traced the root of the exploit to the “MultiLogin” endpoint, which is designed to synchronize Google accounts across services. Because of its central role in user authentication, the endpoint can be abused if its cross-account communication is mishandled, as Lumma’s approach demonstrates.

Lumma’s exploitation process was blackboxed to keep its core mechanics secret and to evade detection by standard security controls. By manipulating the token:GAIA ID pair, Lumma could continuously regenerate cookies for Google services, even after users reset their passwords. Lumma also introduced the use of SOCKS proxies to circumvent Google’s IP-based restrictions on cookie regeneration; in doing so it inadvertently exposed details of its technique and paved the way for other infostealers to adopt the exploit.

This advanced behavior shows why organizations need continuous monitoring of technical vulnerabilities alongside human intelligence sources to stay ahead of emerging cyber threats: sophisticated threats demand an equally sophisticated defense.