January 3, 2024 at 08:36AM
Malware utilizing an undocumented Google OAuth endpoint named MultiLogin to hijack user sessions, allowing continuous access to Google services even after a password reset. Threat actor PRISMA first revealed the technique, which has been incorporated into various malware-as-a-service (MaaS) stealer families. Google acknowledges the attack and advises users to log out of affected browsers to revoke stolen sessions.
From the meeting notes, it is clear that there is a serious issue with the MultiLogin authentication endpoint, which is being exploited by information-stealing malware. The malware enables threat actors to maintain unauthorized access to Google services even after a password reset, posing a significant security threat.
The malware, named Lumma, has been incorporating this technique, alongside other malware-as-a-service stealer families, such as Rhadamanthys, Stealc, Meduza, RisePro, and WhiteSnake.
While Google has acknowledged the existence of this attack method, they have advised that users can revoke the stolen sessions by logging out of the impacted browser. Additionally, Google has emphasized the importance of turning on Enhanced Safe Browsing in Chrome to protect against phishing and malware downloads.
It’s important to note that users can take action to protect themselves, such as logging out of the affected browser and enabling Enhanced Safe Browsing in Chrome. However, it’s crucial to ensure ongoing awareness and monitoring of the situation for any updates or further recommendations from Google.
This issue requires immediate attention and communication to all impacted parties to ensure necessary actions are taken to mitigate the risk and protect user accounts and data.