According to CloudSEK, this critical vulnerability exploits session persistence and cookie generation, allowing threat actors to maintain access to valid sessions in an unauthorized manner.
On October 20, 2023, a threat actor named PRISMA first disclosed the technique on his Telegram channel. Since then, the technique has been incorporated into variousmalicious softwareAs-a-Service (MaaS) stealer program families such as Lumma, Rhadamanthys, Stealc, Meduza, RisePro, and WhiteSnake.
The MultiLogin authentication endpoint is primarily used to synchronize Google accounts across services when a user logs in to their account (i.e. profile) via Chrome.
Security researcher Pavan Karthick M said, "Reverse engineering of the Lumma Stealer code shows that the technique targets "Chrome's WebData token_service table to extract tokens and account IDs for logged-in Chrome profiles . "The table contains two key columns: the service (GAIA ID) and the cryptographic token.
This token:GAIA ID pair is then combined with the MultiLogin endpoint to regenerate the Google authentication cookie.
Test different token-cookie generation scenarios in three ways
When a user logs in using a browser, in this case the token can be used multiple times.
When a user changes their password but still keeps Google logged in, in this case the token can only be used once because the token has already been used once to keep the user logged in.
If the user logs out of the browser, then the token will be canceled and deleted from the browser's local storage and will be regenerated when logging in again.
Google acknowledged the existence of this method of attack in an interview, but noted that users can undo the stolen sessions by logging out of the affected browsers.
Google has taken note of recent reports of malware families stealing session tokens." Attacks involving malware stealing cookies and tokens are not new; we regularly upgrade our defenses against such techniques and to ensure the safety of users who fall victim to malware. In this case, Google has taken action to ensure the safety of all compromised accounts detected.
However, it is important to note that there is a misconception in the report that users cannot revoke stolen tokens and cookies," it further added." This is incorrect, stolen sessions can be deactivated by exiting the affected browser or revoking them remotely through the user's device page. We will continue to monitor the situation and provide updates as necessary.
Users are advised to turn on the Enhanced Safe Browsing feature in Chrome to prevent phishing and malware downloads.
Safety Recommendations:
Change passwords to prevent attackers from using the password reset process to restore access.
Monitor account activity and look out for suspicious logins from unfamiliar IPs and locations.
The incident highlights the potential challenges of traditional account security methods and the need for more advanced security solutions to address information theft threats commonly used by cybercriminals.
A complex vulnerability was revealed through the security incident, which could challenge traditional methods of account security. While Google's measures are valuable, this situation highlights the need for more advanced security solutions to address evolving cyber threats, such as the information-stealing programs that are so popular among cybercriminals today.
Original article by Chief Security Officer, if reproduced, please credit https://cncso.com/en/malware-using-google-multilogin-exploit.html
