Multiple information stealers have adopted a new technique that lets them regenerate Google session cookies and keep control of compromised accounts even after the victims change their passwords, threat intelligence firm CloudSEK reports.
A vulnerability in Google's authentication process, described by some as a zero-day, allows threat actors to regenerate persistent Google cookies and gain continuous access to Google services, and information stealers have been exploiting it in the wild for over a month and a half, the cybersecurity firm says.
The issue stems from the undocumented MultiLogin endpoint, a mechanism for synchronizing accounts across Google services, when it is fed account IDs and tokens extracted from a victim's local Chrome profile.
Part of Google's OAuth system, MultiLogin accepts a vector of account IDs and auth-login tokens and plays a central role in user authentication.
What threat actors discovered was that they could extract the token-GAIA ID pair from Chrome and submit it to the MultiLogin endpoint to mint fresh, valid Google cookies, giving them persistent access. Because the cookies are regenerated from the stolen token rather than from the password, a password change alone does not cut off that access.
The malware developer who made the discovery initially announced it in October and, by mid-November, the prominent infostealer family Lumma had implemented the technique.
Lumma, CloudSEK found, encrypted the token-GAIA ID pair with its own keys in an attempt to keep rival malware families from copying the mechanism.
It did not take long for others to adopt it and, by the end of December, six other infostealers were leveraging the technique.
According to Hudson Rock, the technique will likely be adopted by all infostealer groups unless Google - which was alerted over a month ago - steps up.
SecurityWeek has emailed Google for a statement on this attack and will update this article as soon as a reply arrives.
Published on www.securityweek.com, Wed, 03 Jan 2024 16:13:06 +0000.