Source: www.databreachtoday.com
Google OAuth2 Vulnerability Being Actively Abused by Attackers, Researchers Warn
Chris Riotta (@chrisriotta) • December 29, 2023
Multiple malware-as-a-service info stealers now include the ability to manipulate authentication tokens to give the malware's operators persistent access to a victim's Google account, even after the victim has reset their password, researchers warn.
Since November, this capability has been built into the Lumma Stealer, which is information-stealing malware available as a service, cybersecurity firm CloudSEK reported on Friday.
The firm’s researchers said the vulnerability is particularly concerning because it enables hackers to manipulate the OAuth 2.0 security protocol, which is widely used to allow access to Google-connected accounts via single sign-on (see: Experts’ View: Avoid Social Networks’ Single Sign-On).
Google did not immediately respond to a request for comment.
Lumma Stealer appears to have been the first malware-as-a-service offering to provide its users with the ability to exploit the “undocumented OAuth2 functionality” via “blackboxing,” aka hiding from users what it’s doing and how. “This strategic move not only preserves the uniqueness of their exploit in the competitive landscape of cybercrime but also provides them with an edge in the illicit market,” CloudSEK said in its report, adding that the exploitation technique reveals a high “level of sophistication and understanding of Google’s internal authentication mechanisms.”
Despite Lumma Stealer’s blackboxing approach, other malware distribution groups have also been exploiting the vulnerability.
“The exploit rapidly spread among various malware groups,” including Rhadamanthys, RisePro, Meduza and Stealc Stealer, and Eternity Stealer recently said it is working to add the functionality, CloudSEK said.
The firm’s research team said the vulnerability appears to have been discovered by an attacker who uses the handle PRISMA and who first revealed a zero-day exploit for the flaw in a late October post to a Telegram channel. As described by PRISMA, exploiting the vulnerability allows for “session persistence,” including the ability to maintain a session even if a user changes their password, as well as the ability to generate valid authentication cookies even if a session is disrupted, so the attacker can “maintain unauthorized access,” CloudSEK said.
Using the exploit to compromise a Google account “will allow threat actors to use Drive, email login,” as well as other OAuth-connected services, meaning the exploit could have “a very severe impact” on affected users and organizations, Pavan Karthick M, a threat researcher for CloudSEK, told Information Security Media Group.
“If infected, their Google accounts can be abused to be part of a malicious infrastructure,” he said, adding that threat actors can use the exploit to post malicious content online, abuse streaming services and access “anything connected to Google.”
Original Post url: https://www.databreachtoday.com/info-stealing-malware-now-includes-google-session-hijacking-a-24003