Google OAuth2 Abused To Regenerate Tokens For Persistent Session Access

Attackers are exploiting undocumented Google OAuth2 functionality to hijack user sessions. The approach gives them continuous access to Google services, even after a password reset.
Researcher Pavan Karthick M at CloudSEK has detailed how the threat actor called “Prisma” was the first to use a critical OAuth exploit which “allows the generation of persistent Google cookies through token manipulation.”
OAuth 2.0 is a protocol utilized by Google APIs for authentication and authorization, such as enabling “Log in with Google” across the web. It allows users to grant specific data access to applications while safeguarding sensitive information like passwords.
The exploit has two key features:
- Session Persistence: The session remains valid even when the account password is changed, providing a unique advantage in bypassing typical security measures.
- Cookie Generation: The capability to generate valid cookies in the event of a session disruption enhances the attacker’s ability to maintain unauthorized access.
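As an added example (not code from CloudSEK, Google, or this post, and modelling no real Google endpoint), the following Python toy contrasts the two session-store designs the feature list above implies: one where a session and its refresh outlive a password reset, and one where every session is bound to a credential version that a reset bumps, so old sessions stop validating and can no longer be refreshed into new ones. `SessionStore`, `credential_version` and the sample accounts are my own assumptions.

```python
"""Toy session store: sessions that survive a password reset versus sessions
bound to a credential version.  Added example, not CloudSEK's or Google's code."""
import hashlib
import hmac
import secrets
import time


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 is enough for a demo; a production service would use Argon2id.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SessionStore:
    def __init__(self, bind_to_credential_version: bool, ttl_seconds: int = 3600):
        self.bind = bind_to_credential_version   # hardened design when True
        self.ttl = ttl_seconds
        self.accounts = {}   # username -> {salt, pw_hash, cred_version}
        self.sessions = {}   # session id -> {user, cred_version, expires}

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[username] = {
            "salt": salt,
            "pw_hash": _hash_password(password, salt),
            "cred_version": 0,
        }

    def _check_password(self, username: str, password: str) -> bool:
        acct = self.accounts.get(username)
        if acct is None:
            return False
        return hmac.compare_digest(acct["pw_hash"], _hash_password(password, acct["salt"]))

    def _mint(self, username: str) -> str:
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {
            "user": username,
            # Record which credential generation this session was issued under.
            "cred_version": self.accounts[username]["cred_version"],
            "expires": time.time() + self.ttl,
        }
        return sid

    def login(self, username: str, password: str):
        return self._mint(username) if self._check_password(username, password) else None

    def change_password(self, username: str, old: str, new: str) -> bool:
        if not self._check_password(username, old):
            return False
        acct = self.accounts[username]
        acct["salt"] = secrets.token_bytes(16)
        acct["pw_hash"] = _hash_password(new, acct["salt"])
        acct["cred_version"] += 1   # everything minted before this point is stale
        return True

    def is_valid(self, sid: str) -> bool:
        s = self.sessions.get(sid)
        if s is None or s["expires"] < time.time():
            return False
        if self.bind and s["cred_version"] != self.accounts[s["user"]]["cred_version"]:
            return False   # session predates the last credential change
        return True

    def refresh(self, sid: str):
        """Mint a replacement session; only allowed while the old one still validates."""
        if not self.is_valid(sid):
            return None
        user = self.sessions.pop(sid)["user"]
        return self._mint(user)


def outcome_after_password_reset(bind: bool):
    """Return (old session still valid?, refresh still possible?) after a reset."""
    store = SessionStore(bind_to_credential_version=bind)
    store.register("alice", "correct horse")          # constructed sample account
    sid = store.login("alice", "correct horse")
    assert store.is_valid(sid)
    assert store.change_password("alice", "correct horse", "battery staple")
    still_valid = store.is_valid(sid)
    refreshed = store.refresh(sid) is not None
    return still_valid, refreshed


if __name__ == "__main__":
    print("unbound sessions:", outcome_after_password_reset(False))   # (True, True)
    print("bound sessions:  ", outcome_after_password_reset(True))    # (False, False)
```

The point of the contrast is that revoking a session on password reset is a property of the server-side store, not of the cookie: if validation never re-checks the credential generation, a reset changes nothing for a token that was already issued, and a refresh endpoint that trusts the stale session will happily mint a fresh one.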
2023 Adoption Timeline:
Oct 20: The exploit is first revealed on a Telegram channel.
Nov 14: Lumma announces the feature's integration with an advanced blackboxing approach. The feature gained traction after the security community posted about Lumma's unique feature.
Nov 17: Rhadamanthys announces the feature with a similar blackboxing approach to Lumma's.
Nov 24: Lumma updates the exploit to counteract Google's fraud detection measures.
Dec 1: Stealc implements the Google account token restore feature.
Dec 11: Meduza implements the Google account token restore feature.
Dec 12: RisePro implements the Google account token restore feature.
Dec 26: WhiteSnake implements the Google account token restore feature.
Dec 27: Hudson Rock posts a video from the dark web in which a hacker demonstrates exploiting the generated cookies.
“This analysis… highlights the necessity for continuous monitoring of both technical vulnerabilities and human intelligence sources to stay ahead of emerging cyber threats. The collaboration of technical and human intelligence is crucial in uncovering and understanding sophisticated exploits like the one analyzed in this report,” Karthick M concludes.
Troy Batterberry, CEO and Founder of EchoMark, had this to say:
“As we navigate the evolving landscape of cybersecurity, the sophistication of threat actors is on the rise, leading to a potential surge in zero-day exploits in 2024. Lumma’s recent assault is a poignant example. The adept concealment of their proprietary attack mechanism and exploit methodologies, coupled with their ability to circumvent detection and sustain persistent access despite routine security measures, underscores the imperative for individuals and businesses alike to heed this wake-up call. Organizations operate on trust and secure data sharing and must prioritize proactive security measures and continuous monitoring to effectively combat the ever-emerging challenges posed by cyber threats.”
This proves that everyone needs to work hard just to stay level with threat actors, because they are always looking for new angles from which to launch new attacks, and it will end badly for all of us if they succeed.
This entry was posted on January 4, 2024 at 8:52 am and is filed under Commentary with tags CloudSEK. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.