Security experts have identified an exploit which leverages an undocumented Google OAuth endpoint to regenerate persistent Google cookies. CloudSEK's analysis reveals that the exploit manipulates token:GAIA ID pairs to sustain access to Google services, posing significant security threats to user accounts.
Malware Leveraging Zero-Day Exploit
The exploit was first detected by a developer using the pseudonym PRISMA in October 2023. Threat actors are exploiting this zero-day to breach security on several fronts. Lumma Infostealer, which incorporated the exploit on November 14, paved the way for similar malware to follow suit. Researchers have since observed other malicious software integrating the exploit, including Rhadamanthys, Risepro, Meduza, Stealc Stealer, and the recently spotted White Snake.
The Google 0-Day that all Infostealer groups are exploiting: https://t.co/V5EuU0LFzz pic.twitter.com/xZnobAuuap
— Hudson Rock (@RockHudsonRock) December 27, 2023
A Closer Look at the Malware Mechanism
The attacking malware targets Chrome's token_service table in the WebData store to extract tokens and account IDs. By decrypting the encrypted tokens with a key taken from Chrome's Local State directory, in the same way Chrome protects saved passwords, the malware can continuously regenerate cookies. CloudSEK points out that even a user's password reset would not impede the exploit, indicating a concerning level of persistence and a real risk that the abuse goes unnoticed.
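The mechanism above gives a defender a concrete signal: the stealer has to read two files in a Chrome profile, the token store (the "Web Data" SQLite file, which holds the token_service table) and the "Local State" file that holds the key. The script below is an added illustration, not code from the article or from CloudSEK; it runs a simple detection over constructed EDR-style file-read events and flags any process other than Chrome that reads both files within a short window. The event fields, the allowlist and the one-minute window are assumptions to adapt to real telemetry.

```python
"""Flag non-browser processes that read Chrome's token store and its key file.

Added example (not from the article or CloudSEK). A process that is not
Chrome reading both "Local State" (key) and "Web Data" (token_service table)
in quick succession matches the behaviour the article describes. The event
format below is constructed; map it onto whatever your EDR actually emits.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of file-read events, not real telemetry.
SAMPLE_EVENTS = [
    {"ts": "2023-12-27T10:00:01", "process": "chrome.exe", "pid": 4100,
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"},
    {"ts": "2023-12-27T10:00:02", "process": "chrome.exe", "pid": 4100,
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Web Data"},
    {"ts": "2023-12-27T10:05:10", "process": "update.exe", "pid": 7788,
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"},
    {"ts": "2023-12-27T10:05:11", "process": "update.exe", "pid": 7788,
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Web Data"},
    {"ts": "2023-12-27T10:20:00", "process": "backup.exe", "pid": 9001,
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Web Data"},
]

BROWSER_PROCESSES = {"chrome.exe"}   # processes expected to read these files (assumed allowlist)
KEY_FILE = "local state"             # file holding the encryption key (per the article)
TOKEN_STORE = "web data"             # SQLite file holding the token_service table
WINDOW = timedelta(seconds=60)       # assumed correlation window


def classify(path):
    """Return 'key', 'tokens' or None depending on which Chrome file was read."""
    p = path.replace("/", "\\").lower()
    if "\\google\\chrome\\user data\\" not in p:
        return None
    name = p.rsplit("\\", 1)[-1]
    if name == KEY_FILE:
        return "key"
    if name == TOKEN_STORE:
        return "tokens"
    return None


def detect(events):
    """Return findings as (pid, process, severity).

    'high'   = a non-browser process read both the key file and the token
               store within WINDOW, i.e. it holds what it needs to decrypt.
    'medium' = a non-browser process read only one of the two files.
    """
    seen = defaultdict(dict)  # (pid, process) -> {kind: timestamp of last read}
    for e in events:
        kind = classify(e["path"])
        if kind is None or e["process"].lower() in BROWSER_PROCESSES:
            continue
        seen[(e["pid"], e["process"])][kind] = datetime.fromisoformat(e["ts"])

    findings = []
    for (pid, proc), kinds in seen.items():
        both = "key" in kinds and "tokens" in kinds
        if both and abs(kinds["key"] - kinds["tokens"]) <= WINDOW:
            findings.append((pid, proc, "high"))
        else:
            findings.append((pid, proc, "medium"))
    return findings


if __name__ == "__main__":
    for pid, proc, sev in detect(SAMPLE_EVENTS):
        print(f"{sev:6} pid={pid} process={proc}")
```

On the constructed input, update.exe is reported as high (it read the key file and the token store one second apart) and backup.exe as medium (token store only); Chrome's own reads are ignored. Tune the allowlist for legitimate backup or sync agents before alerting on the medium tier.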
Speculation suggests that a penetration test of Google Drive's services on Apple devices could be the origin of the exploit. The analysis concludes that an imperfect test of Google Drive inadvertently revealed it. As of this report, Google has not confirmed active use of this zero-day against its MultiLogin endpoint. Experts continue to monitor the situation and recommend vigilance for signs of suspicious account activity.
Recent OAuth App Warning from Microsoft
Last month, Microsoft Security described how hackers are leveraging OAuth apps for attacks, revealing how threat actors misuse OAuth applications to automate financially driven attacks. The post explained how these attacks work, gave examples of recent attacks, and offered recommendations for customers and organizations to protect themselves from OAuth token abuse.
Threat actors can create malicious OAuth applications and trick users into granting them access to their online accounts. Once access is granted, the threat actors can use the OAuth tokens to read user data, such as email, contacts, and financial information, from various cloud services and applications.
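One practical response to the consent-phishing pattern described above is to review the OAuth grants already present in a tenant and rank them by the signals that matter: scopes that expose mail, contacts or files, a refresh token (offline_access) that keeps access alive after the user signs out, and an unverified publisher. The script below is an added example, not code from the article or from Microsoft; the record layout and the scoring weights are assumptions, and the three grants are constructed. The Microsoft Graph scope names used (Mail.Read, Mail.ReadWrite, Mail.Send, Contacts.Read, Files.Read.All, Files.ReadWrite.All, offline_access) are real, but an admin would export real grants from their identity provider's audit log.

```python
"""Triage OAuth consent grants for the signals of a malicious app.

Added example (not from the article or Microsoft). Scores each application
on the data it can reach, whether it holds a refresh token, whether its
publisher is verified, and how many users consented. Weights are assumed.
"""

# Delegated permissions that expose the data the article says attackers go
# after, with an assumed weight per scope.
DATA_SCOPES = {
    "Mail.Read": 3, "Mail.ReadWrite": 4, "Mail.Send": 4,
    "Contacts.Read": 2, "Files.Read.All": 3, "Files.ReadWrite.All": 4,
}
# offline_access yields a refresh token: access outlives the user's session.
PERSISTENCE_SCOPE = "offline_access"

# Constructed sample records, not a real tenant's data.
SAMPLE_GRANTS = [
    {"app": "Contoso Expense Sync", "publisher_verified": True,
     "scopes": ["User.Read", "Files.Read.All", "offline_access"], "users": 120},
    {"app": "Mail Backup Helper", "publisher_verified": False,
     "scopes": ["User.Read", "Mail.ReadWrite", "Mail.Send",
                "Contacts.Read", "offline_access"], "users": 3},
    {"app": "Calendar Widget", "publisher_verified": True,
     "scopes": ["User.Read", "Calendars.Read"], "users": 45},
]


def score_grant(grant):
    """Return (score, reasons) for one consent grant."""
    score, reasons = 0, []
    for scope in grant["scopes"]:
        if scope in DATA_SCOPES:
            score += DATA_SCOPES[scope]
            reasons.append(f"can read or send user data via {scope}")
    if PERSISTENCE_SCOPE in grant["scopes"]:
        score += 2
        reasons.append("offline_access: refresh token keeps access after sign-out")
    if not grant["publisher_verified"]:
        score += 3
        reasons.append("publisher not verified")
    # Assumed heuristic: a data-hungry app consented to by only a handful of
    # users deserves a closer look than one rolled out tenant-wide.
    if grant["users"] < 5 and score > 0:
        score += 1
        reasons.append("consented by only a few users")
    return score, reasons


def triage(grants, threshold=8):
    """Return the names of apps whose score meets the threshold, highest first."""
    scored = [(score_grant(g)[0], g["app"]) for g in grants]
    return [app for score, app in sorted(scored, reverse=True) if score >= threshold]


if __name__ == "__main__":
    for g in SAMPLE_GRANTS:
        score, reasons = score_grant(g)
        print(f"{score:3}  {g['app']}")
        for r in reasons:
            print(f"      - {r}")
    print("review first:", triage(SAMPLE_GRANTS))
```

On the constructed grants only "Mail Backup Helper" crosses the review threshold: it can read and send mail, read contacts, holds a refresh token, and comes from an unverified publisher. The verified expense app scores below the line despite its file access and refresh token, which is the point of weighting rather than blocking on any single scope.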