CloudSEK’s threat research team has recently brought to light a critical exploit affecting various Google services. The exploit allows threat actors to perpetually regenerate Google session cookies, giving them uninterrupted access to Google services even after the user resets their password. CloudSEK documented the exploit in a comprehensive technical report.
On October 20, 2023, CloudSEK’s AI-powered digital risk platform, XVigil, spotted a significant development on a Telegram channel: a developer/threat actor known as PRISMA had released a 0-day “solution” that, in the actor’s own framing, addressed issues with incoming (restored) sessions of Google accounts.
This solution introduces session persistence, providing attackers with the ability to bypass security measures and facilitate cookie generation. This unauthorized access remains intact even in the event of a password change. Notably, the developer expressed a willingness to collaborate on this exploit.
Subsequently, on November 14, 2023, the Lumma infostealer announced that it had integrated this feature using an advanced blackboxing approach. Rhadamanthys and WhiteSnake followed with similar blackboxing methods. Lumma further refined the exploit on November 24, 2023, to counter Google’s fraud detection measures. Other stealer families, including Stealc, Meduza, RisePro, and WhiteSnake, implemented the feature as well. A dark-web video posted by Hudson Rock on December 27, 2023, showed a hacker exploiting the generated cookies.
CloudSEK’s threat researchers disclosed that the root cause of this exploit is an undocumented Google OAuth endpoint named “MultiLogin.” Identified in Chromium’s source code, this endpoint serves as an internal mechanism for synchronizing Google accounts across various services.
Examination of the Chromium codebase confirmed the pivotal role of the MultiLogin feature in user authentication, but also showed how it can be abused if mishandled. Threat actors such as Lumma leverage exactly this weakness in their exploitation of the undocumented Google OAuth2 MultiLogin endpoint.
Lumma’s strategy involves manipulating the token:GAIA ID pair, a critical component in Google’s authentication process. By encrypting this part of its implementation, Lumma conceals the core mechanism of the exploit, protecting its uniqueness in the competitive cybercrime landscape and giving it an advantage in the illicit market.
Further adaptations by Lumma include the use of SOCKS proxies to bypass Google’s IP-based restrictions on cookie regeneration. This, however, inadvertently exposes certain details of the requests and responses, potentially compromising the exploit’s obscurity. Encrypting the communication between the malware’s Command and Control (C2) server and the MultiLogin endpoint reduces the likelihood of triggering alarms in network security systems, since conventional network controls often cannot inspect encrypted traffic.
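The defining property of this exploit is that a session artefact outlives the password reset that should have revoked it. The block below is an added defender-side illustration, not CloudSEK’s, Google’s, or any stealer’s code: it binds each server-side session to a credential version so that a password reset invalidates everything issued before it, and it runs a simple check over constructed audit-log lines to flag tokens that keep being used after a reset. The account names, log format and values are all constructed for the example.

```python
"""Session revocation on password reset, plus a log check for sessions that
survive a reset.  Added, hypothetical example: the SessionStore is NOT Google's
mechanism and the log format is constructed for illustration."""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Account:
    user_id: str
    credential_version: int = 1  # bumped on password reset or "sign out everywhere"


@dataclass
class Session:
    token: str
    user_id: str
    credential_version: int  # version that was current when the session was issued
    issued_at: int


class SessionStore:
    """Hypothetical server-side session table."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.sessions: Dict[str, Session] = {}

    def add_account(self, user_id: str) -> None:
        self.accounts[user_id] = Account(user_id)

    def issue(self, user_id: str, now: int) -> str:
        acct = self.accounts[user_id]
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(token, user_id, acct.credential_version, now)
        return token

    def reset_password(self, user_id: str) -> None:
        # Bumping the version revokes every session minted under the old one,
        # without having to enumerate and delete the sessions themselves.
        self.accounts[user_id].credential_version += 1

    def validate(self, token: str) -> bool:
        sess = self.sessions.get(token)
        if sess is None:
            return False
        acct = self.accounts.get(sess.user_id)
        return acct is not None and sess.credential_version == acct.credential_version


def lifecycle_demo() -> Tuple[bool, bool, bool]:
    """Issue a session, reset the password, and show the old token is refused."""
    store = SessionStore()
    store.add_account("alice")
    old = store.issue("alice", now=100)
    before = store.validate(old)   # True: valid before the reset
    store.reset_password("alice")
    after = store.validate(old)    # False: pre-reset token is no longer accepted
    new = store.issue("alice", now=200)
    fresh = store.validate(new)    # True: post-reset token works
    return before, after, fresh


# Constructed audit-log lines: "<ts> <event> user=<id> token=<token>".
SAMPLE_LOG = """\
100 session_issued user=alice token=tokA
120 session_used user=alice token=tokA
150 password_reset user=alice token=-
170 session_used user=alice token=tokA
180 session_issued user=alice token=tokB
190 session_used user=alice token=tokB
110 session_issued user=bob token=tokC
130 session_used user=bob token=tokC
"""


def sessions_surviving_reset(log_text: str) -> List[Tuple[str, str, int]]:
    """Return (user, token, ts) for every session use that post-dates a password
    reset but relies on a token issued before that reset."""
    events = []
    for line in log_text.splitlines():
        ts, event, user, token = line.split()
        events.append((int(ts), event, user[len("user="):], token[len("token="):]))

    reset_at: Dict[str, int] = {}
    issued_at: Dict[str, int] = {}
    findings: List[Tuple[str, str, int]] = []
    for ts, event, user, token in sorted(events):  # sort: lines may be out of order
        if event == "session_issued":
            issued_at[token] = ts
        elif event == "password_reset":
            reset_at[user] = ts
        elif event == "session_used":
            reset = reset_at.get(user)
            # Tokens with no recorded issue event are not flagged by this check.
            if reset is not None and ts > reset and issued_at.get(token, ts) < reset:
                findings.append((user, token, ts))
    return findings


if __name__ == "__main__":
    print(lifecycle_demo())                  # (True, False, True)
    print(sessions_surviving_reset(SAMPLE_LOG))  # [('alice', 'tokA', 170)]
```

The version counter is the important design choice: revocation becomes a single increment on the account rather than a search over every session, and a check that forgets to compare versions is exactly the kind of gap that lets a pre-reset artefact keep working.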
This exploit, characterized by its ability to continuously regenerate cookies for Google services, underscores the complexity of Google’s internal authentication mechanisms. It also signals a shift towards stealth-oriented cyber threats, where the emphasis is on concealment rather than sheer effectiveness.