Incident Details
In October 2023, a developer known as PRISMA disclosed a critical vulnerability that allows persistent Google cookies to be created by manipulating tokens. The vulnerability permits ongoing access to Google services even after a user has reset their password. Following the disclosure, a threat actor reverse-engineered the script and integrated it into Lumma Infostealer, protecting the technique with advanced blackboxing methods. This set off a chain reaction: the exploit quickly spread among various malware groups, each adopting it to keep its feature set current.
CloudSEK's team of threat researchers, combining human intelligence sources with technical analysis, traced the vulnerability to an undocumented Google OAuth endpoint called "MultiLogin". This article explores the discovery of the vulnerability, its progression, and the wider implications for cybersecurity.
Incident
How Did the Breach Happen?
The breach exploited a vulnerability that allows persistent Google cookies to be created by manipulating tokens.
What Data has been Compromised?
The vulnerability grants uninterrupted access to Google services even after a user resets their password, allowing the threat actor to circumvent the usual security controls.
Why Did the Company's Security Measures Fail?
The company's security was compromised by an exploit that made use of an undocumented Google OAuth endpoint called 'MultiLogin'. Through this exploit, expired Google service cookies could be regenerated, granting access to compromised accounts without a password and thus enabling continuous access.
What Immediate Impact Did the Breach Have on the Company?
The breach quickly led to the exploit being disseminated across multiple malware groups, resulting in a rise in unauthorized access to Google accounts.
How could this have been prevented?
This breach could have been prevented by detecting and fixing the vulnerability in the undocumented Google OAuth endpoint 'MultiLogin' before it was exploited.
What have we learned from this data breach?
This breach highlights the importance of ongoing vulnerability monitoring and proactive vigilance against evolving cyber threats. Detecting and understanding advanced attacks requires a combination of technical expertise and human insight.
Summary of Coverage
In October 2023, a significant vulnerability was identified that enabled persistent Google cookies to be created by manipulating tokens. The exploit quickly propagated among different malware groups, leading to unauthorized access to Google accounts. The vulnerability abused an undocumented Google OAuth endpoint known as 'MultiLogin'. This incident emphasizes the importance of ongoing monitoring and of combining technical analysis with human insight to address evolving cyber risks.