by jdpoteet | Jan 4, 2024 | Threat Advisories
Malware using Google MultiLogin Exploit to Maintain Access
SUMMARY
An undocumented Google OAuth endpoint known as MultiLogin is being abused to regenerate valid session cookies from tokens stolen out of Chrome, giving persistent access across Google services even after the victim resets their password. The technique was first advertised by the threat actor PRISMA on their Telegram channel on October 20, 2023, and has since been integrated into multiple information-stealer families, including Lumma, Rhadamanthys, Stealc, Meduza, RisePro, and WhiteSnake.
TECHNICAL DETAILS
Multiple information-stealer families are exploiting the MultiLogin endpoint to revive expired Google authentication cookies, giving unauthorized and persistent access to user accounts even after a password change. Session cookies carry the authentication state and normally have a limited lifetime precisely to bound the damage from theft. CloudSEK’s in-depth analysis found that the technique relies on the MultiLogin endpoint of the Gaia Auth API, a component intended to keep a user’s account state synchronized across Google services such as YouTube. CloudSEK also found that the cookies restored this way were valid across multiple Google domains.
The stealers read the service (GAIA ID) and encrypted_token pairs stored in the logged-in Chrome profile, the refresh-token material Chrome itself uses for account sync. The tokens are decrypted with the key Chrome keeps in its ‘Local State’ file, the same key that protects saved browser passwords; on Windows that key is itself protected with DPAPI, which is why the decryption is done on the victim host in the user’s context. With the token:GAIA ID pairs in hand, the attacker calls the MultiLogin endpoint to mint fresh Google service cookies, giving persistent unauthorized access to the compromised account.
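As an added, defensive illustration (this is not code from the advisory, from CloudSEK, or from any of the named malware): a triage script an incident responder could run against a copy of a Chrome User Data directory to list which Google accounts on the host hold the refresh-token material these stealers target, so that exactly those sessions can be signed out and revoked. It assumes the standard Chrome layout (a token_service table with service and encrypted_token columns in each profile’s “Web Data” SQLite database, service values keyed as AccountId-<GAIA ID>, and an os_crypt.encrypted_key entry in Local State); the sample User Data tree it builds is constructed. It only reads; nothing is decrypted.

```python
"""Triage helper: which Chrome profiles on a host hold Google (GAIA) refresh
tokens, i.e. the token_service rows that MultiLogin-abusing stealers harvest.
Added illustration, not code from the advisory or from any vendor. Read-only:
the goal is to know which accounts need their sessions revoked."""
import json
import os
import shutil
import sqlite3
import tempfile

# Assumption: Chrome keys token_service rows as "AccountId-<GAIA ID>".
ACCOUNT_PREFIX = "AccountId-"


def chrome_profiles(user_data_dir):
    """Profile directories under a Chrome User Data dir that contain a 'Web Data' DB."""
    found = []
    for name in sorted(os.listdir(user_data_dir)):
        profile_dir = os.path.join(user_data_dir, name)
        if os.path.isfile(os.path.join(profile_dir, "Web Data")):
            found.append(profile_dir)
    return found


def stored_account_ids(profile_dir):
    """GAIA account IDs that have a non-empty stored refresh token in this profile.

    encrypted_token is read only to see that a token exists; it is never decrypted.
    Chrome holds a lock on Web Data while running, so the DB is copied before opening.
    """
    src = os.path.join(profile_dir, "Web Data")
    with tempfile.TemporaryDirectory() as tmp:
        copy = os.path.join(tmp, "WebData.sqlite")
        shutil.copy2(src, copy)
        con = sqlite3.connect(copy)
        try:
            rows = con.execute("SELECT service, encrypted_token FROM token_service").fetchall()
        finally:
            con.close()
    ids = []
    for service, blob in rows:
        if not blob:
            continue  # empty token: nothing for a stealer to replay
        ids.append(service[len(ACCOUNT_PREFIX):] if service.startswith(ACCOUNT_PREFIX) else service)
    return ids


def has_os_crypt_key(user_data_dir):
    """True if Local State carries the os_crypt key that unlocks the stored tokens.

    On Windows this is a DPAPI-wrapped AES key, the same one that protects saved
    passwords; its presence next to Web Data is what makes the profile worth stealing.
    """
    path = os.path.join(user_data_dir, "Local State")
    if not os.path.isfile(path):
        return False
    with open(path, encoding="utf-8") as f:
        state = json.load(f)
    return bool(state.get("os_crypt", {}).get("encrypted_key"))


def triage(user_data_dir):
    """Map each profile directory name to the GAIA IDs whose sessions should be revoked."""
    report = {}
    for profile_dir in chrome_profiles(user_data_dir):
        ids = stored_account_ids(profile_dir)
        if ids:
            report[os.path.basename(profile_dir)] = ids
    return report


def build_fixture(root):
    """Constructed sample User Data tree (not a real capture) so the script runs offline."""
    samples = {
        "Default": [("AccountId-110000000000000000001", b"v10\x00constructed-ciphertext")],
        "Profile 1": [("AccountId-110000000000000000002", b"v10\x00constructed-ciphertext"),
                      ("AccountId-110000000000000000003", b"")],
    }
    for profile, rows in samples.items():
        os.makedirs(os.path.join(root, profile))
        con = sqlite3.connect(os.path.join(root, profile, "Web Data"))
        con.execute("CREATE TABLE token_service (service VARCHAR PRIMARY KEY NOT NULL, encrypted_token BLOB)")
        con.executemany("INSERT INTO token_service VALUES (?, ?)", rows)
        con.commit()
        con.close()
    with open(os.path.join(root, "Local State"), "w", encoding="utf-8") as f:
        json.dump({"os_crypt": {"encrypted_key": "constructed-base64-placeholder"}}, f)


def demo():
    """Run the triage over the constructed fixture; returns (key_present, report)."""
    with tempfile.TemporaryDirectory() as root:
        build_fixture(root)
        return has_os_crypt_key(root), triage(root)


if __name__ == "__main__":
    # On a real host point triage() at a copy of %LOCALAPPDATA%\Google\Chrome\User Data.
    key_present, report = demo()
    print("os_crypt key present:", key_present)
    for profile, ids in report.items():
        print(profile, "->", ", ".join(ids))
```

Every GAIA ID the script reports is an account whose sessions should be signed out and revoked from the devices page, regardless of whether the password has already been changed.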
Google’s response was that stolen sessions can be invalidated by signing out of the affected browser, or revoked remotely from the devices page in the user’s account settings. Google disputed parts of CloudSEK’s characterization, but still advised users to turn on Enhanced Safe Browsing in Chrome, change their passwords to cut off further misuse, and watch account activity for sessions from unfamiliar IP addresses or locations.
RECOMMENDATIONS
- Change your Google account password immediately, after removing the info-stealer from the affected machine; otherwise a fresh token will simply be stolen again. A password change alone does not cut off a session already regenerated through MultiLogin, so pair it with the sign-out and revocation steps below.
- Enable Enhanced Safe Browsing in Google Chrome to add an extra layer of protection against phishing attempts and malware downloads.
- Regularly monitor your Google account activity for any suspicious sessions or unauthorized access, especially from unfamiliar IP addresses or locations.
- If you suspect your account is compromised, sign out of every session in the impacted browser and also revoke sessions remotely from your Google account’s device management page. Either action invalidates the regenerated cookies; doing both covers devices you no longer control.
- Ensure that your web browser, especially Google Chrome, is up to date. Regularly update your operating system and security software to patch vulnerabilities and protect against potential exploits.
- Enable two-factor authentication for an additional layer of security. This ensures that even if your password is compromised, an extra verification step is required for access.
- Stay informed about security updates from Google and other relevant sources. Implement updates promptly to benefit from the latest security enhancements and patches.
by jdpoteet | Dec 27, 2023 | Videos/Podcasts
Blackswan Cybersecurity CEO, Prof. Mike Saylor discusses Stellar Cyber Open XDR and why it was Blackswan’s preferred platform in 2023.
“An MSSP should be capable enough to focus on what the client’s true needs are both from a services and technology perspective, but also being as economical about it as you can. When we deploy Stellar, we are able to build deployment packages very quickly, whenever we need them.”
“The biggest benefit of working with Stellar is their people. The communication, the availability, the responsiveness, the innovation, the thought leadership. Those are all things that I look for in a partner. And those are all things that I’ve just been thoroughly and continually impressed with.”
Stellar Cyber Open XDR is a unified, AI-powered approach to detection and response that collects and correlates data from all existing security tools to protect the entire enterprise attack surface effectively and efficiently. Open XDR, unlike “closed” XDR, works with any underlying security control, including any EDR, eliminating the need for organizations to essentially hand over the control of their security stack to any single vendor.
Architecturally, Open XDR is about unifying and simplifying the entire security stack to radically improve detection and response. At any given organization, the security stack consists of numerous capabilities like SIEM, EDR, NDR, SOAR, and more. These capabilities were never designed to work with each other, and teams spend too much time managing multiple tools, leading to today’s problems: too many tools, not enough people, and not the right data. That is where Open XDR comes in, unifying all capabilities, correlating alerts from individual tools into holistic incidents, and reducing administrative overhead. AI and automation are the only technically feasible way of protecting the entire attack surface effectively and efficiently, which is why they are a key architectural attribute of Open XDR.
The outcome is protection of your environments from a single platform rather than from multiple tools held together by weak or non-existent integrations: radically improved detection and response at a price anyone can afford.
Ingest and Normalize Data
Stellar Cyber ingests data from API-based connectors (cloud or on-prem) and from streaming log sources over protocols like Syslog. On-prem sources are captured through Stellar Cyber’s Sensors, which can be deployed physically or virtually to hook into those environments. Data, regardless of origin, is normalized into a standard data model: common fields like source IP, timestamp, or logon type are standardized whenever possible so that workflows behave the same way across sources, while vendor-specific fields are kept in a per-vendor data namespace. Data is also enriched with geolocation and asset context to increase the value of all telemetry.
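To make the normalization step concrete, here is an added example (not Stellar Cyber’s code or data model, and the schema, field names and vendor names are assumptions for illustration): two constructed events, a syslog line from a hypothetical firewall “vendorfw” and a JSON record from a hypothetical EDR agent, are parsed into one common schema, the raw vendor fields are kept under a vendor namespace, and both records are enriched from a constructed asset inventory.

```python
"""Illustrative log normalization: two source formats, one common model,
vendor-specific fields namespaced, asset enrichment. Added example; the schema,
vendors and sample data are constructed for this demonstration."""
import json
import re
from datetime import datetime, timezone

# Constructed sample events (not real captures).
SYSLOG_LINE = ('<134>Jan  4 09:15:02 fw01 vendorfw: sn=ABC123 event=login user="alice" '
               'src=10.0.0.5 dst=10.0.0.20 method=ssh result=success')
EDR_EVENT = json.dumps({"ts": "2024-01-04T09:15:07Z", "host": "ws-42", "event_type": "logon",
                        "user_name": "alice", "logon_type": 10, "remote_ip": "10.0.0.5",
                        "sensor_id": "edr-7"})

# Constructed asset inventory used for enrichment.
ASSETS = {
    "10.0.0.5": {"name": "laptop-alice", "owner": "alice", "criticality": "medium"},
    "10.0.0.20": {"name": "fw01-mgmt", "owner": "netops", "criticality": "high"},
}

# Vendor-specific logon encodings mapped onto one vocabulary (Windows logon type
# numbers for the EDR, the authentication method for the firewall).
WINDOWS_LOGON_TYPES = {2: "interactive", 3: "network", 10: "remote_interactive"}
SSH_LOGON_TYPE = "remote_interactive"
SYSLOG_YEAR = 2024  # assumption: BSD syslog timestamps carry no year


def _iso(dt):
    """Common timestamp form: ISO 8601 in UTC."""
    return dt.replace(tzinfo=timezone.utc).isoformat()


def parse_syslog(line):
    """Parse a BSD-style syslog line whose body is key=value pairs."""
    m = re.match(r"<\d+>(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (\S+): (.*)$", line)
    if not m:
        raise ValueError("unrecognised syslog line")
    stamp, host, program, body = m.groups()
    raw = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', body)}
    ts = datetime.strptime(f"{SYSLOG_YEAR} {' '.join(stamp.split())}", "%Y %b %d %H:%M:%S")
    return {
        "timestamp": _iso(ts),
        "event": "logon" if raw.get("event") == "login" else raw.get("event"),
        "src_ip": raw.get("src"),
        "dst_ip": raw.get("dst"),
        "user": raw.get("user"),
        "logon_type": SSH_LOGON_TYPE if raw.get("method") == "ssh" else "unknown",
        "outcome": raw.get("result", "unknown"),
        "reporter": host,
        "vendor": {program: raw},  # every raw field kept, under the vendor's own namespace
    }


def parse_edr(record):
    """Parse the hypothetical EDR agent's JSON record."""
    raw = json.loads(record)
    ts = datetime.strptime(raw["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {
        "timestamp": _iso(ts),
        "event": raw["event_type"],
        "src_ip": raw.get("remote_ip"),
        "dst_ip": None,
        "user": raw.get("user_name"),
        "logon_type": WINDOWS_LOGON_TYPES.get(raw.get("logon_type"), "unknown"),
        "outcome": raw.get("result", "unknown"),
        "reporter": raw["host"],
        "vendor": {"edr": raw},
    }


def enrich(event):
    """Attach asset context for any common-model IP field found in the inventory."""
    for key in ("src_ip", "dst_ip"):
        ip = event.get(key)
        if ip in ASSETS:
            event.setdefault("asset", {})[key] = ASSETS[ip]
    return event


def normalize_all(sources):
    """sources: iterable of (kind, payload). Returns common-model events sorted by time."""
    parsers = {"syslog": parse_syslog, "edr": parse_edr}
    events = [enrich(parsers[kind](payload)) for kind, payload in sources]
    return sorted(events, key=lambda e: e["timestamp"])


DEMO_SOURCES = [("edr", EDR_EVENT), ("syslog", SYSLOG_LINE)]


def demo():
    return normalize_all(DEMO_SOURCES)


if __name__ == "__main__":
    for ev in demo():
        print(json.dumps(ev, indent=2))
```

Once both records share src_ip, user and logon_type, correlating “alice logged in over SSH to the firewall and, five seconds later, remotely to ws-42 from the same laptop” becomes a query on the common fields rather than two vendor-specific parsers.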
Centralized Threat Detection
Stellar Cyber uses several methods to root out potential threats:
Known-bad activity that is easy to describe is found with rules; new and updated rules ship continuously to all customers, sourced from Stellar Cyber’s internal detection team and open communities like SigmaHQ.
Harder-to-find known-bad activity is identified with supervised machine learning: Stellar Cyber’s security research team develops models from publicly available or internally generated datasets and continuously monitors model performance across the fleet.
Unknown and zero-day threats are uncovered with unsupervised machine learning models that look for anomalous behavior indicative of a threat. These models baseline over several weeks on a per-customer, per-tenant basis.
Sensor-Driven Threat Detection
Stellar Cyber’s sensors not only collect logs from cloud and on-prem sources; they also provide visibility and push network-based detections out to the edge. Each sensor packages Deep Packet Inspection (DPI), an Intrusion Detection System (IDS), and a malware sandbox into a single configurable software package.
AI-Enabled Investigations
Correlation across detections and other data signals is performed by a graph-ML-based AI that aids analysts by automatically assembling related data points. It scores the connection strength between discrete events, which can come from any data source, based on property, temporal, and behavioral similarity. The model is trained on real-world data generated by Stellar Cyber and is continuously improved through operational exposure.
Automated Response
Users can fully customize the context, conditions, and output of playbooks, and deploy them globally or per tenant. Use an out-of-the-box playbook for a standard response, or create a custom one to take action back into an EDR, call a webhook, or simply send an email.
by jdpoteet | Dec 21, 2023 | News
Warmest holiday wishes from all of us at Blackswan Cybersecurity! May your season be filled with peace and joy. We’re extremely thankful for your trust in our dedication to securing your valuable assets and we greatly appreciate your continued loyalty and support.

by jdpoteet | Dec 21, 2023 | News
NSA — 2023 Cybersecurity Year in Review
The National Security Agency (NSA) just published its 2023 Cybersecurity Year in Review. Some highlights include:
Establishing the Artificial Intelligence (AI) Security Center.
Detecting stealthy People’s Republic of China (PRC) intrusions into U.S. critical infrastructure and joining forces with partners (CISA, FBI, NIST, etc.) to expose them.
Collaborating with industry, government stakeholders, and academia to modernize cryptography, scale cybersecurity solutions, and address the quantum threat.
