Everything You Need to Know About the MultiLogin Attack
Before we dive into this article, Nisha Infotech Blogs wants to give a special thanks to BleepingComputer. In this article, we’ll talk about the MultiLogin exploit and how much harm it can cause to our accounts. Let’s get started!
Introduction
There is a new problem in online security that we need to be aware of. Bad actors are taking advantage of an undocumented part of Google’s login system called “MultiLogin.” They are using it to regenerate authentication cookies after those cookies should have expired, which lets them get into people’s accounts without permission. This article looks at how the problem was found, how it works, and how it is spreading across different malware families.
Understanding Session Cookies
Before we get into the details of the exploit, it is important to understand the role of session cookies. These are special cookies in your web browser that keep track of your login state. They let you use websites without entering your username and password every time. To limit the damage if someone steals one, these cookies are set to expire after a certain period, so a stolen cookie cannot be used indefinitely.
The Lumma and Rhadamanthys Revelation
In November 2023, a warning circulated in the cybersecurity community about Lumma and Rhadamanthys, two information-stealing malware families. These malware families can regenerate expired Google authentication cookies, even after the user has logged out or changed their password. This raised concern about the safety of Google accounts.
Silent Response from Google
Despite these concerning reports, Google did not respond when BleepingComputer asked for more information. Google’s failure to acknowledge the issue or share plans to fix it made it even more important to determine how large the problem was and how it could affect users.
Unveiling the Zero-Day Exploit
Researchers from CloudSEK disclosed details of a previously unknown attack, a zero-day exploit, first described by an individual going by the name PRISMA in October 2023. The exploit abuses an undocumented Google endpoint called MultiLogin, which is intended to help link accounts across different Google services. The discovery raises questions about how secure Google’s systems are and about the risks of hidden features that are not well documented.
Mechanics of the MultiLogin Endpoint
Decoding Chrome Accounts Synchronization
CloudSEK looked into how the MultiLogin endpoint works. It is meant to synchronize Google accounts across Chrome. It accepts a list of account IDs and authentication login tokens, and when a sync is requested it checks whether the accounts recorded in cookies differ from those in the browser. This reconciliation step is the behaviour that bad actors take advantage of.
Token Extraction and Decryption
Information-stealing malware abusing MultiLogin extracts tokens and account IDs from Chrome profiles that are signed in to a Google account. This stolen data, including service details (the GAIA ID) and encrypted tokens, is what the later stages of the attack depend on.
Persistent Access through Regenerated Cookies
Using the MultiLogin endpoint, the attackers can decrypt the stolen tokens and regenerate expired Google service cookies. This gives them a key that keeps working against compromised accounts and bypasses the usual session-expiry safeguards.
Insights from CloudSEK’s Reverse Engineering
BleepingComputer spoke to CloudSEK researcher Pavan Karthick, who reverse-engineered the exploit. His finding that the bad actors can still mint new authentication cookies even after a Google password change underscores how serious this security problem is.
Mitigation Strategies
Karthick suggests taking proactive steps to protect against this exploit. Users should log out of their Google accounts, change their passwords, and then log back in. This three-step process invalidates the bad actor’s persistence and secures the account.
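The reason a password change alone is not enough, and signing out is, can be seen in a small session model. This is an added illustration written for this article, not Google’s code: the class, its fields and the “credential generation” hardening are all assumptions, chosen to show a refresh token that outlives a password change unless sessions are explicitly revoked.

```python
"""Toy session model (added illustration, not Google's implementation).
Shows why a long-lived refresh token keeps minting cookies after a
password change unless sessions are revoked. All names are assumptions."""
import secrets


class AccountService:
    def __init__(self):
        self.password_hash = "pw-v1"   # placeholder, not a real hash
        self.sessions = {}             # refresh_token -> session record
        self.cred_generation = 1       # bumped on every password change

    def sign_in(self):
        """Issue a refresh token bound to the current credential generation."""
        tok = secrets.token_hex(16)
        self.sessions[tok] = {"generation": self.cred_generation, "revoked": False}
        return tok

    def change_password(self, new_hash):
        """Rotate the credential. Note: existing sessions are NOT touched."""
        self.password_hash = new_hash
        self.cred_generation += 1

    def sign_out_all(self):
        """Explicit revocation, the equivalent of signing out everywhere."""
        for s in self.sessions.values():
            s["revoked"] = True

    def mint_cookie_weak(self, refresh_token):
        """Flawed policy: any unrevoked token yields a fresh session cookie,
        so a token stolen before a password change still works."""
        s = self.sessions.get(refresh_token)
        if s is None or s["revoked"]:
            return None
        return "cookie-" + secrets.token_hex(4)

    def mint_cookie_hardened(self, refresh_token):
        """Assumed hardening: the token must also belong to the current
        credential generation, so a password change alone invalidates it."""
        s = self.sessions.get(refresh_token)
        if s is None or s["revoked"] or s["generation"] != self.cred_generation:
            return None
        return "cookie-" + secrets.token_hex(4)


def scenario():
    """Walk a stolen token through password change and sign-out."""
    svc = AccountService()
    stolen = svc.sign_in()
    svc.change_password("pw-v2")
    after_pw = svc.mint_cookie_weak(stolen) is not None      # still works
    hardened = svc.mint_cookie_hardened(stolen) is not None  # blocked
    svc.sign_out_all()
    after_signout = svc.mint_cookie_weak(stolen) is not None # blocked
    return after_pw, hardened, after_signout
```

Under the weak policy only the sign-out step blocks the stolen token, which matches the advice to sign out rather than rely on a password change alone.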
Proliferation Among Malware Families
The timeline of the exploit’s adoption is worrying. Lumma stealer used it first, and Rhadamanthys followed. Other info stealers, including Stealc, Medusa, RisePro, and Whitesnake, then added it as well. This shows the exploit is being widely folded into the toolkit of malware developers.
Tech Giant’s Response and Countermeasures
Lumma’s Ongoing Evolution
The creators of Lumma anticipated that their exploit might be blocked, so they used a technique they call blackboxing to encrypt the token:GAIA pair with private keys. Even after Google quietly made changes to address the issue, the Lumma developers updated their exploit to work around them, adding SOCKS proxies and encrypted communication with the MultiLogin endpoint to keep it working.
Google’s Official Statement
On January 3, 2024, Google finally addressed the growing problem. The company acknowledged the issue of a malware family stealing session tokens and said it is continuously working on improving defenses against these types of threats. It also sought to clear up confusion about revoking tokens, stating that users can render stolen sessions useless by signing out or by remotely revoking sessions through the user’s devices page.
Conclusion
The exploitation of Google’s MultiLogin endpoint raises serious concerns about the security of authentication mechanisms. The collaboration between threat actors and the swift adoption of the exploit across multiple malware families underscore the need for robust endpoint security measures. As users grapple with the potential risks, constant vigilance, proactive measures, and updates from cybersecurity experts are indispensable in navigating this evolving threat landscape.
Originally published at https://nishainfotech.co.in on January 5, 2024.