Hackers exploit Google OAuth2 vulnerability to launch infostealers

January 17, 2024

A new wave of information-stealing malware that exploits the Google OAuth2 vulnerability could enable attackers to establish persistent access to victims’ Google accounts.

According to reports, multiple malware-as-a-service (MaaS) offerings have adopted this capability, with Lumma Stealer leading the malware families that exploit the flaw.

Lumma Stealer, a notorious infostealer sold as a service, was the first MaaS offering to leverage the “undocumented OAuth2 functionality,” doing so through a technique known as “blackboxing.”

This method hides the malicious activity from users and gives the attackers an edge over security tools, particularly standard ones. Researchers note that the efficiency of these operations suggests the hackers exploiting the flaw have a sophisticated, deep understanding of Google’s internal authentication mechanisms.

This threat is especially problematic for a wide range of organisations because it abuses the OAuth 2.0 protocol, a widely used standard for single sign-on to Google-connected accounts. Even after a victim resets their password, attackers can keep access to the compromised account, because the exploited vulnerability lets them persist the session.

Lumma Stealer’s exploit of the Google OAuth2 vulnerability has paved the way for other threat groups to run their own campaigns.

Lumma Stealer’s blackboxing approach and its exploit of the Google OAuth vulnerability have caught the attention of other malicious actors, including the operators of Rhadamanthys, RisePro, Meduza, and Stealc Stealer. These groups quickly adopted and spread the exploit.

Researchers attribute the discovery of this vulnerability to a threat actor known as PRISMA, who revealed a zero-day exploit for the flaw in a late October post on a Telegram channel. According to PRISMA, exploiting the vulnerability provides “session persistence”: a session survives a password change, and valid authentication cookies can be regenerated when the session is disrupted.

Furthermore, hackers who control compromised Google accounts could abuse Drive, email logins, and other OAuth-connected services. The threat actors could fold these accounts into their malicious infrastructure, post harmful content online, abuse streaming services, and reach anything else linked to the Google account.

Users should remain vigilant, keep their security measures up to date, and be cautious about their online activities in order to thwart these attempts and avoid falling victim to this sophisticated and persistent attack on Google accounts.
