Week of January 5th, 2024
Welcome to Your Cybersecurity Recap: a bite-sized weekly newsletter by cybersecurity enthusiasts, for cybersecurity enthusiasts.
Here are this week’s top takeaways:
Have You Heard? Malware is Using Google MultiLogin Exploit to Maintain Access Despite Password Reset
As announced this week, information-stealing malware is manipulating an undocumented Google OAuth endpoint named “MultiLogin” to take over user sessions and subsequently retain continuous access to Google services even after a user has reset their password.
According to CloudSEK, a contextual AI firm, this critical exploit facilitates session persistence and cookie generation, which in turn enables threat actors to maintain access to a valid session without authorization.
This session-hijacking technique was first revealed by a threat actor named PRISMA on October 20, 2023, and has since been incorporated into various malware-as-a-service (MaaS) groups such as Stealc and RisePro.
Reverse engineering of the Lumma Stealer code has uncovered that the technique targets Chrome's token_service table of WebData to extract tokens and account IDs of logged-in Chrome profiles. As such, there are three ways that these tokens are being exploited:
When reached for comment by publication The Hacker News, Google publicly noted that users can revoke the stolen sessions by logging out of the impacted browser. "Google is aware of recent reports of a malware family stealing session tokens," the company stated. "Attacks involving malware that steal cookies and tokens are not new; we routinely upgrade our defenses against such techniques and to secure users who fall victim to malware. In this instance, Google has taken action to secure any compromised accounts detected."
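For defenders, the token_service detail above suggests a simple hunt: flag any process other than the installed browser that opens Chrome's profile database (named `Web Data` on disk). The sketch below is an added example, not code from CloudSEK, Google or this newsletter; the event fields `image` and `target`, the allowlisted install directories and the sample events are all constructed assumptions to be mapped onto your own file-access telemetry.

```python
import re
from pathlib import PureWindowsPath

# Assumed legitimate Chrome install directories (lowercase); adjust per fleet,
# e.g. per-user installs, and add EDR or backup agents you trust.
ALLOWED_IMAGE_DIRS = {
    r"c:\program files\google\chrome\application",
    r"c:\program files (x86)\google\chrome\application",
}

# ...\Google\Chrome\User Data\<profile>\Web Data, plus SQLite sidecar files.
WEB_DATA_RE = re.compile(
    r"\\google\\chrome\\user data\\(default|profile \d+|guest profile)"
    r"\\web data(-journal|-wal)?$",
    re.IGNORECASE,
)

def is_trusted_browser(image_path):
    """True only for chrome.exe running from an allowlisted directory."""
    p = PureWindowsPath(image_path)
    return p.name.lower() == "chrome.exe" and str(p.parent).lower() in ALLOWED_IMAGE_DIRS

def suspicious_web_data_access(events):
    """Return events where an untrusted process opened a Chrome Web Data file."""
    hits = []
    for ev in events:
        target = ev["target"].replace("/", "\\")  # normalise separators
        if WEB_DATA_RE.search(target) and not is_trusted_browser(ev["image"]):
            hits.append(ev)
    return hits

# Constructed sample events (hypothetical schema: image = process, target = file).
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Web Data"},
    {"image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Profile 2\Web Data"},
    # Same file name as the browser, but running from an untrusted location.
    {"image": r"C:\Users\alice\Downloads\chrome.exe",
     "target": r"c:\users\alice\appdata\local\google\chrome\user data\default\web data"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "target": r"C:\Users\alice\Documents\Web Data notes.txt"},
]

if __name__ == "__main__":
    for hit in suspicious_web_data_access(SAMPLE_EVENTS):
        print("ALERT:", hit["image"], "->", hit["target"])
```

Checking the full image path rather than only the file name is what catches the third sample event, where a binary merely named chrome.exe runs from a user's Downloads folder.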
Australian Court Records Impacted By Threat Actors
On Thursday, it was made known that threat actors successfully accessed the court recordings database in Australia's Victoria state and disrupted the audio-visual in-court technology network. This has impacted both recordings and transcription services.
Recordings of court hearings between November and December, 2023, may have been stolen, Court Services Victoria CEO Louise Anderson said in a statement. An ongoing investigation has been launched into whether court hearings from before November may have also been impacted by the attack.
Hearings in January would proceed after the affected network was isolated and disabled, and court officials were working closely with the government's cybersecurity experts. Court Services Victoria did not reveal whether it received any ransomware demands.
Historically, ransomware has ignited crisis-level concerns for global businesses of all sizes. In recent years, the number of ransomware attacks has been exponentially increasing, and this trend is forecasted to continue over the next decade.
In 2021, ransomware damages were estimated to be around $20 billion USD, an almost 60X increase above the recorded costs in 2015, and forecasted damages are expected to reach a staggering $250 billion USD by 2031. The number of ransomware attacks increased by 13% above 2020 and accounted for 25% of all successful cyber breaches. Although the industries most impacted by ransomware attacks in recent years were healthcare, financial services, and IT, the impact of ransomware has spanned all industries and has included national governments and critical infrastructure, with this attack in Australia being a reminder for organizations across all countries to renew their ransomware protection efforts.