Security researchers have uncovered a significant threat to Google accounts as multiple malware-as-a-service info stealers, including Lumma Stealer, gain the ability to manipulate authentication tokens. This manipulation allows attackers persistent access to a victim’s Google account, even after the user resets their password. Lumma Stealer, which introduced this capability in November, exploits the OAuth 2.0 security protocol, widely used for accessing Google-connected accounts through single sign-on. Despite its blackboxing approach to conceal malicious activities, other malware distribution groups, such as Rhadamanthys, RisePro, Meduza, Stealc Stealer, and Eternity Stealer, have rapidly adopted and spread this vulnerability.
The discovered vulnerability, brought to light by an attacker with the handle PRISMA, was first revealed in a late October post on a Telegram channel. PRISMA’s zero-day exploit allows for “session persistence,” enabling attackers to maintain unauthorized access even if a user changes their password. The exploit can generate valid authentication cookies, ensuring the attacker’s ability to sustain access. CloudSEK, the cybersecurity firm reporting the findings, emphasizes the severity of the impact, stating that compromised Google accounts could be exploited to access services like Drive and email login, posing a significant risk to affected users and organizations.
Pavan Karthick M, a threat researcher at CloudSEK, underscores the potential consequences of the exploit, noting that if a Google account is infected, threat actors can abuse it to become part of a malicious infrastructure. The exploit allows attackers to post malicious content online, abuse streaming services, and access anything connected to Google, highlighting the broad range of potential abuses. The report emphasizes the sophistication of the exploit and the rapid adoption by various malware groups, signaling a concerning trend in cyber threats that poses severe risks to user privacy and organizational security.
