The important feature of the zero-day solution is “session persistence”, which means a hacker’s session using a target Google account will continue to remain valid in the face of a password change.
This means the true owner of the Google account won’t be able to kick them out with a password reset. But further, it also allows any threat actor exploiting it to “generate valid cookies in the event of a session disruption”, which CloudSEK says enhances the attacker’s ability to “maintain unauthorized access.”
As of January 2024, Google is yet to roll out a comprehensive solution to the flaw, CloudSEK says.
Hacking Groups Catch On to Big Discovery
Unfortunately, hackers have already incorporated the exploit into their info-stealing malware to break into the Google accounts of unsuspecting victims.
After the exploit was made public, in mid-November of 2023, “a threat actor… later reverse-engineered this script and incorporated it into Lumma Infostealer… protecting the methodology with advanced blackboxing techniques” CloudSEK notes.
After that, the team behind the Lumma info stealer updated the exploit to make it even harder for Google’s detection systems to spot.
CloudSEK says the exploit has now spread “rapidly” among various other threat groups, making the risk to account holders even higher – Rhadamanthys, Risepro, Meduza, and Stealc Stealer have reportedly all incorporated the technique already.
What to do if Your Google Account has Been Compromised
A simple password reset can’t be used to beat this attack technique alone. CloudSEK recommends that users who believe their account may have been hacked first log out of all devices and browsers.
Only after following this step can a password reset involving a sufficiently complex and unique password be used to invalidate the threat actor’s old tokens.
——————————————————–
