Google MultiLogin exploit enables persistent unauthorized access

SISA Weekly Threat Watch 08 January, 2024

Over the past week, diverse threats have emerged in the cybersecurity landscape, posing significant risks to global entities and users worldwide. These include state-linked groups deploying sophisticated malware, a surge in detections of a malware loader, cybercriminals exploiting vulnerable Linux SSH servers for cryptocurrency mining, a zero-day vulnerability in Barracuda’s ESG appliances, and exploitation of a hidden Google OAuth feature, “MultiLogin”. These threats emphasize the importance of strong security protocols, ongoing awareness, and preemptive measures to counter the ever-changing landscape of cyber dangers.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats. 

1. Kimsuky hackers deploying AppleSeed, Meterpreter, and TinyNuke in latest attacks

North Korea’s state-linked operatives, particularly the Kimsuky APT group, have been identified employing sophisticated spear-phishing tactics to deploy various backdoors and tools like AppleSeed, Meterpreter, and TinyNuke. Analysis highlights their prolonged use of consistent attack methods, notably AppleSeed, in espionage campaigns targeting global entities.

Kimsuky’s evolution, expanding from South Korean targets to international objectives since 2017, has resulted in U.S. government sanctions. The group utilizes intricate spear-phishing attacks with malicious documents triggering diverse malware families, including AlphaSeed, an updated variant of AppleSeed written in Golang and employing chromedp for server communication. The group also uses other tools like Meterpreter and VNC malware, aiming to compromise systems. Regular security audits, threat intelligence sharing, and compliance with industry standards are crucial to fortify defenses against evolving threats. 

2. Malware using Google MultiLogin exploit to maintain access despite password reset 

Cybercriminals are exploiting a hidden Google OAuth feature called “MultiLogin” to maintain persistent unauthorized access to user accounts even after password changes. The technique, disclosed by the hacker group PRISMA, lets them regenerate expired authentication cookies and has been integrated into various malware platforms, including Lumma and Rhadamanthys.

By decrypting tokens obtained from Chrome profiles linked to a Google account, attackers leverage the undocumented Google OAuth endpoint to restore expired cookies, ensuring prolonged unauthorized access. Google has urged users to change passwords, activate Enhanced Safe Browsing in Chrome, monitor account activities, log out from affected browsers, and remotely revoke access via the user’s device management page as countermeasures against this exploit.

3. Rugmi malware loader: Alarming surge with hundreds of daily detections

Threat actors are distributing various information stealers, including Vidar, Lumma Stealer, RecordBreaker, and Rescoms, through a new malware loader, Win/TrojanDownloader.Rugmi. The malware consists of several loaders that fetch payloads from internal or external sources and handle encrypted downloads. Detections of the Rugmi loader increased significantly between October and November 2023, rising from a few per day to hundreds.

This malware-as-a-service (MaaS) model offers stealth malware subscriptions, such as Lumma Stealer, for $250 a month, allowing buyers of a $20,000 package to access and sell the source code. The off-the-shelf utility spreads via malvertising, bogus software updates, and cracked installations, constantly adapting to evade detection. Mitigation steps involve deploying robust endpoint protection, software patching for updates, enhancing email filtering, and employing malvertising protection to curb potential threats. 

4. Poorly secured Linux SSH servers under attack for cryptocurrency mining

Malicious actors are targeting vulnerable Linux SSH servers, aiming to deploy port scanners and execute dictionary attacks to compromise other susceptible servers. The attackers use dictionary attacks to crack SSH credentials, then introduce scanners to identify more vulnerable systems with active port 22 for SSH services. Once identified, they reinitiate the dictionary attack to expand their compromised network.  

Interestingly, these attacks also include specific commands like “grep -c ^processor /proc/cpuinfo,” often customized by each actor before deployment, with traces of this malicious software dating back to 2021. To fortify defenses, users and organizations should prioritize robust password practices, regularly update systems with the latest security patches, and consider implementing firewalls for external server access. 
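The dictionary-attack pattern described above leaves a clear trace in sshd logs: a burst of failed password attempts from one source, sometimes followed by an accepted login from the same source. The following Python script is an added example, not part of the SISA advisory, that parses syslog-style sshd lines and flags both patterns. The log lines are constructed samples using documentation IP ranges; the threshold and time window are assumed values that a defender would tune to their environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log lines (not from any real host). The first source
# runs a short dictionary attack against several accounts and then succeeds.
SAMPLE_AUTH_LOG = """\
Jan  8 03:14:01 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Jan  8 03:14:03 host sshd[2103]: Failed password for invalid user oracle from 203.0.113.7 port 51130 ssh2
Jan  8 03:14:05 host sshd[2105]: Failed password for root from 203.0.113.7 port 51141 ssh2
Jan  8 03:14:07 host sshd[2107]: Failed password for root from 203.0.113.7 port 51150 ssh2
Jan  8 03:14:09 host sshd[2109]: Failed password for root from 203.0.113.7 port 51162 ssh2
Jan  8 03:14:12 host sshd[2111]: Accepted password for root from 203.0.113.7 port 51170 ssh2
Jan  8 03:20:44 host sshd[2150]: Failed password for alice from 198.51.100.4 port 40012 ssh2
Jan  8 03:20:50 host sshd[2152]: Accepted publickey for alice from 198.51.100.4 port 40013 ssh2
"""

# Matches the standard OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line, year=2024):
    """Parse one sshd log line into a dict, or return None for lines we do not care about.
    Syslog timestamps carry no year, so the caller supplies one (assumed 2024 here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m["ts"].split())  # collapse the padded day field ("Jan  8")
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_dictionary_attacks(log_text, threshold=5, window_seconds=60):
    """Return findings keyed by source IP.

    'burst'                  -> peak number of failed password attempts inside any
                                window_seconds window, reported when >= threshold
    'success_after_failures' -> (user, method) of an accepted login from a source that
                                had already produced >= threshold failures
    Assumed defaults: 5 failures in 60 seconds.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    failures = defaultdict(list)
    accepts = defaultdict(list)
    for e in events:
        if e["result"] == "Failed" and e["method"] == "password":
            failures[e["ip"]].append(e["ts"])
        elif e["result"] == "Accepted":
            accepts[e["ip"]].append(e)

    findings = {}
    for ip, times in failures.items():
        times.sort()
        # Sliding window: largest number of failures that fit in window_seconds.
        peak, start = 0, 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            findings.setdefault(ip, {})["burst"] = peak
        # A successful login after a burst of failures is the sign that the
        # dictionary attack worked and the host is now part of the attacker's pool.
        for a in accepts.get(ip, []):
            prior = sum(1 for t in times if t < a["ts"])
            if prior >= threshold:
                findings.setdefault(ip, {})["success_after_failures"] = (a["user"], a["method"])
    return findings


if __name__ == "__main__":
    for ip, info in detect_dictionary_attacks(SAMPLE_AUTH_LOG).items():
        print(ip, info)
```

Run against the constructed sample, the script reports 203.0.113.7 with a burst of 5 failures and a subsequent password login as root, while the single mistyped password from 198.51.100.4 followed by a public-key login produces no finding. Feeding real `/var/log/auth.log` or `journalctl -u ssh` output through the same function is a cheap first check for the activity the advisory describes; the `success_after_failures` case is the one that should trigger an incident response rather than just a block rule.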

5. CVE-2023-7102: Zero-day exploited by Chinese hackers in Barracuda’s ESG appliances

Chinese threat actors leveraged a zero-day vulnerability (CVE-2023-7102) in Barracuda’s Email Security Gateway appliances, installing backdoors on a limited number of devices. This exploitation allowed UNC4841 to target high-tech firms, IT providers, and government entities primarily in the U.S. and Asia-Pacific regions. The flaw exists in the Spreadsheet::ParseExcel library used by the Barracuda ESG’s Amavis scanner, enabling attackers to execute arbitrary code via specially crafted Microsoft Excel email attachments.

This attack deploys SEASPY and SALTWATER implants, granting persistence and command execution capabilities. While the original flaw (CVE-2023-7101) remains unpatched, organizations are advised to monitor for indicators of compromise, maintain vigilance, and prioritize email security best practices, including user training and regular security assessments. 

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
