
Turn It Off And On Again, Google Says

Have you tried turning it off and on again? That was the go-to advice offered by the character of Roy, a long-suffering support technician, in the cult TV sitcom The IT Crowd, which ended in 2013. Now, Google is suggesting the same advice in 2024 for Gmail users following reports of a password change–resistant attack being exploited by information-stealing attackers.

Attackers Log Into Google Accounts Again And Again

In an adversary intelligence analysis published December 29, CloudSEK researcher Pavan Karthick M detailed how Google accounts could be compromised by exploiting an undocumented authentication endpoint that is used for cross-services synchronization. Attackers were found to be using this endpoint to abuse session cookies and log into Google users’ accounts without needing to enter credentials. This could then enable access to the security Holy Grail that is the Gmail inbox.

The first mention of this exploit was on October 20 in a Russian-language Telegram channel. By November 14, however, it was known to have been incorporated into malware used by the Lumma criminal group, and it was soon adopted by other threat actors. As recently as December 27, threat actors have been seen on the dark web demonstrating the use of this exploit against Google account session cookies.


Changing Your Google Password Doesn’t Prevent Attack

So far, so “meh” from the security surprise perspective. After all, attackers have been using session cookie hijacks for the longest time. Well, not quite the longest time, as session cookies usually come complete with a timeout that prevents their continued use. This is where this particular exploit becomes interesting. According to the CloudSEK threat intelligence analysis, expired session cookies could be restored to allow continued and prolonged access by the attackers. Moreover, the research states that the exploit enables continuous access to Google services even after users reset their passwords.


Have You Tried Turning It Off And On Again?

A Google spokesperson says the company is “aware of recent reports of a malware family stealing session tokens” and acknowledges that such attacks “involving malware that steal cookies and tokens are not new.” Google says it routinely upgrades defenses against such techniques and has “taken action to secure any compromised accounts detected” in this instance. The Google statement takes issue with some reports stating it is impossible to revoke stolen tokens and cookies, however, and this is where the IT Crowd “have you tried turning it off and on again” meme becomes a reality. “Stolen sessions can be invalidated,” Google says, “by simply signing out of the affected browser, or remotely revoked via the user’s devices page.” Google also recommends enabling Enhanced Safe Browsing in Chrome to protect against phishing and malware downloads.

The CloudSEK analysis goes into further detail when it comes to turning it off and on again, stating: “If you suspect your account may have been compromised, or as a general precaution, sign out of all browser profiles to invalidate the current session tokens. Following this, reset your password and sign back in to generate new tokens. Resetting your password effectively disrupts unauthorized access by invalidating the old tokens which the infostealers rely on, thus providing a crucial barrier to the continuation of their exploit.”
