RAT Malware Targeting Mexican Firms with Financial Fraud Tricks

Mexican financial institutions are under the radar of a new spear-phishing campaign that delivers a modified version of an open-source remote access trojan called AllaKore RAT.

The BlackBerry Research and Intelligence Team attributed the activity to an unknown Latin American-based financially motivated threat actor. The campaign has been active since at least 2021.

“Lures use Mexican Social Security Institute (IMSS) naming schemas and links to legitimate, benign documents during the installation process,” the Canadian company said in an analysis published earlier this week.

“The AllaKore RAT payload is heavily modified to allow the threat actors to send stolen banking credentials and unique authentication information back to a command-and-control (C2) server for the purposes of financial fraud.”

It seems that the attacks are specifically intended to target big businesses with annual sales of more than $100 million. Retail, agriculture, the public sector, manufacturing, transportation, commercial services, capital goods, and banking are among the industries targeted.

The first step in the infection chain is the distribution of a ZIP file through phishing or drive-by compromise. This file contains an MSI installer that launches a .NET downloader, which verifies that the victim is geolocated in Mexico and then retrieves the modified AllaKore RAT, a Delphi-based RAT first discovered in 2015.

“AllaKore RAT, although somewhat basic, has the potent capability to keylog, screen capture, upload/download files, and even take remote control of the victim’s machine,” BlackBerry stated.

The threat actor has added new features to the malware, such as support for banking fraud-related commands, targeting cryptocurrency trading platforms and banks in Mexico, initiating a reverse shell, extracting content from the clipboard, and fetching and executing additional payloads.

The campaign’s use of Mexico Starlink IPs and the addition of Spanish-language instructions to the modified RAT payload provide the threat actor with links to Latin America. Moreover, the lures used are only effective for businesses big enough to submit reports directly to the department of the Mexican Social Security Institute (IMSS).

“This threat actor has been persistently targeting Mexican entities for the purposes of financial gain,” the business stated. “This activity has continued for over two years, and shows no signs of stopping.”

The results coincide with the announcement from IOActive that it has discovered three vulnerabilities (CVE-2024-0175, CVE-2024-0176, and CVE-2024-0177) in the Lamassu Douro bitcoin ATMs that could give an attacker with physical access the ability to take complete control of the machines and steal user data.

The attacks exploit the ATM’s software update mechanism and its ability to scan QR codes to supply a malicious file and trigger the execution of arbitrary code. The Swiss company resolved the issues in October 2023.

Update Chrome Now to Fix New Actively Exploited Vulnerability

Google on Tuesday released updates to fix four security issues in its Chrome browser, including an actively exploited zero-day flaw.

The issue, tracked as CVE-2024-0519, concerns an out-of-bounds memory access in the V8 JavaScript and WebAssembly engine, which can be weaponized by threat actors to trigger a crash.

“By reading out-of-bounds memory, an attacker might be able to get secret values, such as memory addresses, which can be used to bypass protection mechanisms such as ASLR in order to improve the reliability and likelihood of exploiting a separate weakness to achieve code execution instead of just denial of service,” according to MITRE’s Common Weakness Enumeration (CWE).

Additional details about the nature of the attacks and the threat actors that may be exploiting it have been withheld in an attempt to prevent further exploitation. The issue was reported anonymously on January 11, 2024.

“Out-of-bounds memory access in V8 in Google Chrome prior to 120.0.6099.224 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page,” reads a description of the flaw on the NIST’s National Vulnerability Database (NVD).

The development marks the first actively exploited zero-day to be patched by Google in Chrome in 2024. Last year, the tech giant resolved a total of 8 such actively exploited zero-days in the browser.

Users are recommended to upgrade to Chrome version 120.0.6099.224/225 for Windows, 120.0.6099.234 for macOS, and 120.0.6099.224 for Linux to mitigate potential threats.

Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.

DDoS Attacks on the Environmental Services Industry Surge by 61,839% in 2023

The environmental services industry witnessed an “unprecedented surge” in HTTP-based distributed denial-of-service (DDoS) attacks, accounting for half of all its HTTP traffic.

This marks a 61,839% increase in DDoS attack traffic year-over-year, web infrastructure and security company Cloudflare said in its DDoS threat report for 2023 Q4 published last week.

“This surge in cyber attacks coincided with COP 28, which ran from November 30th to December 12th, 2023,” security researchers Omer Yoachimik and Jorge Pacheco said, describing it as a “disturbing trend in the cyber threat landscape.”

The uptick in HTTP attacks targeting environmental services websites is part of a larger trend observed annually over the past few years, specifically during COP 26 and COP 27, as well as other United Nations environment-related resolutions or announcements.

“This recurring pattern underscores the growing intersection between environmental issues and cyber security, a nexus that is increasingly becoming a focal point for attackers in the digital age,” the researchers said.

Despite the environmental services sector becoming a new target in Q4 2023, the cryptocurrency industry continues to be the primary casualty in terms of the volume of HTTP DDoS attack requests.

With more than 330 billion HTTP requests targeting it, the attack traffic represents more than 4% of all HTTP DDoS traffic for the quarter. Gaming and gambling and telecommunications emerged as the second and third most attacked industries.

On the other end of the spectrum are the U.S. and China, acting as the main sources of HTTP DDoS attack traffic. It’s worth noting that the U.S. has been the largest source of HTTP DDoS attacks for five consecutive quarters since Q4 2022.


“Together, China and the U.S. account for a little over a quarter of all HTTP DDoS attack traffic in the world,” the researchers said. “Brazil, Germany, Indonesia, and Argentina account for the next 25%.”

The development comes amid a heavy onslaught of DDoS attacks targeting Palestinian banking, information technology (IT), and internet platforms following the onset of the Israel-Hamas War and Israel’s counteroffensive codenamed Operation Iron Swords.

The percentage of DDoS attack traffic targeting Palestinian websites grew by 1,126% quarter-over-quarter, Cloudflare said, adding DDoS attack traffic targeting Taiwan registered a 3,370% growth amidst the Taiwanese presidential elections and rising tensions with China.

Akamai, which also published its own retrospective on DDoS Trends in 2023, said “DDoS attacks became more frequent, longer, highly sophisticated (with multiple vectors), and focused on horizontal targets (attacking multiple IP destinations in the same attack event).”

The findings also follow a report from Cloudflare about the increasing threat posed by unmanaged or unsecured API endpoints, which could enable threat actors to exfiltrate potentially sensitive information.

“HTTP anomalies — the most frequent threat toward APIs — are common signals of malicious API requests,” the company said. “More than half (51.6%) of traffic errors from API origins comprised ‘429’ error codes: ‘Too Many Requests’.”

29-Year-Old Ukrainian Cryptojacking Kingpin Arrested for Exploiting Cloud Services

A 29-year-old Ukrainian national has been arrested in connection with running a “sophisticated cryptojacking scheme,” netting them over $2 million (€1.8 million) in illicit profits.

The person was apprehended in Mykolaiv, Ukraine, on January 9 by the National Police of Ukraine with support from Europol and an unnamed cloud service provider following “months of intensive collaboration.”

“A cloud provider approached Europol back in January 2023 with information regarding compromised cloud user accounts of theirs,” Europol said, adding it shared the intelligence with the Ukrainian authorities.

As part of the probe, three properties were searched to unearth evidence against the suspect.

Cryptojacking refers to a type of cyber crime that entails the unauthorized use of a person’s or organization’s computing resources to mine cryptocurrencies.

On the cloud, such attacks are typically carried out by infiltrating the infrastructure via compromised credentials obtained through other means and installing miners that use the infected host’s processing power to mine crypto without their knowledge or consent.

“If the credentials do not have the threat actors’ desired permissions, privilege escalation techniques are used to obtain additional permissions,” Microsoft noted in July 2023. “In some cases, threat actors hijack existing subscriptions to further obfuscate their operations.”

The core idea is to avoid paying for necessary infrastructure required to mine cryptocurrencies, either by taking advantage of free trials or compromising legitimate tenants to conduct cryptojacking attacks.

In October 2023, Palo Alto Networks Unit 42 detailed a cryptojacking campaign in which threat actors were found stealing Amazon Web Services (AWS) credentials from GitHub repositories within five minutes of their public disclosure to mine Monero.

NoaBot: Latest Mirai-Based Botnet Targeting SSH Servers for Crypto Mining

A new Mirai-based botnet called NoaBot has been used by threat actors as part of a crypto mining campaign since the beginning of 2023.

“The capabilities of the new botnet, NoaBot, include a wormable self-spreader and an SSH key backdoor to download and execute additional binaries or spread itself to new victims,” Akamai security researcher Stiv Kupchik said in a report shared with The Hacker News.

Mirai, which had its source code leaked in 2016, has been the progenitor of a number of botnets, the most recent being InfectedSlurs, which is capable of mounting distributed denial-of-service (DDoS) attacks.

There are indications that NoaBot could be linked to another botnet campaign involving a Rust-based malware family known as P2PInfect, which recently received an update to target routers and IoT devices.

This is based on the fact that threat actors have also experimented with dropping P2PInfect in place of NoaBot in recent attacks targeting SSH servers, indicating likely attempts to pivot to custom malware.

Despite NoaBot’s Mirai foundations, its spreader module uses an SSH scanner to search for servers susceptible to dictionary attacks, brute-forces them, and adds an SSH public key to the .ssh/authorized_keys file for persistent remote access. Optionally, it can also download and execute additional binaries after a successful compromise or propagate itself to new victims.

“NoaBot is compiled with uClibc, which seems to change how antivirus engines detect the malware,” Kupchik noted. “While other Mirai variants are usually detected with a Mirai signature, NoaBot’s antivirus signatures are of an SSH scanner or a generic trojan.”

Besides incorporating obfuscation tactics to render analysis challenging, the attack chain ultimately results in the deployment of a modified version of the XMRig coin miner.

What makes the new variant a cut above other similar Mirai botnet-based campaigns is that it does not contain any information about the mining pool or the wallet address, thereby making it impossible to assess the profitability of the illicit cryptocurrency mining scheme.

“The miner obfuscates its configuration and also uses a custom mining pool to avoid exposing the wallet address used by the miner,” Kupchik said, highlighting some level of preparedness of the threat actors.

Akamai said it identified 849 victim IP addresses to date that are spread geographically across the world, with high concentrations reported in China, so much so that it amounts to almost 10% of all attacks against its honeypots in 2023.

“The malware’s method of lateral movement is via plain old SSH credentials dictionary attacks,” Kupchik said. “Restricting arbitrary internet SSH access to your network greatly diminishes the risks of infection. In addition, using strong (not default or randomly generated) passwords also makes your network more secure, as the malware uses a basic list of guessable passwords.”
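The NoaBot spreader described above leaves two traces a defender can look for: a burst of failed SSH password attempts from one source (the dictionary attack), and a new entry in .ssh/authorized_keys (the backdoor key). The following Python script is an added example, not code from Akamai’s report or from the malware; it detects both. The sshd log lines and the key blobs are constructed samples in the standard syslog/OpenSSH format and do not come from any real host, and the names detect_dictionary_attacks and audit_authorized_keys are the example’s own.

```python
import base64
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log lines in syslog format (not from any real host). Syslog omits the
# year, so timestamps are compared as if they fell in one year.
SAMPLE_AUTH_LOG = """\
Jan 14 03:12:01 edge sshd[4120]: Failed password for root from 198.51.100.23 port 51022 ssh2
Jan 14 03:12:03 edge sshd[4122]: Failed password for invalid user admin from 198.51.100.23 port 51030 ssh2
Jan 14 03:12:06 edge sshd[4124]: Failed password for invalid user pi from 198.51.100.23 port 51038 ssh2
Jan 14 03:12:09 edge sshd[4126]: Failed password for root from 198.51.100.23 port 51044 ssh2
Jan 14 03:12:12 edge sshd[4128]: Failed password for invalid user ubuntu from 198.51.100.23 port 51050 ssh2
Jan 14 03:12:15 edge sshd[4130]: Failed password for root from 198.51.100.23 port 51058 ssh2
Jan 14 03:12:18 edge sshd[4132]: Accepted password for root from 198.51.100.23 port 51066 ssh2
Jan 14 03:15:40 edge sshd[4201]: Accepted publickey for root from 198.51.100.23 port 51300 ssh2: ED25519 SHA256:constructed
Jan 14 08:00:02 edge sshd[5001]: Failed password for alice from 192.0.2.10 port 40010 ssh2
Jan 14 08:00:09 edge sshd[5002]: Accepted password for alice from 192.0.2.10 port 40011 ssh2
"""

SSHD_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<event>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")


def detect_dictionary_attacks(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: details} for sources with >= threshold failed logins inside `window`,
    plus any logins that source achieved afterwards (the guess that worked, or the
    dropped key being used)."""
    failures, logins = defaultdict(list), defaultdict(list)
    for line in lines:
        m = SSHD_LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        if m["event"] == "Failed":
            failures[m["ip"]].append((ts, m["user"]))
        else:
            logins[m["ip"]].append((ts, m["user"], m["method"]))
    hits = {}
    for ip, events in failures.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):  # sliding window over the sorted failure times
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best < threshold:
            continue
        hits[ip] = {
            "failures_in_window": best,
            "users_tried": sorted({user for _, user in events}),
            "logins_after": [(u, meth) for t, u, meth in sorted(logins[ip]) if t >= events[0][0]],
        }
    return hits


def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


KEY_TYPES = ("ssh-", "ecdsa-", "sk-")


def audit_authorized_keys(text, approved_fingerprints):
    """Return the authorized_keys entries whose fingerprint is not on the approved list."""
    unexpected = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Skip any leading options (e.g. command="...") and locate the key-type field.
        idx = next((i for i, f in enumerate(fields) if f.startswith(KEY_TYPES)), None)
        if idx is None or idx + 1 >= len(fields):
            continue
        fp = fingerprint(fields[idx + 1])
        if fp not in approved_fingerprints:
            unexpected.append({"type": fields[idx], "fingerprint": fp,
                               "comment": " ".join(fields[idx + 2:])})
    return unexpected


# Constructed key blobs: a real blob is the base64 public key; any valid base64 serves the audit.
KNOWN_BLOB = base64.b64encode(b"constructed-blob-of-the-admin-key").decode()
ROGUE_BLOB = base64.b64encode(b"constructed-blob-dropped-by-the-bot").decode()
SAMPLE_AUTHORIZED_KEYS = f"""\
# admin workstation
ssh-ed25519 {KNOWN_BLOB} admin@workstation
ssh-rsa {ROGUE_BLOB} noabot
"""
APPROVED = {fingerprint(KNOWN_BLOB)}
```

Run over the sample, the detector reports 198.51.100.23 with six failures in the window followed by a password login and a later public-key login, while alice’s single typo is ignored; the audit lists the ssh-rsa entry commented noabot because its fingerprint is not on the approved set. The fingerprint comparison is deliberate: an allowlist of fingerprints (the same values `ssh-keygen -lf` prints) can be kept in configuration management and compared across a fleet, and it is the same check whether the key was added by hand or by a bot.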

Turkish Hackers Exploiting Poorly Secured MS SQL Servers Across the Globe

Poorly secured Microsoft SQL (MS SQL) servers are being targeted in the U.S., European Union, and Latin American (LATAM) regions as part of an ongoing financially motivated campaign to gain initial access.

“The analyzed threat campaign appears to end in one of two ways, either the selling of ‘access’ to the compromised host, or the ultimate delivery of ransomware payloads,” Securonix researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a technical report shared with The Hacker News.

The campaign, linked to actors of Turkish origin, has been codenamed RE#TURGENCE by the cybersecurity firm.

Initial access to the servers entails brute-force attacks, followed by the use of the xp_cmdshell configuration option to run shell commands on the compromised host. This activity mirrors that of a prior campaign dubbed DB#JAMMER that came to light in September 2023.

This stage paves the way for the retrieval of a PowerShell script from a remote server that’s responsible for fetching an obfuscated Cobalt Strike beacon payload.

The post-exploitation toolkit is then used to download the AnyDesk remote desktop application from a mounted network share for accessing the machine and downloading additional tools such as Mimikatz to harvest credentials and Advanced Port Scanner to carry out reconnaissance.

Lateral movement is accomplished by means of a legitimate system administration utility called PsExec, which can execute programs on remote Windows hosts.

The attack chain ultimately culminates in the deployment of Mimic ransomware, a variant of which was also used in the DB#JAMMER campaign.

“The indicators as well as malicious TTPs used in the two campaigns are completely different, so there is a very high chance these are two disparate campaigns,” Kolesnikov told

“More specifically, while the initial infiltration methods are similar, DB#JAMMER was slightly more sophisticated and used tunneling. RE#TURGENCE is more targeted and tends to use legitimate tools and remote monitoring and management, such as AnyDesk, in an attempt to blend in with normal activity.”

Securonix said it uncovered an operational security (OPSEC) blunder made by the threat actors that allowed it to monitor clipboard activity owing to the fact that the clipboard sharing feature of AnyDesk was enabled.

This made it possible to glean their Turkish origins and their online alias atseverse, which also corresponds to a profile on Steam and a Turkish hacking forum called SpyHack.

“Always refrain from exposing critical servers directly to the internet,” the researchers cautioned. “With the case of RE#TURGENCE attackers were directly able to brute force their way into the server from outside the main network.”
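The RE#TURGENCE chain above has two steps that SQL Server itself writes to its error log: the brute-force logins (error 18456 followed by a success for the same client) and the enabling of xp_cmdshell via sp_configure, which SQL Server records as a “Configuration option … changed from 0 to 1” message. The following Python script is an added example, not code from Securonix’s report; it correlates those events. The log lines are constructed in the style of the SQL Server ERRORLOG and are not from any real server; it assumes login auditing is set to record both failed and successful logins (otherwise the “Login succeeded” lines are absent), and the function name analyse_errorlog is the example’s own.

```python
import re
from collections import defaultdict

# Constructed lines in the style of the SQL Server ERRORLOG (not from any real server).
SAMPLE_ERRORLOG = """\
2024-01-09 10:00:01.10 Logon       Error: 18456, Severity: 14, State: 8.
2024-01-09 10:00:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-09 10:00:01.40 Logon       Error: 18456, Severity: 14, State: 8.
2024-01-09 10:00:01.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-09 10:00:01.70 Logon       Error: 18456, Severity: 14, State: 8.
2024-01-09 10:00:01.70 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-09 10:00:02.00 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2024-01-09 10:00:07.00 spid57      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-01-09 10:00:07.20 spid57      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-01-09 11:30:00.00 Logon       Login failed for user 'reporting'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.15]
"""

FAILED = re.compile(r"^(?P<ts>\S+ \S+) Logon\s+Login failed for user '(?P<user>[^']*)'"
                    r".*\[CLIENT: (?P<ip>[^\]]+)\]")
SUCCEEDED = re.compile(r"^(?P<ts>\S+ \S+) Logon\s+Login succeeded for user '(?P<user>[^']*)'"
                       r".*\[CLIENT: (?P<ip>[^\]]+)\]")
CONFIG = re.compile(r"^(?P<ts>\S+ \S+) \S+\s+Configuration option '(?P<option>[^']+)' "
                    r"changed from (?P<old>\d+) to (?P<new>\d+)")

# sp_configure options that hand the database engine a way to run OS code or reach out.
DANGEROUS_OPTIONS = {"xp_cmdshell", "Ole Automation Procedures"}


def analyse_errorlog(lines, min_failures=3):
    """Flag (1) a client that logs in successfully after >= min_failures failed attempts
    and (2) any enabling of an option in DANGEROUS_OPTIONS. Findings are returned in
    log order so the brute force and the xp_cmdshell change can be read as one story."""
    failed_before = defaultdict(list)  # client ip -> failed (timestamp, user) seen so far
    findings = []
    for line in lines:
        if m := FAILED.match(line):
            failed_before[m["ip"]].append((m["ts"], m["user"]))
        elif m := SUCCEEDED.match(line):
            attempts = failed_before[m["ip"]]
            if len(attempts) >= min_failures:
                findings.append({"kind": "brute_force_success", "ip": m["ip"], "user": m["user"],
                                 "failed_attempts": len(attempts), "at": m["ts"]})
        elif m := CONFIG.match(line):
            if m["option"] in DANGEROUS_OPTIONS and m["new"] != "0":
                findings.append({"kind": "option_enabled", "option": m["option"], "at": m["ts"]})
    return findings
```

On the sample the script returns two findings: sa logging in from 203.0.113.5 after three failures, then xp_cmdshell being switched on five seconds later; the single failed login for the reporting account and the benign ‘show advanced options’ change are not reported. The same state can be confirmed on a live instance by reading value_in_use for the xp_cmdshell row in sys.configurations, and the researchers’ advice in the quote above (no direct internet exposure of the server) removes the first step of the chain entirely.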

North Korea’s Cyber Heist: DPRK Hackers Stole $600 Million in Cryptocurrency in 2023

Threat actors affiliated with the Democratic People’s Republic of Korea (also known as North Korea) have plundered at least $600 million in cryptocurrency in 2023.

The DPRK “was responsible for almost a third of all funds stolen in crypto attacks last year, despite a 30% reduction from the USD 850 million haul in 2022,” blockchain analytics firm TRM Labs said last week.

“Hacks perpetrated by the DPRK were on average ten times as damaging as those not linked to North Korea.”

There are indications that additional breaches targeting the crypto sector towards the end of 2023 could push this figure higher to around $700 million.

The targeting of cryptocurrency companies is not new for North Korean state-sponsored actors, who have stolen about $3 billion since 2017.

These financially motivated attacks are seen as a crucial revenue-generation mechanism for the sanctions-hit nation, funding its weapons of mass destruction (WMD) and ballistic missile programs.

The intrusions leverage social engineering to lure targets and typically aim to compromise private keys and seed phrases – which are used to safeguard digital wallets – and then use them to gain unauthorized access to the victims’ assets and transfer them to wallets under the threat actor’s control.

“They are then swapped mostly for USDT or Tron and converted to hard currency using high-volume OTC brokers,” TRM Labs said.

The company further noted that DPRK hackers continued to explore other money laundering tools after the U.S. Treasury Department sanctioned a crypto mixer service known as Sinbad for processing a chunk of their proceeds, indicating constant evolution despite law enforcement pressure.

“With nearly USD 1.5 billion stolen in the past two years alone, North Korea’s hacking prowess demands continuous vigilance and innovation from business and governments,” TRM Labs said.

SpectralBlur: New macOS Backdoor Threat from North Korean Hackers

Cybersecurity researchers have discovered a new Apple macOS backdoor called SpectralBlur that overlaps with a known malware family that has been attributed to North Korean threat actors.

“SpectralBlur is a moderately capable backdoor that can upload/download files, run a shell, update its configuration, delete files, hibernate, or sleep, based on commands issued from the [command-and-control server],” security researcher Greg Lesnewich said.

The malware shares similarities with KANDYKORN (aka SockRacket), an advanced implant that functions as a remote access trojan capable of taking control of a compromised host.

It’s worth noting that the KANDYKORN activity also intersects with another campaign orchestrated by the Lazarus sub-group known as BlueNoroff (aka TA444) which culminates in the deployment of a backdoor referred to as RustBucket and a late-stage payload dubbed ObjCShellz.

In recent months, the threat actor has been observed combining disparate pieces of these two infection chains, leveraging RustBucket droppers to deliver KANDYKORN.

The latest findings are another sign that North Korean threat actors are increasingly setting their sights on macOS to infiltrate high-value targets, particularly those within the cryptocurrency and the blockchain industries.

“TA444 keeps running fast and furious with these new macOS malware families,” Lesnewich said.

Security researcher Patrick Wardle, who shared additional insights into the inner workings of SpectralBlur, said the Mach-O binary was uploaded to the VirusTotal malware scanning service in August 2023 from Colombia.

The functional similarities between KANDYKORN and SpectralBlur have raised the possibility that they may have been built by different developers keeping the same requirements in mind.

What makes the malware stand out are its attempts to hinder analysis and evade detection while using grantpt to set up a pseudo-terminal and execute shell commands received from the C2 server.

The disclosure comes as a total of 21 new malware families designed to target macOS systems, including ransomware, information stealers, remote access trojans, and nation-state-backed malware, were discovered in 2023, up from 13 identified in 2022.

“With the continued growth and popularity of macOS (especially in the enterprise!), 2024 will surely bring a bevy of new macOS malware,” Wardle noted.

Google Dorking Cheat Sheet 2024 (Commands List & Tricks)

Introduction

Thanks to technological advancements, we can find any information on Google. We can use the Google search engine to look for any data, resources, and information. No wonder Google has made our lives so much easier and hassle-free.

However, there is still a lot of data on Google that we don’t know about. Using a hacking technique called Google Dorking, we can find such hidden information within minutes. Many hackers use it to locate sensitive data and collect crucial information. Hence, it is important for ethical hackers to understand what Google Dorking is and gain a fair understanding of it in order to prevent such attacks.

In this blog post, we will learn about the Google hacker database, Google Dorking commands, and more in detail.

What is Google Dorking?

Google Dorking, or Google Hacking, means using Google search-hacking techniques to reach sensitive information and sites that do not show up in ordinary public search results.

Google Dorking involves using advanced search operators and specific keywords to narrow down search results and discover potentially vulnerable websites, exposed data, or other valuable information. 

For example, users can narrow a search with operators such as site: or restrict it to images to pull specific pages or images from a website. They can also use a Google Dork cheat sheet containing different commands to get specific search results.

The Google Dorking technique is often used by security professionals, hackers, and researchers to uncover sensitive or hidden information on the internet.

Examples of Google Dorking

Some common examples of Google Dorking queries include:

  • Finding specific file types

You can search for specific file types, such as PDFs, spreadsheets, or databases, using queries like “filetype:pdf” or “filetype:xls”.

  • Locating login pages

Queries like “inurl:login” or “intitle:login” can help you find websites with login pages that may be vulnerable to security exploits.

  • Identifying vulnerable devices 

Searches like “intitle:webcamxp inurl:8080” can reveal webcams or other devices with known vulnerabilities.

  • Discovering exposed directories

Queries like “intitle:index.of” can help you find open directories on web servers that may contain sensitive information.

  • Finding specific information on a website

You can use queries to search within a specific website, like “site:example.com keyword” to find information on a particular domain.

What is Google Dorking Used For?

Google Dorking can be used for various purposes, both legitimate and potentially malicious, depending on the intent of the user. 

Here are some common uses of Google Dorking:

1. Information Gathering

Security professionals and researchers use Google Dorking to gather information about websites, servers, and online assets. This can help identify vulnerabilities, assess the security of web applications, and uncover potential threats.

2. Vulnerability Assessment

Security experts may use Google Dorking to identify websites or systems that have known vulnerabilities. This information can be used to alert website owners or organizations to security issues that need to be addressed.

3. Competitive Intelligence

Companies may use Google Dorking to gain insights into the online presence and strategies of their competitors. This can involve finding hidden web pages, identifying keywords, or uncovering marketing tactics.

4. Academic Research

Researchers and academics may use Google Dorking to discover information for their studies and investigations. It can be a valuable tool for finding publicly accessible data and resources.

5. Website Administration

Website administrators and owners can use Google Dorking to check the indexability of their site’s content, monitor search engine rankings, and assess the visibility of their web pages.

6. Content Discovery

Content creators and bloggers may use Google Dorking to find specific types of content, such as PDFs, images, or research papers, that are relevant to their work.

7. Cybersecurity and Penetration Testing

Ethical hackers and penetration testers use Google Dorking to identify potential entry points and vulnerabilities in systems and websites as part of security assessments. This helps organizations strengthen their security measures.

8. Privacy Awareness

Individuals concerned about their online privacy may use Google Dorking to see what personal information or data is publicly accessible through search engines and take steps to protect their online presence.

Google Dork Cheatsheet (Commands List)

A Google Dorking cheatsheet is a quick reference guide that provides a list of commonly used Google Dorking commands and operators. Here’s a Google Dork cheat sheet for your reference:

| Purpose | Google Dorking command |
| --- | --- |
| Find Microsoft Word documents | filetype:doc |
| Find text documents | filetype:txt |
| Find PowerPoint presentations | filetype:ppt |
| Find PDF files | filetype:pdf |
| Find Excel spreadsheets | filetype:xls |
| Find open directories on web servers | intitle:"Index of /" |
| Find Apache default pages | intitle:"Apache2 Debian Default Page" |
| Find Nginx default pages | intitle:"Welcome to nginx!" |
| Find open IIS servers | intitle:"Welcome to IIS" |
| Search for login pages | intitle:"Login" or intitle:"Log In" |
| Search for directory listings | intitle:"Index of /" or intitle:"Browse Directory" |
| Find exposed configuration files | intitle:"config.json" |
| Identify exposed Git repositories | intitle:"index of" inurl:.git |
| Find vulnerable Apache Tomcat installations | intitle:"Apache Tomcat" intitle:"Administration" |
| Discover open Jenkins instances | intitle:"Dashboard [Jenkins]" |
| Search for exposed Subversion repositories | intitle:"Index of /svn" |
| Find open phpMyAdmin installations | intitle:"phpMyAdmin" or intext:"phpMyAdmin MySQL-Dump" |
| Locate exposed Microsoft SharePoint documents | intitle:"Microsoft SharePoint" intext:"Sign in to SharePoint" |
| Find exposed Redis servers | intitle:"Redis" intext:"Server Information" |
| Search for open Elasticsearch instances | intitle:"Elasticsearch Head" |
| Discover exposed MongoDB databases | intitle:"MongoDB Server Information" |
| Identify open CouchDB instances | intitle:"CouchDB – Welcome" |
| Search for exposed Memcached servers | intitle:"Memcached Server Information" |
| Find open RDP servers | intitle:"remote desktop inurl:rdweb" |
| Locate exposed VNC servers | intitle:"VNC viewer for Java" |
| Find open Telnet servers | intitle:"welcome to" intext:"telnet" |
| Search for exposed SNMP devices | intitle:"welcome to" intext:"snmp" |
| Find open SMB shares | intitle:"Index of /smb.conf" |
| Identify open FTP servers | intitle:"Index of /ftp" |
| Search for open NFS shares | intitle:"Index of /exports" |
| Find open network printers | intext:"printer meter" |
| Search for open VoIP systems | intitle:"Asterisk Management Portal" |
| Identify exposed AXIS cameras | intitle:"Live View / – AXIS" |
| Discover unsecured webcams | intitle:"webcamXP 5" inurl:8080 |
| Find open Linksys webcams | intitle:"Linksys Viewer – Login" -inurl:mainFrame |
| Search for exposed D-Link webcams | intitle:"D-Link" inurl:"/video.htm" |
| Find open Panasonic IP cameras | intitle:"Panasonic Network Camera" |
| Locate open Foscam cameras | intitle:"Foscam" intext:"user login" |
| Identify open Samsung Smart TVs | intext:"SMART TV" inurl:password.txt |
| Search for open Netgear routers | intitle:"Netgear" intext:"NETGEAR" |
| Discover open Ubiquiti devices | intext:"Ubiquiti" intitle:"AirOS" |
| Search for open MikroTik routers | intext:"MikroTik RouterOS" inurl:winbox |
| Find exposed Siemens SCADA systems | intitle:"Siemens SIMATIC" intext:"Web Server" -inurl:/portal |
| Locate open Schneider Electric systems | intext:"Schneider Electric" intitle:"PowerLogic Web- |
| Search for exposed Johnson Controls systems | intitle:"Johnson Controls – WorkPlace" intext:"User name :" |
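The legitimate use of this cheat sheet that the “Website Administration” and “Privacy Awareness” sections describe is checking your own exposure: running the same dorks restricted to your own domain with the site: operator. The Python below is an added example, not code from this page or from any dorking tool; it parses a dork string into its operators (quoted values, negation with a leading -, plain keywords) and rewrites a cheat-sheet entry so that it is scoped to a domain you own, refusing queries that already point at someone else’s site. The OPERATORS set, the Term class and the function names parse_dork, render and scope_to_site are the example’s own; the CHEATSHEET list is copied from the table above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Search operators the parser recognises (the ones used in the table plus a few common ones).
OPERATORS = {"site", "filetype", "ext", "intitle", "inurl", "intext",
             "allintitle", "allinurl", "allintext", "cache", "related"}

# One term: optional leading '-', optional operator followed by ':', then a quoted or bare value.
TOKEN = re.compile(r'(-?)(?:([A-Za-z]+):)?(?:"([^"]*)"|(\S+))')


@dataclass(frozen=True)
class Term:
    operator: Optional[str]   # None for a plain keyword (including "or")
    value: str
    negated: bool = False


def parse_dork(query: str) -> List[Term]:
    """Split a dork such as intitle:"Index of /" -inurl:mainFrame into structured terms."""
    terms = []
    for neg, op, quoted, bare in TOKEN.findall(query):
        value = quoted if quoted else bare
        op = op.lower() if op else None
        if op and op not in OPERATORS:
            # Not a search operator (e.g. the "http:" of a URL): keep it inside the keyword.
            value, op = f"{op}:{value}", None
        terms.append(Term(op, value, neg == "-"))
    return terms


def render(terms: List[Term]) -> str:
    """Turn terms back into query text, quoting values that contain spaces or punctuation."""
    parts = []
    for t in terms:
        value = t.value if re.fullmatch(r"[\w.]+", t.value) else f'"{t.value}"'
        parts.append(("-" if t.negated else "") + (f"{t.operator}:" if t.operator else "") + value)
    return " ".join(parts)


def scope_to_site(domain: str, query: str) -> str:
    """Restrict a cheat-sheet dork to `domain` (a property you are authorised to assess).
    Raises ValueError if the query already targets a different site."""
    terms = parse_dork(query)
    for t in terms:
        if t.operator == "site" and not t.negated:
            host = t.value.lower()
            if host != domain and not host.endswith("." + domain):
                raise ValueError(f"query targets {host}, not {domain}")
            return render(terms)
    return render([Term("site", domain)] + terms)


# Entries taken from the cheat sheet above; the self-audit runs each one against your own domain.
CHEATSHEET = [
    "filetype:pdf",
    'intitle:"Index of /"',
    'intitle:"index of" inurl:.git',
    'intitle:"phpMyAdmin" or intext:"phpMyAdmin MySQL-Dump"',
    'intitle:"Linksys Viewer - Login" -inurl:mainFrame',
]


def self_audit_queries(domain: str, dorks=CHEATSHEET) -> List[str]:
    """The cheat-sheet dorks, each scoped to `domain`, ready to be run by hand or by a script."""
    return [scope_to_site(domain, d) for d in dorks]
```

For example, self_audit_queries("example.com") yields site:example.com filetype:pdf, site:example.com intitle:"Index of /" and so on; anything that matches is content Google has already indexed from your own servers and is the first thing to remove or put behind authentication. Keeping the site: check in code rather than in a comment is the point of the design: a scheduled self-audit can never silently drift into scanning other people’s hosts.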

Advanced Google Dorking Commands and Operators

Along with the individual Google Dork commands and operators, there are advanced combinations of operators that you can use to filter search results more precisely and work more efficiently.

Rather than typing these operators and combinations every time you search for something, you can refer to the Google Hacking Database (GHDB), which contains hundreds of ready-made combinations of multiple and advanced operators.

1. Searching for Vulnerable Webcams

Find webcams with known vulnerabilities: 

intitle:"D-Link" inurl:"/view.htm"

2. Finding Open Elasticsearch Instances with Specific Data

Search for Elasticsearch instances containing specific data: 

intext:"kibana" intitle:"Kibana"

3. Exploring Open MongoDB Instances with Authentication Bypass

Search for MongoDB instances without authentication: 

intext:"MongoDB Server Information" intitle:"MongoDB" -intext:"MongoDB Server Version"

4. Identifying Exposed OpenCV Instances

Search for OpenCV instances with exposed data: 

intitle:"OpenCV Server" inurl:"/cgi-bin/guestimage.html"

5. Finding Exposed InfluxDB Instances

Search for InfluxDB instances with default configurations: 

intitle:"InfluxDB - Admin Interface"

6. Locating Exposed RabbitMQ Management Interfaces

Search for RabbitMQ management interfaces: 

intitle:"RabbitMQ Management"

7. Discovering Exposed Jenkins Builds

Search for Jenkins builds with specific information: 

intitle:"Console Output" intext:"Finished: SUCCESS"

8. Finding Exposed Grafana Dashboards

Search for Grafana dashboards: 

intitle:"Grafana" inurl:"/dashboard/db"

9. Exploring Open NVIDIA Jetson Devices

Search for NVIDIA Jetson devices with open ports: 

intitle:"NVIDIA Jetson" intext:"NVIDIA Jetson"

10. Locating Open Fortinet Devices

Search for Fortinet devices with open interfaces: 

intext:"FortiGate Console" intitle:"Dashboard"

11. Discovering Exposed OpenEMR Installations

Search for OpenEMR installations with specific data: 

intitle:"OpenEMR Login" inurl:"/interface"

12. Finding Exposed Jenkins Script Consoles

Search for Jenkins script consoles with default credentials: 

intitle:"Jenkins Script Console" intext:"Run groovy script"

These advanced commands for Google dorking can be useful for specific security assessments and research purposes. Always ensure you have proper authorization and follow ethical guidelines when using advanced Google Dorking commands. Unauthorized or malicious use can have serious legal and ethical consequences.

Google Dorking Tools

Google Dorking tools are software or scripts designed to automate the process of searching for specific information using Google Dorking queries. These tools can help security professionals, researchers, and ethical hackers efficiently discover vulnerabilities and sensitive information on the internet. 

Here are a few Google Dorking tools and resources:

  • Google Hacking Database (GHDB) 

The GHDB is a collection of Google Dorking queries and examples created and maintained by the security community. It serves as a reference for finding information on the internet, including vulnerabilities and exposed data. You can access it at https://www.exploit-db.com/google-hacking-database.

  • Google Dorks Tool 

There are various open-source and commercial tools available that facilitate Google Dorking. These tools often provide a user-friendly interface for constructing and executing Dorking queries. Examples include “DorkMe” and “Google Hacking Database Scraper.”

  • Shodan

While not specifically a Google Dorking tool, Shodan is a search engine that focuses on finding internet-connected devices and services. It can be used to discover open ports, exposed services, and vulnerable devices. Shodan provides its own set of search operators to find specific information.

  • Custom Scripts and Automation

Some security professionals and researchers develop custom scripts or automation tools to conduct Google Dorking searches tailored to their specific needs. These scripts can help streamline the process of searching for vulnerabilities and exposed data.

  • Online Vulnerability Scanners

Some web vulnerability scanners incorporate Google Dorking functionality as part of their scanning process. These scanners can automatically use Dorking queries to identify potential security issues on websites and web applications.

Many penetration testing frameworks, such as Metasploit and Burp Suite, include modules or extensions that allow security professionals to integrate Google Dorking into their assessments.

Malware Using Google MultiLogin Exploit to Maintain Access Despite Password Reset

Information-stealing malware is actively taking advantage of an undocumented Google OAuth endpoint named MultiLogin to hijack user sessions and retain access to Google services even after a password reset.

According to CloudSEK, the critical exploit facilitates session persistence and cookie generation, enabling threat actors to maintain access to a valid session in an unauthorized manner.

The technique was first revealed by a threat actor named PRISMA on October 20, 2023, on their Telegram channel. It has since been incorporated into various malware-as-a-service (MaaS) stealer families, such as Lumma, Rhadamanthys, Stealc, Meduza, RisePro, and WhiteSnake.

The MultiLogin authentication endpoint is primarily designed for synchronizing Google accounts across services when users sign in to their accounts in the Chrome web browser (i.e., profiles).

A reverse engineering of the Lumma Stealer code has revealed that the technique targets the “Chrome’s token_service table of WebData to extract tokens and account IDs of chrome profiles logged in,” security researcher Pavan Karthick M said. “This table contains two crucial columns: service (GAIA ID) and encrypted_token.”

This token:GAIA ID pair is then combined with the MultiLogin endpoint to regenerate Google authentication cookies.
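For a responder working a stealer infection, the first question is which profile accounts on the host had a stored token that could have been exported. The following added example (not from CloudSEK or the article) triages a Chrome "Web Data" SQLite file on that basis: it lists the accounts in the token_service table without decrypting anything, so each listed account can be signed out and have its password rotated. The table and column names follow the article; the "AccountId-<GAIA ID>" key form and the sample rows are constructed assumptions.

```python
from __future__ import annotations
import sqlite3
from dataclasses import dataclass

# Constructed sample standing in for Chrome's "Web Data" file. Table and column
# names (token_service, service, encrypted_token) are as described in the article;
# the "AccountId-<GAIA ID>" key form and the blob contents are assumptions.
SAMPLE_ROWS = [
    ("AccountId-100000000000000000001", b"\x01\x00\x00\x00<encrypted-blob-placeholder>"),
    ("AccountId-100000000000000000002", b"\x01\x00\x00\x00<encrypted-blob-placeholder>"),
    ("AccountId-100000000000000000003", b""),  # stale row with no token stored
]

def build_sample_webdata() -> sqlite3.Connection:
    """In-memory stand-in for the real file, so the triage runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE token_service "
                 "(service TEXT PRIMARY KEY NOT NULL, encrypted_token BLOB)")
    conn.executemany("INSERT INTO token_service VALUES (?, ?)", SAMPLE_ROWS)
    return conn

def open_webdata_readonly(path: str) -> sqlite3.Connection:
    """Open a copied 'Web Data' file read-only; immutable=1 avoids lock files,
    which matters because a running Chrome holds the live database open."""
    return sqlite3.connect(f"file:{path}?mode=ro&immutable=1", uri=True)

@dataclass
class TokenRecord:
    service: str        # raw key as stored by Chrome
    gaia_id: str        # GAIA ID part of the key (assumed "AccountId-<id>" form)
    token_present: bool # a refresh-token blob exists and could have been stolen

def triage_token_service(conn: sqlite3.Connection) -> list[TokenRecord]:
    """Enumerate stored profile tokens. The blob stays encrypted and untouched;
    the output only tells a responder which accounts need sign-out and a
    password change, per the remediation steps quoted in the article."""
    records = []
    query = "SELECT service, encrypted_token FROM token_service ORDER BY service"
    for service, blob in conn.execute(query):
        gaia_id = service.split("-", 1)[1] if service.startswith("AccountId-") else service
        records.append(TokenRecord(service, gaia_id, bool(blob)))
    return records

def exposed_gaia_ids(records: list[TokenRecord]) -> list[str]:
    """GAIA IDs whose token was on disk and so should be treated as compromised."""
    return [r.gaia_id for r in records if r.token_present]

if __name__ == "__main__":
    for gaia_id in exposed_gaia_ids(triage_token_service(build_sample_webdata())):
        print(f"sign out / revoke sessions and rotate password for GAIA ID {gaia_id}")
```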

Karthick told The Hacker News that three different token-cookie generation scenarios were tested –

  • When the user is logged in with the browser, in which case the token can be used any number of times.
  • When the user changes the password but lets Google remain signed in, in which case the token can only be used once as the token was already used once to let the user remain signed in.
  • If the user signs out of the browser, then the token will be revoked and deleted from the browser’s local storage, and a new one will be generated upon logging in again.

When reached for comment, Google acknowledged the existence of the attack method but noted that users can revoke the stolen sessions by logging out of the impacted browser.

“Google is aware of recent reports of a malware family stealing session tokens,” the company told The Hacker News. “Attacks involving malware that steal cookies and tokens are not new; we routinely upgrade our defenses against such techniques and to secure users who fall victim to malware. In this instance, Google has taken action to secure any compromised accounts detected.”

“However, it’s important to note a misconception in reports that suggests stolen tokens and cookies cannot be revoked by the user,” it further added. “This is incorrect, as stolen sessions can be invalidated by simply signing out of the affected browser, or remotely revoked via the user’s devices page. We will continue to monitor the situation and provide updates as needed.”

The company further recommended users turn on Enhanced Safe Browsing in Chrome to protect against phishing and malware downloads.

“It’s advised to change passwords so the threat actors wouldn’t utilize password reset auth flows to restore passwords,” Karthick said. “Also, users should be advised to monitor their account activity for suspicious sessions which are from IPs and locations which they don’t recognize.”

“Google’s clarification is an important aspect of user security,” said Hudson Rock co-founder and chief technology officer, Alon Gal, who previously disclosed details of the exploit late last year.

“However, the incident sheds light on a sophisticated exploit that may challenge the traditional methods of securing accounts. While Google’s measures are valuable, this situation highlights the need for more advanced security solutions to counter evolving cyber threats such as in the case of infostealers which are tremendously popular among cybercriminals these days.”