Breaking Badness

176. A Tale of OAuth2 Cities

Coming up this week on Breaking Badness: Boyz OAuth2 Men, Knock Your SoCs Off, and Gold, Guidance, and Grievances.


Here are a few highlights from each article we discussed:

Boyz OAuth2 Men

  • A new method of hacking allows malicious actors to compromise Google accounts and changing your password won’t help
  • The threat actor in question here is known as PRISMA. What do we know about them?
    • This one’s going to be a little confusing and a bit shrouded. You see, there’s a perfectly legitimate cloud security offering from Palo Alto Networks called Prisma Cloud
    • We’re pretty sure it’s not Palo Alto who is making this exploit available to various infostealer groups, so we think our threat actor here is having a little fun using this name
    • To confuse matters even more, one of the areas where the legit PRISMA can help is in detecting compromised IAM (identity and access management) credentials
    • But to be clear, this isn’t analogous to a cozy fancy snuggly APT group
    • Whoever’s calling themselves PRISMA here is clearly sophisticated and may be state-sponsored, but that’s not the name of a tracked APT group
    • Another name you’ll encounter if you read about this exploit is Lumma, which is the name of an infostealer malware that has incorporated this exploit and is running in the wild
  • Brief overview of OAuth2
    • OAuth2 makes your life easier. And a little less secure sometimes, as we’ll see
    • People tend to see the contraction “auth” and automatically think “authentication,” but the Auth in OAuth2 refers to a different member of the AAA triad: authorization, authentication, and accounting
    • Specifically, OAuth2 (“Open Authorization 2.0”) is a standard designed to allow a website or application to access resources hosted by other web apps on behalf of a user
    • That’s the making-your-life-easier aspect—without OAuth2, you’d be logging in to things more frequently, and some functionality would probably break altogether. So it’s pretty fundamental to The Modern Browsing Experience(™)
    • The way this exploit works is that it targets the token_service table in Chrome’s Web Data database to extract the tokens and account IDs of logged-in Chrome profiles (if you use Chrome at all, it’s likely that you have at least one Chrome profile, and quite likely more than one)
    • If you have more than one Gmail or Gmail-backed email account, for example, you could have multiple Chrome profiles running simultaneously, unless you rigorously run those only on separate devices
    • Anyway, this table contains two crucial columns: service (GAIA ID) and encrypted_token. (GAIA stands for Google Accounts and ID Administration.)
    • The encrypted tokens are decrypted using an encryption key stored in Chrome’s Local State file within the User Data directory, the same scheme Chrome uses for storing saved passwords
    • And so what happens is that the malware can keep regenerating valid tokens from what it stole, which keeps the attacker’s access persistent even across a password reset, as mentioned in the intro to this topic
  • There was an interesting line in the article that read “The developer of the exploit ‘expressed openness to cooperation,’ which accelerated the discovery of the endpoint responsible for regenerating the cookies.” But what does it mean?
    • Our interpretation here is that CloudSEK was doing a bit of HUMINT here – human intelligence – and probably not identifying themselves as a security firm
    • Most likely they were on a forum of some kind, and appeared to other members to be someone interested in crafting infostealers, so this isn’t necessarily a matter of the actor knowing full well that they’re assisting the good guys here
    • Although having said that, it’s not unheard-of for malicious actors to indeed knowingly help security folks
    • Our interpretation there is that it may be that to them, there’s a bit of an ego trip in running what amounts to a private CTF. Or it could be that they have friends on both sides and assist both because of those friendships. Or who knows, maybe it’s how they assuage their guilt? Or it could be that it helps them better understand the TTPs of the good guys, in hopes of becoming more hardened against them in the future
  • How does malware mask the mechanism of the exploit here?
    • CloudSEK says Lumma applies encryption to the token:GAIA ID pair, which effectively masks the core mechanism of the exploit
    • This layer of encryption can make it harder for other threat actors to duplicate their method. But their OPSEC, according to CloudSEK, wasn’t perfect: a subsequent adaptation of Lumma, which introduced SOCKS proxies to circumvent Google’s IP-based restrictions on cookie regeneration, inadvertently exposed some details of the requests and responses, potentially compromising the exploit’s obscurity. You can bet that other actors are looking for that info
  • If changing your password doesn’t help, what else could be done for mitigation?
    • Google did make a statement about this, and their statement makes it sound a little less bad than it seems—they stated that stolen sessions can be invalidated by simply signing out of the affected browser or remotely revoked via your Devices page
    • But what isn’t really discussed in the articles Tim’s read about this is how you get yourself into the position of having this exploit available on your systems to begin with, and he’s assuming that it’s probably the usual vectors—a phishing lure that gets you to download Lumma, or a drive-by download on an unsafe site, that kind of thing
    • Google also says that you should take advantage of Google Safe Browsing, which we do know is kept quite well updated about malicious sites. So there’s another option for you
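The point of the token_service discussion above is that a refresh token sitting on disk is the attack surface, and revoking sessions is the fix. The script below is an added defensive example (not CloudSEK’s analysis code and not anything from Lumma): it walks a Chrome User Data directory, reads each profile’s Web Data copy, and reports which account IDs have an encrypted token stored and how the Local State key is wrapped, so you know which profiles to sign out or revoke from the Devices page. It never decrypts anything. The profile directory names, the “AccountId-” prefix on the service column, the legacy DPAPI blob header, and all sample key and token bytes are assumptions constructed for the demo.

```python
from __future__ import annotations

import base64
import json
import shutil
import sqlite3
import tempfile
from pathlib import Path


def describe_local_state_key(local_state_path: Path) -> dict:
    """Report how the encryption key in Local State is wrapped, without unwrapping it.

    On Windows the base64 value under os_crypt.encrypted_key decodes to
    b"DPAPI" followed by a DPAPI blob protecting the AES key.
    """
    state = json.loads(local_state_path.read_text(encoding="utf-8"))
    b64 = state.get("os_crypt", {}).get("encrypted_key")
    if not b64:
        return {"present": False, "wrapping": None}
    raw = base64.b64decode(b64)
    wrapping = "dpapi" if raw.startswith(b"DPAPI") else "unknown"
    return {"present": True, "wrapping": wrapping, "wrapped_len": len(raw)}


def classify_token_blob(blob: bytes) -> str:
    """Name the on-disk format of an encrypted_token value from its prefix."""
    if blob.startswith(b"v10"):
        return "v10"          # AES-GCM under the Local State key (Windows) / keychain (macOS)
    if blob.startswith(b"v11"):
        return "v11"          # Linux: key held in the OS keyring
    if blob.startswith(b"\x01\x00\x00\x00"):
        return "dpapi"        # raw DPAPI blob, assumed legacy (pre-Chrome 80) layout
    return "unrecognised"


def list_token_service(web_data_path: Path) -> list[dict]:
    """Return (service, token format) for every row in a profile's token_service table."""
    # Chrome keeps Web Data locked while running, so always inspect a copy.
    with tempfile.TemporaryDirectory() as tmp:
        copy = Path(tmp) / "Web Data"
        shutil.copy2(web_data_path, copy)
        con = sqlite3.connect(copy)
        try:
            rows = con.execute("SELECT service, encrypted_token FROM token_service").fetchall()
        finally:
            con.close()
    return [
        {"service": service, "token_format": classify_token_blob(bytes(token or b""))}
        for service, token in rows
    ]


def audit_user_data_dir(user_data: Path) -> dict:
    """Walk every profile directory under a Chrome User Data directory."""
    report: dict = {"local_state_key": None, "profiles": {}}
    local_state = user_data / "Local State"
    if local_state.exists():
        report["local_state_key"] = describe_local_state_key(local_state)
    for profile in sorted((p for p in user_data.iterdir() if p.is_dir()), key=lambda p: p.name):
        web_data = profile / "Web Data"
        if web_data.exists():
            report["profiles"][profile.name] = list_token_service(web_data)
    return report


def build_constructed_user_data() -> Path:
    """Create a throw-away User Data tree with a constructed Local State and two profiles.

    Key bytes, GAIA-style IDs and token blobs are made up; only the layout
    (file names, table schema, value prefixes) mirrors what Chrome writes.
    """
    root = Path(tempfile.mkdtemp(prefix="chrome-audit-"))
    fake_key = b"DPAPI" + b"\x01\x00\x00\x00" + b"\x00" * 28
    (root / "Local State").write_text(
        json.dumps({"os_crypt": {"encrypted_key": base64.b64encode(fake_key).decode()}}),
        encoding="utf-8",
    )
    profiles = {
        "Default": [
            ("AccountId-100000000000000000001", b"v10" + b"\x11" * 12 + b"\x22" * 40),
        ],
        "Profile 1": [
            ("AccountId-100000000000000000002", b"v10" + b"\x33" * 12 + b"\x44" * 40),
            ("AccountId-100000000000000000003", b"\x01\x00\x00\x00" + b"\x55" * 20),
        ],
    }
    for name, rows in profiles.items():
        (root / name).mkdir()
        con = sqlite3.connect(root / name / "Web Data")
        con.execute(
            "CREATE TABLE token_service (service VARCHAR PRIMARY KEY NOT NULL, encrypted_token BLOB)"
        )
        con.executemany("INSERT INTO token_service VALUES (?, ?)", rows)
        con.commit()
        con.close()
    return root


if __name__ == "__main__":
    print(json.dumps(audit_user_data_dir(build_constructed_user_data()), indent=2))
```

Point audit_user_data_dir at a real User Data directory (for example %LOCALAPPDATA%\Google\Chrome\User Data on Windows) to get the live inventory; every profile listed holds a token that an infostealer could harvest, and signing that profile out or revoking it from the Devices page is what actually kills the session, not a password change.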

Knock Your SoCs Off

  • We’re talking about Operation Triangulation which was part of a presentation called “Operation Triangulation: What You Get When [You] Attack iPhones of Researchers”
  • Who are the researchers involved and what is the Chaos Communication Congress?
    • The researchers are from Kaspersky, a Russian infosec antivirus company
    • Been around for a long time – have a good reputation from a research perspective
    • The Congress stems from the Chaos Computer Club which started in Berlin in 1981
    • The Chaos Computer Club folks put on this Congress every year and we’re on the 37th one of those
  • The first thing the author of this article does is he lays out Operation Triangulation’s attack chain, and it is kind of lengthy – is there a way you can quickly summarize for our audience?
    • It’s lengthy, but worth talking about the different layers because the complexity makes it important 
    • The researchers discovered they were targeted by activity on their network. It starts with domains: they found a few domains, registered through Namecheap and sitting behind Cloudflare, that iOS devices on the network were reaching out to
    • These domains were a key part of dropping malware on the devices
    • They set up a man-in-the-middle attack to capture everything going to and from these exploited devices to get the full exploit chain 
    • Depending on how you count, there are somewhere between 4 and 10 exploits stacked on top of each other
    • The first one is an iMessage exploit in the handling of TrueType, a font format that’s been around forever. The vulnerable code dates back to the 90s and gives the attackers their initial code execution on the device
    • There’s a lot going on under the hood of these fonts, in this case they’re building virtual machines
      • Apple fixed this in January 2023 and then again later in the year for older iOS devices 
    • The second vulnerability was used to bypass pointer authentication codes (PAC)
    • They used a kernel vulnerability that mapped all the physical memory on the device, and that is an interesting one
    • It turns out there are undocumented memory-mapped hardware registers that the attackers were able to use to talk directly to the hardware and read and write kernel memory while the kernel was running
    • It’s the level of undocumented features stacked on top of each other – stuff from the 90s to now to drop spyware onto an iOS device
    • The entire exploit chain is truly something to behold 
  • You see a lot of updates from Apple that say “security features have been updated”
    • There’s a ton of evidence in here that it targets macOS devices too and has for quite a long time
    • Can run on versions of iOS that are 10 years old 
    • There’s a lot in there to protect this exploit chain from being detected and obscure the malware 
  • The researchers involved mentioned that because the unknown hardware feature was likely intended to be used for debugging or testing and because it’s not used by firmware, they aren’t sure how attackers would know how to use it
    • It’s a great question 
    • If this has been there since forever, but no one knows it’s there, it’s possible that all the designs were looked at very closely 
    • Paying someone to tell you how it works is likely the fastest way to get that answer 
  • The authors brought up that hardware security often relies on “security through obscurity”
    • Intention could be a number of things – could be for debugging and many legitimate reasons
    • But if you’re the only one who knows how it works, you can put anything on there you want and it won’t be found
  • Notes about the malware itself
    • It does all the things you might want spyware to do
    • But it only records audio if the screen is off 
    • It also uses on-device machine learning to look through all your photos and index them, working out which ones are interesting enough to exfiltrate
  • It’s worth checking out the whole presentation which you can find on YouTube

This Week’s Hoodie/Goodie Scale

Boyz OAuth2 Men

[Tim]: 6.5/10 Hoodies
[Taylor]: 5.32/10 Hoodies

Knock Your SoCs Off

[Tim]: 7/10 Hoodies
[Taylor]: 8.5/10 Hoodies


That’s about all we have for this week, you can find us on Twitter @domaintools, all of the articles mentioned in our podcast will always be included on our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.

*A special thanks to John Roderick for our incredible podcast music!