Uptick in Compromised Accounts

Scams

February 1, 2024

Since the start of the new year, the NJCCIC has observed an uptick in reported incidents of compromised accounts belonging to New Jersey citizens and businesses, including healthcare, education, law enforcement, contractors, real estate, and accounting firms. Threat actors gained unauthorized access, primarily through phishing links or attachments, and then impersonated the victim by sending emails on their behalf to change financial information for direct deposit, obtain payment from customers, solicit requests for proposals, advertise purported employment opportunities, or conduct further malicious activity. In one example, a user received an email from a known contact containing an attached file with an obfuscated link. When the file was opened, threat actors compromised the user's Microsoft account and attempted to send an email with a similar attachment under a new name to the victim's contacts. They also created an unauthorized mailbox rule to hide the malicious activity. The user initially suspected credential theft as the cause of the unauthorized access, disconnected all Microsoft-hosted email account sessions, and reset their password. However, the threat actors could still log into the account, indicating that an access token may have been exfiltrated. In late 2023, researchers discovered a critical exploit in which threat actors could gain unauthorized access to Google services and accounts and retain that access even after a password reset. The exploit relies on a significant vulnerability in the cookie regeneration process: malware abuses an undocumented Google OAuth endpoint, dubbed MultiLogin, to regenerate expired Google service cookies. If a session is disrupted, threat actors can generate valid cookies, allowing session persistence and unauthorized access to compromised accounts despite a password reset. Threat actor groups behind infostealers such as Lumma, Rhadamanthys, Risepro, and Meduza have already incorporated the exploit into their malware with advanced blackboxing techniques to evade detection and compromise the Google accounts of unsuspecting victims. This growing trend is a concern, especially since Google has yet to provide a comprehensive solution for the vulnerability.

Recommendation

We advise users of compromised accounts to log out of all devices and browsers to invalidate current access tokens, including the threat actor's old tokens, revoke any suspicious connections, and immediately change their password, as well as the password of any other account that uses the same one. After resetting the password, log back in to generate new, uncompromised tokens. Users are encouraged to enable any form of multi-factor authentication (MFA) offered, choosing a more secure method (authentication app, biometric, or hardware token) where available. Additionally, remove any unauthorized auto-forward, auto-delete, or reply-to rules created on compromised accounts. Please review the CloudSEK blog post for more technical information and recommendations. Organizations that identify compromised accounts on their networks are encouraged to lock the users' accounts, identify any malicious emails sent during the compromise, and notify the recipients. If mailbox auditing is enabled, review the logs to identify which mailboxes were accessed, or had access attempted, without authorization. Email account compromises typically precede ransomware infections, so efforts to recover these accounts should also include analysis of any suspicious activity (such as attempts to elevate privileges, create new rules or users, or move laterally) that could indicate a broader network compromise.
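The advisory recommends removing unauthorized auto-forward and auto-delete rules and reviewing mailbox audit logs. As an added illustration (not part of the NJCCIC advisory or any tool it references), the script below triages an exported set of Exchange Online audit records for inbox rules that forward mail off the mailbox, delete it, or bury it in a folder the owner rarely checks. It assumes the common export shape in which each record carries an `Operation` and a `Parameters` list of `{Name, Value}` pairs, sometimes nested inside an `AuditData` JSON string; the sample records, user names, and addresses are constructed for the example.

```python
import json

# Operations that create or modify an inbox rule.
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}

# Parameters that send a copy of mail outside the mailbox.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}

# Folders commonly used to hide mail from the account owner (heuristic, lower-cased).
HIDING_FOLDERS = {
    "rss subscriptions", "rss feeds", "archive", "conversation history",
    "junk email", "deleted items",
}


def parse_audit_line(line):
    """Decode one exported record; unwrap AuditData if it is a nested JSON string."""
    record = json.loads(line)
    audit = record.get("AuditData", record)
    if isinstance(audit, str):
        audit = json.loads(audit)
    return audit


def rule_parameters(audit):
    """Flatten the Parameters list [{"Name": ..., "Value": ...}, ...] into a dict."""
    return {p["Name"]: str(p.get("Value", "")) for p in audit.get("Parameters", []) if "Name" in p}


def assess_rule(audit):
    """Return the reasons an inbox-rule record looks suspicious, or [] if none apply."""
    if audit.get("Operation") not in RULE_OPERATIONS:
        return []
    params = rule_parameters(audit)
    reasons = []
    for name in sorted(FORWARDING_PARAMS & params.keys()):
        reasons.append(f"forwards mail via {name}={params[name]}")
    if params.get("DeleteMessage", "").lower() == "true" or params.get("SoftDeleteMessage", "").lower() == "true":
        reasons.append("deletes matching mail")
    folder = params.get("MoveToFolder", "")
    if folder.lower() in HIDING_FOLDERS:
        reasons.append(f"moves mail to {folder}")
    if params.get("MarkAsRead", "").lower() == "true" and (folder or reasons):
        reasons.append("marks mail as read")
    # Attackers often give hiding rules a blank or punctuation-only name.
    if not params.get("Name", "").strip(" .,-_"):
        reasons.append("rule name is blank or punctuation only")
    return reasons


def triage(lines):
    """Run assess_rule over every exported line and collect findings for analyst review."""
    findings = []
    for line in lines:
        audit = parse_audit_line(line)
        reasons = assess_rule(audit)
        if reasons:
            findings.append({
                "user": audit.get("UserId"),
                "time": audit.get("CreationTime"),
                "ip": audit.get("ClientIP"),
                "rule": rule_parameters(audit).get("Name", ""),
                "reasons": reasons,
            })
    return findings


# Constructed sample records (not real log data), wrapped the way an export tool would.
_SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "abaker@example.org", "CreationTime": "2024-01-08T09:12:00",
     "ClientIP": "198.51.100.10", "Parameters": [
         {"Name": "Name", "Value": "Newsletter filing"},
         {"Name": "FromAddressContainsWords", "Value": "news@example.org"},
         {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "New-InboxRule", "UserId": "jdoe@example.org", "CreationTime": "2024-01-15T03:41:00",
     "ClientIP": "203.0.113.77", "Parameters": [
         {"Name": "Name", "Value": "."},
         {"Name": "SubjectContainsWords", "Value": "invoice;payment;wire"},
         {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
         {"Name": "MarkAsRead", "Value": "True"},
         {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "Set-InboxRule", "UserId": "jdoe@example.org", "CreationTime": "2024-01-15T03:43:00",
     "ClientIP": "203.0.113.77", "Parameters": [
         {"Name": "Name", "Value": "Sync"},
         {"Name": "ForwardTo", "Value": "relay@example.net"}]},
    {"Operation": "MailItemsAccessed", "UserId": "jdoe@example.org", "CreationTime": "2024-01-15T03:44:00",
     "ClientIP": "203.0.113.77"},
]
SAMPLE_LINES = [json.dumps({"RecordType": 1, "AuditData": json.dumps(r)}) for r in _SAMPLE_RECORDS]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f['time']} {f['user']} from {f['ip']} rule {f['rule']!r}: {'; '.join(f['reasons'])}")
```

The benign filing rule is not flagged because its destination folder is not one of the hiding locations, while the two rules created from the same external address minutes apart are surfaced with every reason that applies, which is the kind of correlation an analyst wants when checking whether a compromise spread beyond the first mailbox. Extend `HIDING_FOLDERS` and the forwarding set to match your tenant's conventions rather than treating them as exhaustive.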

Reporting

The NJCCIC encourages recipients who discover signs of malicious cyber activity to contact the NJCCIC via the cyber incident report form at www.cyber.nj.gov/report.

Please do not hesitate to contact us here at Cyber Command with any questions.