The ToddyCat threat actor has released a new malware named Umbrij, which gains unauthorized access to Gmail accounts via the Google API using OAuth tokens. This technique could significantly impact corporate email security, as it leverages existing Gmail sessions for access.
The ToddyCat group has been linked to Umbrij, a malware aimed at accessing Gmail accounts through the Google API. This malware targets corporate email communications using OAuth 2.0, allowing it to authenticate and gain access to users' email resources.
Umbrij is designed to acquire an OAuth token by connecting to a browser's management console, started in headless mode, through its remote debugging port. Through that channel the malware requests an OAuth authorization code, which it then exchanges for an access token that grants access to the Gmail account. This method, named Shadow Token via Remote Debug (STRD), highlights the risk posed by abuse of active, already-authenticated sessions.
The attack leverages vulnerabilities present in Chromium-based browsers, taking advantage of already logged-in Gmail sessions. By launching the browser in headless mode and using remote debugging, attackers can seize control and bypass standard authentication mechanisms.
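As an added defender-side example (not code from Kaspersky's report, ToddyCat's tooling, or any outlet cited here), the following Python flags process-creation events that match the launch pattern just described: a Chromium-based browser started headless with a remote debugging port. The browser switches are real Chromium switches; the event format, parent paths and sample events are constructed stand-ins for process telemetry.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Chromium-family browsers commonly present on corporate Windows hosts.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe"}
# Real Chromium switches: --headless (optionally =new/=old) and --remote-debugging-port=N.
HEADLESS_RE = re.compile(r"(?:^|\s)--headless(?:=\S*)?(?=\s|$)")
DEBUG_PORT_RE = re.compile(r"(?:^|\s)--remote-debugging-port=(\d+)(?=\s|$)")

@dataclass(frozen=True)
class Finding:
    pid: int
    image: str
    parent_image: str
    severity: str  # "high" or "medium"
    reason: str

def analyze_process_event(ev: dict) -> Optional[Finding]:
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    if image not in BROWSER_IMAGES:
        return None
    cmd = ev["command_line"]
    headless = HEADLESS_RE.search(cmd) is not None
    port = DEBUG_PORT_RE.search(cmd)
    parent = ev.get("parent_image", "").rsplit("\\", 1)[-1].lower()
    if headless and port:
        # An invisible browser exposing DevTools locally is what an implant needs to drive
        # the user's logged-in session, so this combination is treated as high severity.
        return Finding(ev["pid"], image, parent, "high",
                       f"headless browser with remote debugging on port {port.group(1)}")
    if port:
        # Developers and test tooling use this switch too, so alone it is only a lead;
        # the parent process tells the analyst how interesting it is.
        return Finding(ev["pid"], image, parent, "medium",
                       f"remote debugging on port {port.group(1)}, parent {parent or 'unknown'}")
    return None

def scan(events: list) -> list:
    return [f for f in map(analyze_process_event, events) if f is not None]

# Constructed sample telemetry (not real logs): a normal launch, a headless debug
# launch from an unknown parent, and a developer-style launch from the shell.
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
SAMPLE_EVENTS = [
    {"pid": 4120, "image": CHROME, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": f'"{CHROME}" --profile-directory=Default'},
    {"pid": 5388, "image": CHROME, "parent_image": r"C:\Users\Public\svc\updater.exe",  # constructed parent
     "command_line": f'"{CHROME}" --headless=new --remote-debugging-port=9222 --user-data-dir=C:\\Temp\\prof'},
    {"pid": 6010, "image": EDGE, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": f'"{EDGE}" --remote-debugging-port=9222'},
]
```

Running `scan(SAMPLE_EVENTS)` yields one high-severity finding for the headless launch and one medium-severity lead for the plain debugging launch; in production the parent image, user-data-dir and the local port's listener would be the next pivots.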
ToddyCat has been active since at least 2020 and has previously targeted organizations in Europe and Asia. Notably, their past tools include TCSectorCopy, which was used for compromising Microsoft Outlook data. This new incident highlights a shift towards exploiting OAuth in corporate environments, raising significant security concerns.
Kaspersky discovered Umbrij during a threat hunting operation, revealing a multi-stage loading chain based on DLL side-loading through legitimate binaries. The three legitimate binaries identified as side-loading hosts belong to Bitdefender, Microsoft Visual Studio, and Google Desktop. As organizations increasingly move to cloud services, attacks of this kind could expose widespread weaknesses in email security practices.
This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors; check the original sources.