Malware hackers claim to have cracked Chrome encryption.
Google uses a variety of methods to prevent cookie-stealing hackers from compromising user data and accounts. On July 30, it announced an upgrade with Chrome 127 for Windows that introduces application-bound encryption, similar to macOS and Keychain. This measure encrypts data bound to an application’s identity, which substantially hampers hackers’ efforts to steal sensitive data and circumvent two-factor authentication using infostealer malware. A developer of this type of malware has asserted that they bypassed the encryption in just 10 minutes. Here’s the important information you should know.
The theft of browser cookies, specifically session cookies, is a common strategy employed by criminal hackers to bypass 2FA and gain complete access to user accounts and their data.
Will Harris, a member of the Chrome security team, explained in a blog post how Google is enhancing the security of Chrome cookies on the Windows platform. This update adds to existing measures such as device-bound sessions for all Chrome users. However, it appears that developers of widespread infostealer malware have updated their tools and claim they can now overcome the new security features, including the app-bound encryption designed for Windows users.
Bleeping Computer and Risky Business have both reported on the swift reaction by developers of malware like Lumar, Lumma, Meduza, Rhadamanthys, StealC, Vidar, and Whitesnake, who have updated their software on dark web criminal forums to bypass new security measures.
For Google and users of the Chrome browser, this rapid circumvention of security enhancements is alarming. Infostealer malware, which can steal browser secrets critical for maintaining the confidentiality of sensitive data, poses a significant threat. These secrets are typically secured through measures like session cookies, which validate user sessions following two-factor authentication. If a session cookie is stolen, the effectiveness of 2FA is compromised because the malicious party gains access that appears authorized. Bleeping Computer has confirmed that the latest versions of both Lumma Stealer and Vidar can now bypass the cookie encryption feature introduced in Chrome 129. The developers of the Rhadamanthys infostealer further claim they decrypted the cookie encryption process in less than ten minutes.
Google commented on the situation:
“We are aware of the disruption that this new defense has caused to the infostealer landscape and, as we stated in the blog, we expect this protection to cause a shift in attacker behavior to more observable techniques such as injection or memory scraping. This matches the new behavior we have seen. We continue to work with OS and AV vendors to try and more reliably detect these new types of attacks, as well as continuing to iterate on hardening defenses to improve protection against infostealers for our users.”
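Google’s statement describes the shift it expects app-bound encryption to force: instead of quietly reading Chrome’s cookie store, infostealers must resort to more observable behavior such as injecting into, or scraping the memory of, the Chrome process. The following detection sketch is an added example, not code from the article or from Google; it runs over constructed process-event lines in a hypothetical sensor format and flags a non-Chrome process either reading Chrome’s protected files or opening a memory read/write handle to chrome.exe.

```python
import re
from dataclasses import dataclass

# Substrings (lower-case) of the files Chrome protects with app-bound encryption
CHROME_SECRET_PATHS = (r"\user data\default\network\cookies", r"\user data\local state")
CHROME_IMAGES = ("chrome.exe",)
# Windows access rights that allow reading or writing another process's memory
PROCESS_VM_READ, PROCESS_VM_WRITE = 0x0010, 0x0020

# Constructed event format (hypothetical, not any real sensor's schema):
#   <ts> FileRead src=<image> path=<file>
#   <ts> ProcessAccess src=<image> target=<image> access=0x<mask>
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<kind>FileRead|ProcessAccess) src=(?P<src>.+?) "
    r"(?:path=(?P<path>.+)|target=(?P<target>.+?) access=0x(?P<access>[0-9a-fA-F]+))$"
)

@dataclass
class Finding:
    line_no: int
    reason: str
    process: str

def image_name(path):
    return path.lower().rsplit("\\", 1)[-1]

def scan(lines):
    """Return findings for non-Chrome processes touching Chrome's secrets or memory."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = EVENT_RE.match(line.strip())
        if not m or image_name(m["src"]) in CHROME_IMAGES:
            continue  # unparsable line, or Chrome reading its own data
        if m["kind"] == "FileRead":
            if any(p in m["path"].lower() for p in CHROME_SECRET_PATHS):
                findings.append(Finding(n, "non-Chrome read of Chrome secret store", m["src"]))
        elif image_name(m["target"]) in CHROME_IMAGES:
            if int(m["access"], 16) & (PROCESS_VM_READ | PROCESS_VM_WRITE):
                findings.append(Finding(n, "memory read/write handle to Chrome", m["src"]))
    return findings

# Constructed sample events: lines 1 and 4 are benign; 2 and 3 model the direct
# file theft and memory scraping that Google's statement says it now observes.
SAMPLE_EVENTS = [
    r"2024-10-01T10:00:00Z FileRead src=C:\Program Files\Google\Chrome\Application\chrome.exe path=C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies",
    r"2024-10-01T10:00:05Z FileRead src=C:\Users\u\AppData\Local\Temp\update.exe path=C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies",
    r"2024-10-01T10:00:07Z ProcessAccess src=C:\Users\u\AppData\Local\Temp\update.exe target=C:\Program Files\Google\Chrome\Application\chrome.exe access=0x1010",
    r"2024-10-01T10:00:09Z ProcessAccess src=C:\Windows\System32\Taskmgr.exe target=C:\Program Files\Google\Chrome\Application\chrome.exe access=0x1000",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"line {f.line_no}: {f.reason} by {f.process}")
```

Task Manager’s query-only handle (0x1000) is deliberately not flagged, which is the kind of allow-listing a real rule needs to keep false positives down.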