Kaspersky Lab has discovered a new tool, called Umbrij, used by the ToddyCat group. It targets corporate Gmail accounts and can request access to mail, calendar, contacts, and cloud storage through the Google API.
The scheme works in Chromium-based browsers. If an employee has not logged out of their Google account, the attackers reuse the saved session: they connect to the browser through its debugging port and request an OAuth token with broad permissions. No login or password is required.
The tool allows attackers to automate attempts to gain access to organizations' email, which increases the scale and frequency of attacks.
The danger is that access to correspondence can remain unnoticed for a long time. Companies are advised to review the applications connected to their Google accounts and to watch for browser launches with a debugging port enabled, which is atypical for a regular employee.
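The detection advice above can be turned into a simple rule over process-creation telemetry. The following is an added example written for this article, not Kaspersky's code or part of the Umbrij analysis. The log layout (`user | parent | command line`) and the sample events are constructed assumptions; the Chromium switches `--remote-debugging-port`, `--remote-debugging-pipe` and `--user-data-dir` are real, and the browser executable names are the usual Chromium-family binaries on Windows.

```python
"""Flag Chromium-family browsers started with a remote-debugging interface.

Added example for defenders (not from the article): runs process-creation
records through a small rule and reports the launches worth reviewing.
"""
import re
from typing import Dict, List, Optional

# Constructed sample events, one per line: "user | parent process | command line".
# Lines 3 and 4 are the pattern the article warns about: a browser started with
# a debugging interface, here from a shell rather than the desktop.
SAMPLE_EVENTS = [
    r'alice | explorer.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default',
    r'bob | explorer.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://intranet.example',
    r'alice | cmd.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --headless=new',
    r'carol | powershell.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-pipe --user-data-dir="C:\Users\carol\AppData\Local\Temp\prof"',
    r'dave | explorer.exe | "C:\Windows\System32\notepad.exe" notes.txt',
]

# Chromium-family browser binaries on Windows.
BROWSER_RE = re.compile(r"\b(chrome|msedge|brave|opera|vivaldi|chromium)\.exe\b", re.IGNORECASE)
# The two real Chromium switches that expose the DevTools protocol to other processes.
DEBUG_RE = re.compile(r"--remote-debugging-(?P<mode>port|pipe)(?:=(?P<port>\d+))?\b", re.IGNORECASE)
# Parent processes from which an ordinary user launches a browser (assumption).
INTERACTIVE_PARENTS = {"explorer.exe"}


def parse_event(line: str) -> Dict[str, str]:
    """Split the assumed 'user | parent | command line' layout into a record."""
    user, parent, cmdline = (part.strip() for part in line.split("|", 2))
    return {"user": user, "parent": parent.lower(), "cmdline": cmdline}


def inspect(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a finding when a Chromium-family browser is started with a
    remote-debugging interface; None for everything else."""
    cmd = event["cmdline"]
    if not BROWSER_RE.search(cmd):
        return None
    match = DEBUG_RE.search(cmd)
    if not match:
        return None
    return {
        "user": event["user"],
        "parent": event["parent"],
        "mode": match.group("mode").lower(),            # "port" or "pipe"
        "port": int(match.group("port")) if match.group("port") else None,
        # Extra context for triage: launched by a script/shell, or pointed at
        # a non-default profile directory.
        "scripted_parent": event["parent"] not in INTERACTIVE_PARENTS,
        "custom_profile": "--user-data-dir" in cmd,
    }


def find_debug_launches(lines: List[str]) -> List[Dict[str, object]]:
    """Run the rule over raw log lines and collect the findings."""
    return [f for f in (inspect(parse_event(line)) for line in lines) if f is not None]


if __name__ == "__main__":
    for finding in find_debug_launches(SAMPLE_EVENTS):
        print(finding)
```

The rule alerts only on the combination of a browser binary and a debugging switch, so developers' tooling that legitimately uses the DevTools port will show up too; the `scripted_parent` and `custom_profile` fields are there to help separate those cases from a launch that an employee did not initiate.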