By : Bakinam – Nahla Makled
Sophos, a global leader in next-generation cybersecurity, today announced in the Sophos X-Ops report, “Cookie stealing: the new perimeter bypass,” that active adversaries are increasingly exploiting stolen session cookies to bypass Multi-Factor Authentication (MFA) and gain access to corporate resources. In some cases, the cookie theft itself is a highly targeted attack, with adversaries scraping cookie data from compromised systems within a network and using legitimate executables to disguise the malicious activity.
Once the attackers obtain access to corporate web-based and cloud resources using the cookies, they can use them for further exploitation such as business email compromise, social engineering to gain additional system access, and even modification of data or source code repositories.
“Over the past year, we’ve seen attackers increasingly turn to cookie theft to work around the growing adoption of MFA. Attackers are turning to new and improved versions of information stealing malware like Raccoon Stealer to simplify the process of obtaining authentication cookies, also known as access tokens,” said Sean Gallagher, principal threat researcher, Sophos.
“If attackers have session cookies, they can move freely around a network, impersonating legitimate users.” Session, or authentication, cookies are a particular type of cookie stored by a web browser when a user logs into web resources.
If attackers obtain them, then they can conduct a “pass-the-cookie" attack whereby they inject the access token into a new web session, tricking the browser into believing it is the authenticated user and nullifying the need for authentication. Since a token is also created and stored on a web browser when using MFA, this same attack can be used to bypass this additional layer of authentication.
Compounding the issue is that many legitimate web-based applications have long-lasting cookies that rarely or never expire; other cookies only expire if the user specifically logs out of the service.