The exploitation of stolen session cookies by cyber criminals is back on the agenda because of the growing popularity of multifactor authentication tools
By Alex Scroxton, Security Editor
Published: 18 Aug 2022 14:23
The tried-and-tested technique of using stolen session cookies to bypass multifactor authentication (MFA) protections and access key systems has increased massively of late, according to intelligence published today by Sophos.
Such attacks, also known as pass-the-cookie attacks, are of course nothing new. Indeed, they have long been a recognised tool in the cyber criminal's arsenal because, ultimately, they enable attackers to assume the persona of a legitimate user and do anything that user can.
In June 2022, Microsoft spilled the beans on a large-scale phishing campaign that hit 10,000 of its customers through the use of phishing sites to steal passwords, hijack sign-in sessions, and bypass top-of-the-line MFA features. And there were multiple warnings before that, including an alert from US cyber authority CISA in early 2021.
They work like this. A session or authentication cookie, which is stored by a web browser when a user logs into a web-based resource, can, if stolen, be injected into a new web session to trick the browser into thinking the authenticated user is present and does not need to prove their identity. Because such a token is still created and stored in the browser when MFA is in play, exactly the same technique can readily be used to bypass it.
This issue is compounded by the fact that many web-based applications use long-lived cookies that rarely expire, or only do so if the user explicitly logs out of the service.
In a new report, Cookie stealing: the new perimeter bypass, Sophos's newly established X-Ops unit said these attacks are becoming increasingly prevalent because of the growing popularity of MFA tools.
Use of pass-the-cookie attacks is trivial for a threat actor, said X-Ops: in many cases, all they need to do is obtain a copy of an infostealer, such as Raccoon Stealer, to collect credential data and cookies in bulk and sell them to others, even ransomware gangs, on the dark web.
"Attackers are embracing new and improved versions of information-stealing malware to simplify the process of obtaining authentication cookies, also referred to as access tokens," said Sean Gallagher, principal threat researcher at Sophos. "If attackers have session cookies, they are able to move freely around a network, impersonating legitimate users."
In many cases, said X-Ops, cookie theft is now a more highly targeted attack, with adversaries scraping cookie data from inside a network and using legitimate executables to disguise their activity.
In one case that Sophos responded to, an attacker used an exploit kit to establish access, and a combination of the Cobalt Strike and Meterpreter tools to abuse a legitimate compiler tool and scrape access tokens. They spent months in their victim's network gathering cookies from the Microsoft Edge browser.
The end goal is to access the victim's web-based or cloud-hosted resources, which can then be used for further exploitation, such as business email compromise, social engineering to gain access to additional systems, or modification of the victim's data or source code repositories.
"While historically we've seen bulk cookie theft, attackers are actually going for a targeted and precise method of cookie stealing," said Gallagher. "Because so much of the workplace is becoming web-based, there is really no end to the forms of malicious activity attackers can perform with stolen session cookies.
"They are able to tamper with cloud infrastructures, compromise business email, convince other employees to download malware, as well as rewrite code for products. The only real limitation is their very own creativity."
Gallagher added: "Complicating matters is that there is absolutely no easy fix. For instance, services can shorten the lifespan of cookies, but that means users must re-authenticate more regularly, and, as attackers turn to legitimate applications to scrape cookies, companies have to combine malware detection with behavioural analysis."
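To make the trade-off Gallagher describes concrete, here is an added example (not code from Sophos, Computer Weekly or any vendor): a server-side session check that compares a long-lived cookie policy with a short-lived one bound to the client context recorded at login. The Session and Policy types, the client_hint field, the thresholds and the replay scenario are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Session:
    user: str
    issued_at: float    # when the cookie was minted, right after a full MFA login
    last_seen: float    # most recent request that presented this cookie
    client_hint: str    # coarse fingerprint recorded at login (browser family, network)

@dataclass
class Policy:
    max_age: float       # absolute lifetime in seconds, regardless of activity
    idle_timeout: float  # seconds of inactivity before the cookie is no longer honoured
    bind_client: bool    # re-check the client hint on every request (behavioural check)

# Long-lived cookie that effectively only dies on explicit logout: the weak setting the article describes.
WEAK = Policy(max_age=90 * 86400, idle_timeout=90 * 86400, bind_client=False)
# Short-lived cookie plus a cheap context check: the re-authentication trade-off Gallagher mentions.
HARDENED = Policy(max_age=8 * 3600, idle_timeout=30 * 60, bind_client=True)

def evaluate(session: Session, policy: Policy, now: float, client_hint: str) -> tuple:
    """Return ("ok", reason) if the cookie may be honoured, or ("reauth", reason)
    if the user must complete MFA again before the request is served."""
    if now - session.issued_at > policy.max_age:
        return "reauth", "absolute lifetime exceeded"
    if now - session.last_seen > policy.idle_timeout:
        return "reauth", "idle timeout exceeded"
    if policy.bind_client and client_hint != session.client_hint:
        return "reauth", "client context changed since login"
    return "ok", "session still valid"

# Constructed scenario: an infostealer copies Alice's Edge cookie one hour after she
# logs in, and the cookie is replayed from a different browser and network three days later.
LOGIN = 1_660_000_000.0  # constructed epoch timestamp of the genuine MFA login
VICTIM = Session("alice", issued_at=LOGIN, last_seen=LOGIN + 3600, client_hint="edge/corp-net")

def replay_outcome(policy: Policy, replay_hint: str = "chrome/unknown-net") -> str:
    """Decision the service makes when the copied cookie is presented three days later."""
    decision, _ = evaluate(VICTIM, policy, now=LOGIN + 3 * 86400, client_hint=replay_hint)
    return decision

if __name__ == "__main__":
    print("weak policy:    ", replay_outcome(WEAK))      # ok -> MFA effectively bypassed
    print("hardened policy:", replay_outcome(HARDENED))  # reauth -> stolen cookie is useless
```

The idle and absolute timers are what shortening cookie lifespan buys; the client-binding check is the simplest form of the behavioural analysis the quote calls for, and it can flag a replay even under a long-lived policy.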