The tried-and-true technique of using stolen session cookies to bypass multifactor authentication (MFA) protections and gain access to key systems has increased massively in recent months, according to intelligence published today by Sophos.
Such attacks – often referred to as pass-the-cookie attacks – are of course nothing new. Indeed, they have long been an established tool in the cyber criminal’s arsenal because, ultimately, they enable attackers to assume the persona of a legitimate user and do anything the legitimate user can.
In June 2022, Microsoft spilled the beans on a large-scale phishing campaign that hit 10,000 of its customers by using phishing sites to steal passwords, hijack sign-in sessions, and bypass top-of-the-line MFA features. And there have been multiple warnings before that, including an alert from US cyber authority CISA in early 2021.
They work like this. A session or authentication cookie, which is stored by a web browser when a user logs into a web-based resource, can, if stolen, be injected into a new web session to trick the browser into thinking the authenticated user is present and does not need to prove their identity. Because such a token is also created and stored on a web browser when MFA is in play, the same technique can handily be used to bypass it.
This problem is compounded by the fact that many web-based applications have long-lived cookies that rarely expire, or only do so if the user specifically logs out of the service.
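Against the long-lived cookie problem described above, one server-side mitigation, added here as an example and not taken from the Sophos report or any vendor's code: a session store that enforces idle and absolute expiry, revokes a session outright when the cookie is replayed from a different client context, and treats logout as revocation. The timeout values, the user-agent/IP fingerprint heuristic and the sample clients are assumptions.

```python
import hashlib
import secrets
import time

IDLE_TIMEOUT, ABSOLUTE_LIFETIME = 15 * 60, 8 * 60 * 60  # assumed policy values
UA = "Mozilla/5.0 (constructed sample browser)"
def client_fingerprint(user_agent, ip):
    # Coarse client context the session is bound to (assumed heuristic).
    return hashlib.sha256(f"{user_agent}|{ip}".encode()).hexdigest()

class SessionStore:
    # Server-side session state; the cookie is only an opaque lookup key.
    def __init__(self, clock=time.time):
        self.clock, self._sessions = clock, {}
    def create(self, user, user_agent, ip):
        token, now = secrets.token_urlsafe(32), self.clock()
        self._sessions[token] = {"user": user, "issued": now, "last_seen": now,
                                 "fp": client_fingerprint(user_agent, ip)}
        return token
    def validate(self, token, user_agent, ip):  # -> (user, reason)
        s = self._sessions.get(token)
        if s is None:
            return None, "unknown"
        now = self.clock()
        if now - s["issued"] > ABSOLUTE_LIFETIME:
            reason = "expired_absolute"
        elif now - s["last_seen"] > IDLE_TIMEOUT:
            reason = "expired_idle"
        elif s["fp"] != client_fingerprint(user_agent, ip):
            reason = "context_mismatch"  # cookie replayed from another client
        else:
            s["last_seen"] = now
            return s["user"], "ok"
        self.revoke(token)  # any failure kills the session server-side
        return None, reason
    def revoke(self, token):  # also what an explicit logout should call
        self._sessions.pop(token, None)

def simulate():
    # Constructed scenario on a controllable clock (seconds since epoch).
    clock = [1_700_000_000.0]
    store = SessionStore(clock=lambda: clock[0])
    token = store.create("alice", UA, "203.0.113.10")
    out = {"legit": store.validate(token, UA, "203.0.113.10")[1]}
    out["replay"] = store.validate(token, "curl/8.0", "198.51.100.7")[1]
    out["after_replay"] = store.validate(token, UA, "203.0.113.10")[1]
    token = store.create("alice", UA, "203.0.113.10")
    clock[0] += IDLE_TIMEOUT + 1  # user walks away; idle limit passes
    out["idle"] = store.validate(token, UA, "203.0.113.10")[1]
    return out
```

Binding to a client IP is coarse and can break for users on mobile carriers or behind changing NATs, so treat the fingerprint as one signal alongside expiry, not the only check.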
In a new report, Cookie stealing: the new perimeter bypass, Sophos’s newly established X-Ops unit said these attacks are becoming increasingly prevalent thanks to the growing popularity of MFA tools.
Mounting a pass-the-cookie attack requires little effort from a threat actor, said X-Ops – in many cases, all they would need to do is obtain a copy of an infostealer, such as Raccoon Stealer, to collect credential data and cookies in bulk and sell them on to others – even ransomware gangs – on the dark web.
“Attackers are turning to new and improved versions of information stealing malware to simplify the process of obtaining authentication cookies – also known as access tokens,” said Sean Gallagher, principal threat researcher at Sophos. “If attackers have session cookies, they can move freely around a network, impersonating legitimate users.”
In many cases, said X-Ops, cookie theft is becoming a much more targeted attack, with adversaries scraping cookie data from within a network and using legitimate executables to hide their activity.
In one case that Sophos responded to, an attacker used an exploit kit to establish access, and then a combination of the Cobalt Strike and Meterpreter tools to abuse a legitimate compiler tool and scrape access tokens. They spent months inside their victim’s network gathering cookies from the Microsoft Edge browser.
The end goal is to obtain access to the victim’s web-based or cloud-hosted resources, which can then be used for further exploitation, such as business email compromise, social engineering to gain access to additional systems, or even modification of the victim’s data or source code repositories.
“While historically we’ve seen bulk cookie theft, attackers are now taking a targeted and precise approach to cookie stealing,” said Gallagher. “Because so much of the workplace has become web-based, there really is no end to the types of malicious activity attackers can carry out with stolen session cookies.
“They can tamper with cloud infrastructures, compromise business email, convince other employees to download malware or even rewrite code for products. The only limitation is their own creativity.”
Gallagher added: “Complicating matters is that there is no easy fix. For example, services can shorten the lifespan of cookies, but that means users must re-authenticate more often, and, as attackers turn to legitimate applications to scrape cookies, companies need to combine malware detection with behavioural analysis.”