Hackers have begun to tap cookies on a corporate computer to gain entry into business emails and, then, to key cloud resources. They have started stealing cookies from a compromised device to bypass multi-factor authentication (MFA) and gain access to corporate resources.
(Cookies are a piece of data from websites that are saved in a web browser, allowing the sites to tap to the data for a quick return when visitors come to them next.)
Access tokens
The hackers are using new and improved versions of information stealing malware like Raccoon Stealer to simplify the process of obtaining authentication cookies, also known as access tokens.
If attackers obtain them, then they can conduct a “pass-the-cookie” attack whereby they inject the access token into a new web session, tricking the browser into believing it is the authenticated user and nullifying the need for authentication.
In its report ‘Cookie stealing: the new perimeter bypass’, cybersecurity company Sophos said the cookies are being stolen in targeted attacks.
“Once the attackers obtain access to corporate web-based and cloud resources using the cookies, they can use them for further exploitation such as business email compromise, social engineering to gain additional system access, and even modification of data or source code repositories,” ean Gallagher, principal threat researcher, Sophos, said.
Since a token is also created and stored on a web browser when using MFA, this same attack can be used to bypass this additional layer of authentication.
“Over the past year, we’ve seen attackers increasingly turn to cookie theft to work around the growing adoption of MFA. If attackers have session cookies, they can move freely around a network, impersonating legitimate users,” he said.
Compounding the issue is that many legitimate web-based applications have long-lasting cookies that rarely or never expire. Some other cookies only expire if the user specifically logs out of the service.
With services like malware-as-a-service solutions are available in the darknet, it has become easier for the hackers to quickly launch the attacks.
“For example, all they need to do is buy a copy of an information-stealing Trojan like Raccoon Stealer to collect data like passwords and cookies in bulk and then sell them on criminal marketplaces, including Genesis,” the report said.
No easy fix
“Complicating matters is that there is no easy fix. For example, services can shorten the lifespan of cookies, but that means users must re-authenticate more often,” the report said.