Sophos, a global provider of next-generation cybersecurity, reported in the Sophos X-Ops report “Cookie stealing: the new perimeter bypass” that active adversaries are increasingly using stolen session cookies to circumvent Multi-Factor Authentication (MFA) and gain access to corporate resources. In some cases, cookie theft is a highly targeted attack, with adversaries scraping cookie data from compromised systems within a network and disguising malicious activity with legitimate executables. Once attackers gain access to corporate web-based and cloud resources via cookies, they can use them for further exploitation such as business email compromise, social engineering to gain additional system access, and even data or source code repository modification.
“Over the past year, we’ve seen attackers increasingly turn to cookie theft to work around the growing adoption of MFA. Attackers are turning to new and improved versions of information stealing malware like Raccoon Stealer to simplify the process of obtaining authentication cookies, also known as access tokens,” said Sean Gallagher, principal threat researcher, Sophos. “If attackers have session cookies, they can move freely around a network, impersonating legitimate users.”
Session cookies, also known as authentication cookies, are a type of cookie that is stored by a web browser when a user logs into web resources. If attackers obtain them, they can perform a “pass-the-cookie” attack in which they inject the access token into a new web session, fooling the browser into thinking it is the authenticated user and eliminating the need for authentication. Because a token is created and stored on a web browser when using MFA, the same attack can be used to circumvent this additional layer of authentication. Complicating matters, many legitimate web-based applications use long-lasting cookies that rarely or never expire; other cookies expire only if the user explicitly logs out of the service.
The malware-as-a-service industry has made it easier for entry-level attackers to engage in credential theft. For example, all they need to do is purchase a copy of an information-stealing Trojan such as Raccoon Stealer in order to bulk collect data such as passwords and cookies and then sell them on criminal marketplaces such as Genesis. Other criminals in the attack chain, such as ransomware operators, can then purchase this data and sift through it to find anything useful for their attacks.
In contrast, attackers used a more targeted approach in two recent incidents investigated by Sophos. In one case, the attackers spent months inside a target’s network collecting cookies from Microsoft Edge. The attackers gained access to the system via an exploit kit, and then used a combination of Cobalt Strike and Meterpreter activity to exploit a legitimate compiler tool to scrape access tokens. In another case, the attackers dropped a malicious payload that scraped cookie files for a week using a legitimate Microsoft Visual Studio component.
“While historically we’ve seen bulk cookie theft, attackers are now taking a targeted and precise approach to cookie stealing. Because so much of the workplace has become web-based, there really is no end to the types of malicious activity attackers can carry out with stolen session cookies. They can tamper with cloud infrastructures, compromise business email, convince other employees to download malware or even rewrite code for products. The only limitation is their own creativity,” said Gallagher. “Complicating matters is that there is no easy fix. For example, services can shorten the lifespan of cookies, but that means users must re-authenticate more often, and, as attackers turn to legitimate applications to scrape cookies, companies need to combine malware detection with behavioral analysis.”
Read the full report, “Cookie Stealing: the New Perimeter Bypass,” on Sophos.com to learn more about session cookie theft and how adversaries are exploiting the technique to carry out malicious activity.
