Stolen cookies used to bypass MFA: Sophos


By Dylan Bushell-Embling
Tuesday, 23 August, 2022

Attackers are increasingly exploiting stolen session cookies to bypass multi-factor authentication (MFA) security capabilities and infiltrate corporate networks, cybersecurity company Sophos has warned.

A growing number of active attackers are stealing cookies in what are often highly targeted attacks, with adversaries scraping cookie data from compromised systems and using legitimate executables to disguise the malicious activity, according to a new report from the company.

A session cookie is the token a web application sets in the user’s browser once they have logged in, including completing any MFA challenge; the browser sends it with every subsequent request as proof of that authenticated session. In a ‘pass the cookie’ attack, the stolen cookie value is injected into a browser or HTTP client on the attacker’s machine, and the application treats those requests as coming from the already-authenticated user, so no password or MFA prompt is ever triggered.

Sophos principal threat researcher Sean Gallagher said many such attacks exploit the booming malware-as-a-service industry to allow attackers without much technical knowledge to get involved in credential theft.

“For example, all [attackers] need to do is buy a copy of an information-stealing Trojan like Raccoon Stealer to collect data like passwords and cookies in bulk and then sell them on criminal marketplaces, including Genesis,” he said.

“Other criminals on the attack chain, such as ransomware operators, can then buy this data and sift through it to leverage anything they deem useful for their attacks.”

Other attacks are much more targeted, with one case involving attackers spending months inside a target’s network gathering cookies from Microsoft Edge, he said.

“Because so much of the workplace has become web-based, there really is no end to the types of malicious activity attackers can carry out with stolen session cookies. They can tamper with cloud infrastructures, compromise business email, convince other employees to download malware or even rewrite code for products. The only limitation is their own creativity,” Gallagher said.

“Complicating matters is that there is no easy fix. For example, services can shorten the lifespan of cookies, but that means users must re-authenticate more often, and, as attackers turn to legitimate applications to scrape cookies, companies need to combine malware detection with behavioural analysis.”
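The mechanics of pass-the-cookie described earlier, and the trade-off in the quote above (shorter cookie lifetimes versus more re-authentication, plus behavioural detection), as an added example. This is not Sophos’ code or anything from the report: it models a site in memory that requires a password and a one-time code at login, issues a session cookie, and then trusts that cookie on every later request. A stolen cookie replayed from a different machine is accepted with no MFA prompt. A hardened variant adds a short absolute lifetime and re-challenges MFA when the client fingerprint changes, and a small detector flags any session id seen from more than one client. The user, secrets, IP addresses and user agents are constructed sample data.

```python
"""Pass-the-cookie in miniature (added example; all data constructed)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed demo account: password plus a static one-time code.
USERS = {"alice": {"password": "correct horse", "otp": "123456"}}


@dataclass
class Session:
    user: str
    issued: float        # time the cookie was minted
    fingerprint: str     # hash of client IP + User-Agent at login


def fingerprint(ip: str, user_agent: str) -> str:
    """Coarse client identity used to notice a cookie changing hands."""
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()[:16]


class Site:
    def __init__(self, ttl: float = 8 * 3600, bind_client: bool = False):
        self.sessions: dict[str, Session] = {}
        self.ttl = ttl                  # absolute cookie lifetime in seconds
        self.bind_client = bind_client  # hardened mode: tie cookie to client
        self.audit: list[tuple[str, str]] = []  # (session id, fingerprint)

    def login(self, user, password, otp, ip, ua, now):
        """Password + MFA are checked here and only here."""
        u = USERS.get(user)
        if not u or not hmac.compare_digest(u["password"], password):
            return None
        if not hmac.compare_digest(u["otp"], otp):
            return None
        sid = secrets.token_urlsafe(32)   # value sent in Set-Cookie: session=
        self.sessions[sid] = Session(user, now, fingerprint(ip, ua))
        return sid

    def request(self, cookie, ip, ua, now, otp=None):
        """Every later request is authorised by the cookie alone."""
        s = self.sessions.get(cookie)
        if s is None or now - s.issued > self.ttl:
            return "login_required"
        fp = fingerprint(ip, ua)
        self.audit.append((cookie, fp))
        if self.bind_client and fp != s.fingerprint:
            # Cookie presented from a new client: demand a fresh MFA code.
            if otp is None or not hmac.compare_digest(USERS[s.user]["otp"], otp):
                return "mfa_required"
            s.fingerprint = fp            # re-bind after successful MFA
        return f"ok:{s.user}"


def sessions_used_from_multiple_clients(audit):
    """Behavioural check over the audit log: one cookie, several clients."""
    seen: dict[str, set[str]] = {}
    for sid, fp in audit:
        seen.setdefault(sid, set()).add(fp)
    return {sid for sid, fps in seen.items() if len(fps) > 1}


def demo():
    t0 = 1_700_000_000.0
    victim = ("203.0.113.7", "Mozilla/5.0 Edge/104")        # constructed
    attacker = ("198.51.100.9", "python-requests/2.28")     # constructed

    weak = Site()                       # default: 8 h cookie, no binding
    sid = weak.login("alice", "correct horse", "123456", *victim, t0)
    weak.request(sid, *victim, t0 + 10)                     # normal use
    bypass = weak.request(sid, *attacker, t0 + 60)          # stolen cookie

    hard = Site(ttl=900, bind_client=True)                  # 15 min, bound
    sid2 = hard.login("alice", "correct horse", "123456", *victim, t0)
    blocked = hard.request(sid2, *attacker, t0 + 60)        # MFA re-prompt
    expired = hard.request(sid2, *victim, t0 + 1000)        # past lifetime

    flagged = sessions_used_from_multiple_clients(weak.audit)
    return bypass, blocked, expired, sid in flagged


if __name__ == "__main__":
    print(demo())
```

The weak site accepts the replayed cookie outright, which is the bypass: the MFA step ran once at login and nothing later ties the cookie to who completed it. The hardened site blocks the same replay with an MFA re-prompt and invalidates the cookie after 15 minutes, which is exactly the friction the quote refers to, since legitimate users now log in again more often. The detector shows the complementary approach: even on the weak site, the audit trail reveals one session id used from two client fingerprints within a minute.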

Image credit: iStock.com/joruba
