Attackers can't keep their hands off the cookies jar

  • Attackers can pose as legitimate users and freely navigate the network by stealing session cookies
  • Attackers have been using cookie theft more frequently over the past year to get around the growing adoption of MFA

Cookies were intended to be a reliable way for websites to save user preferences or remember information. In fact, cookies can do more than just track a user’s web surfing activity. Now, it looks like hackers have discovered a method to obtain passwords as well, which is why attackers can’t keep their hands off the cookies jar.

Sophos, a global leader in next-generation cybersecurity, recently reported in the Sophos X-Ops report “Cookie stealing: the new perimeter bypass” that active adversaries are increasingly using stolen session cookies to bypass multi-factor authentication (MFA) and access corporate resources.

In some cases, cookie theft is a highly targeted operation: adversaries gather cookie data from infected systems within a network and use legitimate executables to disguise the malicious activity. Once the attackers use the cookies to gain access to corporate web-based and cloud resources, they can use those resources for further exploitation, including business email compromise, social engineering to gain more system access, and even changes to data or source code repositories.

According to Sean Gallagher, principal threat researcher at Sophos, attackers have been using cookie theft more frequently over the past year to get around the growing uptake of MFA. To obtain authentication cookies, also known as access tokens, more easily, attackers are using updated and enhanced versions of information-stealing malware such as Raccoon Stealer.

“If attackers have session cookies, they can move freely around a network, impersonating legitimate users,” he added.

Hands in the cookies jar

When a user connects to online services, a web browser may keep a specific kind of cookie called a session cookie, sometimes known as an authentication cookie. If they do, attackers can employ a “pass-the-cookie” exploit to bypass authentication by injecting the access token into a new web session, tricking the browser into thinking it is the authenticated user.

When MFA is used, a token is also generated and saved in the web browser, so the same technique can be used to get through this extra layer of security. Making the problem worse, many reputable web-based applications use persistent cookies that rarely or never expire; other cookies only expire if the user actively signs out of the service.

Entry-level attackers are now more likely to engage in credential theft thanks to the malware-as-a-service sector. For instance, all they have to do to sell passwords and cookies in bulk on dark markets like Genesis is purchase a copy of an information-stealing Trojan like Raccoon Stealer.

Then, other criminals in the attack chain, like ransomware developers, can purchase this data and search through it for anything they think would help them in their attacks.

On the other hand, in two of the most recent incidents that Sophos investigated, the attackers adopted a more focused strategy. In one instance, the attackers sat inside a target’s network for months in order to collect cookies from the Microsoft Edge browser. After the initial penetration via an exploit kit, the attackers used Cobalt Strike and Meterpreter activity to abuse a legitimate compiler tool to scrape access tokens.

In a different instance, the attackers dropped a malicious payload that scraped cookie files for a week using a legitimate Microsoft Visual Studio component.

While Sophos has historically observed bulk cookie theft, Gallagher continued, attackers are increasingly adopting a targeted and precise approach to cookie stealing. There is really no limit to the types of nefarious activities attackers might engage in with stolen session cookies now that so much of the workplace is web-based. They have the ability to alter cloud infrastructures, corrupt corporate email, persuade other staff members to download malware, and even modify product code. Their own ingenuity is the only restriction.

“Complicating matters is that there is no easy fix. For example, services can shorten the lifespan of cookies, but that means users must re-authenticate more often, and, as attackers turn to legitimate applications to scrape cookies, companies need to combine malware detection with behavioral analysis,” he added.
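The two defensive levers the article mentions, shorter cookie lifetimes (the trade-off Gallagher describes in the quote above) and behavioural analysis of how a session is used, can be shown in a small server-side session store. The code below is an added illustration written for this page; it is not from Sophos, the X-Ops report, or any product. The store names, timeouts and the client-fingerprint check are assumptions: it issues a random session token, sets the cookie with HttpOnly, Secure, SameSite and Max-Age attributes, enforces both an idle timeout and an absolute lifetime so a stolen cookie cannot live indefinitely, revokes the session on sign-out, and refuses (and records an alert for) a token that reappears from a different client than the one that logged in, which is the pattern a replayed "pass-the-cookie" session produces.

```python
"""Added example (not from the article or the Sophos report): a minimal
session store that limits how long a session cookie stays valid and flags a
token replayed from a different client. Policy values are assumptions."""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before the session dies (assumed policy)
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap on session age regardless of activity (assumed policy)


@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    client_fp: str            # hash of the client attributes seen at login
    revoked: bool = False


class SessionStore:
    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now                         # injectable clock so expiry can be tested
        self._sessions: Dict[str, Session] = {}
        self.alerts: List[str] = []             # what a SOC would forward to its SIEM

    @staticmethod
    def fingerprint(ip: str, user_agent: str) -> str:
        # Coarse client fingerprint; a cookie replayed from another host usually changes it.
        return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()

    @staticmethod
    def _key(token: str) -> str:
        # Only a hash of the token is stored, so a dump of the store yields no usable cookies.
        return hashlib.sha256(token.encode()).hexdigest()

    @staticmethod
    def cookie_header(token: str) -> str:
        # HttpOnly keeps page scripts away from the cookie, Secure keeps it off plaintext HTTP,
        # SameSite=Strict stops cross-site requests from carrying it, Max-Age bounds its life.
        return (f"Set-Cookie: sid={token}; HttpOnly; Secure; SameSite=Strict; Path=/; "
                f"Max-Age={ABSOLUTE_TIMEOUT}")

    def login(self, user: str, ip: str, user_agent: str) -> Tuple[str, str]:
        """Create a session after the user (and their MFA) has been verified elsewhere."""
        token = secrets.token_urlsafe(32)
        now = self._now()
        self._sessions[self._key(token)] = Session(user, now, now, self.fingerprint(ip, user_agent))
        return token, self.cookie_header(token)

    def validate(self, token: str, ip: str, user_agent: str) -> Optional[str]:
        """Return the user for a live session, or None if the cookie must not be honoured."""
        s = self._sessions.get(self._key(token))
        if s is None or s.revoked:
            return None
        now = self._now()
        if now - s.created > ABSOLUTE_TIMEOUT or now - s.last_seen > IDLE_TIMEOUT:
            s.revoked = True                    # expired: force a fresh login (and MFA)
            return None
        if self.fingerprint(ip, user_agent) != s.client_fp:
            # Same token, different client: treat as a possible replayed cookie.
            # Revoke rather than silently trust it, and leave a record for detection.
            self.alerts.append(f"session for {s.user} reused from new client {ip}")
            s.revoked = True
            return None
        s.last_seen = now
        return s.user

    def logout(self, token: str) -> None:
        """Explicit sign-out invalidates the server-side session, not just the browser cookie."""
        s = self._sessions.get(self._key(token))
        if s is not None:
            s.revoked = True


if __name__ == "__main__":
    store = SessionStore()
    tok, header = store.login("alice", "10.0.0.5", "Mozilla/5.0")   # constructed sample client
    print(header)
    print("same client:", store.validate(tok, "10.0.0.5", "Mozilla/5.0"))
    print("other host:", store.validate(tok, "203.0.113.9", "Mozilla/5.0"))
    print("alerts:", store.alerts)
```

The fingerprint check is deliberately coarse: a user on a laptop that changes networks will trip it and be asked to log in again, which is exactly the re-authentication cost Gallagher describes. Tightening the timeouts raises that cost further, while relaxing them widens the window in which a stolen cookie is useful; the alert list is the piece that lets a detection team see the trade-off being exploited rather than only tuning it blind.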