Cookies for MFA Bypass Gain Traction Among Cyberattackers

Published: 23/11/2024   Category: security




Multifactor authentication has gained adoption among organizations as a way of improving security over passwords alone, but increasing theft of browser cookies undermines that security.



When the malware group Lapsus$ needed to gain access to systems compromised in recent breaches, it not only searched for passwords but also for the session tokens — that is, cookies — used to authenticate a device or browser as legitimate.
Their tactics for initial access highlight a trend among attackers, who buy passwords and cookies on the criminal underground and use them to access cloud services and on-premises applications. In addition, when they do get access to a system, attackers prioritize stealing cookies for later use or for sale. "Session cookies have become the way for attackers to bypass multifactor authentication (MFA) mechanisms that otherwise protect systems and cloud services from attackers," says Andy Thompson, global research evangelist at CyberArk Labs.
In a presentation at Black Hat Middle East and Africa next week, CyberArk researchers will demonstrate how attackers can steal session cookies and then use them to gain access to business and cloud services.
"The crazy part is that this applies to all types of multifactor, because stealing these cookies bypasses both authentication and authorization," Thompson says. "Once you have authenticated using multifactor, that cookie is established on the endpoint, and the attacker can then use it for later access."
Stealing session cookies has become one of the most common ways that attackers circumvent multifactor authentication. The Emotet malware, the Raccoon Stealer malware-as-a-service, and the RedLine Stealer keylogger all have functionality for stealing session tokens from the browsers installed on a victim's system.
In August, security software firm Sophos noted that the popular red-teaming and attack tools Mimikatz, Metasploit Meterpreter, and Cobalt Strike could all be used to harvest cookies from the browsers' caches as well, which the firm called "the new perimeter bypass."
"Cookies associated with authentication to Web services can be used by attackers in 'pass the cookie' attacks, attempting to masquerade as the legitimate user to whom the cookie was originally issued and gain access to Web services without a login challenge," Sean Gallagher, a threat researcher with Sophos, stated in the August blog post. "This is similar to 'pass the hash' attacks, which use locally stored authentication hashes to gain access to network resources without having to crack the passwords."
Stealing cookies is a pretty basic attack, but one that has grown in importance as more companies adopt adaptive authentication strategies, which use a cookie to allow a user on a specific browser and device to access a protected service without having to reenter a multifactor authentication code.
"For attackers, there is very little needed to make the attack successful. As long as they have some sort of access to a machine, they can grab the cookies," says CyberArk's Thompson.
"Most attacks require some sort of elevation of privilege to install software," he says. "With this, we have everything we need, regardless of the level of privilege. Even as a non-admin, we are still vulnerable to cookie harvesting."
While stealing session cookies is a common way that attackers bypass multifactor authentication, there are a host of others as well. Keylogging can circumvent MFA by grabbing the one-time password used by many companies, while an adversary-in-the-middle attack can capture security information being sent both to and from a targeted service.
Attackers can also attempt to access an account repeatedly, with the backend system sending an authentication request to the actual user each time. Known as MFA bombing, the technique's goal is to overwhelm the user with requests and, from fatigue or from too little skepticism, have them click to allow the access. Attackers used stolen cookies and MFA bombing to compromise ride-share giant Uber and entertainment firm Take-Two Interactive.
Overall, the way to prevent attackers from bypassing MFA is to have additional security software on systems to detect the theft of cookies, says CyberArk's Thompson. "So rather than just push users to adopt password managers and MFA and call that sufficient, companies need to adopt some sort of endpoint control as well," he says.
"We also need some ability to have a sort of least privilege or application control, antivirus, or EDR/XDR — any of those are really critical in solving the gap," Thompson says. "We want to prevent malicious tools and actors from harvesting passwords or harvesting cookie information from memory."
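The endpoint controls Thompson describes address the theft itself; the service that accepts the cookie can also make a stolen cookie less useful. The example below is added here and is not code from the article, CyberArk or Sophos. It shows a server-side session store that binds each session cookie to the client context it was issued to (a coarse network prefix, User-Agent and, if an edge proxy supplies one, a TLS fingerprint), revokes and alerts when the same cookie is presented from a different context (the "pass the cookie" case), and forces a fresh MFA step once the last MFA is older than a configurable age, so the adaptive-authentication "remember this device" convenience has a bounded window. The binding attributes, the fingerprint scheme, the age limits and the sample clients are constructed assumptions.

```python
"""Server-side session binding that detects a replayed ("passed") session cookie.

Added illustration, not code from the article or from CyberArk/Sophos. The
client attributes used for binding, the fingerprint scheme, the TTLs and the
sample clients below are constructed assumptions.
"""
import hashlib
import secrets
from dataclasses import dataclass, field


@dataclass
class ClientContext:
    """What a service can observe about the client presenting a cookie."""
    ip: str
    user_agent: str
    tls_fingerprint: str = ""  # e.g. supplied by an edge proxy, if available (assumed)


@dataclass
class Session:
    user: str
    fingerprint: str   # hash of the client context the cookie was issued to
    issued_at: float
    mfa_at: float      # when MFA was last completed for this session
    revoked: bool = False
    reason: str = ""


@dataclass
class SessionStore:
    """In-memory store; a real service would back this with a shared cache."""
    mfa_max_age: float = 8 * 3600      # seconds before a fresh MFA is demanded
    sessions: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)

    @staticmethod
    def fingerprint(ctx: ClientContext) -> str:
        # Bind to coarse, stable attributes: the /24 rather than the full IPv4
        # address so a DHCP lease change does not log the user out, plus the
        # User-Agent and TLS fingerprint. Hashed so the raw attributes are not
        # stored next to the token.
        net = ".".join(ctx.ip.split(".")[:3])
        material = f"{net}|{ctx.user_agent}|{ctx.tls_fingerprint}".encode()
        return hashlib.sha256(material).hexdigest()

    def issue(self, user: str, ctx: ClientContext, now: float) -> str:
        """Called after a successful password + MFA login; returns the cookie value."""
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, self.fingerprint(ctx), now, now)
        return token

    def validate(self, token: str, ctx: ClientContext, now: float) -> str:
        """Decide 'ok', 'reauth_required' or 'denied' for a presented cookie."""
        s = self.sessions.get(token)
        if s is None or s.revoked:
            return "denied"
        if self.fingerprint(ctx) != s.fingerprint:
            # The cookie arrived from a client context other than the one it was
            # issued to: treat it as a suspected replay, revoke it, and alert so
            # the SOC can pivot to the endpoint the cookie was taken from.
            s.revoked, s.reason = True, "client_mismatch"
            self.alerts.append({
                "event": "session_replay_suspected", "user": s.user,
                "presented_from_ip": ctx.ip, "user_agent": ctx.user_agent,
            })
            return "denied"
        if now - s.mfa_at > self.mfa_max_age:
            # A stolen cookie is only useful until the next forced MFA step.
            return "reauth_required"
        return "ok"

    def record_mfa(self, token: str, now: float) -> None:
        """Refresh the MFA timestamp after the user re-authenticates."""
        self.sessions[token].mfa_at = now


def demo() -> tuple:
    """Constructed scenario: legitimate use, then the same cookie replayed elsewhere."""
    store = SessionStore(mfa_max_age=3600)
    laptop = ClientContext("203.0.113.10", "Mozilla/5.0 (Windows NT 10.0) Firefox/120", "tls-A")
    laptop_new_lease = ClientContext("203.0.113.57", laptop.user_agent, "tls-A")
    other_client = ClientContext("198.51.100.7", "python-requests/2.31", "tls-B")
    token = store.issue("alice", laptop, now=1000.0)
    results = [
        store.validate(token, laptop, 1010.0),            # ok
        store.validate(token, laptop_new_lease, 1020.0),  # ok: same /24, same UA
        store.validate(token, other_client, 1030.0),      # denied, alert raised
        store.validate(token, laptop, 1040.0),            # denied: session revoked
    ]
    return results, store.alerts
```

The binding is a detection layer, not a substitute for the endpoint controls above: an attacker who also captures the victim's User-Agent and routes traffic through the compromised machine will match the fingerprint, which is why the forced re-MFA age exists as a second bound on how long a taken cookie stays useful, and why the mismatch alert is written so it can be correlated with endpoint telemetry from the issuing device.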
