Illegal access to company data
Sophos Cybersecurity, Threat Research, Cookies
The Sophos X-Ops team describes in its recent report "Cookie stealing: the new perimeter bypass" that cybercriminals are increasingly using stolen session cookies to bypass multi-factor authentication (MFA) and gain access to corporate resources. In some cases, cookie theft is a targeted attack in which cookie data is read from compromised systems. In doing so, the criminals use legitimate executable files to disguise their activities.
Once they have used the cookies to gain access to web- or cloud-based corporate resources, they can use that access for further attacks. These might include compromising business emails, social engineering to obtain additional system access, or even altering data or source code repositories.
"Over the past year, we have observed cybercriminals increasingly resorting to cookie theft to circumvent the growing prevalence of MFA. They are using new and improved malware - such as Raccoon Stealer - to facilitate the theft of authentication cookies, also known as access tokens," said Sean Gallagher, principal threat researcher at Sophos. "If attackers are in possession of session cookies, they can move freely around a network."
Getting past authentication: 'pass-the-cookie' attacks
Session or authentication cookies are a specific type of cookie that a web browser stores when a user logs into a web resource. Once cybercriminals get possession of them, they can carry out a "pass-the-cookie" attack: the stolen access token is loaded into a new web session, and the web application is tricked into treating that session as an already authenticated user. This means that no further authentication is required. Since a token is also created and stored in the web browser when MFA is used, the same attack can be used to bypass this additional layer of authentication. Complicating matters further, many legitimate web-based applications create long-lived cookies that rarely or never expire; some cookies are deleted only when the user explicitly logs out of the service.
Thanks to malware-as-a-service, it is becoming increasingly easy for even the most inexperienced cybercriminals to get into the lucrative business of stealing access data. For example, all they have to do is obtain a copy of a Trojan such as Raccoon Stealer to collect data such as passwords and cookies in large quantities, which they can then offer on criminal marketplaces like Genesis. Other criminals further along the attack chain, such as ransomware operators, can then purchase and sift through this data to exploit anything they deem useful for their attacks.
Cookie theft is becoming more strategic
In two of the recent incidents Sophos investigated, the attackers took a more targeted approach. In one case, they spent months on the target company's network and collected cookies from the Microsoft Edge browser. The initial compromise was made via an exploit kit. Subsequently, they used a combination of Cobalt Strike and Meterpreter activity to obtain access tokens via a legitimate compiler tool. In another case, the attackers used a legitimate Microsoft Visual Studio component to deliver malware that intercepted cookie files for a week.
"While we have seen mass cookie theft in the past, cybercriminals are now taking a targeted and precise approach to stealing cookies. With much of the workplace now web-based, there is no limit to the malicious activity that attackers can perform with stolen session cookies. They can manipulate cloud infrastructures, compromise business emails, persuade other employees to download malware or even rewrite code for products. The only limit is their own creativity," says Gallagher. "To make matters worse, there is no easy solution. Services can, for example, shorten the lifetime of cookies, but that means users have to re-authenticate more often. Since attackers use legitimate applications to harvest cookies, organisations need to combine malware detection with behavioural analysis."