Latest report from Sophos, a global leader in next-generation cybersecurity, has revealed that cybercriminals are increasingly exploiting stolen session cookies to bypass Multi-Factor Authentication (MFA) and gain access to corporate resources.
According to the report titled “Cookie Stealing: the new perimeter bypass”, in some cases, the cookie theft itself is a highly targeted attack, with adversaries scraping cookie data from compromised systems within a network and using legitimate executable to disguise the malicious activity.
Cookie theft occurs when third-party copies unencrypted session data from a website and uses it to impersonate the real user. Cookie theft most often occurs when a user accesses trusted sites over an unprotected or public Wi-Fi network.
Sophos said once the attackers obtain access to corporate web-based and cloud resources using the cookies, they can use them for further exploitation such as business email compromise, social engineering to gain additional system access, and even modification of data or source code repositories.
What they are saying
Commenting on the report, Principal Threat Researcher at Sophos, Sean Gallagher, said: “Over the past year, we’ve seen attackers increasingly turn to cookie theft to work around the growing adoption of MFA. Attackers are turning to new and improved versions of information stealing malware like Raccoon Stealer to simplify the process of obtaining authentication cookies, also known as access tokens. If attackers have session cookies, they can move freely around a network, impersonating legitimate users.”
“While historically we’ve seen bulk cookie theft, attackers are now taking a targeted and precise approach to cookie stealing. Because so much of the workplace has become web-based, there really is no end to the types of malicious activity attackers can carry out with stolen session cookies.
“They can tamper with cloud infrastructures, compromise business email, and convince other employees to download malware or even rewrite code for products. The only limitation is their own creativity. Complicating matters is that there is no easy fix. For example, services can shorten the lifespan of cookies, but that means users must re-authenticate more often, and, as attackers turn to legitimate applications to scrape cookies, companies need to combine malware detection with behavioural analysis,” Gallagher added.
Measures to prevent cookie theft
- According to cybersecurity experts, one of the most basic ways you can prevent cookie theft and session hijacking is by checking URLs. More sure websites are using HTTPS to ensure that all of your session traffic is encrypted with SSL/TLS. Most websites these days use HTTPS encryption, but it’s best always to check. This is especially true when entering personal data.
- You can check if a website uses HTTPS by looking at the URL at the top of your browser. Chrome, for example, displays a lock to the left of the URL when a website is using HTTPS.
- Another privacy measure is to avoid logging onto free public Wi-Fi connections, especially those without password protection. Whenever you do log onto public Wi-Fi, always use these tips to keep your information safe on public WiFi.
