According to Sophos researchers, the use of cookies is intended to bypass multi-factor authentication mechanisms and gain access to networks and IT systems in organizations Stolen temporary cookies allow attackers to impersonate legitimate users and move freely in the organization's network
There has been an increase in cyber attacks that use stolen session cookies to bypass multi-factor authentication mechanisms in order to gain access to networks and information systems in the organization, according to a new study by Sophos .
The study, titled Cookie stealing: the new perimeter bypass, was carried out by the Sophos X-Ops team of cyber experts. According to the researchers, in some cases, stealing temporary cookies is itself a targeted cyber attack, which exploits insecure systems, with the aim of using them to collect temporary cookies. This, while using legitimate computer programs, to disguise the malicious activity. Once the attackers have gained access to user accounts and cloud services using stolen temporary cookies, they proceed to the next stage of the attack - which includes hacking email accounts, using social engineering to gain access to additional systems, and even making changes to databases and source code.
The temporary cookies - are used to verify identity in the browser and are saved on the computer
are stolen by hackers to bypass multi-factor authentication. Temporary cookies. Illustration. |
According to Sean Gallagher , chief threat researcher at Sophos, "In the past year we have seen an increase in the attackers' use of stolen temporary cookies. New and improved versions of data theft malware, such as Raccoon Stealer, make it easier for attackers to steal temporary cookies, also called access tokens, which are used to verify the identity of users."
According to Gallagher, "Once the attackers manage to obtain temporary cookies, they can impersonate legitimate users and thus gain free access to the organization's network and systems."
Temporary cookies are intended for the purpose of identity verification, which the browser saves on the computer as soon as a legitimate user logs into one of his accounts.
Obtaining them allows the attackers to carry out a 'cookie transfer' attack, in which they inject the stolen access token into a new work process, and thus succeed in tricking the browser and the server into 'thinking' that this is a legitimate user who has already verified his identity.
Since temporary cookies are also created and saved on the device as part of the multi-factor authentication process, stealing them allows attackers to also bypass this authentication mechanism, which is designed to improve the security of user accounts.
According to the researchers, "this threat intensifies due to the fact that many network applications and cloud services use cookies with a long expiration time, and sometimes even cookies without an expiration date."
They added that "the development of the malicious software as a service (MaaS) industry - in which malware is offered ready-to-use to anyone interested, also allows uninformed cybercriminals to join efforts to steal identification information."
Two cases where software from Microsoft was used
In two recent cyber incidents investigated by Sophos, the attackers took a more targeted approach. In one of them, they stayed on the attacked network for months, collecting cookies from Microsoft 's Edge browser .
The initial hack into the organization's network was carried out using a ready-made exploit kit, and once they penetrated the network, the attackers used hacking tools such as Cobalt Strike and Meterpreter, to disguise the activity of collecting temporary cookies.
In another case, the attackers used a legitimate component in Microsoft's Visual Studio software to inject a malware into the organization's network that collected temporary cookies for a week.
"If in the past stealing cookies was an activity without a defined goal, today the attackers take a much more precise and targeted approach," concluded Gallagher. "Since nowadays most of the work is done from the browser and in the cloud, stealing cookies opens up countless malicious possibilities for the attackers.
They may sabotage the organization's cloud infrastructure, break into the organization's email, motivate employees in the organization to download malware, and even - make malicious changes in the source code of products. The sky is the limit and the attackers limited only by their creativity."
Add Comments