Varonis Threat Labs has published a proof-of-concept attack it calls "Cookie-Bite" that bypasses multi-factor authentication (MFA) on Microsoft cloud services. The attacker steals the victim's browser session cookies and replays them to impersonate the user; no password, MFA code or other credential is needed. The cookies in question are ESTSAUTH and ESTSAUTHPERSISTENT, the session cookies issued by Microsoft Entra ID (formerly Azure AD) and honoured by the Microsoft services that rely on it for sign-in. Cookie-Bite is a technique rather than a software flaw: it abuses the fact that a session cookie is a bearer token, so whoever holds it is treated as the already-authenticated user, and the MFA step that protected the original sign-in never runs again.
Cookie-Bite does not depend on any single theft method. The cookies can be captured in transit by Adversary-in-the-Middle (AiTM) phishing kits that reverse-proxy the real login page, dumped from the memory of a running browser process, read by a malicious browser extension, or recovered by decrypting the encrypted cookie database the browser keeps on disk. Varonis demonstrated the extension route with a custom Chrome extension that triggers on every sign-in to Microsoft's authentication portal (login.microsoftonline.com) and exfiltrates the two cookies as soon as they are set, so the attacker receives a fresh copy each time the victim logs in.
With the cookies in hand, the attacker imports them into a browser of their own and lands directly in the victim's authenticated session. Unlike classic credential theft, nothing is guessed, phished or intercepted at the password or MFA stage; the session simply continues elsewhere. A password change does not by itself end an existing browser session, and ESTSAUTHPERSISTENT (issued when the user chooses "Stay signed in") stays usable until it expires or the user's sessions are explicitly revoked. Because Conditional Access was evaluated when the victim signed in, the replayed session inherits that result: policies that only require MFA are already satisfied, which is how the attack sidesteps Conditional Access Policies (CAPs) that organisations treat as a second line of defence.
The recommended countermeasures target the replay rather than any one theft vector. Monitor Entra sign-in logs for sessions that continue from a new IP address, device or browser without a fresh MFA prompt, and use Entra ID Protection risk detections to surface anomalous sign-ins. Configure Conditional Access to require a compliant or joined device, so a cookie replayed from the attacker's unmanaged browser fails the device check. Enforce a browser-extension allowlist through enterprise browser policy, which removes the extension vector entirely. Enable Token Protection, which cryptographically binds a sign-in session to the device that obtained it, for the clients that support it, and tighten session controls such as sign-in frequency and persistent browser sessions so a stolen cookie has a short useful life.
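The first recommendation above, watching for a session that carries on from a different place without re-proving any factor, is the one a SOC can act on today, and it also shows the replay behaviour described in the previous paragraph. The script below is an added example and is not Varonis' or Microsoft's code. It reads sign-in records shaped like Microsoft Graph `signIn` objects (`sessionId`, `ipAddress`, `deviceDetail`, `authenticationDetails`); the records themselves are constructed by hand, not pulled from a tenant, and the field values are assumed to match what Entra emits. For each session it takes the first interactive sign-in as the baseline and flags later records in the same session that were satisfied purely "by claim in the token" yet arrive from a different IP, device or browser.

```python
"""Flag Entra ID sign-ins that look like a replayed (stolen) session cookie.

Added example, not Varonis' or Microsoft's code. The records below are
constructed and only mimic the shape of Microsoft Graph signIn objects;
they are assumptions, not data from a real tenant.
"""
import json
from collections import defaultdict

# Constructed sample. s-1111: alice signs in interactively (password + MFA),
# then the same sessionId reappears from another IP, browser and an unmanaged
# device, satisfied only by the cookie. s-2222: bob's session continues from
# the same device, which is normal and must not be flagged.
SAMPLE_SIGNINS = json.loads(r"""
[
 {"id": "a1", "createdDateTime": "2025-04-22T08:01:10Z",
  "userPrincipalName": "alice@contoso.example", "sessionId": "s-1111",
  "ipAddress": "203.0.113.10",
  "deviceDetail": {"deviceId": "dev-aaa", "browser": "Edge 124.0.0", "isCompliant": true},
  "authenticationDetails": [
   {"authenticationMethod": "Password", "succeeded": true,
    "authenticationStepResultDetail": "Correct password"},
   {"authenticationMethod": "Microsoft Authenticator App", "succeeded": true,
    "authenticationStepResultDetail": "MFA completed in Azure AD"}]},
 {"id": "a2", "createdDateTime": "2025-04-22T13:44:02Z",
  "userPrincipalName": "alice@contoso.example", "sessionId": "s-1111",
  "ipAddress": "198.51.100.77",
  "deviceDetail": {"deviceId": "", "browser": "Chrome 124.0.0", "isCompliant": false},
  "authenticationDetails": [
   {"authenticationMethod": "Previously satisfied", "succeeded": true,
    "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token"}]},
 {"id": "b1", "createdDateTime": "2025-04-22T09:15:00Z",
  "userPrincipalName": "bob@contoso.example", "sessionId": "s-2222",
  "ipAddress": "203.0.113.44",
  "deviceDetail": {"deviceId": "dev-bbb", "browser": "Edge 124.0.0", "isCompliant": true},
  "authenticationDetails": [
   {"authenticationMethod": "Password", "succeeded": true,
    "authenticationStepResultDetail": "Correct password"},
   {"authenticationMethod": "Microsoft Authenticator App", "succeeded": true,
    "authenticationStepResultDetail": "MFA completed in Azure AD"}]},
 {"id": "b2", "createdDateTime": "2025-04-22T15:02:31Z",
  "userPrincipalName": "bob@contoso.example", "sessionId": "s-2222",
  "ipAddress": "203.0.113.44",
  "deviceDetail": {"deviceId": "dev-bbb", "browser": "Edge 124.0.0", "isCompliant": true},
  "authenticationDetails": [
   {"authenticationMethod": "Previously satisfied", "succeeded": true,
    "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token"}]}
]
""")

TOKEN_ONLY = "satisfied by claim in the token"


def token_only(record):
    """True when no factor was freshly proven: every step rode on the cookie/token."""
    steps = record.get("authenticationDetails") or []
    return bool(steps) and all(
        TOKEN_ONLY in (s.get("authenticationStepResultDetail") or "") for s in steps)


def fingerprint(record):
    """The attributes a replayed cookie usually cannot carry along with it."""
    d = record.get("deviceDetail") or {}
    return {"ip": record.get("ipAddress"), "device": d.get("deviceId") or None,
            "browser": d.get("browser"), "compliant": bool(d.get("isCompliant"))}


def find_replayed_sessions(signins):
    """Return one finding per token-only sign-in whose fingerprint differs from
    the session's first interactive sign-in. Sessions with no interactive
    sign-in in the window are skipped: there is nothing to compare against."""
    by_session = defaultdict(list)
    for r in signins:
        by_session[r["sessionId"]].append(r)
    findings = []
    for sid, records in by_session.items():
        records.sort(key=lambda r: r["createdDateTime"])
        anchor = next((r for r in records if not token_only(r)), None)
        if anchor is None:
            continue
        base = fingerprint(anchor)
        for r in records:
            if r is anchor or not token_only(r):
                continue
            fp = fingerprint(r)
            reasons = []
            if fp["ip"] != base["ip"]:
                reasons.append(f"ip changed {base['ip']} -> {fp['ip']}")
            if fp["device"] != base["device"]:
                reasons.append(f"device changed {base['device']} -> {fp['device']}")
            if fp["browser"] != base["browser"]:
                reasons.append(f"browser changed {base['browser']} -> {fp['browser']}")
            if base["compliant"] and not fp["compliant"]:
                reasons.append("session moved from a compliant to a non-compliant device")
            if reasons:
                findings.append({"sessionId": sid, "user": r["userPrincipalName"],
                                 "signInId": r["id"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_replayed_sessions(SAMPLE_SIGNINS):
        print(f"{f['user']} session {f['sessionId']} sign-in {f['signInId']}:")
        for reason in f["reasons"]:
            print("  -", reason)
```

Only session s-1111 is reported, with four reasons; bob's continuation from the same device is silent. The check is deliberately keyed on the session identifier rather than the user, because a legitimate user signing in fresh from a new laptop produces an interactive record and a new session, while a replayed cookie continues the old session with nothing re-proven. A session whose only interactive sign-in falls outside the queried window cannot be judged this way, so widen the window rather than treat silence as a clean result.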
The lesson of Cookie-Bite is that a session cookie is a credential in its own right: once issued, it carries the weight of the password and MFA that produced it, and anyone who holds it is the user as far as the service is concerned. MFA remains necessary, but it only protects the moment of sign-in. Organisations that treat session theft as its own threat, by binding sessions to devices where possible, keeping sessions short, controlling what runs inside the browser, and watching for sessions that continue from somewhere new, close the gap this technique relies on.