Multi-factor authentication (MFA) has long been a cornerstone of account security, but a new and potent threat known as “Pass-the-Cookie” attacks is now challenging its efficacy.
According to recent discoveries by Long Wall, cyber attackers are exploiting browser session cookies to completely circumvent MFA, thereby gaining full access to corporate accounts without the need for passwords or authentication tokens. This tactic poses a significant risk to organizations that heavily rely on MFA for securing platforms like Office 365, Azure, and other cloud services.
The security MFA provides rests on verifying a user’s identity through multiple credentials. However, attackers are now targeting session cookies – small pieces of data stored by browsers to maintain active logins. In a typical attack scenario, cybercriminals steal cookies like Microsoft’s ESTSAUTH, which validates sessions across Office 365 services.
Once these cookies are obtained, adversaries can impersonate users indefinitely, even if they access accounts from unknown devices or locations. The severity of this threat is illustrated by a comparison of two scenarios in Azure: one where a legitimate user accesses the system using MFA and another where an attacker uses a stolen cookie to gain unauthorized access without any authentication prompts.
The attack method begins with malware such as LummaC2, Redline, or Raccoon infiltrating a device to extract cookies stored in browsers. For example, LummaC2 is capable of exfiltrating ESTSAUTH values, which attackers can then inject into their browsers using developer consoles to spoof sessions and gain unauthorized access.
Recent trends observed by Managed Security Service Providers (MSSPs) indicate a 300% surge in cookie theft attempts since 2023, particularly targeting sectors like finance and healthcare. The preference for cookies as a means of attack is due to their persistence, stealthy nature, and cross-platform usability, making them an appealing target for cybercriminals.
To combat these threats, experts emphasize the importance of monitoring session tokens, implementing conditional access policies, encrypting cookies, and deploying infostealer detection mechanisms. These strategies are crucial in countering the “Pass-the-Cookie” epidemic and reinforcing zero-trust architectures in the face of evolving cyber threats.
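The two Azure scenarios described above (a legitimate MFA sign-in versus a stolen cookie presented with no authentication prompt) are exactly what the “monitor session tokens” recommendation has to catch. The following Python sketch, added here as an illustration and not code from the article or any vendor, runs that detection logic over a handful of constructed sign-in records. The field names (`session_id`, `device_id`, `mfa_satisfied_by`) are assumptions loosely modelled on identity-provider sign-in logs, not a real schema, and the sample events are invented.

```python
"""
Detection sketch for session-cookie replay ("pass-the-cookie").
Added illustration; log fields and sample events are constructed
assumptions, not a vendor's sign-in log schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (invented for this example). In practice
# these would come from the identity provider's sign-in log export.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T08:00:00", "user": "alice@example.com", "session_id": "sess-1",
     "ip": "203.0.113.10", "device_id": "laptop-A", "mfa_satisfied_by": "prompt"},
    {"ts": "2024-03-01T09:15:00", "user": "alice@example.com", "session_id": "sess-1",
     "ip": "203.0.113.10", "device_id": "laptop-A", "mfa_satisfied_by": "existing_session"},
    # Same session cookie, now presented from a different device and network
    # with no fresh MFA prompt: the pattern the article describes.
    {"ts": "2024-03-01T11:42:00", "user": "alice@example.com", "session_id": "sess-1",
     "ip": "198.51.100.77", "device_id": "unknown-9", "mfa_satisfied_by": "existing_session"},
    {"ts": "2024-03-01T10:00:00", "user": "bob@example.com", "session_id": "sess-2",
     "ip": "203.0.113.20", "device_id": "desktop-B", "mfa_satisfied_by": "prompt"},
    # Bob changes network but stays on the same registered device: lower severity.
    {"ts": "2024-03-01T14:00:00", "user": "bob@example.com", "session_id": "sess-2",
     "ip": "192.0.2.5", "device_id": "desktop-B", "mfa_satisfied_by": "existing_session"},
]

# Policy maximum for how long a session may live before re-authentication
# is forced (assumed value for the example).
MAX_SESSION_AGE = timedelta(hours=12)


def detect_cookie_replay(events, max_age=MAX_SESSION_AGE):
    """Return a list of (session_id, user, reason) alerts.

    The first event for a session (in time order) defines the device and IP
    the session was established from; later events that present the same
    session from elsewhere without an MFA prompt are flagged.
    """
    by_session = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_session[e["session_id"]].append(e)

    alerts = []
    for sid, evs in by_session.items():
        origin = evs[0]
        origin_ts = datetime.fromisoformat(origin["ts"])
        # A session that never began with an MFA prompt is suspicious on its own.
        if origin["mfa_satisfied_by"] != "prompt":
            alerts.append((sid, origin["user"], "session first seen without an MFA prompt"))
        for e in evs[1:]:
            ts = datetime.fromisoformat(e["ts"])
            new_device = e["device_id"] != origin["device_id"]
            new_ip = e["ip"] != origin["ip"]
            no_prompt = e["mfa_satisfied_by"] != "prompt"
            if new_device and no_prompt:
                alerts.append((sid, e["user"],
                               f"session reused from new device {e['device_id']} "
                               f"at {e['ip']} without MFA"))
            elif new_ip and no_prompt:
                alerts.append((sid, e["user"],
                               f"session reused from new IP {e['ip']} on known device (review)"))
            # Long-lived sessions widen the window in which a stolen cookie stays valid.
            if ts - origin_ts > max_age:
                alerts.append((sid, e["user"],
                               "session older than policy maximum; force re-authentication"))
    return alerts


if __name__ == "__main__":
    for sid, user, reason in detect_cookie_replay(SAMPLE_EVENTS):
        print(f"[ALERT] {sid} {user}: {reason}")
```

The device-change rule is the strong signal: a cookie established on one registered device and later presented from an unregistered one, with the provider reporting that MFA was satisfied by the existing session rather than a prompt, is the attacker scenario from the Azure comparison. The IP-only rule is deliberately lower severity because mobile users change networks constantly; the session-age rule turns the “rotation” advice into something a SOC can act on by revoking sessions that outlive policy.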
As the Chief Technology Officer of Rendition Infosec, Jake Williams, aptly points out, protecting session cookies requires the same level of rigor as safeguarding passwords – through encryption, rotation, and granular access controls. Organizations must go beyond relying solely on MFA and prioritize session integrity as a fundamental aspect of modern cybersecurity practices.
In conclusion, the rise of “Pass-the-Cookie” attacks underscores the ever-evolving landscape of cybersecurity threats and the pressing need for organizations to adapt their security measures to combat sophisticated cyberattacks effectively.
