
Exploiting stolen session cookies to bypass multi-factor authentication (MFA)
2022-08-19 05:00

Active adversaries are increasingly exploiting stolen session cookies to bypass multi-factor authentication and gain access to corporate resources, according to Sophos.

"Over the past year, we've seen attackers increasingly turn to cookie theft to work around the growing adoption of MFA. Attackers are turning to new and improved versions of information stealing malware like Raccoon Stealer to simplify the process of obtaining authentication cookies, also known as access tokens," said Sean Gallagher, principal threat researcher, Sophos.

"If attackers have session cookies, they can move freely around a network, impersonating legitimate users."

Compounding the issue, many legitimate web-based applications issue long-lasting cookies that rarely or never expire; other cookies expire only if the user specifically logs out of the service.

In one case, the attackers spent months inside a target's network gathering cookies from the Microsoft Edge browser.

"While historically we've seen bulk cookie theft, attackers are now taking a targeted and precise approach to cookie stealing. Because so much of the workplace has become web-based, there really is no end to the types of malicious activity attackers can carry out with stolen session cookies. They can tamper with cloud infrastructures, compromise business email, convince other employees to download malware or even rewrite code for products. The only limitation is their own creativity," said Gallagher.


News URL

https://www.helpnetsecurity.com/2022/08/19/exploiting-stolen-session-cookies-bypass-mfa/