"Exploiting Stolen Session Cookies to Bypass Multi-Factor Authentication (MFA)"

According to Sophos, active adversaries are increasingly using stolen session cookies to circumvent multi-factor authentication (MFA) and gain access to corporate resources. In some cases, cookie theft is a highly targeted attack, with adversaries scraping cookie data from compromised systems within a network and disguising malicious activity with legitimate executables. Once attackers gain access to corporate web-based and cloud resources via cookies, they can use them for further exploitation, such as Business Email Compromise (BEC), social engineering to gain additional system access, and data or source code repository modification.

Session cookies, also known as authentication cookies, are a type of cookie that is stored by a web browser when a user logs into web resources. If attackers obtain them, they can perform a "pass-the-cookie" attack in which they inject the access token into a new web session, fooling the browser into thinking it is the authenticated user and eliminating the need for authentication. Because a token is created and stored on a web browser when using MFA, the same attack can be used to circumvent this additional layer of authentication. Complicating matters, many legitimate web-based applications use long-lasting cookies that rarely or never expire. Other cookies expire only if the user explicitly logs out of the service.

The malware-as-a-service industry has made it easier for entry-level attackers to engage in credential theft. For example, all they need to do is purchase a copy of an information-stealing Trojan such as Raccoon Stealer in order to bulk collect data such as passwords and cookies and then sell them on criminal marketplaces. Other criminals in the attack chain, such as ransomware operators, can then purchase this data and sift through it to find anything useful for their attacks. This article continues to discuss the adversaries' exploitation of session cookies to evade MFA.
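A defender's view of the pass-the-cookie behaviour and long-lived cookies described above, as an added example that is not from Sophos or Help Net Security: it scans web access logs for a session cookie that is presented by a second client or is still accepted past a policy limit. The log format, field names, the 24-hour limit and all sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (not from the article):
# timestamp, client IP, session-cookie ID, user, user agent.
SAMPLE_LOG = """\
2024-05-01T09:00:02Z 198.51.100.10 sid=a1f3 alice "Mozilla/5.0 (Windows NT 10.0) Chrome/124"
2024-05-01T09:14:40Z 198.51.100.10 sid=a1f3 alice "Mozilla/5.0 (Windows NT 10.0) Chrome/124"
2024-05-01T09:20:11Z 203.0.113.77 sid=a1f3 alice "Mozilla/5.0 (X11; Linux x86_64) Firefox/125"
2024-05-01T10:02:00Z 198.51.100.23 sid=7be9 bob "Mozilla/5.0 (Macintosh) Safari/17"
2024-05-09T10:05:00Z 198.51.100.23 sid=7be9 bob "Mozilla/5.0 (Macintosh) Safari/17"
"""
MAX_AGE_HOURS = 24  # assumed policy ceiling for one session cookie


def parse_line(line):
    """Split one log line into (time, ip, session id, user, user agent)."""
    head, _, agent = line.partition(' "')
    ts, ip, sid, user = head.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return when, ip, sid.removeprefix("sid="), user, agent.rstrip('"')


def find_suspect_sessions(log_text, max_age_hours=MAX_AGE_HOURS):
    """Return {session id: sorted reasons} for replayed or stale sessions."""
    first_seen = {}               # sid -> (time, ip, agent) of first request
    findings = defaultdict(set)
    for line in filter(None, map(str.strip, log_text.splitlines())):
        when, ip, sid, user, agent = parse_line(line)
        start, ip0, agent0 = first_seen.setdefault(sid, (when, ip, agent))
        # Same cookie presented by a different client: possible replay.
        if (ip, agent) != (ip0, agent0):
            findings[sid].add(f"client changed for {user}: {ip0} -> {ip}")
        # Cookie still accepted long after first use: long-lived session.
        if (when - start).total_seconds() > max_age_hours * 3600:
            findings[sid].add("session older than policy")
    return {sid: sorted(r) for sid, r in findings.items()}


if __name__ == "__main__":
    for sid, reasons in find_suspect_sessions(SAMPLE_LOG).items():
        print(sid, reasons)
```

A change of IP address alone also occurs for roaming users, so a finding here is a prompt to re-authenticate or review the session rather than proof of theft.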

Help Net Security reports "Exploiting Stolen Session Cookies to Bypass Multi-Factor Authentication (MFA)"

Submitted by Anonymous on