Hackers Are Reported To Be Stealing Browser Cookies to Sneak Past MFA

Hackers are reported to be stealing browser cookies to sneak past MFA, and infostealers now seem to have a growing appetite for session cookies.

Multi-factor authentication (MFA) is an effective way of keeping cyber criminals at arm's length. Some of them, however, are getting very good at bypassing this protection by stealing both application and browser session cookies.

Cybersecurity researchers at Sophos report an increasing appetite for cookies among malware of every level of sophistication. From infostealers such as Raccoon Stealer and RedLine Stealer to destructive trojans such as Emotet, a growing number of malware families are adding cookie-stealing functionality, which is worrying.

By stealing session cookies, threat actors can bypass multi-factor authentication: when the cookie is presented, the service already deems the user authenticated and grants access immediately.

This also makes them a high-value asset on the black market, with Sophos seeing cookies sold on Genesis, a marketplace where members of the Lapsus$ extortion group bought one that then led to a major data theft from video games giant EA.

The Threat Actor Is Reportedly Buying Cookies from Genesis

After buying a Slack session cookie from Genesis, the threat actor managed to spoof an existing login of an EA employee and then tricked the company's IT team into providing network access. That allowed the threat actors to steal 780 GB of data, including gaming and graphics engine source code, which was later used in an extortion attempt.

The Problems Users Are Having With Cookies

The biggest problem with cookies at the moment is how long they last, in most cases for applications like Slack. A longer-lasting cookie simply means that threat actors have more time on their hands, not only to react but also to compromise an endpoint.

IT teams can configure their browsers and apps to shorten the timeframe for which cookies remain valid. This comes with a caveat: users would need to re-authenticate more often than normal, so IT teams need to strike the right balance between convenience and security.
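As an added illustration of the lifetime trade-off just described (this is not code from Sophos or from the article), here is a minimal server-side session store that enforces both an idle timeout and an absolute lifetime, so a stolen cookie stops working once either window closes; the timeout values are assumed for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Hypothetical policy values chosen for illustration (not from the article).
IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before the cookie is dead
ABSOLUTE_LIFETIME = 8 * 3600  # hard cap regardless of activity


@dataclass
class Session:
    user: str
    issued_at: float   # when the cookie was first issued
    last_seen: float   # last request that presented the cookie


class SessionStore:
    """Server-side session table keyed by the opaque cookie value."""

    def __init__(self, idle: int = IDLE_TIMEOUT, absolute: int = ABSOLUTE_LIFETIME):
        self.idle = idle
        self.absolute = absolute
        self._sessions: Dict[str, Session] = {}

    def issue(self, user: str, now: float) -> str:
        # Opaque random token; nothing about the user is encoded in the cookie.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, now, now)
        return token

    def set_cookie_header(self, token: str) -> str:
        # Max-Age asks the browser to discard the cookie; the server-side
        # check in validate() is what actually enforces the window.
        return (f"Set-Cookie: session={token}; Max-Age={self.idle}; "
                "Secure; HttpOnly; SameSite=Lax")

    def validate(self, token: str, now: float) -> Optional[str]:
        """Return the user for a live session, or None if re-auth is required."""
        s = self._sessions.get(token)
        if s is None:
            return None
        too_old = now - s.issued_at > self.absolute   # absolute cap hit
        too_idle = now - s.last_seen > self.idle       # idle window closed
        if too_old or too_idle:
            del self._sessions[token]  # expired: a replayed cookie is now useless
            return None
        s.last_seen = now              # sliding idle window for active users
        return s.user
```

Shorter values for `idle` and `absolute` narrow the replay window at the cost of more frequent re-authentication, which is exactly the balance the paragraph above describes.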

Abuse of cookies can be prevented via behavioral rules, Sophos says, claiming that it is able to stop scripts and untrusted programs with a range of memory and behavior detections.
