Should I be concerned about cookie-passing attacks that bypass MFA?

A series of recent cyberattacks against organizations' cloud services, exploiting poor cyber hygiene practices, has put security teams on high alert and raised questions about the adequacy of multi-factor authentication (MFA).

In early January, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an alert following a series of attacks, advising users to strengthen the configuration of their cloud environment.

The agency said the attacks were likely due to high volumes of remote work and a combination of corporate and personal devices used to access cloud services.

The malicious actors behind the attacks are using a range of tactics and techniques, including phishing and brute-force login attempts, as well as so-called cookie-passing attacks to defeat MFA.

How does this work?

In such an attack, a cybercriminal uses a stolen (or transient) session cookie to authenticate to web applications and services, bypassing MFA because the session the cookie belongs to has already been authenticated.

These cookies exist for convenience: after a user has authenticated to the service, the cookie means credentials are not sent again and the user is not asked to re-authenticate as often. For that reason, they are often valid for some time.

If obtained by a malicious actor, the cookie can be imported into a browser they control, which lets them use the site or application as that user for as long as the cookie remains valid, potentially giving them enough time to move laterally, access confidential information, read emails or perform actions as the victim's account.

A widespread threat

It is important to note that cookie-passing attacks are not a new threat as such. Trevor Luker, Tessian's chief information security officer, said they are a fairly standard attack technique, as most cybercriminals who have gained access to session cookies will almost certainly try to use them as part of their lateral movement attempts.

Chris Espinosa, managing director of Cerberus Sentinel, described cookie-passing attacks as the result of an “inherent flaw” in the hypertext transfer protocol (HTTP) and how web applications work. “We run into this vulnerability routinely during penetration testing of web applications,” he said.

Roger Grimes, data-driven defence evangelist at KnowBe4, literally wrote the book on MFA hacking. “Attacks that circumvent or abuse MFA probably happen thousands of times a day, and that is nothing new or surprising. Any MFA solution can be hacked in at least four ways and most in more than six,” he said.

“MFA has always been hackable or avoidable, so we have already been living in the world of hackable MFA for decades,” added Grimes. “What has changed is more use: more people than ever use one or more forms in their daily lives.”

The problem, he said, is that most people who implement and use MFA tend to think of it as a magic talisman that prevents them from being hacked, which is simply untrue. This is not to say that it should not be used, he added, but there is a big difference between saying that MFA prevents some types of hacking and saying it prevents all kinds, and everyone who uses it should understand what it does and what it does not do.

“Thinking that MFA magically makes you untouchable is even more dangerous than not using MFA. Unfortunately, most MFA implementers and certainly most users do not understand this. For example, I can send anyone a phishing email and get around their MFA solution, and if they don’t know, they might not pay as much attention to the URL they are clicking.”

F-Secure senior consultant Tom Van de Wiele said: “Cybersecurity has multiple layers, and if some layers are misinterpreted, misused or neglected, a single vulnerability has the potential to cause disastrous consequences. The most common example is the use of MFA by organizations to protect against phishing, where most MFA solutions are only effective against attacks such as password guessing, brute force or credential stuffing.”

Risk for users

Eyal Wachsman, co-founder and CEO of Cymulate, said that now the Covid-19 pandemic has changed the nature of the enterprise security perimeter, making user authentication and the credentials used to access remote and cloud-based services more important, it is perhaps not surprising that these attacks are proving more lucrative.

Liviu Arsene, global cybersecurity researcher at Bitdefender, agreed: “Most of the spyware we have investigated over the years has had cookie or session stealing capabilities. In light of the recent transition of the workforce to remote work, it makes sense that cybercriminals are increasingly adopting this tactic when compromising employee devices, as it can help them gain access to corporate infrastructures with relative ease.”

“Cookie-passing attacks require a successful breach of the end-user workstation, and whether it is a personal device or an organization’s asset, it has become a headache for CISOs to secure,” Wachsman said.

“They are challenged to enforce patches on these workstations, and detection systems are left with partial visibility that leaves them extremely vulnerable. Adding to the mix are well-designed spear phishing attacks that introduce malware or steal credentials through social engineering.”

Unfortunately, therefore, due to the pervasive nature of MFA-breaking cookie attacks, the risk to users is substantial. “Cookie and session hijacking should be very concerning, especially for companies with single sign-on [SSO] systems to identify authenticated users,” said Arsene at Bitdefender. “An attacker could potentially access multiple web applications associated with the company using stolen employee sessions or cookies.”

OneSpan’s director of product security, Frederik Mennes, agreed that the risks are significant. “If a cookie-passing attack is successful, the impact can be significant: an adversary can access a company’s resources as long as the cookie is valid, which could be a period of several minutes to several hours in a typical situation.

“On the other hand, the probability of the attack is relatively low, since other attacks are easier and the attack requires access to cookies on the user’s device.”

How to mitigate cookie-passing attacks

Fortunately, mitigating the risk of falling victim to a cookie-passing attack, or dealing with the impact of one, shouldn’t be too difficult for security teams to understand.

“Knowing that IT architectures and applications consist of many moving parts and are subject to constant change, regular testing for these types of scenarios as part of architecture and application-based security reviews and assessments is crucial to ensure that these scenarios do not play out now or in the future,” said Van de Wiele at F-Secure.

Cerberus Sentinel’s Espinosa said: “The way to mitigate the MFA cookie-passing vulnerability is with better cookie management and better user training.

“Specifically, cookies should be set with a short lifespan and should be for a single session, so when the browser is closed, the cookie is overridden. Users must be able to log out of the web application and close their browser after they have finished using the web application. Many users never log out or close a browser; this increases the risk.

“The bottom line is that there is no one-size-fits-all way to fix the cookie-passing problem, unless you force a user to re-authenticate more frequently for different web application functions. However, this diminishes the user experience,” he said.

Luker from Tessian added: “There are a lot of easy mitigations available, which means that these attacks are not as successful as they used to be a couple of years ago.

“Such mitigations include only allowing access to the corporate cloud infrastructure from known IP addresses, ideally through a corporate VPN [virtual private network] endpoint with independent strong MFA in place. It is also important to remember that session cookies tend to be time-limited, so they are only useful for a short time.”
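As an added example (not code from the article or from any of the vendors quoted), the following Python sketch implements the controls Espinosa and Luker describe above: a session-scoped cookie with no stored expiry, server-side revocation on logout, short idle and absolute timeouts, and a check that treats a cookie presented from a client other than the one it was issued to as a replay and raises an alert for the SOC. The timeout values and the IP-plus-user-agent binding are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Assumed policy values: a short idle timeout plus an absolute cap bound the
# window in which a stolen cookie is still usable.
IDLE_TIMEOUT = 15 * 60
ABSOLUTE_TIMEOUT = 8 * 3600

def set_cookie_header(token):
    # Session-scoped (no Max-Age/Expires) so it dies with the browser; Secure,
    # HttpOnly and SameSite limit exposure to script and cross-site requests.
    return f"Set-Cookie: sid={token}; Path=/; Secure; HttpOnly; SameSite=Strict"

def client_fingerprint(ip, user_agent):
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()

class SessionStore:
    def __init__(self, now=time.time):
        self._now = now
        self._sessions = {}  # server-side table; the cookie is only an opaque handle
        self.alerts = []     # detection output for the SOC

    def login(self, user, ip, user_agent):
        token = secrets.token_urlsafe(32)
        now = self._now()
        fp = client_fingerprint(ip, user_agent)
        self._sessions[token] = {"user": user, "fp": fp, "issued": now, "seen": now}
        return token

    def logout(self, token):
        self._sessions.pop(token, None)  # explicit logout revokes server-side

    def authenticate(self, token, ip, user_agent):
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._now()
        if now - s["issued"] > ABSOLUTE_TIMEOUT or now - s["seen"] > IDLE_TIMEOUT:
            self._sessions.pop(token)
            return None
        # Cookie presented from a client it was not issued to: treat as a replayed
        # cookie, revoke it and alert (caveat: strict IP binding breaks roaming users).
        if not hmac.compare_digest(s["fp"], client_fingerprint(ip, user_agent)):
            self.alerts.append(f"session of {s['user']} replayed from {ip}")
            self._sessions.pop(token)
            return None
        s["seen"] = now
        return s["user"]
```

Binding to a corporate VPN egress range rather than a single client IP, as Luker suggests, is a gentler form of the same check for users whose addresses change.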

A question of culture

As with many other security risks, effective mitigation also relies heavily on having proper internal security cultures in place, as OneLogin Global Data Protection Officer Niamh Muldoon notes.

“The culture of security and maintaining security awareness across your entire organization is critical not only to identifying and responding to security threats, but also to following security processes,” she said.

“Provisioning and de-provisioning access control processes are excellent examples that need conscious focus and attention to ensure that only those who have a business access requirement have access, and that their access is approved, reviewed and monitored in accordance with the access control principles of authentication, authorization and assurance.”

Wachsman added: “To prevent these attacks, companies must increase security awareness of phishing attempts, employees must log out of cloud services when they are not using them, and services must be configured to automatically log out sessions that are inactive, even for short periods of time. Being aware of their security posture is critical to discovering and correcting any weaknesses they find.”
