Cookie theft threat: When multi-factor authentication is not enough

A lot of companies have deployed multi-factor authentication, yet attackers have some ways to bypass it—the most used one being cookie theft.

Green padlock icon on a smartphone screen, web and network protection, security and anonymity symbol

Multi-factor authentication (MFA) is a good security measure, most of the time. It enables a company to add a layer of security to its corporate VPN, for example. The user, in addition to a (hopefully) strong password, needs to enter another code, which can be accessed from another device. It might be a smartphone via SMS or authentication applications such as Duo or Google Authenticator, or even hardware 

A lot of online services on the web also use this technology nowadays, and more and more will adopt MFA, which is good of course.

Yet what happens once a user has authenticated his/her access to such a website? How is the session handled from the servers point of view? The answer is a unique simple word: cookies.

Session cookies
The way most websites handle authentication is via cookies, those tiny files stored by the browser. Once authenticated, a session cookie maintains the session state and the user’s browsing session stays authenticated (Figure A).
Figure A
Normal web service session initiates the session cookie and maintains it.

Normal web service session initiates the session cookie and maintains it. Image: Sophos
Each cookie stored in the browser’s database contains a list of parameters and values, including in some cases a unique token provided by the web service once authentication is validated.

Session cookies, as their name implies, do last as long as the session is opened.

The threat
The threat, as exposed in a recent publication from Sophos, is pretty straightforward: “Cookies associated with authentication to web services can be used by attackers in ‘pass the cookie’ attacks, attempting to masquerade as the legitimate user to whom the cookie was originally issued and gain access to web services without a login challenge” (Figure B).
Figure B
Pass the Cookie attack allows an attacker to usurp an authenticated session.

Pass the Cookie attack allows an attacker to usurp an authenticated session. Image: Sophos
The most common way for stealing such cookies is via malware, which will send exact copies of the session cookies to the attacker. Several credential stealing malware now also provides cookie theft functionalities, and we should expect this functionality to pop in almost every of these kinds of malware in the future, as MFA is more and more deployed and used.

Cookies can also be sold, in the same way as credentials are sold. One might think that session cookies would not last long enough to be sold, but it is not the case, depending on the configuration of the client and the server, session cookies might last for days, weeks or even months. Users tend to avoid authenticating multiple times if they can avoid it, and so they often click on options provided by the websites to extend their session and not have it closed before a long time, even if the browser is closed and reopened.

A cybercriminal marketplace dubbed Genesis, famous for selling credentials, also sells cookies. Members of the Lapsus$ extension group claimed they purchased a stolen cookie, which provided access to Electronic Arts. This allowed the threat actor to steal about 780 gigabytes of data used to attempt to extort Electronic Arts.

Cookie stealers infections
Users’ computers can be infected by cookie stealing malware just the same way as any other kind of malware.
Sophos reports that malware operators often use paid download services and other non targeted approaches to gather as many victims’ cookies as possible.

One efficient approach is to store the malware in large ISOs or ZIP archives which are then advertised through malicious websites as installers for pirated/cracked commercial software.

They might also be available via peer-to-peer networks.

Cookie stealers might also arrive via email, often as archive files containing a malicious downloader or dropper for the malware.

Finally, cookies are also a powerful resource for targeted attacks. Once attackers have successfully compromised a computer, they might actively look for cookies, in addition to valid credentials. Once found and stolen, they might be used to increase the attacker’s list of methods to stay inside the network. Attackers might also abuse legitimate security tools such as Metasploit or Cobalt Strike to leverage session cookies.

How can websites provide better protection for their users?
Many web-based applications implement additional checks against cookie session hijacking. In particular, checking the IP address of the request against the IP address used in the initiation of the session can be efficient. Yet it seems difficult for applications built for a combination of desktop and mobile use. Also, an attacker already inside the internal network might still be able to hijack a cookie from a user.

Shortening the lives of cookies might also be a security measure to take, but it means the users will need to authenticate more often, which might be unwanted.

On the network, cookies should never be transmitted in clear text. It should always be transmitted using SSL (Secure Sockets Layer). This is in line with the security recommendations of having websites run fully on the HTTPS protocol instead of HTTP. Cookies could also be encrypted using a two-way algorithm.

How can end users protect themselves from cookie theft?
A cookie can only be stolen via two ways: via the end user’s computer, or via the network communications with the web-based application.

Users should enforce encryption when possible, and favor HTTPS instead of HTTP. Users should also regularly delete their session cookies, but it means they will also have to re-authenticate.

Yet the main risk still lies in their computer being infected by a cookie stealing malware. This can be prevented with general computer security hygiene. The operating system and software always need to be up to date and patched, in order to avoid being compromised by a common vulnerability.

Security solutions should also be deployed in order to detect any malware that would be downloaded or received via email.

Source - Cedric Pernet in Security - August 22, 2022