Hackers are stealing browser cookies to glide past MFA
Infostealers are growing a big appetite for session cookies
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
Multi-factor authentication is a great way to keep cybercriminals at bay, but some are apparently getting pretty good at bypassing this type of protection by stealing application andbrowsersession cookies.
Cybersecurity researchers from Sophos say they’re observing an increasing appetite for cookies, among malware of all sophistication levels. From infostealers such as Racoon Stealer, or RedLine Stealer, to destructive trojans such as Emotet, an increasing number of viruses andmalwareare getting cookie-stealing functionalities.
By stealing session cookies, threat actors are able to bypass multi-factor authentication because, with the cookies, the service already deems the user authenticated and just grants access immediately. That also makes them a high-value asset on the black market, with Sophos seeing cookies being sold on Genesis, where members of the Lapsus$ extortion group bought one that resulted in amajor data theft from video games giant EA.
Buying cookies
After purchasing a Slack session cookie from Genesis, the threat actor managed to spoof an existing login of an EA employee and trick the company’s IT team into providing network access. This allowed them to steal 780 GB of data, including game and graphics engine source code, which was later used in an extortion attempt.
Half of Americans accept all cookies despite the security risk>Google pushes back deadline for killing off tracking cookies in Chrome>Keep your devices safe with the best malware removal tools out there
The biggest problem with cookies is that they last relatively long, especially for applications such as Slack. A longer-lasting cookie means threat actors have more time to react and compromise anendpoint. IT teams can program their browsers and apps to shorten the allowable timeframe that cookies remain valid, but it comes with a caveat - that means users would need to re-authenticate more often which, in turn, means IT teams need to strike the perfect balance between security and convenience.
Cookie abuse can also be prevented through behavioral rules, Sophos hints, saying that it’s able to stop scripts and untrusted programs “with a number of memory and behavior detections”.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
This new phishing strategy utilizes GitHub comments to distribute malware
Should your VPN always be on?
Herman Miller Aeron gaming chair review: premium, highly customizable comfort
