Cookie thieves breach systems by impersonating legitimate users


Threat actors increasingly steal session cookies to bypass multi-factor authentication: a cookie issued after a successful login already carries the result of the MFA check, so whoever presents it is treated as that user by the target's web applications and cloud services.

Cookies are a highly valued asset for cybercriminals. By abusing them, threat actors gain access to corporate resources and use that access in further attacks, according to cybersecurity company Sophos.


Session (or authentication) cookies are stored by a web browser after a user logs in, and the browser sends them with every subsequent request so the user does not have to authenticate again. An attacker who steals such a cookie can present it from their own browser: the web application, not the browser, is what gets tricked, since the server has no way to tell a replayed cookie from the original and accepts the request as coming from the already authenticated user. The attacker never enters a password or passes an MFA challenge.

Information-stealing malware, such as the latest version of Emotet, increasingly targets cookies. At the same time, the fact that marketplaces like Genesis have turned cookie sales into a viable business indicates that cookie theft is indeed on the rise.

“While historically we’ve seen bulk cookie theft, attackers are now taking a targeted and precise approach to cookie stealing. Because so much of the workplace has become web-based, there really is no end to the types of malicious activity attackers can carry out with stolen session cookies,” said Sean Gallagher, principal threat researcher, Sophos.

Threat actors can tamper with cloud infrastructures, compromise a business email, convince other employees to download malware, or even rewrite code for products.

“The only limitation is their own creativity. Complicating matters is that there is no easy fix,” Gallagher added.

Cookie theft is effective largely because so many applications issue long-lived session cookies: a stolen cookie remains usable until the server-side session it refers to expires or is revoked.

“Slack, for example, uses a combination of persistent and session-specific cookies to check for users’ identity and authentication. While session cookies are cleared when a browser is closed, some of these applications (such as Slack) remain open indefinitely in some environments. These cookies may not expire fast enough to prevent someone from exploiting them if they’re stolen,” Sophos said.
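The two points above, that a replayed cookie is indistinguishable from the real one and that long-lived sessions give a thief time to use it, can be shown with a small server-side session store. The code below is an added example written for this article; it is not code from Sophos, Slack or Cybernews. Everything in it is constructed: the user "alice", the IP addresses and User-Agent strings, the fake clock, and the timeout values are all assumptions chosen for illustration. The client fingerprint (a hash of IP and User-Agent) and the choice to revoke a session outright when that fingerprint changes are design assumptions, not a description of how any named product behaves.

```python
"""Toy session store: why a stolen session cookie works, and two server-side
controls that limit the damage. Added example, not code from the article's
sources. All users, addresses and timeouts below are constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional


def fingerprint(ip: str, user_agent: str) -> str:
    """Coarse client fingerprint (assumed: source IP + User-Agent)."""
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()


@dataclass
class Session:
    user: str
    issued_at: float
    last_seen: float
    client_fp: str


class SessionStore:
    """Server side of cookie-based authentication.

    The cookie value is only a random lookup key; everything that matters
    (who the user is, when the session expires) lives here on the server.
    """

    def __init__(self, idle_timeout: float, absolute_lifetime: float,
                 bind_client: bool, now: Callable[[], float]) -> None:
        self.idle_timeout = idle_timeout
        self.absolute_lifetime = absolute_lifetime
        self.bind_client = bind_client
        self._now = now
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, auth_passed: bool, client_fp: str) -> str:
        """Issue a cookie only after password + MFA succeeded (checked elsewhere).
        From this point on the cookie alone is the credential."""
        if not auth_passed:
            raise PermissionError("authentication failed")
        token = secrets.token_urlsafe(32)          # 256 bits, unguessable
        t = self._now()
        self._sessions[token] = Session(user, t, t, client_fp)
        return token

    def authenticate(self, token: str, client_fp: str) -> Optional[str]:
        """Return the user for a presented cookie, or None if it is rejected."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._now()
        if now - s.issued_at > self.absolute_lifetime or now - s.last_seen > self.idle_timeout:
            del self._sessions[token]                 # expired: drop it server-side
            return None
        if self.bind_client and not hmac.compare_digest(s.client_fp, client_fp):
            # Assumed policy: a fingerprint change is treated as theft, so the
            # session is revoked for everyone. The thief already holds the token,
            # so merely denying this one request would not be enough.
            del self._sessions[token]
            return None
        s.last_seen = now
        return s.user

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)


class FakeClock:
    """Controllable clock so the example runs deterministically offline."""
    def __init__(self, t: float = 1_700_000_000.0) -> None:
        self.t = t
    def __call__(self) -> float:
        return self.t
    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo() -> Dict[str, Optional[str]]:
    clock = FakeClock()
    victim_fp = fingerprint("203.0.113.10", "Mozilla/5.0 (Windows NT 10.0) Chrome/120")
    thief_fp = fingerprint("198.51.100.7", "Mozilla/5.0 (X11; Linux x86_64) Firefox/121")
    r: Dict[str, Optional[str]] = {}

    # 1. Long-lived, unbound session: the situation the article describes.
    lax = SessionStore(idle_timeout=30 * 86400, absolute_lifetime=365 * 86400,
                       bind_client=False, now=clock)
    cookie = lax.login("alice", auth_passed=True, client_fp=victim_fp)
    r["lax_replay_user"] = lax.authenticate(cookie, thief_fp)        # 'alice'
    clock.advance(7 * 86400)
    r["lax_replay_after_week"] = lax.authenticate(cookie, thief_fp)  # still 'alice'

    # 2. Short idle timeout plus client binding.
    strict = SessionStore(idle_timeout=900, absolute_lifetime=8 * 3600,
                          bind_client=True, now=clock)
    cookie = strict.login("alice", auth_passed=True, client_fp=victim_fp)
    r["strict_owner_ok"] = strict.authenticate(cookie, victim_fp)             # 'alice'
    r["strict_replay_user"] = strict.authenticate(cookie, thief_fp)           # None
    r["strict_owner_after_replay"] = strict.authenticate(cookie, victim_fp)   # None: revoked
    cookie = strict.login("alice", auth_passed=True, client_fp=victim_fp)
    clock.advance(901)
    r["strict_after_idle"] = strict.authenticate(cookie, victim_fp)           # None
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The first store accepts the replayed cookie a week later from a different machine, which is exactly the window the article's sources describe. The second store limits that window with an idle timeout and revokes the session when the client fingerprint changes. Binding to IP and User-Agent is deliberately coarse: users on mobile networks or VPNs change IP legitimately, so in practice such a mismatch is better treated as a signal to re-authenticate and to raise an alert than as proof of theft.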

In one case, the Lapsus$ extortion group claimed to have purchased a stolen session cookie belonging to an employee of the game developer Electronic Arts from the Genesis Marketplace. The stolen cookie allowed the criminals to access EA's Slack instance, eventually leading to Lapsus$ grabbing 780 gigabytes of data, including game and graphics engine source code, which the group then used to attempt to extort EA.


It's good practice, both in terms of privacy and performance, to periodically clear cookies and cache. Note that clearing cookies only deletes the local copies; a copy already stolen stays valid until the server-side session expires or is ended, so logging out of the affected services is what actually invalidates it. Cybernews prepared an easy-to-use guide on how to clear cookies and cache on all browsers and devices.