A series of recent cyberattacks against organizations’ cloud services that exploited poor cyber hygiene practices has put security teams on high alert and raised questions over the adequacy of multi-factor authentication (MFA).
In January, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an alert following the attacks, advising users to strengthen their cloud environment configuration.
The agency said the attacks were likely enabled by high volumes of remote work and a mixture of corporate and personal devices being used to access cloud services.
The attackers behind the incidents use a range of tactics and techniques, including phishing, brute-force login attempts, and so-called pass-the-cookie attacks, to defeat MFA.
How this works
In a pass-the-cookie attack, a cyber criminal uses a stolen session cookie to authenticate to web applications and services, bypassing MFA because the session is already established.
Such cookies are a convenience: after a user has authenticated to the service, credentials are not passed again and the user does not need to reauthenticate so often – hence they are usually valid for some time.
If obtained by a malicious actor, the cookie can be imported into a browser the attacker controls, letting them use the site or app as the user for as long as the cookie remains active. That potentially gives them ample opportunity to move around laterally, access sensitive information, read emails, or perform actions as the victim account.
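The two properties described above, a cookie that is replayed from a client the user does not control and a cookie that stays valid for a long time, are both visible in ordinary web-server logs. The following detection sketch is an added example and not part of the original article; the log format, the field names (`sid`, `ip`, `ua`) and the 12-hour lifetime policy are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample log lines (not from the article):
# timestamp, session cookie id, client IP, user agent.
LOG_LINES = [
    "2021-01-13T09:00:00 sid=a1b2c3 ip=203.0.113.10 ua=Firefox/84",
    "2021-01-13T09:05:00 sid=a1b2c3 ip=203.0.113.10 ua=Firefox/84",
    "2021-01-13T09:07:00 sid=a1b2c3 ip=198.51.100.7 ua=Chrome/87",
    "2021-01-13T15:00:00 sid=d4e5f6 ip=203.0.113.22 ua=Safari/14",
    "2021-01-14T10:30:00 sid=d4e5f6 ip=203.0.113.22 ua=Safari/14",
]

# Assumed policy: a session cookie older than this should already have expired.
MAX_SESSION_AGE = timedelta(hours=12)


def parse_line(line):
    """Split one constructed log line into a dict with a datetime timestamp."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def find_suspicious_sessions(lines, max_age=MAX_SESSION_AGE):
    """Return {sid: [reasons]} for sessions that look replayed or over-aged."""
    first_seen = {}  # sid -> (timestamp, ip, ua) at first observation
    findings = {}
    for rec in map(parse_line, lines):
        sid = rec["sid"]
        if sid not in first_seen:
            first_seen[sid] = (rec["ts"], rec["ip"], rec["ua"])
            continue
        t0, ip0, ua0 = first_seen[sid]
        reasons = findings.setdefault(sid, [])
        # Same cookie presented from a different client fingerprint: the cookie
        # may have been copied into a browser the user does not control.
        if (rec["ip"], rec["ua"]) != (ip0, ua0):
            reasons.append(f"client changed {ip0}/{ua0} -> {rec['ip']}/{rec['ua']} at {rec['ts']:%H:%M}")
        # Cookie still accepted long after it was first seen: lifetime too generous.
        if rec["ts"] - t0 > max_age:
            reasons.append(f"used {rec['ts'] - t0} after first seen (max {max_age})")
    return {sid: r for sid, r in findings.items() if r}


if __name__ == "__main__":
    for sid, reasons in find_suspicious_sessions(LOG_LINES).items():
        print(sid, "->", "; ".join(reasons))
```

A change of IP alone is noisy on mobile networks, so in practice the client-change rule is paired with the user agent (as here) or with a stronger server-side binding, while the age rule is better enforced at the service by expiring the cookie outright.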
A widespread threat
It is important to note that pass-the-cookie attacks are not a new threat. Trevor Luker, head of information security, said they are a reasonably standard attack, in as much as most cyber criminals who have gained access to session cookies will almost certainly try to use them as part of their lateral movement attempts.
Chris Espinosa, managing director, described pass-the-cookie attacks as the result of an “inherent flaw” in hypertext transfer protocol (HTTP) and how web apps work. “We run into this vulnerability routinely during penetration tests,” he said.
Roger Grimes, data-driven defense evangelist, agreed. “Attacks that bypass or abuse MFA likely happen thousands of times, and that’s nothing new or surprising. Any MFA solution can be hacked at least four ways, and most more than six ways,” he said.
“MFA has always been hackable or bypassable, so we’ve already been aware of hackable MFA for decades,” added Grimes. “What has changed is increased use – more people than ever are using one or more forms of it daily.”
The problem, he said, is that most people deploying and using MFA are inclined to think of it as a magical talisman that will stop them from being hacked, which is simply untrue. That is not to say it shouldn’t be used, he added, but there is a difference between saying MFA prevents some kinds of hacking and saying it prevents all kinds, and everybody who uses it should understand what it does and doesn’t stop.
“Thinking that MFA magically makes you unhackable is even more dangerous than not using MFA. Unfortunately, most MFA implementers and certainly most users don’t understand this. For example, I can send anyone a phishing email and get around their MFA solution, and if you don’t know that, you might not pay attention to what URL you’re clicking on.”
Principal consultant Tom Van de Wiele said: “Cyber security is multi-layered, and if some layers are misunderstood, misused, or neglected, one single vulnerability has the potential to cause disastrous consequences. The most common example is the use of MFA by organizations to protect against phishing, where most MFA solutions are only effective against attacks such as password guessing, brute-forcing, or credential stuffing.”
Risk to users
Eyal Wachsman, co-founder and CEO, said that now the Covid-19 pandemic has changed the nature of the enterprise security perimeter, making secure access to remote and cloud-based services more critical, it is perhaps unsurprising that these attacks are proving more lucrative.