Should I be worried about MFA-bypassing pass-the-cookie attacks?

by Joseph K. Clark

A series of recent cyberattacks against organizations’ cloud services, which exploited poor cyber hygiene practices, has put security teams on high alert and raised questions over the adequacy of multi-factor authentication (MFA).

In January, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an alert following the attacks, advising users to strengthen their cloud environment configuration.

The agency said the attacks were likely due to high volumes of remote working and a mixture of corporate and personal devices being used to access cloud services.

The malicious actors behind the attacks used tactics and techniques including phishing, brute-force login attempts and so-called pass-the-cookie attacks to defeat MFA.

How this works

In such an attack, a cyber criminal uses a stolen session (or transient) cookie to authenticate to web applications and services. MFA is bypassed because the session it represents was already established by the legitimate user, MFA challenge included: the server checks only that the cookie is valid, not who is presenting it.

Such cookies are issued after a user has authenticated so that credentials are not sent with every request and the user does not have to reauthenticate on each visit. For that convenience they are usually valid for some time, often hours or days.

If obtained by a malicious actor, for instance through malware on the endpoint, a phishing proxy or a browser profile copied from a shared device, the cookie can be imported into a browser the attacker controls. The attacker can then use the site or app as the user for as long as the cookie remains valid, potentially giving them ample time to move laterally, access sensitive information, read email, or perform actions as the victim account.
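To make the mechanism concrete, the following is an added example written for this article; it is not code from the article or from any of the vendors quoted in it. It simulates a web back end with a hypothetical in-memory `SessionStore`: `authorize_naive` accepts any valid cookie, which is the behaviour pass-the-cookie relies on, while `authorize_bound` adds the checks a hardened service would apply, an absolute session lifetime, a keyed fingerprint of the client that presented the cookie at login, and step-up MFA for sensitive actions. The clock, IP addresses and user agents are constructed test data.

```python
"""Added example: why a stolen session cookie bypasses MFA, and server-side
checks that shorten the window. Hypothetical code, not from the article."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

SESSION_TTL = 8 * 3600      # assumed absolute session lifetime, in seconds
REAUTH_WINDOW = 300         # assumed: sensitive actions need MFA within 5 minutes


@dataclass
class Session:
    user: str
    issued_at: float
    client_fp: str          # keyed hash of the client that logged in
    mfa_at: float           # when MFA was last satisfied on this session


class SessionStore:
    def __init__(self, secret: bytes, now: Callable[[], float] = time.time):
        self.secret = secret
        self.now = now
        self.sessions: Dict[str, Session] = {}

    def client_fingerprint(self, ip: str, user_agent: str) -> str:
        # HMAC so the fingerprint cannot be forged without the server secret.
        msg = f"{ip}|{user_agent}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def login(self, user: str, password_ok: bool, mfa_ok: bool,
              ip: str, user_agent: str) -> Optional[str]:
        """MFA is enforced here, and only here: once the cookie exists,
        nothing in authorize_naive ever asks for a second factor again."""
        if not (password_ok and mfa_ok):
            return None
        token = secrets.token_urlsafe(32)
        t = self.now()
        self.sessions[token] = Session(user, t, self.client_fingerprint(ip, user_agent), t)
        return token

    def authorize_naive(self, cookie: str) -> Optional[str]:
        """The behaviour pass-the-cookie exploits: a valid cookie is the user."""
        s = self.sessions.get(cookie)
        return s.user if s else None

    def authorize_bound(self, cookie: str, ip: str, user_agent: str,
                        sensitive: bool = False) -> Optional[str]:
        """Hardened check: lifetime, client binding, and step-up for sensitive actions."""
        s = self.sessions.get(cookie)
        if s is None:
            return None
        if self.now() - s.issued_at > SESSION_TTL:
            del self.sessions[cookie]            # expired: force a fresh login + MFA
            return None
        presented = self.client_fingerprint(ip, user_agent)
        if not hmac.compare_digest(s.client_fp, presented):
            del self.sessions[cookie]            # cookie replayed from another client: revoke
            return None
        if sensitive and self.now() - s.mfa_at > REAUTH_WINDOW:
            return None                          # caller should trigger step-up MFA
        return s.user


def demo() -> Dict[str, Optional[str]]:
    """Walk through the attack against both authorizers with a controllable clock."""
    clock = [1_700_000_000.0]                    # constructed fixed timestamp
    store = SessionStore(b"server-secret-for-demo", now=lambda: clock[0])
    victim_ip, victim_ua = "203.0.113.10", "Firefox/115"        # constructed
    attacker_ip, attacker_ua = "198.51.100.7", "Chrome/120"      # constructed

    cookie = store.login("alice", password_ok=True, mfa_ok=True,
                         ip=victim_ip, user_agent=victim_ua)
    result = {
        # Attacker imports the stolen cookie; the naive server cannot tell them apart.
        "naive_attacker": store.authorize_naive(cookie),
        "bound_victim": store.authorize_bound(cookie, victim_ip, victim_ua),
    }
    clock[0] += 600                               # ten minutes pass
    result["bound_sensitive_stale"] = store.authorize_bound(
        cookie, victim_ip, victim_ua, sensitive=True)
    result["bound_attacker"] = store.authorize_bound(cookie, attacker_ip, attacker_ua)
    # The replay from a foreign client revoked the session, so even the victim is logged out.
    result["bound_victim_after_revoke"] = store.authorize_bound(cookie, victim_ip, victim_ua)
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The client fingerprint is a heuristic, not a cryptographic binding: an attacker who copies the victim's user agent and tunnels through the victim's machine or network defeats it, and strict IP binding breaks legitimate users on mobile networks or behind changing NAT. What reliably limits a stolen cookie is the rest of the function: a short absolute lifetime, fresh MFA for sensitive actions, revocation on anomaly, and server-side session stores that administrators can invalidate. Binding the session to a key held on the device rather than to network attributes is the stronger direction, but it requires browser and server support that this example does not assume.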

A widespread threat

It is important to note that pass-the-cookie attacks are not a new threat. Trevor Luker, Tessian’s head of information security, said they are a reasonably standard attack, in as much as most cyber criminals who have gained access to session cookies will almost certainly try to use them as part of their lateral movement attempts.

Chris Espinosa, managing director of Cerberus Sentinel, described pass-the-cookie attacks as the result of an “inherent flaw” in hypertext transfer protocol (HTTP) and how web apps work. “We run into this vulnerability routinely during web application penetration tests,” he said.

Roger Grimes, KnowBe4 data-driven defense evangelist, literally wrote the book on MFA hacking. “Attacks that bypass or abuse MFA likely happen thousands of times a day, and that’s nothing new or surprising. Any MFA solution can be hacked at least four ways, and most more than six ways,” he said.

“MFA has always been hackable or bypassable, so we’ve already been living in a world of hackable MFA for decades,” added Grimes. “What has changed is increased use – more people than ever are using one or more forms of it daily.”

The problem, he said, is that most people deploying and using MFA are inclined to think of it as a magical talisman to stop them from being hacked, which is simply untrue. He added that this is not to say it shouldn’t be used, but there is a big difference in saying MFA prevents some kinds of hacking or all kinds, and everybody who uses it should understand what it does and doesn’t stop.

“Thinking that MFA magically makes you unhackable is even more dangerous than not using MFA. Unfortunately, most MFA implementers and certainly most users don’t understand this. For example, I can send anyone a phishing email and get around their MFA solution, and if you don’t know that, you might not pay as much attention to what URL you’re clicking on.”

F-Secure principal consultant Tom Van de Wiele said: “Cyber security is multi-layered, and if some layers are misunderstood, misused, or neglected, one single vulnerability has the potential to cause disastrous consequences. The most common example is the use of MFA by organizations to protect against phishing, where most MFA solutions are only effective against attacks such as password guessing, brute-forcing, or credential stuffing.”

Risk to users

Eyal Wachsman, co-founder and CEO of Cymulate, said that now that the Covid-19 pandemic has changed the nature of the enterprise security perimeter, making user authentication and the credentials used to access remote and cloud-based services more critical, it is perhaps unsurprising that these attacks are proving more lucrative.