Should I be worried about MFA-bypassing pass-the-cookie attacks?

Malicious actors bypassed multi-factor authentication using so-called pass-the-cookie attacks, but how worrying is this and what is the risk to organisations?

A series of recent cyber attacks against organisations’ cloud services that exploited poor cyber hygiene practice have put security teams on high alert and raised questions over the adequacy of multi-factor authentication (MFA).

Earlier in January, the US’ Cybersecurity and Infrastructure Security Agency (CISA) issued an alert following a spate of attacks, advising users to strengthen their cloud environment configuration.

The agency said the attacks were likely occurring due to high volumes of remote working and a mixture of corporate and personal devices being used to access cloud services.

The malicious actors behind the attacks are using a range of tactics and techniques, including phishing and brute-force login attempts, as well as so-called pass-the-cookie attacks to defeat MFA.

How this works

In such an attack, a cyber criminal can use a stolen session (or transient) cookie to authenticate to web applications and services, bypassing MFA because the session is clearly already authenticated.

Such cookies are used for convenience after a user has authenticated to the service, so that credentials are not passed and they don’t need to reauthenticate so often – hence they are often valid for some time.

If obtained by a malicious actor, the cookie can then be imported into a browser that they control, meaning they can use the site or app as the user for as long as the cookie remains active, potentially giving them ample time to move around laterally, accessing sensitive information, reading emails, or performing actions as the victim account.

A widespread threat

It is important to note that pass-the-cookie attacks are not a new threat as such. Trevor Luker, Tessian’s head of information security, said they are a fairly standard attack, in as much as most cyber criminals who have gained access to session cookies will almost certainly try to use them as part of their lateral movement attempts.

Chris Espinosa, managing director of Cerberus Sentinel, described pass-the-cookie attacks as the result of an “inherent flaw” in hypertext transfer protocol (HTTP) and how web apps work. “We run into this vulnerability routinely during web application penetration tests,” he said.

Roger Grimes, KnowBe4 data driven defence evangelist, literally wrote the book on MFA hacking. “Attacks that bypass or abuse MFA likely happen thousands of times a day, and that’s nothing new or surprising. Any MFA solution can be hacked at least four ways, and most more than six ways,” he said.

“MFA has always been hackable or bypassable, so we’ve already been living in the world of hackable MFA for decades,” added Grimes. “What has changed is increased use – more people than ever are using one or more forms of it in their daily lives.”

The problem, he said, is that most people deploying and using MFA are inclined to think of it as a magical talisman that stops them being hacked, which is simply untrue. This is not to say it shouldn’t be used, he added, but there is a big difference between saying MFA prevents some kinds of hacking and saying it prevents all kinds, and everybody who uses it should understand what it does and doesn’t stop.

“Thinking that MFA magically makes you unhackable is even more dangerous than not using MFA. Unfortunately, most MFA implementers and certainly most users don’t understand this. For example, I can send anyone a phishing email and get around their MFA solution and if you don’t know that, you might not pay as much attention to what URL you’re clicking on.”

F-Secure principal consultant Tom Van de Wiele said: “Cyber security is multi-layered and if some layers are misunderstood, misused or neglected, one single vulnerability has the potential to cause disastrous consequences. The most common example is the use of MFA by organisations to protect against phishing, where most MFA solutions are only effective against attacks such as password guessing, brute-forcing or credential stuffing.”

Risk to users

Eyal Wachsman, co-founder and CEO of Cymulate, said that the Covid-19 pandemic has changed the nature of the enterprise security perimeter, making the credentials used to authenticate to remote and cloud-based services more important than ever, so it is perhaps unsurprising that these attacks are proving more lucrative.

Liviu Arsene, global cyber security researcher at Bitdefender, agreed: “Most spyware that we’ve investigated throughout the years have had cookie or session-stealing capabilities. In light of the recent workforce transition to remote work, it makes sense for cyber criminals to increasingly adopt this tactic when compromising employee devices, as it can help them gain access to corporate infrastructures with relative ease.”

“Pass-the-cookie attacks require a successful breach of the end user’s workstation, and whether they are personal devices or an organisation’s assets, these workstations have become a headache to secure for CISOs,” said Wachsman.

“They are challenged to enforce patching on these workstations and detection systems are blindsided with partial visibility leaving them extremely vulnerable. Adding to the mix are well-crafted spear phishing attacks that introduce malware or steal credentials through social engineering.”

So unfortunately, due to the widespread nature of MFA-busting cookie attacks, the risk to users is indeed a substantial one. “Cookie and session hijacking should be very concerning, especially for companies with single sign-on systems [SSO] to identify authenticated users,” said Arsene at Bitdefender. “An attacker could potentially access multiple web applications associated across the company using the employees’ stolen cookies or sessions.”

OneSpan product security director Frederik Mennes agreed that the risks are noteworthy. “If a pass-the-cookie attack is performed successfully, the impact can be significant: an adversary can access a company’s resources as long as the cookie is valid, which could be a period of several minutes up to several hours in a typical situation.

“On the other hand, the likelihood of the attack is relatively low, as other attacks are easier, and as the attack requires access to cookies on the user’s device.”

How to mitigate pass-the-cookie attacks

Thankfully, mitigating the risk of falling victim to a pass-the-cookie attack, or dealing with the impact of one, should not be too hard for security teams to get their heads around.

“Knowing that applications and IT architectures consist of a lot of moving parts and are subject to constant change, regular testing for these kinds of scenarios as part of application and architecture-based security reviews and assessments is crucial to ensure that these scenarios cannot play out now or in the future,” said Van de Wiele at F-Secure.

Cerberus Sentinel’s Espinosa said: “The way to mitigate the MFA pass-the-cookie vulnerability is with better cookie management and better user training.

“Specifically, cookies should be set with a short lifespan and should be for a single session, so when the browser is closed, the cookie is voided. Users should be trained to log off the web application and close their browser after they are done using the web application. Many users never log off or close a browser – this increases risk.

“The bottom line is there is no single way to fix the pass-the-cookie problem, unless you force a user to reauthenticate more frequently for different web application functionality. This diminishes the user experience though,” he said.

Tessian’s Luker added: “There are plenty of easy mitigations available, which means these attacks aren’t nearly as successful as they used to be a couple of years ago.

“Such mitigations include only allowing access to corporate cloud infrastructure from known IP addresses, ideally via a corporate VPN [virtual private network] endpoint with separate strong MFA in place. It’s also important to remember that session cookies tend to be time-limited, so they are only useful for a short period.”
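The session handling described above (short-lived, single-session cookies, sessions tied to known client networks, and a stolen cookie being rejected when it turns up elsewhere), as an added example that is not from the article or any product it mentions. The trusted network range, timeouts and the decision to bind a session to the issuing IP and User-Agent are assumptions for illustration.

```python
"""Server-side session store that limits what a stolen session cookie is worth.

Added example (not from the article). Each session gets an idle and an absolute
expiry, is only issued from a trusted egress range, and is bound to the client
context recorded at login; a cookie replayed from another client is rejected,
the session is killed and an alert is recorded for the SOC.
"""
import ipaddress
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

IDLE_TIMEOUT = 15 * 60         # seconds of inactivity before a session dies (assumed value)
ABSOLUTE_LIFETIME = 8 * 3600   # hard cap on session age regardless of activity (assumed value)
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # constructed corporate VPN egress range


@dataclass
class Session:
    user: str
    ip: str            # client address recorded at login
    user_agent: str    # User-Agent recorded at login
    issued_at: float
    last_seen: float


def session_cookie(token: str) -> str:
    """Set-Cookie value: no Max-Age/Expires, so the cookie dies when the browser closes."""
    return f"sid={token}; Secure; HttpOnly; SameSite=Strict; Path=/"


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}
        self.alerts: List[str] = []   # detection output a SIEM would ingest

    def issue(self, user: str, ip: str, user_agent: str, now: float) -> Optional[str]:
        if not any(ipaddress.ip_address(ip) in net for net in TRUSTED_NETS):
            return None   # logins only from the known corporate network
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, ip, user_agent, now, now)
        return token

    def validate(self, token: str, ip: str, user_agent: str, now: float) -> Optional[str]:
        s = self._sessions.get(token)
        if s is None:
            return None
        if now - s.issued_at > ABSOLUTE_LIFETIME or now - s.last_seen > IDLE_TIMEOUT:
            del self._sessions[token]   # expired: reauthentication required
            return None
        if ip != s.ip or user_agent != s.user_agent:
            # Same cookie, different client: treat as possible pass-the-cookie and kill the session.
            self.alerts.append(f"session for {s.user} replayed from {ip} with UA {user_agent!r}")
            del self._sessions[token]
            return None
        s.last_seen = now
        return s.user
```

Binding to a single IP will also evict legitimate users whose address changes (mobile networks, VPN reconnects); in practice a subnet or a device-bound token is a gentler check, but the detection signal is the same.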

A matter of culture

As with many other security risks, effective mitigation also depends to a large extent on having appropriate internal security cultures in place, as OneLogin’s global data protection officer, Niamh Muldoon, points out.

“Security culture and maintaining security consciousness with your entire organisation is critical not just for identifying and responding to security threats but following security processes,” she said.

“Access control processes of provisioning and de-provisioning are great examples that need conscious focus and attention to ensure only those that have a business requirement for access have access and their access is approved, reviewed and monitored per the access control principles of authentication, authorisation and assurance.”

Wachsman added: “To prevent these attacks companies need to increase security awareness to phishing attempts, employees should log out from cloud services when they are not using them and the services should be set to automatically kill sessions that are inactive, even for short periods of time. Becoming aware of your security posture is critical to discover and fix the weaknesses they find.”
