Hackers are stealing browser cookies to glide past MFA

cookies
(Image credit: Shutterstock / Crystal Eye Studio)

Multi-factor authentication is a great way to keep cybercriminals at bay, but some are apparently getting pretty good at bypassing this type of protection by stealing application and browser session cookies. 

Cybersecurity researchers from Sophos say they're observing an increasing appetite for cookies, among malware of all sophistication levels. From infostealers such as Racoon Stealer, or RedLine Stealer, to destructive trojans such as Emotet, an increasing number of viruses and malware are getting cookie-stealing functionalities. 

By stealing session cookies, threat actors are able to bypass multi-factor authentication because, with the cookies, the service already deems the user authenticated and just grants access immediately. That also makes them a high-value asset on the black market, with Sophos seeing cookies being sold on Genesis, where members of the Lapsus$ extortion group bought one that resulted in a major data theft from video games giant EA

Buying cookies 

After purchasing a Slack session cookie from Genesis, the threat actor managed to spoof an existing login of an EA employee and trick the company’s IT team into providing network access. This allowed them to steal 780 GB of data, including game and graphics engine source code, which was later used in an extortion attempt.

The biggest problem with cookies is that they last relatively long, especially for applications such as Slack. A longer-lasting cookie means threat actors have more time to react and compromise an endpoint. IT teams can program their browsers and apps to shorten the allowable timeframe that cookies remain valid, but it comes with a caveat - that means users would need to re-authenticate more often which, in turn, means IT teams need to strike the perfect balance between security and convenience.

Cookie abuse can also be prevented through behavioral rules, Sophos hints, saying that it’s able to stop scripts and untrusted programs “with a number of memory and behavior detections”.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.