Active adversaries are increasingly exploiting stolen session cookies to bypass MFA
Active adversaries are increasingly exploiting stolen session cookies to bypass multi-factor authentication (MFA) and gain access to corporate resources, according to Sophos.
In a few cases, the cookie theft itself is a highly targeted attack, with adversaries scraping cookie data from compromised systems within a network and using legitimate executables to disguise the malicious activity, Help Net Security reports.
Once the hacker has obtained access to corporate web-based and cloud resources using the cookies, they can use them for further exploitation, such as business email compromise, social engineering to gain additional system access, and even modification of data or source code repositories.
Sophos principal threat researcher Sean Gallagher said that over the past year, they have seen hackers increasingly turn to cookie theft to work around the growing adoption of MFA.
Sean believes that the attackers are shifting to new and improved versions of information-stealing malware such as Raccoon Stealer to simplify the process of obtaining authentication cookies, also known as access tokens.
He further says that if attackers have session cookies, they can move freely around a network, impersonating legitimate users.
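
A defender-side illustration of that last point, added here and not taken from Sophos or Help Net Security: because a replayed cookie never passes through the MFA prompt, one detection is to bind each session ID to the client that completed MFA and flag later use from a different network and user agent. The JSON log schema, field names, alert labels and the /24 comparison are assumptions, and the sample events are constructed.

```python
import ipaddress
import json

# Constructed sample events (not real logs): one login with MFA, then
# requests that present a session cookie.
SAMPLE_LOG = """\
{"ts": "2022-08-18T09:00:02Z", "event": "mfa_success", "user": "alice", "sid": "s-1001", "ip": "203.0.113.10", "ua": "Chrome/104 Windows"}
{"ts": "2022-08-18T09:05:40Z", "event": "request", "user": "alice", "sid": "s-1001", "ip": "203.0.113.10", "ua": "Chrome/104 Windows"}
{"ts": "2022-08-18T09:30:11Z", "event": "request", "user": "alice", "sid": "s-1001", "ip": "203.0.113.77", "ua": "Chrome/104 Windows"}
{"ts": "2022-08-18T11:12:09Z", "event": "request", "user": "alice", "sid": "s-1001", "ip": "198.51.100.23", "ua": "python-requests/2.28"}
{"ts": "2022-08-18T11:20:00Z", "event": "request", "user": "bob", "sid": "s-2002", "ip": "192.0.2.50", "ua": "Firefox/103 Linux"}
"""

def same_network(ip_a, ip_b, prefix=24):
    """True when both IPv4 addresses fall in the same /prefix network."""
    net = ipaddress.ip_network(f"{ip_a}/{prefix}", strict=False)
    return ipaddress.ip_address(ip_b) in net

def find_session_replay(log_text):
    """Return (ts, sid, label) alerts for sessions used by a client other
    than the one that completed MFA for that session."""
    bound = {}   # sid -> (ip, ua) of the client that passed MFA
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        sid = ev["sid"]
        if ev["event"] == "mfa_success":
            bound[sid] = (ev["ip"], ev["ua"])
            continue
        if sid not in bound:
            # Session with no MFA event in the window: replayed cookie, or
            # a login that predates the log window. Needs triage.
            alerts.append((ev["ts"], sid, "no_mfa_seen"))
            continue
        ip, ua = bound[sid]
        ip_moved = not same_network(ip, ev["ip"])
        ua_changed = ua != ev["ua"]
        if ip_moved and ua_changed:
            alerts.append((ev["ts"], sid, "likely_replay"))
        elif ip_moved or ua_changed:
            # One attribute changed (roaming, browser update): lower severity.
            alerts.append((ev["ts"], sid, "review"))
    return alerts

if __name__ == "__main__":
    for alert in find_session_replay(SAMPLE_LOG):
        print(alert)
```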