The News: It’s not unusual for organizations to implement multi-factor authentication (MFA) protocols and think they’re safe from hackers. Today, that’s not so much the case. Hackers are using stolen app and active session cookies as a way to circumvent multi-factor identification barriers, according to British cyber security company Sophos. The sale of cookies with active sessions on encrypted networks threatens the current security standard for cloud-based services and opens up a massive amount of sensitive information to unauthorized access. This is a bad thing. Like, a “we better fix this fast” bad thing. Read more about the news on Tech Radar.
Think You’re Safe Because of MFA? Think Again — Hackers Are Now Raiding the Cookie Jar
Analyst Take: Part of the preaching the gospel about cybersecurity best practices often includes singing the praises of multi-factor authentication. Today, hackers are finding a clever away around the barriers MFA attempts to put in their way by focusing on cookies instead. And it’s smart.
When a user clicks through a cookie opt-in (which most of us do countless times a day), they’re opening a “session.” That session is essentially an amount of time each user can visit before being asked to log in again. Depending on the platform, session cookies can remain active for days or weeks. That’s the latest hacker playground. By focusing on and snatching fresh cookies for sessions that remain active, hackers can access information without being required to authenticate.
Sophos News’ Sean Gallagher laid out the breadth of apps and data being bought and sold on underground forums as the popularity of session-hijacking grows, “Information-stealing malware [which] can be purchased through underground forums” Gallagher explained based on Sophos data, “are often used by entry-level criminals to collect cookies and other credentials in bulk for sale to criminal marketplaces.”
But it only gets more advanced from there. The Lapsus$ extortion group alleged that they successfully accessed EA’s Slack channel via a purchased session cookie, allowing them to grab 780gb of data before the gaming giant could shut them down. Gallagher suggests that skilled cookie-thieves could eventually grab session data from users’ browsers in real-time.
So, How Do We Put a Lid on This Cookie Jar?
How do we adapt cybersecurity behavior across organizations to counter this threat? Knowing the risk posed by cookies is a good start. And let this be a reminder that it’s not a good idea to count on multi-factor authentication alone as the be all, end all protection. Beef up your firewall. Know what your security team is doing to reduce vulnerabilities, Session-length can be adjusted by an admin in a lot of apps, so that’s a good place to start reducing active sessions. Educate your team about the dangers posed by cookies and teach them (and remind them on the regular) to take the time to opt-out of unnecessary cookies. Also, take a good look at the settings for the apps you use internal comms, like Slack, which have notoriously long session-lengths. Hackers continue to evolve their strategies and look for vulnerabilities and stealing active session cookies is pretty smart. Learn from these mistakes regarding the vulnerability of active sessoin cookies and MFA and evolve your internal security operations accordingly.
Disclosure: Futurum Research is a research and advisory firm that engages or has engaged in research, analysis, and advisory services with many technology companies, including those mentioned in this article. The author does not hold any equity positions with any company mentioned in this article.
Analysis and opinions expressed herein are specific to the analyst individually and data and other information that might have been provided for validation, not those of Futurum Research as a whole.
Other insights from Futurum Research:
Full Impact of REvil Ransomeware Attack on Kaseya Becomes Apparent
Author Information
Shelly Kramer is a serial entrepreneur with a technology-centric focus. She has worked alongside some of the world’s largest brands to embrace disruption and spur innovation, understand and address the realities of the connected customer, and help navigate the process of digital transformation.
