Over the years, threats to password security have increased, which is why so many organizations have adopted Multi-Factor Authentication (MFA) as a way to improve account security. MFA is highly effective at stopping cyber criminals. It is also a cost-efficient first line of defense to deploy across your entire organization. This is why various governmental agencies (FBI and CISA, to name a few) and cyber insurers strongly recommend that MFA be deployed systematically. However, when threat actors are set on targeting a specific organization, they will find ways to circumvent MFA. The most common tactic is stealing session cookies.
What are session cookies?
Cookies are small text files that a website stores on your device (smartphone or computer) when you browse the internet so that the site can deliver an improved experience in subsequent visits. Session cookies are cookies that last for a session. A session starts when you launch a website or web app and ends when you leave the website or close the application.
As soon as cyber criminals successfully infiltrate a system, they will target the user’s cookies for later use or sale on the dark web. This is simple to execute and requires little beyond some form of access to the victim’s device. This loophole applies to all types of MFA (SMS-based or authenticator-based, such as Google, Okta, Duo, Microsoft, etc.). To take it a step further, thanks to malware-as-a-service, entry-level threat actors are joining in on credential theft. Various pieces of malware can be used to collect session tokens from browsers:
- Emotet Malware
- Raccoon Stealer Malware
- RedLine Stealer Keylogger
While this may sound alarming, there are ways to protect yourself and your organization through additional security measures which are outlined below. Threats are constantly evolving, therefore it’s our duty to adapt and evolve as well.
Cowbell’s Risk Engineering team is here to help you stay prepared in this market. If you have any questions or need clarification on important security measures to implement, reach out to us here for tailored support to make your organization as secure as possible.
Going deeper: Ways to protect yourself from MFA bypass
Browser security
To reduce the risk of session cookie theft, keep your browser’s cookie store in a secure location and disable automatic cookie saving. Additionally, use a secure MFA code generator that produces one-time passwords that are difficult to guess. Do not reuse a one-time password across sites, and use separate browsers so that cookies are not shared between them.
Session management
Session management is the process of keeping track of user sessions on a server. In web applications, this is typically done using session cookies, which are unique tokens assigned to each user. When a user logs in, a session cookie is generated and stored on their computer. This cookie is then used to identify the user during subsequent interactions with the site. If an attacker is able to steal a user’s session cookie, they can impersonate that user and gain access to their account. For this reason, it is important to ensure that session cookies are well protected. One way to do this is to use ‘secure’ cookies, which are only sent over HTTPS connections. Another way to protect session cookies is to use ‘httponly’ cookies, which are not accessible to client-side scripts (such as JavaScript). Administrators should also limit session lifetime so that users must re-authenticate with MFA daily. This is a good way to prevent old session tokens from being reused.
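As an added example (not code from the original post), here is a minimal server-side session issuer in Python that applies the ‘secure’ and ‘httponly’ flags described above, adds SameSite, and enforces a one-day absolute lifetime so that a stolen token stops working once daily MFA re-authentication is due. The in-memory store, the one-day value, and the user names are assumptions made for the example.

```python
import secrets
import time
from http.cookies import SimpleCookie

# Absolute session lifetime: one day, matching the daily MFA re-authentication
# recommended above (assumed value for this example).
SESSION_MAX_AGE = 24 * 60 * 60

# Server-side session store: token -> (user, created_at). Constructed for the example;
# a real deployment would use a shared store such as a database or cache.
SESSIONS = {}

def issue_session(user, now=None):
    """Create a session after MFA succeeds and build the Set-Cookie header."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)          # 256-bit random token, unguessable
    SESSIONS[token] = (user, now)
    cookie = SimpleCookie()
    cookie["session"] = token
    cookie["session"]["secure"] = True         # only sent over HTTPS
    cookie["session"]["httponly"] = True       # not readable via document.cookie
    cookie["session"]["samesite"] = "Strict"   # not sent on cross-site requests
    cookie["session"]["max-age"] = SESSION_MAX_AGE
    cookie["session"]["path"] = "/"
    return token, cookie.output(header="Set-Cookie:")

def validate_session(token, now=None):
    """Return the user for a presented token, or None if unknown or expired."""
    now = time.time() if now is None else now
    entry = SESSIONS.get(token)
    if entry is None:
        return None
    user, created_at = entry
    if now - created_at > SESSION_MAX_AGE:
        SESSIONS.pop(token, None)   # expired: force a fresh login including MFA
        return None
    return user

def revoke_all_sessions(user):
    """Invalidate every session for a user, e.g. after a suspected cookie theft."""
    stale = [t for t, (u, _) in SESSIONS.items() if u == user]
    for t in stale:
        del SESSIONS[t]
    return len(stale)
```

Because the lifetime is checked server-side, a replayed cookie is rejected after expiry regardless of what the client sends, and revoke_all_sessions lets an administrator cut off a compromised account immediately.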
Implement EDR tools on all endpoints
Endpoint detection and response (EDR) tools can detect and prevent attempts to steal session cookies from endpoints. EDR tools work by monitoring system activity and looking for suspicious behavior that could indicate an attack is underway. If a potential attack is detected, the EDR tool can take action to block it, preventing the attacker from stealing the session cookie.
Consider implementing a zero trust solution
Zero trust is a security model that never trusts any user or device by default, even one that has previously been authenticated. In a zero trust environment, every user and device must be verified and authenticated before being allowed to access any resource.
For more information on Zero Trust, please review our four-part blog post on the topic.
This blog post was written by Cowbell’s Risk Manager, Jay Gohil, and Cowbell’s Risk Engineer, JaJuan Grant.