![]() This can lead to exploitation of web services (such as AWS or Azure), software-as-a-service and collaboration services for further data exposure or lateral movement, such as business email compromise, access to cloud data stores, or using a hijacked Slack session to lure additional victims into downloading malware or exposing other data that can be leveraged for access. Figure 2: Legitimate web-service activity… …and how pass-the-cookie attacks subvert that. This is similar to “pass the hash” attacks, which use locally stored authentication hashes to gain access to network resources without having to crack the passwords. The reason for cookie theft is straightforward: Cookies associated with authentication to web services can be used by attackers in “pass the cookie” attacks, attempting to masquerade as the legitimate user to whom the cookie was originally issued and gain access to web services without a login challenge. Figure 1: Some of the cookies in a cookies.sqlite file ![]() One of these key-value pairs specifies the expiration of the cookie-how long it is valid for before it must be renewed. The content of each cookie in the database is a list of parameters and values-a key-value store that identifies the browser session to the remote website, including in some cases a token passed by the site to the browser after user authentication. Other applications that connect to remote services have their own cookie repositories, or in some cases access to those of web browsers. (Similar SQLite files store browser history, website logins and autofill information on these browsers). Hands in the Cookie Jarīrowsers store cookies in a file for Mozilla Firefox, Google Chrome, and Microsoft Edge, the file is a SQLite database in the user profile folder. Additionally, some legitimate applications that use cookies may leak them, exposing tokens to attackers. Occasionally, these detections spike dramatically as specific campaigns are launched. But with these benign sources screened out, we saw thousands of attempts to access browser cookies per day that fall outside the realm of benign software behavior. ![]() We found anti-malware software, auditing tools, and operating system helpers among cookie-snooping detections in Sophos telemetry: Bing’s wallpaper updater, for example, accesses cookies to retrieve new desktop backgrounds. There are also legitimate applications and processes that interact with browser cookie files. But we’ve also often seen hands-on attacks abusing legitimate offensive-security tools such as Mimikatz, Metasploit Meterpreter and Cobalt Strike to execute cookie harvesting malware or run scripts that grab cookies from browsers’ caches. In some cases, we’ve seen evidence of ransomware operators using the same info stealer malware as less sophisticated attackers. This allowed Lapsus$ to grab 780 gigabytes of data, including game and graphics engine source code, which the group then used to attempt to extort EA.Īt the higher end of the criminal sophistication spectrum, we have observed active adversaries harvest cookies in a variety of ways. Members of the Lapsus$ extortion group claimed to have purchased a stolen session cookie from the marketplace, giving them access to EA’s Slack instance that allowed them to spoof an existing login of an EA employee and deceive a member of EA’s IT team into providing them network access. One such marketplace, Genesis, was the apparent source for a cookie belonging to an employee of the game developer Electronic Arts. At the bottom end of the cybercrime range, information-stealing malware such as the Raccoon Stealer malware-as-a-service and the RedLine Stealer keylogger / information stealer-both of which can be purchased through underground forums-are often used by entry-level criminals to collect cookies and other credentials in bulk for sale to criminal marketplaces. The range of criminals targeting cookies is broad. Google’s Chrome browser uses the same encryption method to store both multi-factor authentication cookies and credit card data-both targets of Emotet. The latest version of the Emotet botnet is just one of the many malware families that target cookies and other credentials stored by browsers, such as stored logins and (in some cases) payment card data. Attackers are increasingly turning to stealing the “cookies” associated with credentials to clone active or recent web sessions-bypassing MFA in the process. While user account names and passwords are the most obvious targets of credential-stealing activities, the increased use of multi-factor authentication (MFA) to protect web-based services has reduced the effectiveness of that approach. Credential-stealing malware is an integral part of the toolkit used by a wide variety of cybercriminals and other adversaries.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |