Alert Status: High
Affected Solution: Any Web Application that Creates Cookies for Authentication
Browser cookies let a web application keep a user signed in: after the first login (including any MFA step), the server sets a session cookie and the browser sends it back with every later request, so the user is not asked for a username, password or MFA code on every page.
An attacker who extracts the right cookie can present it from a different browser on a different system and be treated as that user. Because the cookie represents a session that has already passed authentication, MFA is never prompted again; the attack bypasses MFA rather than defeating it. (This is the web-application analogue of Pass the Hash in Active Directory: a stolen authentication artifact is replayed instead of the password.)
CISA (the Cybersecurity and Infrastructure Security Agency) and the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) have published guidance on this attack, including the mitigations recommended below:
https://www.cisa.gov/news-events/analysis-reports/ar21-013a
https://www.cyber.nj.gov/garden_state_cyber_threat_highlight/pass-the-cookie-attacks-gain-traction
What should you do?
A pass-the-cookie attack can happen at any point after a user's machine is compromised. The attacker does not need the user's password or MFA token: the cookie is itself proof of an authenticated session for every web application the user is signed in to. We recommend the following to reduce the risk from these attacks:
- Restrict cloud access to authorized devices protected by ActZero only; this removes the exposure from BYOD users whose devices have no corporate EDR solution installed
- Follow best practices for zero trust within Azure: Azure Zero-Trust
- Require devices to be joined to the AD domain before they are granted access, so that every device is covered by ActZero protection, which can block cookie theft
- Implement Conditional Access policies that restrict access to resources to authorized geolocations only: Conditional Access Policy
- Configure Azure session management (Conditional Access session controls) to disable persistent browser sessions, so the sign-in cookie is discarded when the browser is closed instead of being kept for days
- Disable legacy protocols such as POP3, which let older mail clients send and receive email with only a username and password; these protocols cannot enforce MFA, so disabling them stops stolen credentials from being used to reach mailboxes from outside your corporate network
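The recommendations above are tenant-side controls. For the affected solution named at the top of this alert, any web application that issues authentication cookies, the application itself can also limit what a stolen cookie is worth. The following is an added example, not code from the advisory or from any ActZero product: it keeps the session opaque and server-side, binds it to the client context it was issued for, enforces an idle timeout, supports revocation as an incident-response action, and emits the cookie as a non-persistent Secure/HttpOnly cookie. The timeout value, the fingerprint inputs and the cookie name are assumptions.

```python
"""Added example (not from the advisory): server-side session handling that
limits what a stolen cookie is worth.

A pass-the-cookie attack works because the cookie is a bearer token: whoever
presents it is logged in.  Three things the application itself can do:
  1. keep the token opaque and all state server-side (nothing useful to read),
  2. bind the session to the client context it was issued for and enforce an
     idle timeout, so a replayed cookie is rejected or dies quickly,
  3. issue it as a non-persistent, Secure, HttpOnly, SameSite cookie.
Client fingerprinting (User-Agent, source network) raises the bar but is not
proof: an attacker who copied the cookie can also copy the User-Agent, so the
server-side revocation and timeout are the controls that actually end access.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

IDLE_TIMEOUT_SECONDS = 15 * 60            # assumption: 15 minutes idle, then sign in again
SERVER_SECRET = secrets.token_bytes(32)   # in practice loaded from a secret store


def client_fingerprint(user_agent: str, source_network: str) -> str:
    """Keyed hash of the client context a session is bound to.  `source_network`
    should be coarse and stable (a /24 or an ASN), not the full address, so NAT
    and mobile roaming do not log users out."""
    material = f"{user_agent}\x00{source_network}".encode()
    return hmac.new(SERVER_SECRET, material, hashlib.sha256).hexdigest()


@dataclass
class Session:
    user: str
    fingerprint: str
    last_seen: float
    revoked: bool = False


class SessionStore:
    """Opaque random tokens; everything meaningful lives server-side."""

    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}

    def issue(self, user: str, user_agent: str, source_network: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, client_fingerprint(user_agent, source_network), now)
        return token

    def validate(self, token: str, user_agent: str, source_network: str, now: float):
        """Return (user, reason).  `user` is None when the cookie must be rejected."""
        s = self._sessions.get(token)
        if s is None or s.revoked:
            return None, "unknown-or-revoked"
        if now - s.last_seen > IDLE_TIMEOUT_SECONDS:
            s.revoked = True
            return None, "idle-timeout"
        if not hmac.compare_digest(s.fingerprint, client_fingerprint(user_agent, source_network)):
            # Same cookie, different client context: the pass-the-cookie signature.
            # Kill the session so the legitimate user is also forced to re-authenticate.
            s.revoked = True
            return None, "context-mismatch"
        s.last_seen = now
        return s.user, "ok"

    def revoke_all_for_user(self, user: str) -> int:
        """Response action: invalidate every live session of a user whose device was compromised."""
        n = 0
        for s in self._sessions.values():
            if s.user == user and not s.revoked:
                s.revoked = True
                n += 1
        return n


def set_cookie_header(token: str) -> str:
    """No Expires/Max-Age: this is a session cookie the browser discards when the
    browsing session ends, which is what the 'no persistent browser session'
    control enforces tenant-wide.  It is still present while the browser is open,
    so this narrows the attacker's window rather than closing it."""
    return f"Set-Cookie: session={token}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore()
    tok = store.issue("alice", "Mozilla/5.0 (Windows NT 10.0)", "203.0.113.0/24", now=1000.0)
    print(set_cookie_header(tok))
    print(store.validate(tok, "Mozilla/5.0 (Windows NT 10.0)", "203.0.113.0/24", now=1100.0))
    # Same cookie replayed from another machine on another network:
    print(store.validate(tok, "Mozilla/5.0 (X11; Linux x86_64)", "198.51.100.0/24", now=1200.0))
```

The context check deliberately revokes the session on mismatch instead of only refusing the one request: once a token has been seen from two places, the legitimate user's copy is compromised too, and forcing a fresh MFA login for both is the safe outcome.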
What is the risk?
Once a user's machine has been compromised, the attacker can read the browser's cookie store directly; tools such as Mimikatz can dump and decrypt this data. Note that what is stolen is the session token, not a saved password: the cookie is proof that authentication, including MFA, has already succeeded. The attacker then inspects the stolen cookies to identify the web application each one belongs to, loads them into a browser on their own system, and is treated as the already-authenticated user, bypassing MFA altogether. The stolen session remains usable until it expires or is revoked server-side.
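When the application is a SaaS product you do not control, the attack leaves its trace in access logs rather than being blockable in code: the same session identifier appears from two different client contexts while the legitimate session is still alive. The following is an added example, not from the advisory, that hunts for that pattern in a constructed log sample. The log format, field names and the choice of a /24 as the network granularity are assumptions; adapt the parser to your own telemetry.

```python
"""Added example (not from the advisory): hunting for session reuse in
sign-in / access logs.  The detectable signature of a pass-the-cookie attack
is one session identifier presented from two different client contexts
(device fingerprint, source network).  Log format and field names below are
assumptions made for this example."""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample log lines (not real data).  `sid` is a hash of the cookie
# value, which is what a sensible application logs instead of the cookie itself.
SAMPLE_LOG = """\
2024-03-01T09:00:12Z sid=7f3a user=alice src=203.0.113.24 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/122"
2024-03-01T09:14:40Z sid=7f3a user=alice src=203.0.113.24 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/122"
2024-03-01T09:21:03Z sid=7f3a user=alice src=198.51.100.7 ua="Mozilla/5.0 (X11; Linux x86_64) Firefox/123"
2024-03-01T09:30:55Z sid=c9e1 user=bob src=203.0.113.31 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/122"
2024-03-01T10:02:19Z sid=c9e1 user=bob src=203.0.113.31 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/122"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) sid=(?P<sid>\S+) user=(?P<user>\S+) src=(?P<src>\S+) ua="(?P<ua>[^"]*)"$'
)


def parse_line(line: str) -> dict | None:
    """Parse one log line into its fields; None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def network_of(ip: str) -> str:
    """Coarsen to a /24 so a user moving within one office network is not an alert."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


def find_session_reuse(log_text: str) -> list[dict]:
    """Return one finding for each new (network, user-agent) context a session id
    is seen from after its first one.  The first context observed is treated as
    the legitimate issuer context; every additional context is reported once,
    with the timestamp of its first appearance."""
    contexts_by_sid: dict[str, dict[tuple, str]] = defaultdict(dict)  # sid -> {ctx: first ts}
    findings: list[dict] = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable lines are skipped, not silently trusted
        ctx = (network_of(ev["src"]), ev["ua"])
        contexts = contexts_by_sid[ev["sid"]]
        if ctx in contexts:
            continue
        contexts[ctx] = ev["ts"]
        if len(contexts) > 1:
            issued_to = next(iter(contexts))  # dicts preserve insertion order
            findings.append({
                "sid": ev["sid"], "user": ev["user"], "at": ev["ts"],
                "issued_to": issued_to, "replayed_from": ctx,
            })
    return findings


if __name__ == "__main__":
    for f in find_session_reuse(SAMPLE_LOG):
        print(f"{f['at']} session {f['sid']} ({f['user']}) replayed from {f['replayed_from']}, "
              f"originally {f['issued_to']}")
```

In the sample, alice's session 7f3a is replayed from a different network and browser nine minutes after its last legitimate use, while bob's session stays on one context and produces no finding. A real deployment would add a time window and a known-good network list to keep VPN switches and mobile roaming out of the alert queue.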
In the event of a suspected breach, please call the ActZero 24x7 Breach number at 1-855-917-4981.