Alert Status: High
Affected Solution: Any Web Application that Creates Cookies for Authentication
Browser cookies enable web applications to store user authentication information, so a user can stay signed in instead of having to supply their username and password every time they navigate to a new page on a website.
If someone were able to extract the right browser cookies, they could authenticate as that user in a separate web browser session on another system. In short, they could use the cookie to bypass MFA-protected authentication entirely. (This is analogous to the Pass the Hash attack in Active Directory.)
CISA (the Cybersecurity and Infrastructure Security Agency) and the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) have released announcements regarding this attack, with recommendations for mitigation:
https://www.cisa.gov/news-events/analysis-reports/ar21-013a
https://www.cyber.nj.gov/garden_state_cyber_threat_highlight/pass-the-cookie-attacks-gain-traction
What should you do?
Pass-the-cookie attacks can occur at any time once a user’s machine has been compromised. The attacker does not need the user’s credentials, because the stolen cookies already carry the authenticated sessions for the web applications the user regularly visits. We recommend the following to mitigate the risk posed by these attacks:
What is the risk?
Once a user’s machine has been compromised, the attacker can directly dump the stored browser cookies and steal the authenticated sessions saved for the web applications the user accesses. Tools such as Mimikatz can dump this data. Once obtained, the attacker can inspect the stolen session to identify the targeted web application; from there it is just a matter of inserting the browser cookies into the browser on the attacker’s system, which grants access and bypasses MFA altogether.
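Server-side, a replayed cookie looks like one session id arriving from a different client than the one that established it. The following detection over access logs is an added example written for this alert, not code from ActZero or the cited agencies; the log format, IP addresses, session ids and User-Agent strings are all constructed.

```python
"""Flag session cookies presented from more than one client context.

A cookie stolen from a compromised machine and replayed on the attacker's
system shows up as the same session id arriving with a different source IP
and/or User-Agent than the login that created it. Format and values are constructed.
"""
import re
from collections import defaultdict

# Constructed log format: <timestamp> <client-ip> sid=<session-id> ua="<user-agent>" <path>
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) sid=(?P<sid>\S+) ua="(?P<ua>[^"]*)" (?P<path>\S+)$'
)

# Constructed sample: sid=abc123 is used by its owner, then replayed from another
# IP with a different browser; sid=def456 is only ever seen from one client.
SAMPLE_LOG = """\
2024-01-01T09:00:00Z 203.0.113.10 sid=abc123 ua="Firefox/120" /login
2024-01-01T09:00:05Z 203.0.113.10 sid=abc123 ua="Firefox/120" /mail/inbox
2024-01-01T09:01:00Z 198.51.100.7 sid=def456 ua="Chrome/119" /login
2024-01-01T09:02:00Z 198.51.100.7 sid=def456 ua="Chrome/119" /mail/inbox
2024-01-01T09:15:00Z 192.0.2.99 sid=abc123 ua="Chrome/119" /mail/inbox
2024-01-01T09:15:01Z 192.0.2.99 sid=abc123 ua="Chrome/119" /mail/settings
"""


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_replayed_sessions(log_text):
    """Map each session id to the sorted (ip, user_agent) pairs it was presented from,
    keeping only sessions seen from more than one client."""
    clients = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            clients[rec["sid"]].add((rec["ip"], rec["ua"]))
    return {sid: sorted(seen) for sid, seen in clients.items() if len(seen) > 1}


def severity(clients):
    """A new IP alone can be legitimate roaming; an IP plus User-Agent change is stronger."""
    user_agents = {ua for _, ua in clients}
    return "high" if len(user_agents) > 1 else "medium"


if __name__ == "__main__":
    for sid, seen in find_replayed_sessions(SAMPLE_LOG).items():
        print(sid, severity(seen), seen)
```

Binding a session to the client context at login and invalidating it on a mismatch applies the same comparison as a preventive control rather than an after-the-fact detection.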
In the event of a suspected breach, please call the ActZero 24x7 Breach number at 1-855-917-4981.