Saturday, June 28, 2025

Cookie-Chew Attack Demos Extension Exploit To Steal Cookies


Researchers have devised a new attack technique, “Cookie-Chew”, that demonstrates cookie theft via malicious browser extensions. While the idea of stealing session cookies is not new, using a malicious browser extension as the PoC is a fresh angle that highlights the severity of the issue.

Cookie-Chew Attack Ensures Persistent Access By Stealing Cookies

Sharing the details in a recent post, researchers from Varonis highlighted how a malicious browser extension can quietly enable persistent access to user accounts. Named “Cookie-Chew”, the attack demonstrates using a browser extension to steal session cookies, evading the security checks performed at account login.

Specifically, the researchers demonstrated the attack by using a specially crafted browser extension to steal cookies. They used Google Chrome in their study and targeted Azure authentication-related cookies. However, they explained that the technique applies to other services as well, each service's exposure depending on its session handling, cookie structure, and security controls.

As a proof-of-concept (PoC), the researchers targeted the ‘ESTSAUTH’ and ‘ESTSAUTHPERSISTENT’ cookies in Azure Entra ID. These cookies grant and maintain authenticated access to Microsoft services such as Microsoft 365 and the Azure Portal. While users may apply additional security measures, such as multi-factor authentication, to secure the login itself, the Cookie-Chew attack steals these post-login cookies and so achieves persistent access to Microsoft services without requiring account credentials.

In the worst exploitation scenarios, an adversary could use such a session hijacking attack to move laterally across cloud environments. With unchecked persistent access to critical services, attackers could gain unrestricted access to sensitive data.

In addition to Microsoft Azure Entra ID, the researchers also listed other important cloud services, such as Google Workspace, GitHub, the AWS Management Console, and Okta (SSO), along with their respective authentication cookies that the Cookie-Chew attack can target.

Upon gaining persistent access to target accounts by stealing cookies, an adversary could carry out a range of malicious actions. According to the researchers, these actions may include deploying PowerShell, stealing other services’ cookies, performing unauthorized app registrations, and moving laterally across the network.

Recommended Mitigations For This Sneaky Attack

Notably, the Cookie-Chew attack involves no sophisticated malware to steal cookies. Instead, it uses a simple script, which makes it difficult to detect and block. Moreover, the attack remains effective because it operates inside the browser: the stolen cookies are replayed after authentication, so the account login checks are bypassed on every subsequent login attempt.

However, the researchers have shared several means to prevent this attack. These include running thorough scans to detect unusual user behavior, using Microsoft Risk to flag unusual sign-ins, deploying Conditional Access Policies (CAP) to restrict unauthorized users’ access, and implementing Chrome ADMX policies to restrict the use of browser extensions to a specific allowlist.
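The "unusual sign-in" detection the researchers recommend comes down to one question: is an authenticated session cookie being presented from a device other than the one that completed the interactive (MFA) login? The following is an added example, not code from Varonis or from the original article, that answers that question over a handful of constructed sign-in records. The field names (`user`, `session`, `ip`, `ua`, `mfa`) are an assumed simplification of a sign-in log schema; real Entra ID sign-in logs carry richer fields, but the logic is the same.

```python
from datetime import datetime

# Constructed sample sign-in events (not real telemetry). Field names are an
# assumed, simplified schema; "session" stands for the session identifier tied
# to the authentication cookie, "mfa" records whether this sign-in itself
# satisfied a multi-factor challenge.
SAMPLE_EVENTS = [
    # Alice logs in interactively with MFA from her workstation...
    {"time": "2025-06-28T09:00:00", "user": "alice@example.com", "session": "sess-111",
     "ip": "203.0.113.10", "ua": "Chrome/126 Windows", "mfa": True},
    # ...and keeps using the same session from the same device (benign).
    {"time": "2025-06-28T09:05:00", "user": "alice@example.com", "session": "sess-111",
     "ip": "203.0.113.10", "ua": "Chrome/126 Windows", "mfa": False},
    # The same session cookie is then replayed from a different IP and browser,
    # without any MFA challenge: the signature of a stolen session cookie.
    {"time": "2025-06-28T09:20:00", "user": "alice@example.com", "session": "sess-111",
     "ip": "198.51.100.77", "ua": "Chrome/125 Linux", "mfa": False},
    # Bob's activity stays on one device throughout (benign).
    {"time": "2025-06-28T10:00:00", "user": "bob@example.com", "session": "sess-222",
     "ip": "203.0.113.20", "ua": "Edge/126 Windows", "mfa": True},
    {"time": "2025-06-28T10:30:00", "user": "bob@example.com", "session": "sess-222",
     "ip": "203.0.113.20", "ua": "Edge/126 Windows", "mfa": False},
]


def find_session_reuse(events):
    """Flag sessions whose cookie is presented from a device (IP or user agent)
    other than the one that completed the interactive login.

    Returns a list of alert dicts; an empty list means nothing suspicious.
    """
    # (user, session) -> the first event in which that session was seen.
    first_seen = {}
    alerts = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        key = (ev["user"], ev["session"])
        if key not in first_seen:
            first_seen[key] = ev
            continue
        origin = first_seen[key]
        # Which device attributes differ from the device that established the session?
        changed = [f for f in ("ip", "ua") if ev[f] != origin[f]]
        # A re-used session from a new device that did NOT pass MFA again is the
        # pattern a replayed cookie produces; a fresh MFA from a new device is a
        # normal re-login and is not flagged here.
        if changed and not ev["mfa"]:
            alerts.append({
                "user": ev["user"],
                "session": ev["session"],
                "time": ev["time"],
                "changed": changed,
                "origin_ip": origin["ip"],
                "seen_ip": ev["ip"],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_session_reuse(SAMPLE_EVENTS):
        print(f"[session reuse] {alert['user']} session {alert['session']} "
              f"at {alert['time']}: {', '.join(alert['changed'])} changed "
              f"(login from {alert['origin_ip']}, now {alert['seen_ip']})")
```

On the constructed input, the only alert is Alice's session being replayed from a new IP and browser at 09:20. In a real deployment the same check is what a Conditional Access policy that requires a compliant device, or sign-in risk evaluation, enforces automatically; the script is useful for hunting over exported sign-in logs where those controls were not yet in place.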

Let us know your thoughts in the comments.
