Hey there, have you heard about the latest attack strategy called “Cookie-Bite”? Researchers have come up with a clever way to steal session cookies using malicious browser extensions. It’s a new approach that sheds light on the serious issue of online security.
Cookie-Bite Attack Ensures Persistent Access By Stealing Cookies
I recently read about this attack in a post by Varonis. They explained how a malicious browser extension can give hackers persistent access to user accounts by stealing session cookies. This attack, known as “Cookie-Bite”, bypasses account login security checks.
The researchers demonstrated the attack using a customized browser extension to steal cookies from Google Chrome, specifically targeting Azure authentication-related cookies. However, this technique can be applied to other services too, depending on their session handling and cookie security.
As a proof-of-concept, the researchers targeted the ‘ESTAUTH’ and ‘ESTSAUTHPERSISTNT’ cookies in Azure Entra ID, which are crucial for accessing Microsoft services like Microsoft 365 and Azure Portal. Even with security measures like multi-factor authentication in place, the Cookie-Bite attack can still gain persistent access without needing account credentials.
In a worst-case scenario, attackers could use this session hijacking technique to navigate through cloud environments and access sensitive data. The attack isn’t limited to Microsoft services; it can also target other cloud platforms like Google Workspace, GitHub, AWS, and Okta.
After stealing cookies and gaining access to user accounts, hackers can carry out various malicious activities such as deploying PowerShell scripts, stealing more cookies, unauthorized app registrations, and moving laterally across networks.
Recommended Mitigations For This Sneaky Attack
What’s alarming is that the Cookie-Bite attack doesn’t rely on complex malware; it’s a simple script that can easily go undetected. To protect against this threat, researchers suggest monitoring for unusual user behavior, using Microsoft Risk for detecting suspicious sign-ins, setting up Conditional Access Policies to limit unauthorized access, and implementing Chrome ADMX policies to control browser extension usage.
I’d love to hear your thoughts on this. Feel free to share your comments below!
