Cookies for MFA Bypass Gain Traction Among Cyberattackers

upnorth

When the malware group Lapsus$ needed to gain access to systems compromised in recent breaches, it not only searched for passwords but also for the session tokens - that is, cookies - used to authenticate a device or browser as legitimate.

Their tactics for initial access highlight a trend among attackers, who will buy passwords and cookies on the criminal underground and use them to access cloud services and on-premises applications. In addition, when they do get access to a system, attackers prioritize stealing cookies for later use or for sale. Session cookies have become the way for attackers to bypass multifactor authentication (MFA) mechanisms that otherwise protect systems and cloud services from attackers, says Andy Thompson, global research evangelist at CyberArk Labs. In a presentation at Black Hat Middle East and Africa next week, CyberArk researchers will demonstrate how attackers can steal session cookies and then use them to gain access to business and cloud services.

"The crazy part is that this applies to all types of multifactor, because stealing these cookies bypasses both authentication and authorization," Thompson says. "Once you have authenticated using multifactor, that cookie is established on the endpoint, and the attacker can then use it for later access." Stealing session cookies has become one of the most common ways that attackers circumvent multifactor authentication. The Emotet malware, the Raccoon Stealer malware-as-a-service, and the RedLine Stealer keylogger all have functionality for stealing session tokens from the browsers installed on a victim's system.
 
