CISA issued an alert which warned about new phishing attacks accessing companies’ cloud services via employees’ corporate laptops and personal devices. Especially over the past year, the risk posed by people sending emails to their personal accounts has heightened, and attackers recognize this as a quick and easy entry point to corporate environments. In fact, a recent Tessian report found that 82% of US employees have sent company data to their personal email accounts.
According to Tessian CTO and Co-Founder Ed Bishop,
“This is a rude awakening that attackers are seeing personal email accounts as the soft underbelly to corporate environments and are starting to use ‘pass-the-cookie’ techniques to successfully bypass multi-factor authentication. While phishing is a persistent threat to company security, the risk posed by people sending emails to personal accounts is often overlooked, and it’s a risk that’s been heightened as people work remotely.
With ‘pass-the-cookie’ attacks, bad actors gain credentials to move laterally within an organization, injecting a cookie into HTML requests and ultimately assuming the same privileges as their victims. Once an attacker is in the network, even if someone clicks on a benign link, it could expose the remote worker’s home IP address. This would be followed up with ‘fingerprinting’ the home router, leading to an attack if there are known vulnerabilities.
Personal accounts are easier to compromise because they are typically only protected by routers provided by their MSP, which have a history of weaknesses. These home routers often have remote management APIs that could allow a malicious user at the ISP to gain access. People also typically lower their guards when logging into personal accounts and attackers are taking advantage of this soft entry point to launch full corporate account takeover. As a result, companies should only allow access to corporate cloud infrastructure from known IP addresses, ideally via a corporate VPN endpoint with separate strong authentication or MFA in place.
In addition, businesses must treat remote home networks as untrusted, in the same way they do for airports or coffee shops, and require remote workers to use a VPN for any work-related task. Lastly, it’s important that companies monitor when new forwarding rules are created, and in some cases even disable auto-forwarding rules altogether.”
According to Paul Bischoff, privacy advocate, Comparitech:
“The alert states, in at least one case, a ‘pass-the-cookie’ attack was used to bypass multi-factor authentication. Multi-factor authentication is great at preventing an attacker from logging into an unauthorized account, but that does little good if the attacker appears to be already logged in from the start. That’s how a pass-the-cookie attack bypasses MFA altogether.
After a successful, legitimate login on a typical web app, a cookie is created and placed on the user’s device. When the user visits the site again in the future, they can bypass the login process because the user has this cookie. If an attacker manages to steal the cookie, they can place it in their own browser, bypass the MFA login process, and masquerade as a legitimate user.
You might suggest that organizations simply do away with cookies and require users to enter their credentials upon every login, but that could prove very inconvenient in some situations, while introducing other security risks. Still, organizations need to do what they can to mitigate pass-the-cookie attacks. Set strict policies dictating when session cookies are cleared. Authentication monitoring and behavior-based threat detection can help as well.”
According to Chris Hauk, consumer privacy champion, Pixel Privacy:
“In this case, hackers were able to bypass the multi-factor authentication (MFA) protocols that at least one organization had in place by using a ‘pass-the-cookie’ attack that hijacks an already authenticated session using stolen session cookies. While doing away with cookies and requiring a user to log in for each session may not be convenient or feasible, cookies should have a preset expiration time, and organizations need to step up their session monitoring and authentication methods.”
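As an added illustration (not code from the CISA alert or from any of the commentators quoted above), the following Python session store applies the two mitigations Bischoff and Hauk describe: a preset absolute and idle expiry for session cookies, and session monitoring that revokes a cookie presented from a different client than the one it was issued to. The TTL values, user names and addresses are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed policy values (assumptions, not taken from the article).
ABSOLUTE_TTL = 8 * 3600  # session ends 8 hours after login, however active
IDLE_TTL = 30 * 60       # session ends after 30 minutes without a request

@dataclass
class Session:
    user: str
    client_fp: str    # hash of the IP and User-Agent seen at login
    created: float
    last_seen: float

class SessionStore:
    """Server-side session table; the cookie carries only an opaque handle."""
    def __init__(self, clock=time.time):
        self.clock = clock   # injectable so expiry can be tested
        self.sessions = {}

    @staticmethod
    def fingerprint(ip, user_agent):
        return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()

    def login(self, user, ip, user_agent):
        """Call only after password and MFA succeed; returns the cookie value."""
        sid = secrets.token_urlsafe(32)
        now = self.clock()
        self.sessions[sid] = Session(user, self.fingerprint(ip, user_agent), now, now)
        return sid

    def validate(self, sid, ip, user_agent):
        """Return 'ok', or the reason the cookie was rejected and revoked."""
        s = self.sessions.get(sid)
        if s is None:
            return "unknown"
        now = self.clock()
        if now - s.created > ABSOLUTE_TTL or now - s.last_seen > IDLE_TTL:
            del self.sessions[sid]
            return "expired"
        if not hmac.compare_digest(s.client_fp, self.fingerprint(ip, user_agent)):
            # Same cookie, different client: treat as a replayed cookie and kill it.
            del self.sessions[sid]
            return "replay_suspected"
        s.last_seen = now
        return "ok"
```

Binding to the source IP produces false positives for mobile and roaming users whose address changes mid-session, so production deployments often bind only to stabler attributes or respond to a mismatch with a step-up MFA prompt rather than immediate revocation.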