Cookie-Bite Attack Demos Extension Exploit To Steal Cookies

A new attack strategy called “Cookie-Bite” has been devised by researchers, showcasing cookie theft through malicious browser extensions. While the concept of stealing session cookies is not new, using a malicious browser extension as a proof of concept emphasizes the seriousness of the issue.

Cookie-Bite Attack Ensures Persistent Access By Stealing Cookies

In a recent post, researchers from Varonis revealed how a malicious browser extension could surreptitiously provide persistent access to user accounts. The attack, known as “Cookie-Bite”, demonstrates how a browser extension can be used to steal session cookies, bypassing account login security measures.

The researchers showcased the attack by using a specially crafted browser extension to steal cookies, focusing on Azure authentication-related cookies in Google Chrome. They explained that this technique could be applied to other services, depending on their session handling, cookie architecture, and security.

As a proof-of-concept, the researchers targeted the ‘ESTSAUTH’ and ‘ESTSAUTHPERSISTENT’ cookies in Azure Entra ID. These cookies establish and maintain authenticated access to Microsoft services like Microsoft 365 and the Azure Portal. Because they represent an already-authenticated session, the Cookie-Bite attack can steal them for persistent access without requiring account credentials, even where the user has enabled security measures like multi-factor authentication.

In extreme cases, attackers could exploit this session hijacking attack to move laterally across cloud environments, gaining unrestricted access to critical services and important data.

Aside from Microsoft Azure Entra ID, the researchers also identified other important cloud services like Google Workspace, GitHub, AWS Management Console, and Okta (SSO) and their respective authentication cookies that could be targeted by the Cookie-Bite attack.

After gaining persistent access by stealing cookies, attackers could execute various malicious actions such as deploying PowerShell, stealing other services’ cookies, unauthorized app registrations, and lateral movement across the network.

Recommended Mitigations For This Sneaky Attack

The Cookie-Bite attack doesn’t require sophisticated malware to steal cookies, making it challenging to detect and block. It succeeds because the stolen session cookie is used through an ordinary browser, so the account login checks are never triggered again.

The researchers suggested several ways to prevent this attack, including conducting thorough scans to detect unusual user behavior, using Microsoft’s sign-in risk detection to flag unusual sign-ins, implementing Conditional Access Policies (CAP) to restrict unauthorized access, and applying Chrome ADMX policies to limit the use of browser extensions to an approved list.
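One way to apply the last of those mitigations on a Windows endpoint, as an added example that is not code from the article or from Varonis: the same ExtensionInstallBlocklist and ExtensionInstallAllowlist policies that the Chrome ADMX templates expose can be written to the registry directly. The script assumes Chrome reads policies from the HKLM path shown, and the extension ID in the allowlist is a constructed placeholder.

```powershell
# Added example (not from the article or the Varonis research). Run elevated.
# Blocks every Chrome extension except the IDs in $ApprovedExtensionIds.

$ChromePolicy = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
# Constructed placeholder: replace with the 32-character IDs of your approved extensions.
$ApprovedExtensionIds = @('aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa')

function Set-ChromeExtensionAllowlist {
    param([string[]]$AllowedIds)
    $blockKey = Join-Path $ChromePolicy 'ExtensionInstallBlocklist'
    $allowKey = Join-Path $ChromePolicy 'ExtensionInstallAllowlist'
    foreach ($key in @($blockKey, $allowKey)) {
        if (Test-Path $key) { Remove-Item $key -Recurse -Force }   # start from a clean list
        New-Item $key -Force | Out-Null
    }
    # A "*" entry in the blocklist covers every extension not explicitly allowed.
    New-ItemProperty -Path $blockKey -Name '1' -Value '*' -PropertyType String -Force | Out-Null
    $i = 1
    foreach ($id in $AllowedIds) {
        # Chrome extension IDs are exactly 32 characters drawn from a-p.
        if ($id -notmatch '^[a-p]{32}$') { throw "Not a valid Chrome extension ID: $id" }
        New-ItemProperty -Path $allowKey -Name ([string]$i) -Value $id -PropertyType String -Force | Out-Null
        $i++
    }
}

function Get-ChromeExtensionPolicy {
    # Reads back the lists as Chrome will see them (compare with chrome://policy on the endpoint).
    $result = @{ Blocked = @(); Allowed = @() }
    foreach ($pair in @(@('ExtensionInstallBlocklist', 'Blocked'), @('ExtensionInstallAllowlist', 'Allowed'))) {
        $key = Join-Path $ChromePolicy $pair[0]
        if (Test-Path $key) {
            $result[$pair[1]] = (Get-ItemProperty $key).PSObject.Properties |
                Where-Object { $_.Name -match '^\d+$' } |
                Sort-Object { [int]$_.Name } |
                ForEach-Object { $_.Value }
        }
    }
    return $result
}

Set-ChromeExtensionAllowlist -AllowedIds $ApprovedExtensionIds
Get-ChromeExtensionPolicy
```

Chrome also disables already-installed extensions that fall under the blocklist, so the policy removes an unapproved extension that is already present rather than only preventing new installs.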
