A surge in “Pass-the-Cookie” (PTC) attacks is undermining multi-factor authentication (MFA): attackers hijack session cookies and use them to reach sensitive accounts without ever facing an MFA prompt. Recent advisories from the FBI and from cybersecurity firms highlight how stolen browser cookies, the small data files that keep a user authenticated, let attackers impersonate victims even when MFA is enabled.

Pass-the-Cookie attacks exploit the session cookies an application issues after a user logs in. Cookies such as Microsoft’s ESTSAUTH store authentication tokens so that the user is not asked to log in again; the cookie itself is the proof of login, and the server does not re-run the password or MFA check when it sees one. Attackers steal these cookies during active sessions or use infostealers to harvest them from infected devices. Once extracted, the cookie is injected into the attacker’s own browser, granting immediate access to the account with no password and no MFA challenge. Cybersecurity firm Longwall Security demonstrated this by copying a cookie from a corporate Windows device into a clean Ubuntu-Firefox setup and gaining full access without triggering MFA.

The strength of the login factor does not change this. In one case, attackers compromised a YubiKey-protected Microsoft account via a personal laptop that lacked endpoint security, ultimately transferring $530,000 to fraudulent accounts: the hardware key protected the sign-in, but the cookie issued after that sign-in was stolen and replayed. Similarly, Google’s Threat Analysis Group observed attackers targeting YouTube creators with fake collaboration offers that delivered malware which exfiltrates cookies and is then used to hijack channels.

Microsoft and Okta recommend reducing session durations and enforcing conditional access policies, such as device compliance checks, so that a cookie presented from an unknown or non-compliant device is rejected. For instance, limiting sessions to 1 hour and revoking cookies during password resets curbs persistent access; note that a shorter lifetime only narrows the window, since the cookie is taken from a session that is still valid, which is why device-bound checks matter alongside it. Shortening session lifespans: enforce session timeouts (e.g., 15 minutes for high-risk apps) and disable “persistent” cookies.
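The following is an added example, not code from the article, Microsoft, Okta or Longwall Security. It models a bearer session cookie as a toy in-memory session store so the replay described above can be run end to end: a naive validator that accepts the cookie from any device (the Pass-the-Cookie precondition), beside a hardened validator that applies the three mitigations the article names (a one-hour lifetime, revocation on password reset, and a device check standing in for conditional access). The session layout, the `device_id` string, the user name and the timestamps are all constructed for illustration; a real identity provider’s cookie such as ESTSAUTH is structured differently.

```python
"""Toy model of a browser session cookie and the mitigations the article names.

Added example, not code from the article, Microsoft, Okta or Longwall Security.
The session layout, device identifier, user and timestamps are constructed for
illustration; real identity-provider cookies (e.g. ESTSAUTH) differ.
"""
import hmac
import secrets
from dataclasses import dataclass

MAX_SESSION_SECONDS = 3600  # "limit sessions to 1 hour"


@dataclass
class Session:
    user: str
    issued_at: float       # seconds since epoch, supplied by the caller
    device_id: str         # device the IdP saw at login (stands in for a compliance check)
    password_version: int  # copy of the user's password version at issue time


class SessionStore:
    def __init__(self):
        self._sessions = {}    # cookie value -> Session
        self._pw_version = {}  # user -> current password version

    def login(self, user, device_id, now):
        """Called after password + MFA succeeded: mint an opaque bearer cookie."""
        cookie = secrets.token_urlsafe(32)
        self._sessions[cookie] = Session(user, now, device_id,
                                         self._pw_version.get(user, 0))
        return cookie

    def validate_naive(self, cookie):
        """Pass-the-Cookie precondition: the cookie alone is proof of login."""
        s = self._sessions.get(cookie)
        return s.user if s else None

    def validate_hardened(self, cookie, device_id, now):
        """Short lifetime + revoke on password reset + device binding."""
        s = self._sessions.get(cookie)
        if s is None:
            return None
        if now - s.issued_at > MAX_SESSION_SECONDS:
            self._revoke(cookie)  # expired: force a fresh MFA login
            return None
        if s.password_version != self._pw_version.get(s.user, 0):
            self._revoke(cookie)  # issued before a password reset
            return None
        if not hmac.compare_digest(s.device_id, device_id):
            self._revoke(cookie)  # replayed from a device it was never issued to
            return None
        return s.user

    def reset_password(self, user):
        """Bump the version and drop every live session for the user."""
        self._pw_version[user] = self._pw_version.get(user, 0) + 1
        for cookie in [c for c, s in self._sessions.items() if s.user == user]:
            self._revoke(cookie)

    def _revoke(self, cookie):
        self._sessions.pop(cookie, None)


def demo():
    """Walk through the article's scenario; returns the access decisions."""
    store = SessionStore()
    t0 = 1_700_000_000.0                      # constructed login time
    corp, attacker = "win-corp-laptop", "ubuntu-firefox"
    results = {}

    cookie = store.login("alice@example.com", corp, t0)
    # Attacker copies the cookie into a clean browser on another machine.
    results["naive_replay"] = store.validate_naive(cookie)
    results["hardened_legit"] = store.validate_hardened(cookie, corp, t0 + 60)
    results["hardened_replay"] = store.validate_hardened(cookie, attacker, t0 + 61)
    # The replay attempt revoked the session, so even the real device is now logged out.
    results["hardened_legit_after_replay"] = store.validate_hardened(cookie, corp, t0 + 62)

    cookie = store.login("alice@example.com", corp, t0)
    results["hardened_expired"] = store.validate_hardened(
        cookie, corp, t0 + MAX_SESSION_SECONDS + 1)

    cookie = store.login("alice@example.com", corp, t0)
    store.reset_password("alice@example.com")
    results["hardened_after_reset"] = store.validate_hardened(cookie, corp, t0 + 60)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:28s} -> {outcome}")
```

Running `demo()` shows the naive validator accepting the copied cookie from the Ubuntu-Firefox side, while the hardened validator rejects it and, because a replay is a strong compromise signal, also drops the session for the original device. The two later cases show the cookie dying at the one-hour mark and immediately after a password reset, which is the behaviour the recommendations above aim for.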
This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 28 Feb 2025 12:10:03 +0000