Researchers have devised a new attack strategy, “Cookie-Bite”, that demonstrates cookie theft via a malicious browser extension. While the idea of stealing session cookies isn’t new, using a malicious browser extension as the PoC is a new approach that highlights the severity of the matter.
Cookie-Bite Attack Ensures Persistent Access By Stealing Cookies
Sharing the details in a recent post, researchers from Varonis highlighted how a malicious browser extension may sneakily allow persistent access to user accounts. Named “Cookie-Bite”, the attack demonstrates using a browser extension to steal session cookies, evading account login security checks.
Specifically, the researchers demonstrated the attack by using a specially crafted browser extension to steal cookies. They used Google Chrome in their study and targeted Azure authentication-related cookies. Nonetheless, they explained that the technique applies to other services as well, with each service’s exposure depending on its session handling, cookie architecture, and security controls.
As proof-of-concept (PoC), the researchers targeted the ‘ESTSAUTH’ and ‘ESTSAUTHPERSISTENT’ cookies in Azure Entra ID. These cookies grant and maintain authenticated access to Microsoft services, such as Microsoft 365 and the Azure Portal. While users may apply different security measures, such as multi-factor authentication, to ensure secure login, the Cookie-Bite attack may steal these cookies to achieve persistent access to Microsoft services without requiring account credentials.
In the worst exploitation scenarios, an adversary could use such a session hijacking attack to move laterally across cloud environments. With unchecked persistent access to critical services, attackers could gain unrestricted access to important data.
Besides Microsoft Azure Entra ID, the researchers also listed other important cloud services, such as Google Workspace, GitHub, AWS Management Console, and Okta (SSO), along with their respective authentication cookies that the Cookie-Bite attack can target.
Upon gaining persistent access to target accounts by stealing cookies, an adversary may perform various malicious actions. According to the researchers, these may include deploying PowerShell, stealing other services’ cookies, performing unauthorized app registrations, and moving laterally across the network.
Recommended Mitigations For This Sneaky Attack
Notably, the Cookie-Bite attack involves no sophisticated malware to steal cookies. Instead, it uses a simple script, which makes it difficult to detect and block. Moreover, the attack remains effective because it operates through the browser, bypassing account login checks with each login attempt.
Nonetheless, the researchers have shared various means to prevent this attack. These include monitoring thoroughly for unusual user behavior, using Microsoft Risk to flag unusual sign-ins, deploying Conditional Access Policies (CAP) to restrict unauthorized users’ access, and implementing Chrome ADMX policies to restrict the use of browser extensions to a specific allowlist.
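The extension-allowlist mitigation above can be enforced without the ADMX templates by writing the same Chrome policy registry keys directly. The following PowerShell is an added example, not code from Varonis or this article; it assumes a Windows host, an elevated session, and uses a placeholder extension ID that you must replace with the IDs your organization has vetted.

```powershell
# Chrome reads extension policies from HKLM\SOFTWARE\Policies\Google\Chrome,
# the same location the ADMX templates populate via Group Policy.
$ChromePolicy = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

# Placeholder: replace with the 32-character IDs of approved extensions.
$AllowedExtensionIds = @(
    'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'   # placeholder ID, not a real extension
)

function Set-ChromeExtensionAllowlist {
    param([string[]]$AllowedIds)

    $blockKey = Join-Path $ChromePolicy 'ExtensionInstallBlocklist'
    $allowKey = Join-Path $ChromePolicy 'ExtensionInstallAllowlist'

    # Recreate both lists so stale entries cannot silently widen the policy.
    foreach ($key in @($blockKey, $allowKey)) {
        if (Test-Path $key) { Remove-Item $key -Recurse -Force }
        New-Item $key -Force | Out-Null
    }

    # A blocklist entry of "*" denies every extension that is not explicitly
    # allowlisted, including ones sideloaded in developer mode; Chrome also
    # disables already-installed extensions that fall under the block.
    New-ItemProperty -Path $blockKey -Name '1' -Value '*' `
        -PropertyType String -Force | Out-Null

    # Allowlist entries are numbered string values: 1, 2, 3, ...
    $index = 1
    foreach ($id in $AllowedIds) {
        New-ItemProperty -Path $allowKey -Name "$index" -Value $id `
            -PropertyType String -Force | Out-Null
        $index++
    }
}

function Get-ChromeExtensionPolicy {
    # Audit helper: returns what Chrome will see after the next policy refresh.
    [pscustomobject]@{
        Blocklist = (Get-ItemProperty (Join-Path $ChromePolicy 'ExtensionInstallBlocklist') |
            Select-Object -ExpandProperty 1 -ErrorAction SilentlyContinue)
        Allowlist = @(Get-ItemProperty (Join-Path $ChromePolicy 'ExtensionInstallAllowlist') |
            Select-Object -Property * -ExcludeProperty PS* | ForEach-Object { $_.PSObject.Properties.Value })
    }
}

Set-ChromeExtensionAllowlist -AllowedIds $AllowedExtensionIds
Get-ChromeExtensionPolicy
```

After applying, verify on the endpoint at chrome://policy that ExtensionInstallBlocklist shows "*" and ExtensionInstallAllowlist lists only the approved IDs; a Cookie-Bite style unpacked extension will then be refused at load time rather than relying on detection after the cookies are gone.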
Let us know your thoughts in the comments.