Researchers have devised a new attack technique, "Cookie-Bite", demonstrating cookie theft through malicious browser extensions. While the concept of stealing session cookies isn't new, using a malicious browser extension as a PoC is a new approach that highlights the severity of the issue.
Cookie-Bite Attack Ensures Persistent Access By Stealing Cookies
Sharing the details in a recent post, researchers from Varonis highlighted how a malicious browser extension could quietly enable persistent access to user accounts. Named "Cookie-Bite", the attack demonstrates using a browser extension to steal session cookies, evading account login security checks.
Specifically, the researchers demonstrated the attack by using a specially crafted browser extension to steal cookies. They used Google Chrome in their study and targeted Azure authentication-related cookies. However, they explained that the technique applies to other services as well, each service's exposure depending on its session handling, cookie structure, and security controls.
As a proof-of-concept (PoC), the researchers targeted the 'ESTSAUTH' and 'ESTSAUTHPERSISTENT' cookies in Azure Entra ID. These cookies establish and maintain authenticated access to Microsoft services such as Microsoft 365 and the Azure Portal. While users may apply additional security measures, such as multi-factor authentication, to secure the login itself, the Cookie-Bite attack can steal these cookies to gain persistent access to Microsoft services without requiring account credentials.
In the worst exploitation scenarios, an adversary could use such a session hijacking attack to move laterally across cloud environments. With unchecked persistent access to critical services, attackers could gain unrestricted access to important data.
Besides Microsoft Azure Entra ID, the researchers also listed other important cloud services, such as Google Workspace, GitHub, the AWS Management Console, and Okta (SSO), along with the respective authentication cookies that the Cookie-Bite attack can target.
Upon gaining persistent access to target accounts by stealing cookies, an adversary can perform various malicious actions. According to the researchers, these may include deploying PowerShell, stealing other services' cookies, performing unauthorized app registrations, and moving laterally across the network.
Recommended Mitigations For This Sneaky Attack
Notably, the Cookie-Bite attack involves no sophisticated malware to steal cookies. Instead, it uses a simple script, which makes it difficult to detect and block. Moreover, the attack remains effective because it operates through the browser, so the stolen session bypasses the account login checks that would otherwise apply to each login attempt.
Nonetheless, the researchers have shared various means to counter this attack. These include running thorough scans to detect any unusual user behaviour, using Microsoft risk detection to flag unusual sign-ins, deploying Conditional Access Policies (CAP) to restrict unauthorized users' access, and implementing Chrome ADMX policies to restrict the use of browser extensions to a specific allowlist.
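The "unusual user behaviour" check above is where a defender can actually catch a replayed session cookie: the session was established interactively with MFA from one device, but later non-interactive sign-ins on the same session arrive from an IP and user agent that never completed MFA. The following is an added example written for this article, not Varonis' or Microsoft's code; the sign-in events are constructed, and the field names (sessionId, isInteractive, authenticationRequirement, userAgent) are modelled loosely on Entra sign-in log exports and should be treated as assumptions, not a verified schema.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in events (newline-delimited JSON). The field names
# are assumptions loosely based on Entra sign-in log exports, not a verified
# schema. alice's session is established with MFA from one origin and then
# reused from a second origin that never performed an interactive sign-in.
SAMPLE_SIGNIN_LOG = """
{"createdDateTime":"2025-04-22T08:00:00Z","userPrincipalName":"alice@example.test","sessionId":"sess-1","ipAddress":"203.0.113.10","userAgent":"Chrome/124 Windows","authenticationRequirement":"multiFactorAuthentication","isInteractive":true}
{"createdDateTime":"2025-04-22T08:05:00Z","userPrincipalName":"alice@example.test","sessionId":"sess-1","ipAddress":"203.0.113.10","userAgent":"Chrome/124 Windows","authenticationRequirement":"singleFactorAuthentication","isInteractive":false}
{"createdDateTime":"2025-04-22T09:30:00Z","userPrincipalName":"alice@example.test","sessionId":"sess-1","ipAddress":"198.51.100.77","userAgent":"Chrome/124 Linux","authenticationRequirement":"singleFactorAuthentication","isInteractive":false}
{"createdDateTime":"2025-04-22T10:00:00Z","userPrincipalName":"bob@example.test","sessionId":"sess-2","ipAddress":"203.0.113.20","userAgent":"Edge/124 Windows","authenticationRequirement":"multiFactorAuthentication","isInteractive":true}
{"createdDateTime":"2025-04-22T10:20:00Z","userPrincipalName":"bob@example.test","sessionId":"sess-2","ipAddress":"203.0.113.20","userAgent":"Edge/124 Windows","authenticationRequirement":"singleFactorAuthentication","isInteractive":false}
"""


def parse_signins(text):
    """Parse newline-delimited JSON sign-in events and return them oldest first."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        # Entra timestamps are UTC with a trailing Z; make them tz-aware datetimes.
        ev["createdDateTime"] = datetime.fromisoformat(
            ev["createdDateTime"].replace("Z", "+00:00")
        )
        events.append(ev)
    events.sort(key=lambda e: e["createdDateTime"])
    return events


def detect_session_reuse(events):
    """Flag sessions used from an origin (IP + user agent) that never completed
    an interactive MFA sign-in for that session. A stolen ESTSAUTH* cookie
    shows up exactly like this: the session cookie keeps working, but the
    origin presenting it is not the one that satisfied MFA."""
    sessions = defaultdict(list)
    for ev in events:
        sessions[(ev["userPrincipalName"], ev["sessionId"])].append(ev)

    findings = []
    for (user, sid), evs in sessions.items():
        # Origins that legitimately established this session with MFA.
        trusted = {
            (e["ipAddress"], e["userAgent"])
            for e in evs
            if e["isInteractive"]
            and e["authenticationRequirement"] == "multiFactorAuthentication"
        }
        for e in evs:
            origin = (e["ipAddress"], e["userAgent"])
            if origin in trusted:
                continue
            findings.append({
                "userPrincipalName": user,
                "sessionId": sid,
                "suspect_origin": origin,
                "first_seen": e["createdDateTime"],
                "trusted_origins": sorted(trusted),
            })
            break  # one finding per session is enough for triage
    return findings


if __name__ == "__main__":
    for f in detect_session_reuse(parse_signins(SAMPLE_SIGNIN_LOG)):
        print(f"{f['userPrincipalName']} session {f['sessionId']} reused from "
              f"{f['suspect_origin']} at {f['first_seen'].isoformat()}; "
              f"MFA origins: {f['trusted_origins']}")
```

A finding like this is the trigger for the other mitigations the researchers list: revoke the user's sessions so the stolen cookie stops working, and let a risk-based Conditional Access policy force fresh MFA. Matching on IP alone is noisy for mobile and VPN users, which is why the example keys on the IP and user agent pair and only on sessions that have an interactive MFA baseline to compare against.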
Let us know your thoughts in the comments.