Expert insight: CISA - Hackers bypassed MFA to access cloud service accounts
January 2021 by Cerberus Sentinel
The US Cybersecurity and Infrastructure Security Agency (CISA) said today that threat actors bypassed multi-factor authentication (MFA) to compromise cloud service accounts.
"CISA is aware of several recent successful cyberattacks against various organizations’ cloud services," the cybersecurity agency said on Wednesday. "The cyber threat actors involved in these attacks used a variety of tactics and techniques—including phishing, brute force login attempts, and possibly a ’pass-the-cookie’ attack—to attempt to exploit weaknesses in the victim organizations’ cloud security practices."
With this in mind I have commentary from Christian Espinosa, Managing Director at Cerberus Sentinel: "This is not a new threat. Bypassing MFA via stolen-cookie (“pass-the-cookie”) attacks is common. Cookies establish session persistence for web applications. When you are authenticated with a web application, MFA or not, the cookie is placed on your computer. The cookie contains the session ID and access tokens to the web application. This is so you don’t have to reauthenticate incessantly to the web application. This is an inherent flaw in the HTTP protocol and how web applications work. HTTP is a stateless protocol and relies on cookies to maintain state. We run into this vulnerability routinely during web application penetration tests. The way to mitigate the MFA pass-the-cookie vulnerability is with better cookie management and better user training. Specifically, cookies should be set with a short lifespan and should be for a single session, so when the browser is closed, the cookie is voided. Users should be trained to log off the web application and close their browser after they are done using the web application. Many users never log off or close a browser – this increases risk.
The bottom line is there is no single way to fix the pass-the-cookie problem, unless you force a user to reauthenticate more frequently for different web application functionality. This diminishes the user experience though."
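To make the mitigations Espinosa describes concrete (a browser-session cookie with no expiry, a short server-side lifetime, explicit logoff, and re-authentication before sensitive functionality), here is an added Python example; it is not code from the article or from Cerberus Sentinel, and the timeout values, the `__Host-sid` cookie name and the `SessionStore` API are assumptions.

```python
import secrets
import time
from dataclasses import dataclass

# Assumed policy values: tune to the application's risk appetite.
IDLE_TIMEOUT = 15 * 60        # session dies after 15 min without a request
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap: re-login after 8 h regardless of activity
REAUTH_WINDOW = 5 * 60        # sensitive functions need a fresh MFA within 5 min


def set_cookie_header(session_id: str) -> str:
    """Build the Set-Cookie value for the session ID.

    No Max-Age/Expires: the browser discards the cookie when it is closed
    (a 'session cookie', so closing the browser voids it).  Secure and
    HttpOnly keep it off plaintext HTTP and away from page scripts;
    SameSite=Strict stops cross-site requests from carrying it; the
    __Host- prefix forces Secure, Path=/ and no Domain attribute.
    """
    return f"__Host-sid={session_id}; Path=/; Secure; HttpOnly; SameSite=Strict"


@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    mfa_at: float


class SessionStore:
    """Server-side session state; the cookie only carries a random ID."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable clock so timeouts are testable
        self._sessions: dict[str, Session] = {}

    def create(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)  # 256-bit unguessable session ID
        now = self._clock()
        self._sessions[sid] = Session(user, now, now, now)
        return sid

    def validate(self, sid: str, sensitive: bool = False) -> str:
        """Return 'ok', 'invalid', 'expired' or 'reauth' for a presented cookie."""
        s = self._sessions.get(sid)
        if s is None:
            return "invalid"
        now = self._clock()
        if now - s.created > ABSOLUTE_TIMEOUT or now - s.last_seen > IDLE_TIMEOUT:
            del self._sessions[sid]  # a replayed stale cookie is worthless now
            return "expired"
        if sensitive and now - s.mfa_at > REAUTH_WINDOW:
            return "reauth"          # step-up: force MFA again for this function
        s.last_seen = now
        return "ok"

    def record_mfa(self, sid: str) -> None:
        now = self._clock()
        self._sessions[sid].mfa_at = now
        self._sessions[sid].last_seen = now

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)  # explicit logoff invalidates the ID server-side
```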