Phishers now have multiple options to bypass multifactor authentication
As multifactor authentication (MFA) adoption grows, so threat actors adapt by implementing phishing techniques that bypass MFA.
Recently, Sophos researchers have offered insights on how attackers can steal session cookies to bypass MFA. Once adversaries are in the organization's network, they can scrape cookie data from compromised systems and use legitimate executables to disguise the malicious activity. This pass-the-cookie attack can yield vital information which can be used to programmatically access the compromised user's account and applications.
Once the attackers obtain access to corporate web-based and cloud resources using the cookies, they can use them for further exploitation such as business email compromise, social engineering to gain additional system access, and even modification of data or source code repositories.
In practice, ransomware operators will use a typical info stealer malware component to harvest cookies from a user's machine. More sophisticated actors will abuse legitimate offensive-security tools such as Mimikatz, Metasploit Meterpreter and Cobalt Strike to execute cookie harvesting malware or run scripts that grab cookies from browsers’ caches.
Besides stealing cookies from a compromised system, there are ways to steal cookies even if the threat actor has no prior access to the machine. This technique is usually called adversary-in-the-middle (AiTM) phishing. As already reported by Microsoft, the approach is not only to mimic the original site or application, but to proxy requests in order to obtain session cookies. Crucially, the user is presented with the original MFA challenge form, proxied directly from the phishing website.
Ways to defend
We will surely see further innovations in phishing, but it's important to note there are ways to defend.
First, security awareness training - employees are in fact the new perimeter for an organization, so it makes sense to invest in training. Education is usually associated with a time-consuming effort that few organizations can afford. But there are ways to make education less intrusive and more automated by using security awareness training (SAT) software.
Second, intelligent identity verification - use a modern identity-as-a-service solution that is able to offer granular login policies, especially around unfamiliar sign-in events from unusual countries, times of day, etc. The ability to cover most modern SaaS solutions used in an organization under the same intelligent "identity" verification umbrella is very important. Too many organizations still depend on obsolete LDAP or out-of-date identity management solutions that do not cover both internal and external SaaS apps.
And finally, focusing on each and every endpoint is crucial: EDR/XDR-like solutions that offer operational awareness around endpoints are the only ones that can leverage behavioral rules to prevent abuse of cookies by scripts and untrusted programs and detect information-stealing malware.
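The "granular login policy" idea above can be applied to session cookies as well as to logins: a cookie obtained by pass-the-cookie or AiTM phishing is replayed from the attacker's client, not the victim's. The following is an added example, not from the article or from Sophos or Microsoft; it runs over constructed session telemetry (made-up users, RFC 5737 documentation addresses, a hypothetical session_id field holding a hash of the cookie) and flags a cookie whose later use does not match the client context it was issued to.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class SessionEvent:
    """One request seen by the app or identity proxy; session_id is a hash of the cookie, never the cookie itself."""
    ts: datetime
    session_id: str
    user: str
    src_ip: str
    country: str
    user_agent: str

def detect_cookie_replay(events: list[SessionEvent], max_travel: timedelta = timedelta(hours=1)) -> list[tuple[str, str, str, str]]:
    """Return (session_id, user, src_ip, reason) for each request whose client
    context differs from the one the session cookie was issued to."""
    first_seen: dict[str, SessionEvent] = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        origin = first_seen.setdefault(ev.session_id, ev)
        if origin is ev:
            continue  # first use of this cookie: record the issuing context
        reasons = []
        # Stealer tooling rarely carries the victim's browser string (an AiTM proxy may, so this is one signal of two).
        if ev.user_agent != origin.user_agent:
            reasons.append("user-agent differs from issuing request")
        # Plain IP changes are normal (mobile networks, VPNs); a country change
        # faster than a person could travel is not.
        if ev.country != origin.country and ev.ts - origin.ts < max_travel:
            reasons.append(f"country {origin.country}->{ev.country} in {ev.ts - origin.ts}")
        if reasons:
            alerts.append((ev.session_id, ev.user, ev.src_ip, "; ".join(reasons)))
    return alerts

# Constructed sample telemetry (RFC 5737 documentation addresses, made-up users).
T0 = datetime(2023, 3, 1, 9, 0)
UA_DESKTOP = "Mozilla/5.0 (Windows NT 10.0) Chrome/110.0"
UA_PHONE = "Mozilla/5.0 (iPhone; CPU iPhone OS 16_3) Safari/605.1"
SAMPLE_EVENTS = [
    # alice completes MFA in DE; 12 minutes later her cookie is replayed from US
    SessionEvent(T0, "sess-a1", "alice", "203.0.113.10", "DE", UA_DESKTOP),
    SessionEvent(T0 + timedelta(minutes=12), "sess-a1", "alice", "198.51.100.7", "US", "python-requests/2.28"),
    # bob's phone switches networks within the same country: no alert
    SessionEvent(T0, "sess-b1", "bob", "203.0.113.55", "FR", UA_PHONE),
    SessionEvent(T0 + timedelta(minutes=5), "sess-b1", "bob", "203.0.113.91", "FR", UA_PHONE),
]

if __name__ == "__main__":
    for alert in detect_cookie_replay(SAMPLE_EVENTS):
        print("ALERT", *alert)
```

The same check belongs on the server side of the session store, where a mismatch can invalidate the cookie and force a fresh MFA challenge rather than only raising an alert.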