
Sophos Shows How Attackers Exploit Stolen Session Cookies to Bypass Multi-Factor Authentication

With Stolen Session Cookies, Attackers can Impersonate Legitimate Users and Move Freely Around the Network, says Sophos


Sophos, a global leader in next-generation cybersecurity, today announced in the Sophos X-Ops report, “Cookie stealing: the new perimeter bypass,” that active adversaries are increasingly exploiting stolen session cookies to bypass Multi-Factor Authentication (MFA) and gain access to corporate resources.


Key points:

  • Sophos is seeing a growing number of attackers—including active adversaries—using stolen session, or authentication, cookies to bypass MFA and access corporate resources
  • These stolen cookies allow attackers to impersonate legitimate users and move freely around a network. Once inside, there is really no limit to what they can do; they can tamper with cloud infrastructures, compromise business email, or even rewrite code for products
  • While bulk credential theft (including bulk cookie theft) is still common, Sophos is witnessing a growing number of targeted attacks to steal cookies from specific types of organizations
  • One common underground marketplace for these stolen cookies is Genesis
  • This is an important table setter piece for Sophos:
    • While other companies have discussed the theoretical rise of attacks bypassing MFA or spoken about isolated incidents involving stolen session cookies, we’re talking about an overall trend and what we’ve witnessed in the field and in the data from our own telemetry
    • We will be building on the cookie theft/MFA bypass angle in the coming months

In some cases, the cookie theft itself is a highly targeted attack, with adversaries scraping cookie data from compromised systems within a network and using legitimate executables to disguise the malicious activity.

Once the attackers obtain access to corporate web-based and cloud resources using the cookies, they can use them for further exploitation such as business email compromise, social engineering to gain additional system access, and even modification of data or source code repositories.

“Over the past year, we’ve seen attackers increasingly turn to cookie theft to work around the growing adoption of MFA. Attackers are turning to new and improved versions of information stealing malware like Raccoon Stealer to simplify the process of obtaining authentication cookies, also known as access tokens,” said Sean Gallagher, principal threat researcher, Sophos. “If attackers have session cookies, they can move freely around a network, impersonating legitimate users.”

Session, or authentication, cookies are a particular type of cookie stored by a web browser when a user logs into web resources. If attackers obtain them, then they can conduct a “pass-the-cookie” attack whereby they inject the access token into a new web session, tricking the browser into believing it is the authenticated user and nullifying the need for authentication.

Since a token is also created and stored on a web browser when using MFA, this same attack can be used to bypass this additional layer of authentication.

Compounding the issue is that many legitimate web-based applications have long-lasting cookies that rarely or never expire; other cookies only expire if the user specifically logs out of the service.

Thanks to the malware-as-a-service industry, it’s getting easier for entry-level attackers to get involved in credential theft. For example, all they need to do is buy a copy of an information-stealing Trojan like Raccoon Stealer to collect data like passwords and cookies in bulk and then sell them on criminal marketplaces, including Genesis.

Other criminals on the attack chain, such as ransomware operators, can then buy this data and sift through it to leverage anything they deem useful for their attacks.

Conversely, in two of the recent incidents that Sophos investigated, attackers took a more targeted approach. In one case, the attackers spent months inside a target’s network gathering cookies from the Microsoft Edge browser.

The initial compromise occurred via an exploit kit, and then the attackers used a combination of Cobalt Strike and Meterpreter activity to abuse a legitimate compiler tool to scrape access tokens. In another case, the attackers used a legitimate Microsoft Visual Studio component to drop a malicious payload that scraped cookie files for a week.

“While historically we’ve seen bulk cookie theft, attackers are now taking a targeted and precise approach to cookie stealing. Because so much of the workplace has become web-based, there really is no end to the types of malicious activity attackers can carry out with stolen session cookies. They can tamper with cloud infrastructures, compromise business email, and convince other employees to download malware or even rewrite code for products. The only limitation is their own creativity,” said Gallagher. “Complicating matters is that there is no easy fix. For example, services can shorten the lifespan of cookies, but that means users must re-authenticate more often, and, as attackers turn to legitimate applications to scrape cookies, companies need to combine malware detection with behavioral analysis.”
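The pass-the-cookie mechanism described above, and the two mitigations Gallagher mentions (shortening cookie lifetimes, and pairing malware detection with behavioral analysis), can be made concrete on the server side. The following is an added example, not code from Sophos or from the report: a hypothetical server-side session store that enforces an absolute lifetime and an idle timeout, binds each session to the client address and User-Agent seen at login, and records an alert when the same cookie value is later presented from a different client. The class and function names, the timestamps and the addresses are all constructed for the illustration.

```python
"""Server-side session store with absolute/idle expiry and client binding.

Added illustrative example (not Sophos' code). It assumes a hypothetical web
application that keeps session state server-side, keyed by a random cookie
value, and records the client address and User-Agent at login time.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    mfa_verified: bool   # MFA status lives in the session, so a stolen cookie inherits it
    created_at: float    # absolute start of the session (epoch seconds)
    last_seen: float     # updated on every accepted request
    client_fp: str       # hash of address + User-Agent seen at login


class SessionStore:
    """Hypothetical session store.

    absolute_ttl caps how long a cookie is valid regardless of activity;
    idle_ttl expires a cookie that stops being used. Both shrink the window
    in which an exfiltrated cookie can be replayed. A mismatch between the
    client that logged in and the client presenting the cookie is treated as
    a hijack signal: the session is revoked and an alert is recorded.
    """

    def __init__(self, absolute_ttl=8 * 3600, idle_ttl=15 * 60):
        self._sessions = {}
        self.absolute_ttl = absolute_ttl
        self.idle_ttl = idle_ttl
        self.alerts = []  # anomaly records a SOC pipeline could consume

    @staticmethod
    def fingerprint(addr, user_agent):
        return hashlib.sha256(f"{addr}|{user_agent}".encode()).hexdigest()

    def login(self, user, mfa_verified, addr, user_agent, now):
        # Fresh random token on every login; never reuse a pre-login value.
        token = secrets.token_urlsafe(32)
        fp = self.fingerprint(addr, user_agent)
        self._sessions[token] = Session(user, mfa_verified, now, now, fp)
        return token

    def validate(self, token, addr, user_agent, now):
        """Return (user, reason); reason is 'ok' or why the cookie was refused."""
        s = self._sessions.get(token)
        if s is None:
            return None, "unknown"
        if now - s.created_at > self.absolute_ttl:
            self._sessions.pop(token)
            return None, "absolute-expired"
        if now - s.last_seen > self.idle_ttl:
            self._sessions.pop(token)
            return None, "idle-expired"
        fp = self.fingerprint(addr, user_agent)
        if not hmac.compare_digest(fp, s.client_fp):
            # Same cookie, different client: the pass-the-cookie pattern.
            self.alerts.append({"user": s.user, "token_prefix": token[:6],
                                "at": now, "expected": s.client_fp[:8], "seen": fp[:8]})
            self._sessions.pop(token)  # revoke; the real user must re-authenticate
            return None, "client-mismatch"
        s.last_seen = now
        return s.user, "ok"

    def logout(self, token):
        self._sessions.pop(token, None)


def demo():
    """Walk through replay, idle and absolute expiry with constructed timestamps."""
    store = SessionStore(absolute_ttl=8 * 3600, idle_ttl=15 * 60)
    t0 = 1_700_000_000.0  # constructed epoch timestamp
    victim = ("203.0.113.10", "Mozilla/5.0 (Windows NT 10.0) Edge/118")    # constructed
    other = ("198.51.100.77", "Mozilla/5.0 (X11; Linux x86_64) Firefox/118")  # constructed
    results = {}

    token = store.login("alice", True, *victim, now=t0)
    results["legit"] = store.validate(token, *victim, now=t0 + 60)[1]
    # The cookie value is exfiltrated and replayed from another host.
    results["replay"] = store.validate(token, *other, now=t0 + 120)[1]
    # After revocation the legitimate user is also refused and must log in again.
    results["after_replay"] = store.validate(token, *victim, now=t0 + 180)[1]

    token2 = store.login("alice", True, *victim, now=t0)
    results["idle"] = store.validate(token2, *victim, now=t0 + 16 * 60)[1]

    token3 = store.login("alice", True, *victim, now=t0)
    for i in range(1, 33):  # used every 15 minutes for 8 hours, never idle
        store.validate(token3, *victim, now=t0 + i * 15 * 60)
    results["absolute"] = store.validate(token3, *victim, now=t0 + 8 * 3600 + 1)[1]
    return results, store.alerts


if __name__ == "__main__":
    print(demo())
```

Binding to the source address is a heuristic: roaming and mobile users change addresses legitimately, so a production system would treat the mismatch as one signal among several (or bind to a device-held key rather than network attributes) instead of hard-revoking as this example does. The point the example makes is that lifetime limits and a record of where a cookie was minted are enforced server-side, where the application can act on them, not in the browser that the infostealer has already read.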

To learn more about session cookie theft and how adversaries are exploiting the technique to carry out malicious activity, read the full report, “Cookie Stealing: the new perimeter bypass,” on Sophos.com.

GrassRoots.ng is on a critical mission; to objectively and honestly represent the voice of ‘grassrooters’ in International, Federal, State and Local Government fora; heralding the achievements of political and other leaders and investors alike, without discrimination. This daily, digital news publication platform serves as the leading source of up-to-date information on how people and events reflect on the global community. The pragmatic articles reflect on the life of the community people, covering news/current affairs, business, technology, culture and fashion, entertainment, sports, State, National and International issues that directly impact the locals.


Only 26% of Surveyed Organizations Stopped Data Encryption by Cybercriminals – Sophos

Retail organizations attacked by ransomware increasingly unable to halt an attack in progress, Sophos Survey Finds, writes SANDRA ANI

This Is the Lowest Rate of Disruption in 3 Years

Sophos, a global leader in innovating and delivering cybersecurity as a service, today shared findings from its sector survey report, “The State of Ransomware in Retail 2023,” which found that only 26% of retail organizations this past year were able to disrupt a ransomware attack before their data was encrypted.


This is a three-year low for the sector—a decline from 34% in 2021 and 28% in 2022—suggesting the sector is increasingly unable to halt ransomware attacks already in progress.

“Retailers are losing ground in the battle against ransomware. Ransomware criminals have been encrypting increasingly greater percentages of their retail victims in the last three years, as evidenced by the steadily declining rate of retailers stopping cybercriminal attacks in progress. Retailers must up their defensive game by setting up security that detects and responds to intrusions earlier in the attack chain,” said Chester Wisniewski, director, global field CTO, Sophos.

In addition, the report found that, for those retail organizations that paid the ransom, their median recovery costs (not including the ransom payment) were four times the recovery costs of those that used backups to recover their data ($3,000,000 versus $750,000).

“Forty-three percent of retail victims paid the ransom according to our survey respondents, yet the median recovery cost to victims who paid the ransom was four times the cost to those who used backups and other recovery methods. There are no shortcuts in these situations and rebuilding systems is almost always required. It’s better to deprive the criminals of their spoils and build back better,” said Wisniewski.

Additional key findings from the report include:

  • In line with a broader, cross-sector trend, the retail sector experienced its highest rate of encryption over the past three years, with 71% of those organizations targeted by ransomware stating that attackers successfully encrypted their data
  • The percentage of retail organizations attacked by ransomware declined from 77% last year to 69% this year
  • The percentage of retail organizations that recovered in less than a day decreased from 15% to 9% this year, while the percentage of retail organizations that took more than a month to recover increased from 17% to 21%

Sophos recommends the following best practices to help defend against ransomware and other cyberattacks:

  • Strengthen defensive shields with:
    • Security tools that defend against the most common attack vectors, including endpoint protection with strong anti-ransomware and anti-exploit capabilities
    • Adaptive technologies that respond automatically to attacks, disrupting adversaries and buying defenders time to respond
  • Optimize attack preparation, including regularly backing up, practicing recovering data from backups and maintaining an up-to-date incident response plan
  • Maintain security hygiene, including timely patching and regularly reviewing security tool configurations

To learn more about the State of Ransomware in Retail 2023, download the full report from Sophos.com.

The State of Ransomware 2023 survey polled 3,000 IT/cybersecurity leaders in organizations with between 100 and 5,000 employees, including 355 from the retail sector, across 14 countries in the Americas, EMEA and Asia Pacific.


IASP Luxembourg: Chinwe Okoli Speaks on Soludo’s Innovation Agenda

By SANDRA ANI


Chinwe Okoli speaking at IASP in Luxembourg

“We want Anambra to be known as a destination for innovation, the next Startup State, home for digital Talents, the home of the smart digital tribe”

Ms Chinwe Okoli, the Special Adviser to the Governor of Anambra State on Innovation and Business Incubation, addressed global innovation ecosystem leaders at the 40th IASP World Conference on Science Parks and Areas of Innovation, which took place at the European Convention Centre, Luxembourg.

Chinwe Okoli and other world ecosystem leaders at IASP in Luxembourg

The conference, with the theme “Megatrends in Innovation Ecosystems: What are the impacts for STPs & AOIs?”, was an exceptional gathering of global innovation stakeholders from over 55 countries. The three-day conference presented an opportunity for the best innovation districts, science parks and areas of innovation in the world to connect and exchange best practices.

Solution Innovation District, Anambra State was prominent in the conference as Ms Okoli addressed the conference on the topic: “Harnessing the Untapped Potential of Anambra Digital Tribe: A Case for Developing Countries.”

She shared the transformative power of the Anambra State Government’s innovation program and highlighted the aspirations of Professor Charles Chukwuma Soludo, the Governor, and efforts in nurturing a robust innovation ecosystem in the State to unlock new opportunities and drive technological progress towards making Anambra the digital and creative capital of Nigeria.

Solution Innovation District (SID) is driven by the Anambra State Government and is dedicated to fostering the growth of the technology, innovation and entrepreneurship ecosystem.

Ms Okoli restated the commitment of Governor Soludo’s administration to building a one-of-a-kind district in Anambra State, set out the key and ambitious goal of grooming one million members of the Anambra Digital Tribe, startups and digital entrepreneurs, and closed with a call for global partnership.

“Our mantra in Anambra State is Everything Technology and Technology Everywhere.

“At SID, we are activating and developing a dynamic and inclusive ecosystem of the future. Our focus is that in a very short time, Anambra becomes the go-to place for the supply of skills/talents in deep technology: Artificial Intelligence, cybersecurity, robotics, blockchain, data science, software engineering, IoT, cloud computing, etc.

“Let’s impact the world from the light of the nation, in the biggest country in Africa, let’s do digital magic with the Anambra Digital Tribe”.


IASP, the International Association of Science Parks and Areas of Innovation, is the leading association of innovation ecosystems worldwide.

This organization actively unites and empowers a network of managers overseeing areas of innovation, science parks, research parks, innovation districts, knowledge cities, and various other innovation spaces. It’s the driving force behind the exchange of cutting-edge knowledge and best practices, propelling innovation on a global scale.


Sophos Launches Wi-Fi 6 Access Points

Sophos supports the shift to hybrid environments with a new generation of remotely managed Wi-Fi 6 access points, reports SANDRA ANI


Sophos, a global leader in innovating and delivering cybersecurity as a service, today announced the Sophos AP6 Series to support the shift to hybrid environments with a new generation of remotely managed Wi-Fi 6 access points.

The new offering adds another component to Sophos’ secure access portfolio, which includes Sophos Firewall and Sophos Switch.

“With cloud-managed Wi-Fi, Sophos is addressing the need for more scalable, remote-managed Wi-Fi solutions that support the increasing number of connected devices and the proliferation of IoT systems,” said Daniel Cole, vice president of product management at Sophos. “This combination of our Sophos AP6 Series and Sophos Switches provides channel partners with a consolidated single vendor access solution strategy, easing the burden and overhead cost of managing multiple disparate systems from different vendors. Many access layer networks are still operating at 1 Gigabit speeds. With the significant performance enhancements in Wi-Fi 6, the industry has a great opportunity to review and modernize the network ecosystem that wireless is deployed into. Sophos’ solution dissolves a common bottleneck at the physical layer and can boost the total network performance of a company’s Wi-Fi infrastructure.”

Sophos AP6 models – including the AP6 420E, AP6 840, AP6 840E and the outdoor AP6 420X – have at least one built-in 2.5 Gigabit interface for faster LAN connectivity.

When combined with the Sophos multi-Gigabit switches, which also support 2.5 Gigabit Ethernet, companies can unlock faster speeds across the entire network. With the AP6 420E and 840E devices, which support Wi-Fi 6E, companies can additionally use the 6 GHz band, which is a newer, less congested space, offering high performance for the latest devices. 

Sophos access points can be remotely managed in the cloud-based Sophos Central platform alongside a broader range of solutions than any other vendor.

This enables partners to oversee all customer installations, respond to alerts, and track licenses and upcoming renewal dates via a single, intuitive interface. Additionally, there is an on-premises interface administrators can take advantage of for on-AP settings.

Availability

The Sophos AP6 Series is available for immediate purchase exclusively through Sophos’ global channel of partners and managed service providers (MSPs). 
