'Cookie Bite' Entra ID Attack Exposes Microsoft 365

A proof-of-concept (PoC) attack abuses two Microsoft Entra ID authentication cookies from within the victim's browser, giving threat actors persistent access to key cloud services, including Microsoft 365 applications.

Attackers could steal the two key authentication cookies used by Entra ID (formerly Azure AD) to bypass MFA and hijack legitimate user sessions, gaining persistent access to Entra ID-protected resources in Microsoft 365 such as Outlook and Teams. From there, they can conduct reconnaissance and attempt privilege escalation as the hijacked user, which can lead to a broader compromise of the tenant.

Researchers at Varonis Threat Labs identified the new attack vector, dubbed "Cookie Bite," which targets ESTSAUTH and ESTSAUTHPERSISTENT, two critical authentication cookies that Entra ID uses to maintain authenticated cloud sessions and grant access to cloud resources, they revealed in a report published today.

The technique affects the millions of organizations that rely on Entra ID for identity and access management across their cloud infrastructure, since a successful attack essentially gives threat actors a free pass into the environment, according to Mark Vaitsman, security research team leader at Varonis.

"Once the attacker successfully hijacks the session using the stolen cookie, they are free to do whatever they want with the account of the hijacked session," he tells Dark Reading.

The ultimate goal of attackers that gain access this way is usually to establish persistence, then use that as a base from which to exfiltrate data, launch cryptocurrency miners, move laterally in the organization, or abuse the impersonation of the hijacked session to perform attacks from inside the organization, Vaitsman says.

Entra ID Keys to the Kingdom

The proof-of-concept (PoC) Cookie Bite attack developed by the researchers focuses on the two aforementioned Entra ID session cookies. These cookies are essentially the "keys to the kingdom" for an authenticated user session: they carry a session credential that proves the user has recently authenticated and, if applicable, satisfied MFA requirements, according to the report.

ESTSAUTH is the primary Entra ID session cookie; it carries the user's session information to facilitate single sign-on (SSO). It is a transient session cookie, meaning it is valid for the length of the browser session and is discarded when the browser is closed.


ESTSAUTHPERSISTENT, meanwhile, is the persistent version of the Entra ID session cookie and also carries session information for SSO. Unlike ESTSAUTH, it is stored as a persistent cookie that survives the browser being closed; it is issued when the user accepts the "Stay signed in?" prompt at login, which is why a stolen copy keeps working across browser restarts.

To exploit these cookies, Varonis researchers created a PoC for a persistent cookie-stealer that extracts them from an active browser session and exfiltrates them each time the victim logs in to Microsoft's authentication portal, they said. The attack allows a threat actor to build a persistent cookie-stealer using only a browser extension and PowerShell automation.

The attack has four key components: a custom Chrome extension that monitors authentication events and captures the cookies; a PowerShell script that automates deployment of the extension and ensures it persists; an exfiltration mechanism that sends the captured cookies to an external collection point; and a complementary extension that injects the captured cookies into the attacker's browser so the stolen session can be used without further interaction.

According to Varonis, the technique is highly accessible to threat actors and also evasive, because it relies on a browser extension and a script rather than a conventional malware binary, making it harder to detect. It avoids system modifications by achieving persistence within the browser itself, and it allows for MFA bypass because the extension steals fresh session cookies every time the user logs in, so the attacker never has to satisfy an MFA challenge, the researchers said.


"This attack allows for the continuous extraction of session cookies," and thus persistent access to cloud services without requiring the user's credentials, according to the report.

"We did not contact Microsoft because this is not related to a new vulnerability," Vaitsman says. "Instead, we are the first to show in full detail how to steal the cookies, remain undetected, and gain control of cloud resources in Azure, bypassing CAP. We also show defenders how to detect it, and what is the possible, major impact."

Microsoft did not immediately respond to a request for comment on Cookie Bite, or say if it was aware of the possibility for exploit.

Many Hands in the "Cookie" Jar

Cookie Bite is yet another way for attackers to abuse Entra ID, which has already shown weaknesses in how it handles authentication that threat actors can exploit to compromise cloud environments. Typically, however, attackers need access to a legitimate or administrative account to do damage, and Varonis has shown that stealing legitimate session cookies provides exactly that. Indeed, stealing session cookies to bypass MFA and appear to be a legitimate user accessing cloud services has become an increasingly attractive attack vector for threat actors.

All of this means organizations that rely on cloud services, which is almost everyone these days, need to enforce stronger sign-in controls and continuously monitor for and detect abnormal user behavior, Vaitsman says.

One way to do this is to use sign-in risk detections (Microsoft Entra ID Protection) to flag unusual sign-ins and feed them into conditional access, he says. Another is to implement in-browser controls such as Chrome's ADMX-backed extension policies to enforce an allowlist of approved browser extensions.

This latter, little-used mitigation would block the deployment of Varonis' stealthy cookie-stealer and protect a user's session from theft, Vaitsman says. "Apparently, a relatively very small percentage of organizations do implement this step," he adds.
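The following PowerShell script is an added example written for this article; it is not code from Varonis or from the Cookie Bite report. It applies the extension allowlist the article recommends by writing the registry values behind Chrome's and Edge's ExtensionInstallAllowlist and ExtensionInstallBlocklist ADMX policies, and it hunts for extensions that were loaded outside the Web Store, the route a sideloaded cookie-stealer has to take. The extension ID in $ApprovedExtensions is a placeholder to replace with your own approved IDs; the assumption that the PoC loads its extension with --load-extension is mine, since the article only says the deployment is scripted with PowerShell.

```powershell
# Added example (not Varonis or Dark Reading code): enforce a browser extension
# allowlist through the registry-backed ADMX policies and hunt for extensions
# loaded outside the Web Store. Run in an elevated PowerShell on a Windows
# endpoint; browsers apply the policy on their next start.
[CmdletBinding()]
param(
    [string[]]$ApprovedExtensions = @(
        'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'   # placeholder ID, replace with approved extensions
    ),
    [switch]$Enforce
)

# Chrome and Edge read the same policy names from different hives.
$PolicyRoots = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
)

function Set-ExtensionAllowlist {
    param([string]$Root, [string[]]$AllowIds)
    # Rebuild both list keys so stale entries do not survive a policy change.
    foreach ($list in 'ExtensionInstallAllowlist', 'ExtensionInstallBlocklist') {
        $key = Join-Path $Root $list
        if (Test-Path $key) { Remove-Item -Path $key -Recurse -Force }
        New-Item -Path $key -Force | Out-Null
    }
    # Blocklist entry "*" denies every extension not explicitly allowlisted,
    # including unpacked ones loaded from disk.
    New-ItemProperty -Path (Join-Path $Root 'ExtensionInstallBlocklist') `
        -Name '1' -Value '*' -PropertyType String -Force | Out-Null
    $n = 1
    foreach ($id in $AllowIds) {
        New-ItemProperty -Path (Join-Path $Root 'ExtensionInstallAllowlist') `
            -Name "$n" -Value $id -PropertyType String -Force | Out-Null
        $n++
    }
}

function Get-SideloadedExtensions {
    # Web Store installs are recorded with a path relative to the profile's
    # Extensions folder; unpacked or command-line-loaded extensions keep an
    # absolute path, which makes them stand out in the preference files.
    $prefGlobs = @(
        'AppData\Local\Google\Chrome\User Data\*\Secure Preferences',
        'AppData\Local\Google\Chrome\User Data\*\Preferences',
        'AppData\Local\Microsoft\Edge\User Data\*\Secure Preferences',
        'AppData\Local\Microsoft\Edge\User Data\*\Preferences'
    )
    foreach ($user in Get-ChildItem -Path 'C:\Users' -Directory) {
        foreach ($glob in $prefGlobs) {
            $files = Get-ChildItem -Path (Join-Path $user.FullName $glob) -ErrorAction SilentlyContinue
            foreach ($file in $files) {
                try { $json = Get-Content -Path $file.FullName -Raw | ConvertFrom-Json }
                catch { continue }
                $settings = $json.extensions.settings
                if (-not $settings) { continue }
                foreach ($entry in $settings.PSObject.Properties) {
                    $path = $entry.Value.path
                    if ($path -and [System.IO.Path]::IsPathRooted($path)) {
                        [pscustomobject]@{
                            User    = $user.Name
                            Profile = $file.Directory.Name
                            Id      = $entry.Name
                            Path    = $path
                        }
                    }
                }
            }
        }
    }
}

function Get-CommandLineExtensionLoads {
    # A browser started with --load-extension=<dir> loads an unpacked extension
    # with no Web Store or policy install record, so the process command line
    # is the place it shows up (assumed here to be how a scripted loader works).
    Get-CimInstance -ClassName Win32_Process -Filter "Name='chrome.exe' OR Name='msedge.exe'" |
        Where-Object { $_.CommandLine -match '--load-extension=' } |
        ForEach-Object {
            [pscustomobject]@{
                ProcessId = $_.ProcessId
                Name      = $_.Name
                Extension = [regex]::Match($_.CommandLine, '--load-extension=("[^"]+"|\S+)').Groups[1].Value
            }
        }
}

foreach ($root in $PolicyRoots) {
    if ($Enforce) { Set-ExtensionAllowlist -Root $root -AllowIds $ApprovedExtensions }
    else { Write-Host "Dry run: would enforce the allowlist under $root (re-run with -Enforce)" }
}
Get-SideloadedExtensions      | Format-Table -AutoSize
Get-CommandLineExtensionLoads | Format-Table -AutoSize
```

Run it once without -Enforce to see which profiles already carry sideloaded extensions before the policy locks them out, then with -Enforce (or push the same values through Group Policy) on the managed fleet. The policy only governs browsers that honor the HKLM policy hive, so a user-installed portable Chromium build is out of scope and needs application control instead.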
