A groundbreaking new cyber attack method, dubbed "Cookie-Bite," has been uncovered, and it’s causing alarm within the cybersecurity community. This proof-of-concept (PoC) attack, developed by security researchers at Varonis, uses a malicious Chrome browser extension to steal session cookies and bypass Multi-Factor Authentication (MFA) protections. Once successful, the attackers gain persistent access to sensitive cloud services such as Microsoft 365, Outlook, and Teams, opening the door to a variety of security risks.
While stealing session cookies is not a new concept, the introduction of a stealthy Chrome extension that can infiltrate cloud environments like Azure Entra ID is a new and concerning twist in the world of cybersecurity.
The Cookie-Bite attack revolves around the exploitation of session cookies, specifically targeting the "ESTSAUTH" and "ESTSAUTHPERSISTENT" cookies in Azure Entra ID, Microsoft’s cloud identity and access management service.
ESTSAUTH: This is a transient session token that confirms the user has completed MFA and remains valid for up to 24 hours. It expires once the browser session ends.
ESTSAUTHPERSISTENT: This cookie remains valid for up to 90 days and is used when users opt to stay signed in or when Azure applies its Keep Me Signed In (KMSI) policy.
What makes this attack particularly concerning is that it pairs a custom malicious Chrome extension, which monitors login events and steals these session tokens, with a legitimate one that replays them. Once the attacker has obtained the tokens, they can inject them into their own browser and bypass MFA protections to gain access to the victim's cloud-based services.
The process begins when the malicious Chrome extension listens for login events that match Microsoft login URLs. Upon detecting such an event, the extension reads all cookies set for 'login.microsoftonline.com' and extracts the two crucial tokens: ESTSAUTH and ESTSAUTHPERSISTENT.
The stolen cookie data is then exfiltrated to the attacker via a Google Form. Remarkably, even after uploading the extension to VirusTotal—a popular malware scanning service—Varonis found that no security vendors flagged the extension as malicious. This highlights the stealthy nature of the attack, making it even harder to detect.
Once the session cookies are stolen, the attackers inject them into their own browser session. This is done using legitimate tools like the Cookie-Editor Chrome extension, which allows the attacker to import the stolen cookies directly into their browser under the same login session used by the victim.
After refreshing the page, Azure treats the attacker’s session as fully authenticated, bypassing MFA and granting the attacker the same level of access as the legitimate user. From here, the attacker can wreak havoc on the victim’s cloud-based services:
Microsoft Teams: Access chats, send messages, and more.
Outlook Web: Read, download, or send emails.
Graph Explorer: Enumerate users, roles, and devices.
Privilege Escalation: Further attacks, such as unauthorized app registrations, can be launched using tools like TokenSmith, ROADtools, and AADInternals.
This gives the attacker a wide range of capabilities that could lead to further exploitation of the network, escalating the damage caused.
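The replay described above leaves a trace in the sign-in telemetry: a session that satisfied MFA from one IP address and browser is later used, without a fresh MFA event, from a different IP address or client. The script below is an added example, not code from the article or from Varonis. It runs over a handful of constructed sign-in records; in practice the records would come from an Entra sign-in log export (for instance via Get-MgAuditLogSignIn from the Microsoft.Graph.Reports module), and the field names used here (User, SessionId, Ip, UserAgent, MfaSatisfied, RiskState) are an assumed simplification that you would map onto the export's own columns.

```powershell
# Added example (not from the article or Varonis): flag sign-in records where an
# MFA-backed session is reused from a different IP address or client than the one
# that completed MFA, the pattern a replayed session cookie produces.
# The records are constructed for the example; the field names are an assumed
# simplification of an Entra sign-in log export.

$SignIns = @(
    [pscustomobject]@{ Time='2025-04-22T08:01:00Z'; User='alice@contoso.example'; SessionId='sess-1'; Ip='203.0.113.10';  UserAgent='Mozilla/5.0 (Windows NT 10.0) Chrome/124';   MfaSatisfied=$true;  RiskState='none' }
    [pscustomobject]@{ Time='2025-04-22T08:05:00Z'; User='alice@contoso.example'; SessionId='sess-1'; Ip='203.0.113.10';  UserAgent='Mozilla/5.0 (Windows NT 10.0) Chrome/124';   MfaSatisfied=$false; RiskState='none' }
    [pscustomobject]@{ Time='2025-04-22T09:30:00Z'; User='alice@contoso.example'; SessionId='sess-1'; Ip='198.51.100.77'; UserAgent='Mozilla/5.0 (X11; Linux x86_64) Chrome/124'; MfaSatisfied=$false; RiskState='atRisk' }
    [pscustomobject]@{ Time='2025-04-22T09:40:00Z'; User='bob@contoso.example';   SessionId='sess-2'; Ip='203.0.113.22';  UserAgent='Mozilla/5.0 (Windows NT 10.0) Chrome/124';   MfaSatisfied=$true;  RiskState='none' }
)

function Find-ReplayedSessions {
    param([object[]]$Records)

    # One authenticated session is identified by user + session id.
    $Records | Group-Object -Property User, SessionId | ForEach-Object {
        $events = $_.Group | Sort-Object Time

        # The record that satisfied MFA anchors the legitimate IP and client.
        $anchor = $events | Where-Object MfaSatisfied | Select-Object -First 1
        if (-not $anchor) { return }

        # Any later use of the same session without MFA from another IP or
        # user agent is reported; same-IP, same-client reuse is normal browsing.
        $events | Where-Object {
            -not $_.MfaSatisfied -and ($_.Ip -ne $anchor.Ip -or $_.UserAgent -ne $anchor.UserAgent)
        } | ForEach-Object {
            [pscustomobject]@{
                User       = $_.User
                SessionId  = $_.SessionId
                Time       = $_.Time
                MfaIp      = $anchor.Ip
                ReuseIp    = $_.Ip
                ReuseAgent = $_.UserAgent
                RiskState  = $_.RiskState
                Reason     = 'MFA-backed session reused from a different IP or client'
            }
        }
    }
}

# With the constructed records, only alice's 09:30 sign-in from 198.51.100.77 is reported.
Find-ReplayedSessions -Records $SignIns | Format-Table -AutoSize
```

The check deliberately keys on the session rather than on the user, so a user who legitimately signs in from two devices (two sessions, each with its own MFA event) is not flagged. Where a hit is confirmed, revoking the user's sessions (Revoke-MgUserSignInSession in the Microsoft Graph PowerShell module) invalidates the stolen cookie regardless of its remaining lifetime, which matters most for the 90-day ESTSAUTHPERSISTENT token.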
While this attack is certainly concerning, there are steps you can take to mitigate the risks and protect your cloud-based services from the Cookie-Bite attack:
Monitor Abnormal Sign-ins: Microsoft flagged certain login attempts from the researchers’ demonstration as "atRisk," due to the use of a VPN. Monitoring for suspicious or abnormal login attempts can help detect and prevent these types of attacks.
Enforce Conditional Access Policies (CAP): By setting CAP policies, you can limit login attempts to specific IP ranges or devices. This makes it harder for attackers to gain access from unauthorized sources.
Restrict Chrome Extensions: Implementing Chrome ADMX policies that only allow pre-approved extensions to run can prevent unauthorized extensions from being used in your browser. Additionally, blocking Developer Mode entirely prevents attackers from re-injecting the malicious extension via PowerShell scripts.
Limit Developer Mode Access: If your organization uses Chrome, restricting access to Developer Mode in Chrome can prevent attackers from using developer tools to load malicious extensions, like in this attack scenario.
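The two extension-related mitigations above map directly onto Chrome's managed policies, which on Windows live under the registry key that the Chrome ADMX templates write to. The script below is an added example, not from the article or Varonis, showing one way to apply them to a single machine from an elevated PowerShell session; the extension IDs in the allow list are placeholders that you would replace with the IDs your organization has reviewed, and the ExtensionDeveloperModeSettings policy is assumed to be available (it applies to Chrome 128 and later).

```powershell
# Added example (not from the article or Varonis): apply the Chrome extension
# allow-list and Developer Mode restrictions via the registry keys that the
# Chrome ADMX templates map to. Run elevated; Chrome reads the keys on next launch.

$ChromePolicy = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

# Placeholder extension IDs (constructed, 32 characters a-p); substitute reviewed ones.
$ApprovedExtensions = @(
    'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa',
    'bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb'
)

function Set-ChromeListPolicy {
    # Chrome stores list-valued policies as a subkey whose values are named "1", "2", ...
    param([string]$Name, [string[]]$Items)
    $key = Join-Path $ChromePolicy $Name
    if (Test-Path $key) { Remove-Item $key -Recurse -Force }   # replace, do not append
    New-Item $key -Force | Out-Null
    for ($i = 0; $i -lt $Items.Count; $i++) {
        New-ItemProperty -Path $key -Name "$($i + 1)" -Value $Items[$i] -PropertyType String -Force | Out-Null
    }
}

New-Item $ChromePolicy -Force | Out-Null

# 1. Block every extension, then allow only the reviewed ones. The allow list takes
#    precedence over the "*" block entry, so unlisted extensions cannot be installed
#    or loaded unpacked.
Set-ChromeListPolicy -Name 'ExtensionInstallBlocklist' -Items @('*')
Set-ChromeListPolicy -Name 'ExtensionInstallAllowlist' -Items $ApprovedExtensions

# 2. Disable DevTools (DeveloperToolsAvailability: 2 = disallowed) and the
#    Developer mode toggle on chrome://extensions
#    (ExtensionDeveloperModeSettings: 1 = DeveloperModeDisallowed, Chrome 128+).
New-ItemProperty -Path $ChromePolicy -Name 'DeveloperToolsAvailability'     -Value 2 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $ChromePolicy -Name 'ExtensionDeveloperModeSettings' -Value 1 -PropertyType DWord -Force | Out-Null

# Verify what was written; chrome://policy on the client shows the same values once applied.
Get-ItemProperty -Path $ChromePolicy | Select-Object DeveloperToolsAvailability, ExtensionDeveloperModeSettings
Get-ItemProperty -Path (Join-Path $ChromePolicy 'ExtensionInstallBlocklist')
Get-ItemProperty -Path (Join-Path $ChromePolicy 'ExtensionInstallAllowlist')
```

For a fleet, the same values are set centrally through the ADMX templates in Group Policy or through Chrome Browser Cloud Management rather than per machine; the registry script is useful for a lab or for confirming what the policy objects actually write. Note that the block-everything entry also stops an already-installed unapproved extension from running, which is the behaviour needed against an extension that is re-injected after the first removal.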
The Cookie-Bite attack underscores the increasing sophistication of cybercriminals. Traditional methods of stealing credentials and bypassing MFA protections may not be enough in the face of such stealthy attacks. It’s important for both individuals and organizations to stay vigilant and proactive when it comes to cybersecurity practices.
Cybersecurity professionals must be particularly aware of how browser extensions can be exploited in attacks like this. The ability to use PowerShell scripts to automate the re-injection of the malicious extension and gain persistent access shows how modern attackers can operate quietly, without raising red flags. As always, keeping systems up to date and educating employees on the risks of installing unapproved software or extensions is essential.
The Cookie-Bite attack highlights the growing need for advanced protective measures and security awareness when it comes to cloud services and browser extensions. As the threat landscape continues to evolve, it’s crucial to stay informed about new attack methods and implement the necessary tools and policies to safeguard your online identity and critical data. By enforcing stricter access policies and monitoring for suspicious activity, you can better protect yourself from attacks like Cookie-Bite and reduce your risk of falling victim to sophisticated cyber threats.