San Francisco, 8/21/2022
“Cookie theft” is among the latest trends in cybercrime that hackers are using to bypass credentials and access private databases, according to Sophos.
When companies want to protect their most sensitive data, two recommendations often top the list: either move data to cloud services or use multifactor authentication (MFA). However, hackers have figured out how to sniff and duplicate the cookies associated with credentials, hijacking the active or recent web sessions of programs that are not frequently updated.
These hackers are able to exploit several different online tools and services, including browsers, web-based applications, web services, malware-infected emails and ZIP files.
The most insidious aspect of this type of hacking is that cookies are so pervasive that they allow malicious users to access systems even when security protocols are in place. Sophos has found that the Emotet botnet is one such cookie-stealing malware that targets data in the Google Chrome browser, such as saved logins and payment card data, even though the browser supports encryption and multifactor authentication.
On a broader scale, cybercriminals can buy stolen cookie data, such as login credentials, on underground marketplaces. The login credentials for an Electronic Arts game developer ended up on a marketplace called Genesis, where they were reportedly bought by the extortion group Lapsus$. The group was able to replicate the credentials of EA employees and eventually gain access to the company’s networks, stealing 780 gigabytes of data. The group collected details of the games’ source code and the graphics engine, which it used to try to blackmail EA.
Similarly, Lapsus$ hacked Nvidia’s databases in March. According to reports, the breach may have exposed the credentials of more than 70,000 employees, in addition to 1TB of the company’s data, including schematics, drivers and firmware details. However, there is no information on whether the hack was due to cookie theft.
Cookie theft is also an easy route into software-as-a-service products such as Amazon Web Services (AWS), Azure or Slack. These attacks can start with hackers already having easy access, or with enticing users to download malware or share sensitive information. Such services tend to stay open and run persistently, which means their cookies don’t expire often enough for their logs to be security-relevant.
Sophos points out that users can periodically delete their cookies to maintain a better log; however, this means they have to re-authenticate each time.
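The last two paragraphs describe the underlying weakness (session cookies that stay valid for too long) and the user-side remedy (deleting cookies and re-authenticating). The same remedy can be enforced on the server, so a copied cookie stops working without relying on users. The example below is added here for illustration; it is not code from Sophos or from the article. It assumes a server-side session table keyed by an opaque cookie value, a hypothetical policy of an 8-hour absolute lifetime and a 30-minute idle timeout, and a hypothetical binding of each session to a hash of the client’s user agent and IP so that a cookie replayed from another machine is revoked rather than accepted.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed policy values for this example; a real deployment tunes them per application.
ABSOLUTE_LIFETIME = 8 * 3600   # force re-authentication after 8 hours, whatever the activity
IDLE_TIMEOUT = 30 * 60         # expire a session after 30 minutes without a request


@dataclass
class Session:
    user: str
    client_fp: str     # fingerprint of the client that logged in
    created: float     # login time
    last_seen: float   # time of the most recent validated request


def client_fingerprint(user_agent: str, client_ip: str) -> str:
    """Hash of the client attributes a session is bound to (hypothetical choice: UA + IP)."""
    return hashlib.sha256(f"{user_agent}|{client_ip}".encode()).hexdigest()


class SessionStore:
    """Server-side session table: the cookie carries only an opaque, random id."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be exercised in tests
        self._sessions: dict[str, Session] = {}

    def create(self, user: str, client_fp: str) -> str:
        sid = secrets.token_urlsafe(32)   # 256 bits of randomness: unguessable id
        t = self._now()
        self._sessions[sid] = Session(user, client_fp, t, t)
        return sid

    def validate(self, sid: str, client_fp: str) -> tuple[str | None, str]:
        """Return (user, "ok") for a live session, else (None, reason) and drop the session."""
        s = self._sessions.get(sid)
        if s is None:
            return None, "unknown"
        t = self._now()
        if t - s.created > ABSOLUTE_LIFETIME:
            self._sessions.pop(sid)
            return None, "absolute-expired"
        if t - s.last_seen > IDLE_TIMEOUT:
            self._sessions.pop(sid)
            return None, "idle-expired"
        if not hmac.compare_digest(s.client_fp, client_fp):
            # The same cookie presented from a different client: treat it as a replay,
            # revoke it, and let the caller log the event for investigation.
            self._sessions.pop(sid)
            return None, "client-mismatch"
        s.last_seen = t
        return s.user, "ok"

    def revoke_user(self, user: str) -> int:
        """Invalidate every session of a user, e.g. after a suspected cookie theft."""
        doomed = [sid for sid, s in self._sessions.items() if s.user == user]
        for sid in doomed:
            self._sessions.pop(sid)
        return len(doomed)


def set_cookie_header(sid: str) -> str:
    """Cookie attributes that limit what a stolen copy is worth: no script access,
    HTTPS only, not sent on cross-site requests, and a short browser-side lifetime."""
    return (f"Set-Cookie: sid={sid}; Max-Age={IDLE_TIMEOUT}; Path=/; "
            "Secure; HttpOnly; SameSite=Strict")


if __name__ == "__main__":
    store = SessionStore()
    fp = client_fingerprint("Mozilla/5.0 (constructed)", "203.0.113.5")
    sid = store.create("alice", fp)
    print(set_cookie_header(sid))
    print(store.validate(sid, fp))
    # The same cookie replayed from another machine (constructed fingerprint).
    print(store.validate(sid, client_fingerprint("curl/8.0 (constructed)", "198.51.100.7")))
```

Binding a session to the client IP is a trade-off: it catches a cookie replayed from an attacker’s machine, but it also logs out mobile users whose address changes, so many deployments bind only to a coarser attribute or alert instead of revoking. The absolute lifetime is the part that matters most against the long-lived SaaS sessions the article describes, because it caps how long any copied cookie can be used regardless of activity.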