A new proof-of-concept attacks has been disclosed to the public. This time, it relies on a Chrome extension to steal browser session cookies and bypass multi-factor authentication.
The Cookie-Bite attack consists of a malicious Chrome extension that acts as an infostealer, targeting the ‘ESTAUTH’ and ‘ESTSAUTHPERSISTNT’ cookies in Azure Entra ID, Microsoft’s cloud-based identity and access management (IAM) service.
ESTAUTH is a transient session token that indicates that the user is authenticated and has completed MFA. It remains valid for the browser session for up to 24 hours and expires when the app is closed.
ESTSAUTHPERSISTENT is the persistent version of the session cookie created when users opt to “Stay signed in” or when Azure applies the KMSI policy, keeping it valid for up to 90 days.
It should be noted that while this extension was created to target Microsoft session cookies, it can be modified to target other services, including Google, Okta, and AWS cookies.
Varonis’ malicious Chrome extension contains logic to monitor the victim’s login events, listening for tab updates that match Microsoft login URLs.
When a login occurs, it reads all cookies scoped to ‘login.microsoftonline.com,’ applies filtering to extract the two mentioned tokens, and exfiltrates the cookie JSON data to the attacker via a Google Form.
“After packing the extension into a CRX file and uploading it to VirusTotal, the result shows that no security vendors currently detect it as malicious,” warned Varonis.
Once a cookie is stolen, the attackers inject it into the browser like any other stolen cookie. This can be done through tools like the legitimate Cookie-Editor Chrome extension, which allows the threat actor to import the stolen cookies into their browser under ‘login.microsoftonline.com.’After refreshing the page, Azure treats the attacker’s session as fully authenticated, bypassing MFA and giving the attacker the same level of access as the victim.