Many ZTNA, MFA Tools Offer Little Protection Against Cookie Session Hijacking Attacks

Many of the tools that organizations are deploying to isolate Internet traffic from the internal network — such as multifactor authentication, zero-trust network access, SSO, and identity provider services — do little to protect against cookie theft, reuse, and session hijacking attacks.

Attackers in fact have a way to bypass all these technologies and services relatively easily because they often lack proper cookie session validation mechanisms, researchers from Israeli startup Mesh Security said this week.

The researchers recently examined technologies from Okta, Slack, Monday, GitHub, and dozens of other companies to see what protection they offered against attackers using stolen session cookies to take over accounts, impersonate legitimate users, and move laterally in compromised environments.

The analysis showed that a threat actor who manages to steal the cookies of an authenticated user and hijack their sessions could bypass all MFA checkpoints and other access controls offered by these vendors. It found that even in environments that had deployed MFA and ZTNA approaches, an attacker with stolen session cookies could access privileged accounts, SaaS applications, and sensitive data and workloads.

With Okta, for instance, Mesh security researchers discovered that if an adversary could steal the session cookies of a user logged into their Okta account, they could use it to log into the same account from a different browser and location. Mesh found the attacker could access any of the resources that the user was authorized to access via their Okta account. "Surprisingly, although these attempts are expected to be blocked, the technique allows the attacker to bypass active MFA mechanisms since the session has already been verified," Mesh said in a report summarizing its findings.

Not Directly Responsible?

Okta described such attacks as an issue for which it was not directly responsible. "As a web application, Okta relies on the security of the browser and operating system environment to protect against endpoint attacks such as malicious browser plugins or cookie stealing," Mesh quoted Okta as saying. Most of the other vendors that Mesh contacted about the issue similarly distanced themselves from any responsibility for cookie theft, reuse, and session-hijacking attacks, says Netanel Azoulay, co-founder and CEO of Mesh Security.

"We believe that this issue is the complete responsibility of the vendors on our list — including IdP and ZTNA solutions," Azoulay insists. "Every vendor who intensively promotes the 'verify explicitly' principle should embed it in their own system. The whole idea of Zero Trust is to always verify every single digital interaction explicitly and never to trust."

Cookie theft and session hijacking are well-known issues and an attack vector that many threat actors — including advanced persistent threat actors such as APT29 — use routinely in their campaigns. Common tactics for stealing session cookies include phishing campaigns, browsing traps, and malware such as CookieMiner, Evilnum, and QakBot.

Attackers often use stolen session cookies to access Web applications and services as an authenticated user and have access until the sessions time out — something that can happen within several hours or several days.

A Growing Concern

Azoulay says the issue is important because organizations are increasingly moving from a perimeter-centric security approach to a more identity-driven model. Organizations such as Okta and other ZTNA vendors have become the hubs that connect employees and resources, including SaaS apps, IaaS workloads, and data, via customized browser-based portals. These systems serve as the core network of enterprises these days and provide a one-to-many access mechanism for attackers, he says.

"Organizations are investing massive budgets and efforts to isolate Internet traffic from their internal network by implementing security solutions such as IdP, SSO, MFA, and ZTNA," Azoulay says.

"A threat actor can potentially bypass this entire expensive mechanism and control measures to reach an organization’s crown jewels with a click of a button," he says. "The current mitigation techniques aren't designed to address it."

In its response to Mesh's analysis, Okta recommended that admins clear a user's sessions in the user interface or via its API. The company also noted that session time-out is configurable — from as little as 1 minute to 90 days. Once a session has expired, any copied sessions would also expire, the company noted. Okta also highlighted steps that organizations can take to minimize risk from stolen session cookies. For downstream applications, for instance, Okta administrators can require additional sign-on policies — including MFA. Similarly, tying a session to a registered or a managed device would minimize the risk of a rogue session being established from another devices, Okta said.