https://community.isc2.org/t5/Threats/Cookies-under-attack-by-hackers-especially-against-2FA/m-p/52599#M615 <P>Is this not just "session hijacking", for which the defenses have been known for years .... validate the source-IP or client-cert at the start of each connection within the session; be on the lookout for unrelated simultaneous use, limit session length, etc.</P> Sun, 21 Aug 2022 16:19:14 GMT denbesten 2022-08-21T16:19:14Z https://community.isc2.org/t5/Threats/Cookies-under-attack-by-hackers-especially-against-2FA/m-p/52576#M613 <P>Hi All</P><P>&nbsp;</P><P>It appears that hackers have found a way to get around 2FA systems, through the use of Cookies in particular environments.</P><P>&nbsp;</P><P><A href="https://www-digitaltrends-com.cdn.ampproject.org/c/s/www.digitaltrends.com/computing/hackers-are-using-cookies-to-sidestep-two-factor-authentication/?amp" target="_blank" rel="noopener">https://www-digitaltrends-com.cdn.ampproject.org/c/s/www.digitaltrends.com/computing/hackers-are-using-cookies-to-sidestep-two-factor-authentication/?amp</A></P><P>&nbsp;</P><P>Here is the Sophos reference link:&nbsp;</P><P>&nbsp;</P><P><A href="https://news.sophos.com/en-us/2022/08/18/cookie-stealing-the-new-perimeter-bypass/" target="_blank">https://news.sophos.com/en-us/2022/08/18/cookie-stealing-the-new-perimeter-bypass/</A></P><P>&nbsp;</P><P>Is it viable or true?</P><P>&nbsp;</P><P>Regards</P><P>&nbsp;</P><P>Caute_Cautim</P> Mon, 09 Oct 2023 10:17:03 GMT https://community.isc2.org/t5/Threats/Cookies-under-attack-by-hackers-especially-against-2FA/m-p/52576#M613 Caute_cautim 2023-10-09T10:17:03Z https://community.isc2.org/t5/Threats/Cookies-under-attack-by-hackers-especially-against-2FA/m-p/52597#M614 <P>As always, the answer is "it depends".</P><P>&nbsp;</P><P>Cookies could be stolen en reused, but not always.</P><P>The reuse of Cookies might side-step MFA, but not always.</P><P>&nbsp;</P><P>Framing it as all cookies can be stolen, reused, and in those cases MFA can always be side-stepped is completely wrong.</P><P>&nbsp;</P><P>I'll come back to this when and if I have time to elaborate but for well-known services like O365, Google, AWS, etc. I'd say the claim is false. Most likely the examples relate to cookies for legacy systems that don't use current ways of authenticating users and provide pathways to MFA circumvention by default.&nbsp;</P> Sun, 21 Aug 2022 12:56:53 GMT https://community.isc2.org/t5/Threats/Cookies-under-attack-by-hackers-especially-against-2FA/m-p/52597#M614 wimremes 2022-08-21T12:56:53Z https://community.isc2.org/t5/Threats/Cookies-under-attack-by-hackers-especially-against-2FA/m-p/52599#M615 <P>Is this not just "session hijacking", for which the defenses have been known for years .... validate the source-IP or client-cert at the start of each connection within the session; be on the lookout for unrelated simultaneous use, limit session length, etc.</P> Sun, 21 Aug 2022 16:19:14 GMT https://community.isc2.org/t5/Threats/Cookies-under-attack-by-hackers-especially-against-2FA/m-p/52599#M615 denbesten 2022-08-21T16:19:14Z https://community.isc2.org/t5/Threats/Cookies-under-attack-by-hackers-especially-against-2FA/m-p/52601#M616 <BLOCKQUOTE><HR /><a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/311867713">@denbesten</a>&nbsp;wrote:<BR /><P>Is this not just "session hijacking", for which the defenses have been known for years .... validate the source-IP or client-cert at the start of each connection within the session; be on the lookout for unrelated simultaneous use, limit session length, etc.</P><HR /></BLOCKQUOTE><P>yes <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> but not if you're Sophos and you need to scare part time IT people at SMBs into forking over money for the illusion of protection.</P> Sun, 21 Aug 2022 20:02:58 GMT https://community.isc2.org/t5/Threats/Cookies-under-attack-by-hackers-especially-against-2FA/m-p/52601#M616 wimremes 2022-08-21T20:02:58Z