Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Steal Web Session Cookie

An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website. Cookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Additionally, other applications on the targets machine might store sensitive authentication cookies in memory (e.g. apps which authenticate to cloud services). Session cookies can be used to bypasses some multi-factor authentication protocols.(Citation: Pass The Cookie) There are several examples of malware targeting cookies from web browsers on the local system.(Citation: Kaspersky TajMahal April 2019)(Citation: Unit 42 Mac Crypto Cookies January 2019) Adversaries may also steal cookies by injecting malicious JavaScript content into websites or relying on User Execution by tricking victims into running malicious JavaScript in their browser.(Citation: Talos Roblox Scam 2023)(Citation: Krebs Discord Bookmarks 2023) There are also open source frameworks such as `Evilginx2` and `Muraena` that can gather session cookies through a malicious proxy (e.g., Adversary-in-the-Middle) that can be set up by an adversary and used in phishing campaigns.(Citation: Github evilginx2)(Citation: GitHub Mauraena) After an adversary acquires a valid cookie, they can then perform a Web Session Cookie technique to login to the corresponding web application.

ID: T1539
Tactic(s): Credential Access
Platforms: Linux, macOS, Office Suite, SaaS, Windows
Data Sources: File: File Access, Process: Process Access
Version: 1.4
Created: 08 Oct 2019
Last Modified: 14 Oct 2024

Procedure Examples

Name Description
LuminousMoth

LuminousMoth has used an unnamed post-exploitation tool to steal cookies from the Chrome browser.(Citation: Kaspersky LuminousMoth July 2021)

Sandworm Team

Sandworm Team used information stealer malware to collect browser session cookies.(Citation: Leonard TAG 2023)

Grandoreiro

Grandoreiro can steal the victim's cookies to use for duplicating the active session from another device.(Citation: IBM Grandoreiro April 2020)

Scattered Spider

Scattered Spider retrieves browser cookies via Raccoon Stealer.(Citation: CISA Scattered Spider Advisory November 2023)

Evilnum

Evilnum can steal cookies and session information from browsers.(Citation: ESET EvilNum July 2020)

CookieMiner

CookieMiner can steal Google Chrome and Apple Safari browser cookies from the victim’s machine. (Citation: Unit42 CookieMiner Jan 2019)

Star Blizzard

Star Blizzard has used EvilGinx to steal the session cookies of victims directed to phishing domains.(Citation: CISA Star Blizzard Advisory December 2023)

Spica

Spica has the ability to steal cookies from Chrome, Firefox, Opera, and Edge browsers.(Citation: Google TAG COLDRIVER January 2024)

QakBot

QakBot has the ability to capture web session cookies.(Citation: Kroll Qakbot June 2020)(Citation: Kaspersky QakBot September 2021)

EVILNUM

EVILNUM can harvest cookies and upload them to the C2 server.(Citation: Prevailion EvilNum May 2020)

Chaes

Chaes has used a script that extracts the web session cookie and sends it to the C2 server.(Citation: Cybereason Chaes Nov 2020)

BLUELIGHT

BLUELIGHT can harvest cookies from Internet Explorer, Edge, Chrome, and Naver Whale browsers.(Citation: Volexity InkySquid BLUELIGHT August 2021)

During the SolarWinds Compromise, APT29 stole Chrome browser cookies by copying the Chrome profile directories of targeted users.(Citation: CrowdStrike StellarParticle January 2022)

MgBot

MgBot includes modules that can steal cookies from Firefox, Chrome, and Edge web browsers.(Citation: ESET EvasivePanda 2023)

XCSSET

XCSSET uses scp to access the ~/Library/Cookies/Cookies.binarycookies file.(Citation: trendmicro xcsset xcode project 2020)

TajMahal

TajMahal has the ability to steal web session cookies from Internet Explorer, Netscape Navigator, FireFox and RealNetworks applications.(Citation: Kaspersky TajMahal April 2019)

APT29

APT29 has stolen Chrome browser cookies by copying the Chrome profile directories of targeted users.(Citation: CrowdStrike StellarParticle January 2022)

Raccoon Stealer

Raccoon Stealer attempts to steal cookies and related information in browser history.(Citation: Sekoia Raccoon2 2022)

Mitigations

Mitigation Description
Audit

Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.

Software Configuration

Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.

Restrict Web-Based Content

Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.

Multi-factor Authentication

Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.

Update Software

Perform regular software updates to mitigate exploitation risk.

User Training

Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.

Detection

Monitor for attempts to access files and repositories on a local system that are used to store browser session cookies. Monitor for attempts by programs to inject into or dump browser process memory.

References

  1. CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.
  2. Tiago Pereira. (2023, November 2). Attackers use JavaScript URLs, API forms and more to scam users in popular online game “Roblox”. Retrieved January 2, 2024.
  3. Rehberger, J. (2018, December). Pivot to the Cloud using Pass the Cookie. Retrieved April 5, 2019.
  4. Orrù, M., Trotta, G.. (2019, September 11). Muraena. Retrieved October 14, 2019.
  5. Gretzky, Kuba. (2019, April 10). Retrieved October 8, 2019.
  6. GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019.
  7. Chen, Y., Hu, W., Xu, Z., et. al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved October 14, 2019.
  8. Brian Krebs. (2023, May 30). Discord Admins Hacked by Malicious Bookmarks. Retrieved January 2, 2024.
  9. Lechtik, M, and etl. (2021, July 14). LuminousMoth APT: Sweeping attacks for the chosen few. Retrieved October 20, 2022.
  10. Billy Leonard. (2023, April 19). Ukraine remains Russia’s biggest cyber focus in 2023. Retrieved March 1, 2024.
  11. Abramov, D. (2020, April 13). Grandoreiro Malware Now Targeting Banks in Spain. Retrieved November 12, 2020.
  12. OWASP CheatSheets Series Team. (n.d.). Session Management Cheat Sheet. Retrieved December 26, 2023.
  13. Microsoft Incident Response. (2022, November 16). Token tactics: How to prevent, detect, and respond to cloud token theft. Retrieved December 26, 2023.
  14. CISA. (2023, November 16). Cybersecurity Advisory: Scattered Spider (AA23-320A). Retrieved March 18, 2024.
  15. Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021.
  16. Chen, y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved July 22, 2020.
  17. CISA, et al. (2023, December 7). Russian FSB Cyber Actor Star Blizzard Continues Worldwide Spear-phishing Campaigns. Retrieved June 13, 2024.
  18. Shields, W. (2024, January 18). Russian threat group COLDRIVER expands its targeting of Western officials to include the use of malware. Retrieved June 13, 2024.
  19. Gretzky, K.. (2018, July 26). Evilginx 2 - Next Generation of Phishing 2FA Tokens. Retrieved October 14, 2019.
  20. Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.
  21. Sette, N. et al. (2020, June 4). Qakbot Malware Now Exfiltrating Emails for Sophisticated Thread Hijacking Attacks. Retrieved September 27, 2021.
  22. Adamitis, D. (2020, May 6). Phantom in the Command Shell. Retrieved December 22, 2021.
  23. Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021.
  24. Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021.
  25. Facundo Muñoz. (2023, April 26). Evasive Panda APT group delivers malware via updates for popular Chinese software. Retrieved July 25, 2024.
  26. Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021.
  27. Pierre Le Bourhis, Quentin Bourgue, & Sekoia TDR. (2022, June 29). Raccoon Stealer v2 - Part 2: In-depth analysis. Retrieved August 1, 2024.

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.