How Malicious Hackers Are Trying to Bypass Multi-Factor Authentication


Microsoft has presented several measures to protect against token theft attacks that aim to circumvent the security of multi-factor authentication.

These types of attacks, so rare three years ago that they didn’t show up in statistics, are on the rise, Microsoft warns in a blog post.

Bypass multi-factor authentication

The reason is simple: more and more organizations have deployed multi-factor authentication, which has pushed attackers toward token theft as a way around it.

In these attacks, the attacker steals a token issued to a user who has already completed multi-factor authentication. The attacker then replays that token from another device to gain access without ever being challenged for a second factor.

Such tokens are central to Microsoft's identity platforms, Azure Active Directory (Azure AD) included: they are meant to make authentication easier and faster for users while remaining resistant to password attacks. Microsoft considers token theft dangerous for three reasons: it requires little technical skill, it is hard to detect, and, because the technique is relatively recent, few organizations have put countermeasures in place.

Also pay attention to “Pass-the-cookie”

Microsoft's detection and response team notes that an attacker who has obtained credentials and a token can reuse them across many attacks. As Microsoft points out, business email compromise is the leading cause of financial losses attributed to cybercrime.

Microsoft also warns against "pass-the-cookie" attacks, in which an attacker compromises a device and extracts the browser cookies created after a user authenticates to Azure AD from that browser. The attacker then imports the cookie into a browser on another system, where it passes the session checks without a new sign-in.

Recommendations

“Users who access corporate resources on personal devices are particularly at risk,” Microsoft warns. “These personal devices often have weaker security controls than company-managed devices, and IT staff don’t have visibility into these devices to determine if they’ve been compromised.”

Microsoft recommends shortening session and token lifetimes, even though this forces users to re-authenticate more often, because it narrows the window in which a stolen token remains usable. It also suggests applying conditional access policies to applications and giving administrators separate, cloud-only identities, both of which reduce the attack surface exposed to attackers.

Source: ZDNet.com