Project Hyphae

Microsoft Edge WebView2 manipulated for Theft of Cookies

As businesses and end users continue to adopt multi-factor authentication methods, threat actors and researchers alike have been hard at work developing new and clever techniques to bypass these security controls. Recent methods include zero-day website vulnerabilities, reverse proxies, browser-in-the-browser attacks, and manipulating VNC to display remote browsers locally.

The most recent of these methods, an executable called “WebView2-Cookie-Stealer,” has been created by cybersecurity researcher mr.d0x and can easily steal a user’s authentication cookies and log into stolen accounts, including accounts that are secured with MFA.

Microsoft Edge WebView2 allows a developer to embed a web browser, with full support for HTML, CSS, and JavaScript, directly into native apps using Microsoft Edge (Chromium) as the rendering engine. Using this technology, apps can load any website into a native application and have it appear exactly as it would if opened in Microsoft Edge. In the new attack, the executable opens the legitimate Microsoft login form inside the embedded WebView2 control and asks the victim to sign in. WebView2 also allows a developer to directly access cookies and inject JavaScript into the webpage loaded by the application, making it an excellent tool for threat actors to log keystrokes, steal authentication cookies and send them to a remote server. Loading the site with these stolen cookies in place authenticates the session automatically. Because the cookies are taken after the user has successfully authenticated with MFA, they bypass MFA secured by one-time passwords or security keys, and remain valid until the session expires or some other post-authentication check detects unusual behavior.

While this may all sound like doom and gloom, the attack still requires a successful social engineering attempt to fool a user into running a malicious executable. The advice for protecting yourself or your organization from this attack is the same as for countless other threats:
– Do not open attachments that are not explicitly trusted (particularly if they are executables).
– Scan all files downloaded from the internet.
– Lastly, do not enter your credentials into any application or website unless you are 100% sure that the request is legitimate.
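On the service side, the "post-authentication check" mentioned above is what limits the lifetime of a stolen cookie. The following is an added example (not code from this post or from the WebView2-Cookie-Stealer tool) of a minimal server-side session store that binds each session cookie to the client context seen at login and revokes the session when the same cookie is replayed from a different context; the IP and User-Agent signals and the 8-hour TTL are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example: a session store that ties each cookie to the client
# context observed at (MFA-backed) login, so a cookie replayed from another
# client is flagged and revoked instead of being silently accepted.

SESSION_TTL = 8 * 3600  # assumed: seconds a session stays valid after login


def context_fingerprint(ip: str, user_agent: str) -> str:
    """Hash of the client context observed when the session was created."""
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()


class SessionStore:
    def __init__(self, ttl: int = SESSION_TTL):
        self.ttl = ttl
        self._sessions = {}  # cookie value -> session record

    def create(self, user: str, ip: str, user_agent: str, now=None) -> str:
        """Issue a fresh session cookie after a successful login."""
        cookie = secrets.token_urlsafe(32)
        self._sessions[cookie] = {
            "user": user,
            "fp": context_fingerprint(ip, user_agent),
            "issued": now if now is not None else time.time(),
            "revoked": False,
        }
        return cookie

    def validate(self, cookie: str, ip: str, user_agent: str, now=None) -> str:
        """Return 'ok', 'unknown', 'revoked', 'expired' or 'context_mismatch'.

        A context mismatch revokes the session, so neither the thief nor the
        victim can keep using the replayed cookie until a new login happens.
        """
        rec = self._sessions.get(cookie)
        if rec is None:
            return "unknown"
        if rec["revoked"]:
            return "revoked"
        now = now if now is not None else time.time()
        if now - rec["issued"] > self.ttl:
            return "expired"
        if not hmac.compare_digest(rec["fp"], context_fingerprint(ip, user_agent)):
            rec["revoked"] = True  # force re-authentication (and MFA) for the user
            return "context_mismatch"
        return "ok"
```

Binding to the source IP produces false positives on mobile and VPN networks, so production systems usually combine several signals and step up to re-authentication rather than hard-revoking on the first mismatch.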
