![[The AI Show Episode 146]: Rise of “AI-First” Companies, AI Job Disruption, GPT-4o Update Gets Rolled Back, How Big Consulting Firms Use AI, and Meta AI App](https://www.marketingaiinstitute.com/hubfs/ep%20146%20cover.png)
.jpg?width=1920&height=1920&fit=bounds&quality=70&format=jpg&auto=webp#)
_Alexey_Kotelnikov_Alamy.jpg?width=1280&auto=webp&quality=80&disable=upscale#)
_Brian_Jackson_Alamy.jpg?width=1280&auto=webp&quality=80&disable=upscale#)
 Stolen 884,000 Credit Card Details on 13 Million Clicks from Users Worldwide.webp?#)
![Roku clarifies how ‘Pause Ads’ work amid issues with some HDR content [U]](https://i0.wp.com/9to5google.com/wp-content/uploads/sites/4/2025/05/roku-pause-ad-1.jpg?resize=1200%2C628&quality=82&strip=all&ssl=1)
![Look at this Chrome Dino figure and its adorable tiny boombox [Gallery]](https://i0.wp.com/9to5google.com/wp-content/uploads/sites/4/2025/05/chrome-dino-youtube-boombox-1.jpg?resize=1200%2C628&quality=82&strip=all&ssl=1)
![Apple Seeds visionOS 2.5 RC to Developers [Download]](https://www.iclarified.com/images/news/97240/97240/97240-640.jpg)
![Apple Seeds tvOS 18.5 RC to Developers [Download]](https://www.iclarified.com/images/news/97243/97243/97243-640.jpg)
SonicBoom Attack: Hackers Bypass Authentication and Gain Control
Originally published at ssojet Image courtesy of Cybersecurity News The SonicBoom attack chain, which allows remote attackers to bypass authentication and seize administrative control over enterprise appliances, has been identified as a critical threat. This multi-stage exploit primarily targets SonicWall Secure Mobile Access (SMA) and Commvault backup solutions by leveraging vulnerabilities such as CVE-2024-38475 and CVE-2023-44221. Attack Stages Stage 1: Authentication Bypass Attackers exploit endpoints that lack authentication checks. In the Commvault on-premise edition, sensitive functions can be accessed through the authSkipRules.xml file, allowing unauthenticated users to execute backend operations. Stage 2: SSRF and Arbitrary File Write Attackers send crafted POST requests to vulnerable endpoints, manipulating parameters to download files from their servers. This is possible due to improper sanitization of input, leading to SSRF vulnerabilities. The appliance fetches a malicious .jsp web shell, which is extracted into accessible directories. Image courtesy of Cybersecurity News Stage 3: Remote Code Execution (RCE) Once the malicious file is in place, attackers can execute it via direct HTTP requests, achieving remote code execution as a privileged service account. This grants full administrative access, enabling further internal network exploits. Image courtesy of Cybersecurity News The root cause of the SonicBoom attack is insufficient input validation and improper authentication enforcement within the affected systems. Affected Systems & Remediation Commvault: Versions 11.38.0 to 11.38.19 are vulnerable; patched in 11.38.20 and above. SonicWall SMA: Multiple CVEs have been exploited in the wild, allowing pre-authentication remote code execution and admin takeover. It is critical for organizations to update all appliances to the latest versions and monitor logs for potential exploitation attempts. Cookie-Bite Attack on Multi-Factor Authentication (MFA) Image courtesy of Cybersecurity News The "Cookie-Bite" attack allows cybercriminals to bypass multi-factor authentication (MFA) by leveraging stolen browser cookies. This attack specifically targets critical authentication cookies used by Azure Entra ID, enabling attackers to impersonate legitimate users without requiring credentials. Attack Methods Attackers utilize various strategies to steal authentication cookies: Adversary-in-the-Middle (AITM) attacks to intercept cookies in real-time. Browser memory dumping to extract cookies from active sessions. Malicious browser extensions that access cookies within the browser’s security context. Decrypting locally stored cookie databases. Researchers demonstrated how custom browser extensions can silently extract authentication cookies during user login to Microsoft’s authentication portal. Persistent Threat The Cookie-Bite attack is particularly dangerous because it does not require knowledge of the victim’s password. Once deployed, the malicious extension can continuously extract fresh authentication cookies, providing long-term unauthorized access even if passwords are changed. Organizations are urged to monitor user behavior patterns and implement measures such as Conditional Access Policies to enhance security. Importance of Secure Authentication Solutions Implementing a secure Single Sign-On (SSO) solution is crucial in mitigating risks associated with vulnerabilities like SonicBoom and Cookie-Bite. SSOJet offers an API-first platform that features directory synchronization, SAML, OIDC, and magic link authentication. By using SSOJet, organizations can streamline user management and enhance security. For enterprises looking to secure their authentication processes, SSOJet’s platform provides robust solutions tailored to meet the demands of modern IAM challenges. Explore our services or contact us at SSOJet to learn more about how we can help your organization implement secure SSO and user management.
Originally published at ssojet
Image courtesy of Cybersecurity News
The SonicBoom attack chain, which allows remote attackers to bypass authentication and seize administrative control over enterprise appliances, has been identified as a critical threat. This multi-stage exploit primarily targets SonicWall Secure Mobile Access (SMA) and Commvault backup solutions by leveraging vulnerabilities such as CVE-2024-38475 and CVE-2023-44221.
Attack Stages
Stage 1: Authentication Bypass
Attackers exploit endpoints that lack authentication checks. In the Commvault on-premise edition, sensitive functions can be accessed through the authSkipRules.xml file, allowing unauthenticated users to execute backend operations.
Stage 2: SSRF and Arbitrary File Write
Attackers send crafted POST requests to vulnerable endpoints, manipulating parameters to download files from their servers. This is possible due to improper sanitization of input, leading to SSRF vulnerabilities. The appliance fetches a malicious .jsp web shell, which is extracted into accessible directories.
Image courtesy of Cybersecurity News
Stage 3: Remote Code Execution (RCE)
Once the malicious file is in place, attackers can execute it via direct HTTP requests, achieving remote code execution as a privileged service account. This grants full administrative access, enabling further internal network exploits.
Image courtesy of Cybersecurity News
The root cause of the SonicBoom attack is insufficient input validation and improper authentication enforcement within the affected systems.
Affected Systems & Remediation
Commvault: Versions 11.38.0 to 11.38.19 are vulnerable; patched in 11.38.20 and above.
SonicWall SMA: Multiple CVEs have been exploited in the wild, allowing pre-authentication remote code execution and admin takeover. It is critical for organizations to update all appliances to the latest versions and monitor logs for potential exploitation attempts.
Cookie-Bite Attack on Multi-Factor Authentication (MFA)
Image courtesy of Cybersecurity News
The "Cookie-Bite" attack allows cybercriminals to bypass multi-factor authentication (MFA) by leveraging stolen browser cookies. This attack specifically targets critical authentication cookies used by Azure Entra ID, enabling attackers to impersonate legitimate users without requiring credentials.
Attack Methods
Attackers utilize various strategies to steal authentication cookies:
- Adversary-in-the-Middle (AITM) attacks to intercept cookies in real-time.
- Browser memory dumping to extract cookies from active sessions.
- Malicious browser extensions that access cookies within the browser’s security context.
- Decrypting locally stored cookie databases.
Researchers demonstrated how custom browser extensions can silently extract authentication cookies during user login to Microsoft’s authentication portal.
Persistent Threat
The Cookie-Bite attack is particularly dangerous because it does not require knowledge of the victim’s password. Once deployed, the malicious extension can continuously extract fresh authentication cookies, providing long-term unauthorized access even if passwords are changed.
Organizations are urged to monitor user behavior patterns and implement measures such as Conditional Access Policies to enhance security.
Importance of Secure Authentication Solutions
Implementing a secure Single Sign-On (SSO) solution is crucial in mitigating risks associated with vulnerabilities like SonicBoom and Cookie-Bite. SSOJet offers an API-first platform that features directory synchronization, SAML, OIDC, and magic link authentication. By using SSOJet, organizations can streamline user management and enhance security.
For enterprises looking to secure their authentication processes, SSOJet’s platform provides robust solutions tailored to meet the demands of modern IAM challenges. Explore our services or contact us at SSOJet to learn more about how we can help your organization implement secure SSO and user management.
