Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label token replay. Show all posts

Session Hijacking Surges: Attackers Exploit MFA Gaps with Modern Tactics

 

As multi-factor authentication (MFA) becomes more common, attackers are increasingly resorting to session hijacking. Evidence from 2023 shows this trend: Microsoft detected 147,000 token replay attacks, marking a 111% increase year-over-year. Google reports that attacks on session cookies now rival traditional password-based threats.

Session hijacking has evolved from old Man-in-the-Middle (MitM) attacks, which relied on intercepting unsecured network traffic. Today, these attacks are internet-based, focusing on cloud apps and services. Modern session hijacking involves stealing session materials like cookies and tokens, enabling attackers to bypass standard security controls like VPNs, encrypted traffic, and even MFA.

The rise of identity-based attacks is a result of the growing complexity of user accounts, with each person managing multiple cloud-based services. Once attackers gain access to an active session, they can bypass MFA, leveraging the valid session tokens, which often stay active longer than expected.

Modern phishing toolkits, like AitM and BitM, make hijacking easier by allowing attackers to intercept MFA processes or trick users into controlling their browser. Infostealers, a newer tool, capture session cookies from the victim’s browser, putting multiple applications at risk, especially when EDR systems fail to detect them.

Infostealer infections are often traced back to unmanaged personal devices, which sync browser profiles with work devices, leading to the compromise of corporate credentials. EDRs aren’t always reliable in stopping these threats, and attackers can still resume stolen sessions without re-authentication, making it difficult for organizations to detect unauthorized access.

Passkeys offer some protection by preventing phishing, but infostealers bypass authentication entirely. While app-level controls exist to detect unauthorized sessions, many are inadequate. Companies are now considering browser-based solutions that monitor user agent strings for signs of session hijacking, offering a last line of defense against these sophisticated attacks.