Tackling the Emerging Threat of Session Hijacking and MFA Bypass


When it comes to enterprise cyber-threats, credentials are rightly viewed as the keys to the kingdom. Why use a piece of malicious code on a vulnerable system or human when a valid credential opens the front door?


Current best practices usually maintain that multi-factor authentication (MFA) and password managers are enough to mitigate the risk of account hijacking. Unfortunately, the cybercrime underground doesn’t take long to adapt. Session hijacking via infostealer malware and cookie theft is an increasingly popular way to bypass MFA. Recorded Future saw thousands of references to such techniques on underground sites in the past 12 months.


The good news is that organizations can hit back by following best practices, reconfiguring their intrusion detection tools and enhancing threat intelligence.


Why Cookies are so Popular


We observed 14,905 references to cybercrime underground posts in 2021, including the keywords “cookies,” “session cookies” and “session hijacking.” Why so popular? Because HTTP cookies are used to manage user sessions, store user personalization preferences and track user behavior. If a threat actor is able to steal the “magic cookie” used to authenticate a user to an internal or third-party application, they can hijack user sessions with complete anonymity, appearing identical to the legitimate user.


Infostealer malware is designed to do exactly this, among other things. Once the threat actor has the stolen cookies in hand, a relatively straightforward “pass the cookie” post-exploitation technique enables them to hijack the user’s session. The benefit of this, rather than stealing passwords, is that it allows them to bypass MFA checkpoints. Sessions often time out after seven days or more, providing more than enough opportunity to access sensit ..
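One way a detection rule could spot a replayed session cookie, as an added example that is not from the original article: it flags a session ID that reappears from a different IP and user agent than the client that established it, and sessions still in use past a maximum age. The log format, field names, sample lines and the seven-day threshold are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumption: mirrors the seven-day session lifetime mentioned in the article.
MAX_SESSION_AGE = timedelta(days=7)

# Constructed sample log: timestamp | session id | client IP | user agent
SAMPLE_LOG = """\
2022-01-01T08:00:00 | s3 | 192.0.2.44 | Mozilla/5.0 (Macintosh) Safari/15
2022-01-10T09:00:00 | s1 | 192.0.2.10 | Mozilla/5.0 (Windows NT 10.0) Chrome/97
2022-01-10T09:30:00 | s1 | 192.0.2.10 | Mozilla/5.0 (Windows NT 10.0) Chrome/97
2022-01-10T10:00:00 | s2 | 198.51.100.5 | Mozilla/5.0 (Windows NT 10.0) Edge/97
2022-01-10T18:00:00 | s2 | 198.51.100.99 | Mozilla/5.0 (Windows NT 10.0) Edge/97
2022-01-11T02:15:00 | s1 | 203.0.113.77 | Mozilla/5.0 (X11; Linux x86_64) Firefox/96
2022-01-12T08:00:00 | s3 | 192.0.2.44 | Mozilla/5.0 (Macintosh) Safari/15
"""

def parse(log):
    """Yield (timestamp, session_id, ip, user_agent) tuples from the log text."""
    for line in log.strip().splitlines():
        ts, sid, ip, ua = (field.strip() for field in line.split("|"))
        yield datetime.fromisoformat(ts), sid, ip, ua

def detect_session_reuse(log, max_age=MAX_SESSION_AGE):
    """Return (session_id, reason) findings in chronological order."""
    origin = {}      # session_id -> (first timestamp, ip, user agent)
    findings = []
    for ts, sid, ip, ua in sorted(parse(log)):
        if sid not in origin:
            origin[sid] = (ts, ip, ua)   # client that established the session
            continue
        t0, ip0, ua0 = origin[sid]
        reasons = []
        # An IP change alone is common (roaming, VPN); require both to differ.
        if ip != ip0 and ua != ua0:
            reasons.append("new IP and user agent")
        if ts - t0 > max_age:
            reasons.append("older than max session age")
        for reason in reasons:
            if (sid, reason) not in findings:
                findings.append((sid, reason))
    return findings

if __name__ == "__main__":
    for sid, reason in detect_session_reuse(SAMPLE_LOG):
        print(f"ALERT session={sid}: {reason}")
```

Session `s2` changes IP but keeps its user agent, so it is not flagged; tightening or loosening that rule is a tuning decision for the environment.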
