When it comes to enterprise cyber-threats, credentials are rightly viewed as the keys to the kingdom. Why use a piece of malicious code on a vulnerable system or human when a valid credential opens the front door?
Current best practices usually maintain that multi-factor authentication (MFA) and password managers are enough to mitigate the risk of account hijacking. Unfortunately, the cybercrime underground doesn’t take long to adapt. Session hijacking via infostealer malware and cookie theft is an increasingly popular way to bypass MFA. Recorded Future saw thousands of references to such techniques on underground sites in the past 12 months.
The good news is that organizations can hit back by following best practices, reconfiguring their intrusion detection tools and enhancing threat intelligence.
Why Cookies are so Popular
We observed 14,905 cybercrime underground posts in 2021 containing the keywords “cookies,” “session cookies” or “session hijacking.” Why so popular? Because HTTP cookies are used to manage user sessions, store user personalization preferences and track user behavior. If a threat actor is able to steal the “magic cookie” that authenticates a user to an internal or third-party application, they can hijack that user’s session with complete anonymity, appearing identical to the legitimate user.
Infostealer malware is designed to do exactly this, among other things. Once the attacker has the stolen cookies in hand, a relatively straightforward “pass the cookie” post-exploitation technique lets them hijack the user’s session. Unlike a stolen password, a stolen session cookie represents a session that has already passed authentication, so replaying it bypasses MFA checkpoints. Sessions often time out only after seven days or more, providing more than enough opportunity to access sensitive web applications and services, steal data, deploy ransomware and more.
Making Things Easier
Commercially minded cyber-criminals know how to spot a business opportunity. That’s why cookies are often included in easy-to-use packages, such as the “bots” or “logs” advertised on the English and Russian-language cybercrime shop Genesis Store. As well as session cookies, these packages include account credentials, IP addresses and browser fingerprints. This data can be imported into a browser plugin called Genesis Security, enabling threat actors to masquerade as the victim in account takeover and session hijacking attacks.
Initial access brokers also sell cookies alongside stolen credentials if network access requires MFA. Compromising identities with infostealer malware and session hijacking is a key tactic of the notorious Lapsus group, which claims to have stolen data from numerous big tech firms, including Samsung, Microsoft and Nvidia. We’ve also seen malware-as-a-service variants, including RedLine and Vidar, capable of stealing credential pairs with associated session tokens.
Moving On
It’s not that the technique is particularly new. The US Cybersecurity and Infrastructure Security Agency (CISA) warned of cookie theft in January 2021. But as MFA becomes more popular, so will efforts to circumvent it.
That’s why organizations have to update their own policy and security strategy to mitigate the evolving threat of account and session hijacking.
MFA and password managers must still be the de facto baseline. But security teams could also explore solutions that enforce MFA on a more frequent basis. How often this should be is up to you: is daily enough, or is every login too much? How much friction do you want to create for your users? Which applications warrant this level of friction? These questions are for you to consider.
Consider monitoring your organization's compromised identities: this reduces the window in which an attacker can steal identity-related information and resell it for use by another attacker. You can take this one step further. At Recorded Future, we are connecting this identity intelligence directly into our IAM provider, automating password resets and reviews to accelerate triage of this threat. With APIs for this information, automated playbooks become viable and scalable in your SOC.
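As an added illustration of the three controls discussed above (more frequent MFA, binding a session to the client that logged in, and intel-driven revocation of compromised identities), here is a server-side session check. It is example code written for this page, not Recorded Future's or any IAM product's implementation; the thresholds, class names and sample values are hypothetical. Because the article notes that stolen packages also include browser fingerprints, the fingerprint binding is only a speed bump; the periodic MFA re-check and the revocation hook are the stronger controls.

```python
# Added example (not from the article): server-side mitigation of "pass the
# cookie" replay. A session is (1) bound to the client fingerprint seen at login,
# (2) forced to re-verify MFA periodically and (3) revocable from an identity
# intelligence feed. Names, thresholds and sample data are hypothetical.
from dataclasses import dataclass, field
import hashlib
import hmac

MFA_MAX_AGE = 8 * 3600        # hypothetical policy: step-up MFA every 8 hours
SESSION_MAX_AGE = 7 * 86400   # the "seven days or more" lifetime the text mentions


def fingerprint(ip: str, user_agent: str) -> str:
    """Hash the client attributes the cookie is bound to at login."""
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()


@dataclass
class Session:
    user: str
    created: float      # login time (epoch seconds)
    last_mfa: float     # last successful MFA verification
    bound_fp: str       # fingerprint captured at login


@dataclass
class SessionStore:
    sessions: dict = field(default_factory=dict)

    def login(self, sid: str, user: str, ip: str, ua: str, now: float) -> None:
        self.sessions[sid] = Session(user, now, now, fingerprint(ip, ua))

    def revoke_user(self, user: str) -> int:
        """Playbook hook: kill every session of a user reported as compromised."""
        doomed = [sid for sid, s in self.sessions.items() if s.user == user]
        for sid in doomed:
            del self.sessions[sid]
        return len(doomed)

    def validate(self, sid: str, ip: str, ua: str, now: float) -> str:
        s = self.sessions.get(sid)
        if s is None or now - s.created > SESSION_MAX_AGE:
            return "deny"
        if not hmac.compare_digest(s.bound_fp, fingerprint(ip, ua)):
            del self.sessions[sid]   # cookie replayed from another client
            return "deny:fingerprint_mismatch"
        if now - s.last_mfa > MFA_MAX_AGE:
            return "step_up_mfa"     # valid cookie, but MFA must be repeated
        return "allow"
```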
Unfortunately, security is not a destination but a continuous journey. To avoid more bumps in the road, it would be wise to tackle the threat from infostealers and session hijacking now.