The rise of infostealer malware has become a major concern in the realm of cybersecurity. According to SpyCloud’s 2023 Identity Exposure Report, almost half of the 721.5 million credentials obtained from the criminal underground last year were exfiltrated by infostealing malware. These compromised credentials serve as a simple entry point for cyberattacks, allowing criminals to infiltrate networks undetected by posing as legitimate users.
Infostealer malware goes beyond ordinary breached credentials by targeting high-quality authentication data in large quantities, including session cookies/tokens, credentials, and personally identifiable information (PII). Many security teams combat this threat by promoting cyber hygiene and implementing solutions like multi-factor authentication (MFA) and passkeys to protect corporate and user data. However, these controls protect the login step rather than the authenticated session that follows it, so they can still be bypassed.
Infostealer malware has gained popularity due to its high return on investment and its ability to remain unnoticed even as intrusion prevention technology advances. Financial gain is often the main motivator for Initial Access Brokers (IABs), who package and sell stolen data on the darknet. These criminals adapt their strategies to focus on methods that offer higher rewards, and infostealer malware provides just that. It is hard to detect and is designed to be non-persistent on victim devices, which makes an infection difficult to trace.
The data exfiltrated by malware is highly appealing to criminals because of its superior quality. In 2022, SpyCloud recovered nearly 22 billion malware-exfiltrated device and session cookie records, and this number is expected to grow. Session cookies authenticate users on a platform for a specific duration of time. If exposed, these cookies allow threat actors to bypass authentication methods like MFA and passkeys through a technique known as session hijacking.
Session hijacking occurs when cybercriminals use stolen cookies/tokens to take control of an active authenticated web session. By importing malware-exfiltrated cookies into anti-detect browsers, criminals can masquerade as legitimate users without raising alarms. This grants them access to confidential business data, the ability to change or escalate privileges, and the opportunity to launch ransomware attacks. One stolen cookie is enough to bypass the entire authentication and login process, regardless of the original method of authentication.
A recent example of session hijacking is the CircleCI breach, where cybercriminals used malware to steal an employee’s two-factor authentication (2FA)-backed single sign-on (SSO) session token. By posing as the employee from actor-controlled infrastructure, the attacker went undetected, and the company’s antivirus protection failed to identify the infection due to the evasive nature of infostealer malware.
While solutions like passkeys are not foolproof, they are effective in reducing password fatigue and friction in the login process. However, organizations should not solely rely on a single tool but instead explore processes and solutions that enhance protection against session hijacking while actively monitoring for stolen data. One such approach is post-infection remediation (PIR), which proactively addresses the threat of malware infections.
PIR is an identity-centric approach that involves a series of steps to address exposed data and mitigate risks. Since stolen cookies can remain active for months, gaining a holistic view of compromised devices is crucial. Security teams can leverage recaptured data from the darknet to gain actionable insights. By linking compromised data to the original malware-infected device, organizations can isolate and remove the malware, invalidate compromised SSO sessions, and review access logs for any unauthorized activity.
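The two detection signals described above, a session replayed from a different client than the one that created it and a session ID that turns up in recaptured infostealer data, can be checked directly against access logs. The following is an added example, not SpyCloud's code: the log format, the log lines and the recaptured session IDs are all constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample access log (assumed format: timestamp user session_id client_ip user_agent).
ACCESS_LOG = [
    "2023-05-01T09:00:12Z alice sess-7f3a 10.0.0.5 Firefox/112.0 (Windows NT 10.0)",
    "2023-05-01T09:14:40Z alice sess-7f3a 10.0.0.5 Firefox/112.0 (Windows NT 10.0)",
    "2023-05-01T22:03:09Z alice sess-7f3a 203.0.113.77 Chrome/113.0 (X11; Linux x86_64)",
    "2023-05-01T10:11:00Z bob sess-91c2 10.0.0.9 Safari/16.4 (Macintosh)",
    "2023-05-01T11:30:45Z carol sess-c0de 10.0.0.12 Edge/112.0 (Windows NT 10.0)",
]
# Constructed placeholder: session IDs recovered from an infostealer log dump.
RECAPTURED_SESSION_IDS = {"sess-c0de"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<sid>\S+) (?P<ip>\S+) (?P<ua>.+)$")

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.groupdict()

def review_sessions(log_lines, recaptured_ids):
    """Return ({session_id: reason}, {session_id: user}) for sessions to invalidate.
    Two triggers: the cookie is in recaptured infostealer data, or the same session
    is used from more than one (client_ip, user_agent) pair, the fingerprint of a
    cookie replayed from attacker-controlled infrastructure."""
    fingerprints = defaultdict(set)   # sid -> {(ip, ua)}
    owner = {}                        # sid -> user
    for line in log_lines:
        ev = parse_line(line)
        fingerprints[ev["sid"]].add((ev["ip"], ev["ua"]))
        owner[ev["sid"]] = ev["user"]
    flagged = {}
    for sid, fps in fingerprints.items():
        if sid in recaptured_ids:
            flagged[sid] = "present in recaptured infostealer data"
        elif len(fps) > 1:
            flagged[sid] = f"replayed from {len(fps)} distinct client fingerprints"
    # Stolen cookies stay valid for months: revoke recaptured IDs even before any replay.
    for sid in set(recaptured_ids) - set(fingerprints):
        flagged[sid] = "present in recaptured infostealer data (no use logged yet)"
    return flagged, owner

def revocation_plan(log_lines, recaptured_ids):
    """(user, session_id, reason) triples to invalidate and triage, sorted for ticketing."""
    flagged, owner = review_sessions(log_lines, recaptured_ids)
    return sorted((owner.get(sid, "unknown"), sid, reason) for sid, reason in flagged.items())

if __name__ == "__main__":
    for user, sid, reason in revocation_plan(ACCESS_LOG, RECAPTURED_SESSION_IDS):
        print(f"revoke {sid} for {user}: {reason}")
```

In a real deployment the flagged users' SSO sessions are invalidated at the identity provider and their devices go to the isolation step; the fingerprint check alone will also catch legitimate device changes, so treat it as a triage signal rather than an automatic block.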
This proactive approach disrupts cybercriminals before they can harm users and businesses, providing an enhanced layer of protection for enterprises’ highest-risk users. Passkeys and MFA are significant advancements in the security industry, but cybercriminals continually innovate. By swiftly preventing unauthorized users from accessing sensitive accounts, organizations can effectively address vulnerabilities and safeguard their employees, customers, brand reputation, and overall profitability.
Trevor Hilligoss, the Director of Security Research at SpyCloud, is an experienced security researcher with a background in federal law enforcement. He has tracked cybercriminals and nation-state actors for nearly a decade and is considered an expert in threat intelligence. With a BA in Sociology and multiple federal certifications in cyber investigations, Hilligoss provides valuable insights into combatting the growing threat of infostealer malware.
