
Overcoming the Escalating Threat of Session Hijacking

Malware-Enabled Session Hijacking: A Growing Threat to Enterprise Security

In the ever-evolving landscape of cybersecurity, businesses are continuously implementing various measures to protect their sensitive information and bolster their cybersecurity posture. From passkeys to multifactor authentication (MFA), these solutions are aimed at minimizing the attack surface. However, security teams should be aware that these measures may not be sufficient to fully secure user data.

While enterprises invest in new ways to safeguard their networks, cybercriminals are simultaneously developing tactics to bypass these defenses. Techniques like session hijacking and account takeover are being used by malicious actors to gain unauthorized entry into corporate systems, rendering passkeys and MFA ineffective. What’s more troublesome is that these tactics are often enabled by malware-exfiltrated data, which presents one of the most challenging security gaps to address.

Malware acts swiftly and covertly to steal large amounts of accurate authentication data, including personally identifiable information (PII) such as login credentials, financial details, and authentication cookies. There is a growing concern that some malware is even capable of exfiltrating local key vaults, such as those maintained by password managers that offer passkey solutions. Recent statistics reveal that cybercriminals attempted over 4 billion malware attacks last year, making it the most widely used method of cyberattack. Furthermore, according to SpyCloud’s “2023 Annual Identity Exposure Report,” over 22 million unique devices were infected by malware in the same year, with the stolen data making its way to criminal networks for various malicious activities, including session hijacking and ransomware attacks.

While the importance of malware-exfiltrated data continues to grow among criminals, security teams are still grappling with the lack of necessary visibility required to mitigate these exposures. Those who possess a deep understanding of how malware operates and how cybercriminals leverage stolen data for further attacks are better positioned to confront this looming threat.

The most significant threat that stems from malware-exfiltrated data is session hijacking. Infostealer malware, often distributed through phishing emails or malicious websites, extracts device and identity data from infected machines and their web browsers. While all stolen data holds some value for criminals, these malware attacks primarily target high-value information, including cookies.

When a user logs into a site or application, the server stores a temporary authentication token (cookie) in their browser, allowing seamless access for a certain period. By importing stolen cookies and additional details that mimic the user’s device and location, criminals can gain unauthorized access to an already-authenticated session. Session hijacking can circumvent even the strongest authentication methods, enabling criminals to access corporate networks undetected for extended periods. This gives them free rein to access sensitive information, steal more data, and carry out targeted attacks like ransomware.

Cybercriminals are well aware of the devastating impact of session hijacking and have developed tools like EvilProxy and Emotet to specifically target authentication cookies. The question then arises: how can corporations defend against a threat that nullifies key defenses? Although seemingly insurmountable, there exist novel approaches to break this cycle of cybercrime.

A major challenge in combating session hijacking lies in the malware’s ability to evade detection. Modern malware variants can siphon data and delete themselves within seconds, leaving security teams unaware that an attack ever occurred. Additionally, infostealer malware can infect employees’ personal devices and contractor devices, which often fall outside the purview of the security team, making it incredibly challenging to identify all instances of business exposure.

Fortunately, increased threat awareness and visibility can address these concerns. Security teams should educate users about infostealers, how to avoid unintentionally downloading them onto any device connected to the corporate network or critical business applications, and how to regularly delete cookies stored in their browsers.

In cases where malware manages to slip through the cracks, understanding the exact information stolen can help teams identify which user credentials and authentication cookies need remediation. Simply wiping the infected device is not enough, as active stolen data can be exploited long after the initial infection has been addressed. Instead, organizations must identify compromised data and proactively invalidate sessions and enforce password resets to sever potential entry points into the organization.
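The remediation described above only works if sessions can be revoked server-side; a stolen cookie for a purely stateless session stays valid until it expires. The following is an added example (not code from the original article) of a minimal server-side session store that revokes every session issued before a given exposure time and blocks new logins for the account until a password reset is completed. The class and method names, and the users and timestamps in the test, are constructed for illustration.

```python
# Added example: server-side session revocation for infostealer remediation.
# Not from the original article; names and sample values are constructed.
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Session:
    session_id: str
    user: str
    issued_at: float          # epoch seconds when the cookie was issued


@dataclass
class SessionStore:
    sessions: Dict[str, Session] = field(default_factory=dict)
    reset_required: Set[str] = field(default_factory=set)     # accounts awaiting a reset
    revoked_before: Dict[str, float] = field(default_factory=dict)  # user -> cutoff time

    def login(self, user: str, now: float) -> str:
        """Issue a new session; refused while a password reset is pending."""
        if user in self.reset_required:
            raise PermissionError(f"{user}: password reset required before login")
        sid = secrets.token_urlsafe(32)        # unguessable session identifier
        self.sessions[sid] = Session(sid, user, now)
        return sid

    def validate(self, session_id: str) -> Optional[str]:
        """Return the user for a live session, or None if unknown or revoked."""
        s = self.sessions.get(session_id)
        if s is None:
            return None
        if s.issued_at <= self.revoked_before.get(s.user, -1.0):
            self.sessions.pop(session_id, None)  # purge lazily on next use
            return None
        return s.user

    def remediate_exposure(self, user: str, exposed_until: float) -> int:
        """Invalidate all sessions issued up to exposed_until and require a reset.

        Pass the time the device was confirmed clean, not the infection time:
        sessions created while the stealer was resident are exposed as well.
        """
        self.revoked_before[user] = max(exposed_until, self.revoked_before.get(user, -1.0))
        stale = [sid for sid, s in self.sessions.items()
                 if s.user == user and s.issued_at <= exposed_until]
        for sid in stale:
            del self.sessions[sid]
        self.reset_required.add(user)
        return len(stale)

    def complete_password_reset(self, user: str) -> None:
        self.reset_required.discard(user)
```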

Ultimately, a comprehensive malware remediation process should hinge on understanding the stolen data. IT teams should prioritize approaches and solutions that provide enhanced visibility, enabling them to address malware-enabled security gaps effectively. Armed with this insight, organizations can take necessary steps to safeguard all exposed assets, including authentication data, thereby safeguarding their reputation and protecting their bottom line.
