Binance Square
kaymyg

How Attackers are Bypassing MFA and Threatening Cloud Security

As organizations continue to adopt multi-factor authentication (#MFA) to secure their systems, attackers are finding new ways to circumvent these protections. One method gaining prominence is #SessionHijacking 2.0, an evolved technique that has adapted to the widespread use of cloud applications and services. Recent data highlights the scale of this threat: in 2023 alone, Microsoft detected 147,000 token replay attacks, marking a 111% year-over-year increase. Google also reports that attacks on session cookies are now comparable to traditional password-based attacks.
But while session hijacking isn't a new technique, the methods used today have drastically changed. Here's what you need to know about modern session hijacking, why it's so effective, and how organizations can defend against it.
What is Session Hijacking?
Traditionally, session hijacking was carried out via Man-in-the-Middle (MitM) attacks, where an attacker would intercept unsecured local network traffic to capture session credentials or financial information. Alternatively, they could use cross-site scripting (XSS) to steal a session ID from a compromised webpage.
Today, session hijacking has evolved into a sophisticated identity-based attack targeting cloud-based apps and services. The goal remains the same: steal valid session material, such as cookies, tokens, or IDs, and use them to take control of a user’s session from a different device. Unlike older attacks, which could be mitigated by basic security measures like encrypted traffic or MFA, modern session hijacking bypasses many standard defenses.
Why Attackers Target Sessions
Stealing a session token allows attackers to bypass MFA and other authentication controls. Once a session is hijacked, there is no need to authenticate at all: the attacker simply resumes the existing session. In many cases, session tokens can remain valid for extended periods, sometimes up to 30 days or longer if the session is actively maintained.
For attackers, hijacking a session can grant access to an identity provider (IdP) account, like Okta or Microsoft Entra, which in turn provides single sign-on (SSO) access to a wide array of downstream apps. This makes session hijacking particularly dangerous, as it can compromise multiple systems without triggering further authentication checks.
The Tools of Session Hijacking
There are two main approaches used to steal session tokens today: phishing toolkits like Adversary-in-the-Middle (AitM) and Browser-in-the-Middle (BitM), and browser-based data theft via infostealers.
1. AitM and BitM Phishing Toolkits: In an AitM attack, the phishing tool acts as a proxy between the user and the legitimate service, intercepting session tokens and MFA details. BitM takes this a step further, tricking the victim into remotely controlling the attacker's browser to log into services. These toolkits enable attackers to steal session cookies while bypassing MFA protections.

2. Infostealers: Less targeted but equally dangerous, infostealers are malware that collects all session cookies and credentials stored in a browser. Infostealers are often spread through malicious websites, advertising, peer-to-peer downloads, or infected plugins. Once a device is compromised, all session data becomes accessible, increasing the attack surface significantly.
Infostealers: The Rising Threat
Infostealers present a unique challenge because they are not limited to targeting specific accounts. They collect all saved session cookies, making it easier for attackers to switch between targets if one session proves difficult to exploit. For example, even if an organization has stringent IP locking controls for its primary app, attackers can use the stolen cookies to hijack sessions for less protected downstream apps.
This wide-ranging approach makes infostealers flexible and opportunistic, and even well-secured corporate environments can be vulnerable if employees sync their browser profiles between personal and corporate devices. A personal device infection can lead to corporate credential theft if session data is synced across devices.
Can EDR Stop Infostealers?
Endpoint detection and response (EDR) systems are designed to detect and block malware, but they are not foolproof. Many attackers use customized malware designed to evade detection, and even sophisticated EDR solutions can miss infostealers. In particular, unmanaged personal devices used in bring-your-own-device (BYOD) environments present a significant vulnerability, as they may not have the same security controls as corporate devices.
How to Detect Session Hijacking
Once an attacker has stolen session cookies, the final line of defense is detecting the unauthorized use of those sessions. While app-level controls like IP locking or behavioral analysis may help, these measures are often bypassed or not consistently applied across all apps.
One new method to detect session hijacking is through the use of browser-based markers. For example, Push Security has developed a system that injects a unique marker into a user’s browser. If session tokens are later used without this marker, it indicates a session has been hijacked. This additional layer of defense can help detect not only session hijacking but also other account takeover attempts.
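The marker-based detection described above can be approximated server-side by recording, at login, the browser marker, IP and user agent a session was issued to and flagging later requests that present the same token without that binding. The following is an added illustration of that idea, not Push Security's product or code; the log format, field names and marker values are constructed for the example.

```python
import hashlib
import json

# Constructed log lines (not from the article): a login that binds a session
# token to a per-browser marker, normal use, an IP change on the same browser,
# then a replay of the same token from a device that cannot present the marker.
SAMPLE_LOG = """
{"event":"login","token":"tok-A1","user":"alice","marker":"mk-9f3a","ip":"203.0.113.10","ua":"Firefox/128"}
{"event":"request","token":"tok-A1","user":"alice","marker":"mk-9f3a","ip":"203.0.113.10","ua":"Firefox/128"}
{"event":"request","token":"tok-A1","user":"alice","marker":"mk-9f3a","ip":"203.0.113.44","ua":"Firefox/128"}
{"event":"request","token":"tok-A1","user":"alice","marker":null,"ip":"198.51.100.7","ua":"Chrome/127"}
{"event":"request","token":"tok-ZZ","user":"bob","marker":null,"ip":"198.51.100.7","ua":"Chrome/127"}
"""

def _h(marker: str) -> str:
    # Keep only a hash of the marker so the session store never holds the raw value.
    return hashlib.sha256(marker.encode()).hexdigest()

def analyse(log_text: str) -> list[dict]:
    """Replay auth events in order; return one alert per request that deviates
    from the binding (marker, IP, user agent) recorded when the session was issued."""
    sessions: dict[str, dict] = {}
    alerts = []
    for n, line in enumerate(filter(None, map(str.strip, log_text.splitlines())), 1):
        ev = json.loads(line)
        tok = ev["token"]
        if ev["event"] == "login":
            sessions[tok] = {"user": ev["user"], "marker": _h(ev["marker"]),
                             "ip": ev["ip"], "ua": ev["ua"]}
            continue
        rec = sessions.get(tok)
        findings = []
        if rec is None:
            findings.append("unknown_token")          # token never issued here
        else:
            if ev["marker"] is None or _h(ev["marker"]) != rec["marker"]:
                findings.append("marker_missing_or_mismatch")
            if ev["ip"] != rec["ip"]:
                findings.append("ip_changed")         # alone, often benign (roaming)
            if ev["ua"] != rec["ua"]:
                findings.append("ua_changed")
        if findings:
            # A missing marker is the strong signal; IP/UA drift alone is only a hint.
            high = "marker_missing_or_mismatch" in findings or "unknown_token" in findings
            alerts.append({"line": n, "token": tok, "user": ev["user"],
                           "severity": "high" if high else "low", "findings": findings})
    return alerts

if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG):
        print(a)
```

Only the IP-change event on line 3 is rated low, which is the point the article makes about IP locking being a weak stand-alone control; the replay on line 4 is caught by the absent marker regardless of where it comes from.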
The Path Forward: Strengthening Defenses
Session hijacking is a sophisticated attack that can bypass even robust security measures like MFA. To defend against this growing threat, organizations must adopt a multi-layered security approach that includes:
- #Phishing-resistant authentication methods, such as passkeys, which prevent AitM and BitM attacks.
- Browser-level protections, such as unique session markers, to detect unauthorized session usage.
- Stronger app-level controls that apply consistent security policies across all applications.
- Endpoint monitoring to detect and block malware like infostealers before they can steal session cookies.
By combining these measures, organizations can reduce the risk of session hijacking and protect their users from identity-based attacks.
For more insights into how identity attacks are evolving and the latest security solutions, visit our full report on the state of identity-based attacks in 2023-2024.