Session Hijacking Is Back: MFAs No Longer Safe
- Session hijacking has now evolved with modern methods capable of bypassing MFA checks.
- AitM, BitM, and infostealers are the main tools of session hijacking.
- Antiviruses, EDR, and in-app controls can still prove to be effective against these attacks.
Session hijacking is not a new mode of cyberattack. However, a much-improved version of session hijacking has emerged since last year that is capable of bypassing security measures such as multi-factor authentication (MFA).
Microsoft detected 147,000 token replay attacks in 2023, a whopping 111% increase compared to the last year.
In fact, as per Google, session cookie attacks are now at par with password-focused cyberattacks. As the numbers show, session hijacking is rapidly re-emerging.
What Is Session Hijacking?
Session hijacking is a cyberattack method in which threat actors take control of your active web sessions by tricking the website into believing that the real user is still controlling the session. This lets them skip the whole authentication process, since the session is already logged in and authenticated.
Classic session hijacking relied heavily on MitM (Man in the Middle) attacks, in which malicious parties looked for unsecured networks they could use to swoop in on credentials or financial information.
However, modern session hijacking has moved away from a network-based approach to an identity-based approach.
While traditional network session hijacking could be prevented through security protocols like MFAs, VPNs, and so on, the much-evolved hijacking methods are immune to these tactics.
How Does Session Hijacking Work
Now, there are several ways session hijacking can be done. Let's look at three modern methods threat actors are turning to:
- Adversary-in-the-middle (AitM) attack
- Browser-in-the-middle (BitM) attack
- Infostealers
An AitM attack is a phishing technique that relays any MFA check to the victim and intercepts the authentication data, including session tokens. Here, malicious actors set up a proxy between the target and the legitimate application portal.
The target believes they are accessing the real website and is unaware of the adversary sitting in the middle, who can intercept every interaction, including authentication.
BitM takes this attack a step further. Instead of involving a proxy, the target is tricked into controlling the attacker's browser through a remote screen-sharing application. Because the victim is actually operating the attacker's browser, they give away far more than just their username and password.
Infostealers
Infostealers can be delivered through various mechanisms such as malvertising, malicious links, infected websites, social media advertisements, and so on. Unlike AitM and BitM attacks, infostealers can target all session cookies saved in a user's browser as well as other saved credentials.
This makes infostealers more dangerous than the previous two modes of attack. Under AitM, only a single application is compromised. However, with infostealers, malicious parties can steal your entire identity.
This also makes them very flexible. For example, if a specific application enforces stringent IP locking, the attacker can use other stolen cookies and attempt to compromise other applications instead. Unlike AitM, infostealer attacks aren't application-focused.
The bad news is that even EDRs cannot always fully detect these infostealers. Sure, a good-quality EDR will weed out most commercial infostealers. However, threat actors have gotten smarter and developed sophisticated malware that can escape EDR detection.
For example, the Atomic Stealer and Meethub infostealers stole macOS passwords and crypto wallet credentials in early April this year. The infostealers were delivered through malvertising: when users searched for 'Arc Browser' on Google, some sponsored links redirected them to a malicious site where they could download the Arc browser. As it turned out, what they were actually downloading was Atomic Stealer.
Similarly, in July this year, an unpatched vulnerability in Microsoft Defender SmartScreen allowed threat actors to deliver infostealers such as Meduza, Lumma, and ACR Stealer.
In fact, as per the 2024 Sophos Threat Report, around 43% of the malware detected in 2023 were classified as infostealers.
The main reason behind infostealer attacks is unsecured and unmanaged devices. A lot of times, companies allow employees to bring their own devices (BYOD) to their internal IT environment.
A typical user will obviously log in to their personal Google account on a work device and more often than not enable profile syncing. Now, if they pick up an infostealer on their personal device and later sync the profile on their work devices, there's a high risk of the company credentials and data being compromised.
Passkeys are also of little use against infostealer attacks. Since they rely on biometric authentication, they can intercept and stop AitM and BitM attacks. However, in the case of infostealers, no authentication takes place at all, which makes passkey protection useless.
Prevention Against Modern Session Hijacking
Does this mean there is nothing you can do to prevent session hijacking? Well, no. Here are some ways you can ensure your data stays safe from hijacking attempts.
Keep Personal Info Private
A good thing about infostealers is that the target must first download the malware before the data-stealing process can start. This is also where the opportunity to prevent hijacking lies. It is always advised to keep private information away from corporate devices.
This way, even if you download an infostealer on your private device, the data will not be synced to your business device.
Antivirus and EDR
Now let's say you somehow end up downloading an infostealer on your device. This is where you should have an antivirus and EDR in place to weed it out. Most of the best antivirus solutions can actively detect and remove malware, including infostealers.
It is also important to ensure that the AV is always up to date with the latest security patches so that you do not become a victim of an unpatched vulnerability.
In-app Controls
This is your last resort when it comes to dealing with infostealers. Strong in-app controls, such as location-specific IP address locking restrictions, are generally difficult to bypass. Again, this isn't a foolproof way of protecting against infostealers, and more advanced stealers may make it through these app controls.
Session hijacking's return has had cyber experts worried. However, a good way of detecting foul play is to maintain robust session logs that help you tie online activity to a particular session.
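The IP-locking control and the session-log check described above can be combined into a simple replay detector. The following is an added example, not code from the article: it parses constructed session log lines (the format and values are assumed), treats the first request seen for a session id as the legitimate login, and flags later requests on the same session id that arrive from a different IP or user agent, or from an IP outside an allow-list.

```python
import re

# Constructed sample session log (not from the article): one request per line.
# Session a1f9 is established from one client and then replayed from another.
SAMPLE_LOG = """\
2024-08-01T09:00:01Z sid=a1f9 ip=203.0.113.10 ua="Chrome/126 Windows" path=/login
2024-08-01T09:00:05Z sid=a1f9 ip=203.0.113.10 ua="Chrome/126 Windows" path=/mail
2024-08-01T09:02:44Z sid=a1f9 ip=198.51.100.77 ua="Firefox/128 Linux" path=/mail
2024-08-01T09:03:10Z sid=a1f9 ip=198.51.100.77 ua="Firefox/128 Linux" path=/settings/forwarding
2024-08-01T09:05:00Z sid=b7c2 ip=192.0.2.5 ua="Safari/17 macOS" path=/login
2024-08-01T09:05:30Z sid=b7c2 ip=192.0.2.5 ua="Safari/17 macOS" path=/mail
"""

# Assumed log line layout: timestamp, session id, client IP, quoted user agent, path.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) sid=(?P<sid>\S+) ip=(?P<ip>\S+) ua="(?P<ua>[^"]*)" path=(?P<path>\S+)$'
)


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_replayed_sessions(events, allowed_ips=None):
    """Return (sid, first_ts, kind, detail) alerts for sessions whose IP or user
    agent changes after the session was established, or whose requests come from
    an IP outside allowed_ips (the in-app IP-locking check). Each distinct
    finding is reported once, with the timestamp of its first occurrence."""
    first_seen = {}   # sid -> (ip, ua) on the session's first request
    alerts = {}       # (sid, kind, detail) -> timestamp of first occurrence
    for ev in events:
        sid, ts = ev["sid"], ev["ts"]
        if allowed_ips is not None and ev["ip"] not in allowed_ips:
            alerts.setdefault((sid, "ip_not_allowed", ev["ip"]), ts)
        if sid not in first_seen:
            first_seen[sid] = (ev["ip"], ev["ua"])
            continue
        ip0, ua0 = first_seen[sid]
        if ev["ip"] != ip0:
            alerts.setdefault((sid, "ip_changed", f"{ip0} -> {ev['ip']}"), ts)
        if ev["ua"] != ua0:
            alerts.setdefault((sid, "ua_changed", f"{ua0} -> {ev['ua']}"), ts)
    return [(sid, ts, kind, detail) for (sid, kind, detail), ts in alerts.items()]
```

A legitimate user roaming between networks will also trip the IP check, so in practice the IP signal is tuned (for example to ASN or country changes) and combined with the user-agent change and the sensitivity of the path requested, such as the mail-forwarding settings in the sample.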
With the new method capable of breaching MFAs and VPNs, it is high time for businesses and IT teams to exercise extra caution, especially when they support BYOD work structures.
The post Session Hijacking Is Back: MFAs No Longer Safe appeared first on The Tech Report.