Session Hijacking to Hunt for Cookies

Global Attacks

October 3, 2024

As multi-factor authentication (MFA) becomes widely deployed, attempts to bypass, breach, and hijack its protections are surging. Threat actors increasingly use session hijacking to get past MFA checkpoints. In this attack, threat actors steal session cookies in order to take over a live user session. By importing the harvested session cookies into their own browser, threat actors resume the active session without entering credentials or passing through MFA checkpoints.

Adversary-in-the-Middle (AitM) attacks, Browser-in-the-Middle (BitM) attacks, and infostealing malware are the prevalent session hijacking methods. In an AitM attack, the victim visits a malicious domain, and a reverse proxy set up by the threat actor captures the HTTP requests sent from the victim’s browser to the genuine website. The BitM technique tricks users into remotely controlling the threat actor’s browser, which allows threat actors to steal the user’s credentials and access confidential information saved on the user’s device. Infostealers, commonly distributed through phishing attacks, are popular for harvesting session cookies. Unlike AitM and BitM attacks, which typically target one account, infostealers can gather multiple sets of credentials and session information and are not limited to active sessions.

Session hijacking attacks have become more prevalent, especially in ransomware operations, where threat actors use infostealers to compromise accounts. Threat actors have also previously compromised Google’s MultiLogin, allowing them to revive expired session tokens. While some browsers, such as Google Chrome, have taken steps to protect session cookies, threat actors have already claimed to have found methods to bypass these new security features.

Recommendations

  • Implement cybersecurity best practices to reduce risk and increase resiliency to cyber threats.
  • Facilitate user awareness training to include these types of phishing-based techniques.
  • Maintain robust and up-to-date endpoint detection tools on every endpoint.
  • Consider leveraging behavior-based detection tools rather than signature-based tools.
  • Report malicious activity to the FBI’s IC3 and NJCCIC.
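To make the behavior-based detection recommendation concrete, the following is an added example (not code from the advisory or from any named vendor) that scans access-log records for a session cookie that is later presented from both a different network and a different browser, the pattern left behind when a stolen cookie is imported into another browser. The log format, field names and sample records are constructed assumptions.

```python
import re

# Constructed access-log lines (sample data, not from the advisory). Fields:
# timestamp, session cookie id, client IP, user agent string.
SAMPLE_LOG = """\
2024-10-03T09:00:00Z sid=a1b2 ip=203.0.113.10 ua="Windows NT 10.0; Chrome/128"
2024-10-03T09:05:00Z sid=a1b2 ip=203.0.113.10 ua="Windows NT 10.0; Chrome/128"
2024-10-03T09:07:00Z sid=a1b2 ip=198.51.100.77 ua="X11; Linux x86_64; Firefox/130"
2024-10-03T09:08:00Z sid=c3d4 ip=192.0.2.5 ua="iPhone; CPU iPhone OS 17_6; Safari/605"
2024-10-03T09:12:00Z sid=c3d4 ip=192.0.2.99 ua="iPhone; CPU iPhone OS 17_6; Safari/605"
"""

# Assumed log layout; adjust the pattern to the real web server's format.
LINE_RE = re.compile(r'^(\S+) sid=(\S+) ip=(\S+) ua="([^"]*)"$')


def parse_log(text):
    """Yield (timestamp, sid, ip, ua) for each well-formed log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()


def find_replayed_sessions(text):
    """Return an alert for every request where a known session cookie arrives
    from a different IP *and* a different user agent than its first use.
    A cookie imported into another browser normally changes both, whereas a
    legitimate user roaming between networks (sid c3d4 above) changes only
    the IP, so that case is deliberately not flagged."""
    first_seen = {}  # sid -> (ip, ua) of the request that first used it
    alerts = []
    for ts, sid, ip, ua in parse_log(text):
        if sid not in first_seen:
            first_seen[sid] = (ip, ua)
            continue
        ip0, ua0 = first_seen[sid]
        if ip != ip0 and ua != ua0:
            alerts.append({"sid": sid, "time": ts,
                           "orig": (ip0, ua0), "new": (ip, ua)})
    return alerts


if __name__ == "__main__":
    for a in find_replayed_sessions(SAMPLE_LOG):
        print(f"possible session hijack: cookie {a['sid']} first used from "
              f"{a['orig']}, now from {a['new']} at {a['time']}")
```

An alert of this kind is a prompt to invalidate the session server-side and require re-authentication, not proof of compromise on its own.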