Session Hijacking 2.0: The New Tactics Attackers Use to Bypass MFA.

As multi-factor authentication (MFA) becomes increasingly common, attackers are adapting their tactics, with session hijacking emerging as a prevalent method to circumvent these security measures. Recent data highlights this trend:

- In 2023, Microsoft detected 147,000 token replay attacks, marking a 111% increase year-over-year.

- Attacks on session cookies are now occurring at rates comparable to password-based attacks, according to Google.

While session hijacking is not a new technique, its methods and contexts have evolved significantly.

The Evolution of Session Hijacking

Traditionally, session hijacking involved classic Man-in-the-Middle (MitM) attacks, which relied on intercepting unsecured local network traffic to capture credentials or financial information. Attackers would also use client-side methods to compromise webpages, deploying malicious JavaScript or cross-site scripting (XSS) to steal session IDs.

Today’s session hijacking is primarily identity-based, executed over the public internet and targeting cloud-based applications and services. Despite the shift in methods, the underlying goal remains the same: to steal valid session materials—such as cookies, tokens, and IDs—allowing attackers to take over the session from a different device and location.

Modern session hijacking tactics are far more reliable at bypassing standard defensive controls than older techniques, which often failed against basic protections such as encrypted traffic, VPNs, or MFA. The attack surface has also changed. Previously, attackers aimed to steal domain credentials for internal systems; now a typical user holds dozens of accounts across various cloud services, giving attackers many more targets.

Why Attackers Target Live Sessions

The motivation behind hijacking live sessions is straightforward: it allows attackers to bypass authentication controls like MFA. By taking over an existing session, attackers eliminate the need to convert stolen usernames and passwords into an authenticated session.

While session tokens theoretically have a limited lifespan, they often remain valid for extended periods—typically around 30 days—or even indefinitely as long as there’s continuous activity. Compromising a single identity can yield significant benefits for attackers, especially if the identity has access to downstream applications through single sign-on (SSO).
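The long lifetimes described above usually come from a sliding (idle) expiry that is reset by every request, so a session that stays active is never forced to re-authenticate. The following added example is not from the article or from Push Security; it contrasts a sliding-only policy with one that also enforces an absolute lifetime, using hypothetical policy values (12-hour idle window, 30-day cap) chosen for illustration.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical policy values chosen for this example; the page only states
# that tokens are "typically around 30 days" or renewed indefinitely.
IDLE_TIMEOUT = timedelta(hours=12)       # sliding window, reset by activity
ABSOLUTE_LIFETIME = timedelta(days=30)   # hard cap, measured from issuance


class Session:
    """Minimal server-side session record: when it was issued and last used."""

    def __init__(self, created_at):
        self.created_at = created_at
        self.last_seen = created_at


def is_valid(session, now, enforce_absolute=True):
    """A session is live if it has not idled out and, when the absolute
    cap is enforced, has not outlived its maximum lifetime."""
    if now - session.last_seen > IDLE_TIMEOUT:
        return False
    if enforce_absolute and now - session.created_at > ABSOLUTE_LIFETIME:
        return False
    return True


def record_activity(session, now):
    """Slide the idle window forward; call only after is_valid() returned True."""
    session.last_seen = now


def simulate(days_of_activity, hours_between_requests, enforce_absolute):
    """Replay regular requests against one session and return the elapsed
    time at which it first failed validation, or None if it never did."""
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)
    session = Session(start)
    now = start
    end = start + timedelta(days=days_of_activity)
    while now < end:
        now += timedelta(hours=hours_between_requests)
        if not is_valid(session, now, enforce_absolute):
            return now - start
        record_activity(session, now)
    return None


if __name__ == "__main__":
    # Sliding expiry alone: steady activity keeps the session alive indefinitely.
    print("sliding only:", simulate(90, 6, enforce_absolute=False))
    # With an absolute cap, the same activity pattern is cut off after 30 days.
    print("with absolute cap:", simulate(90, 6, enforce_absolute=True))
    # A gap longer than the idle window ends the session regardless of the cap.
    print("idle gap:", simulate(90, 24, enforce_absolute=False))
```

With the sliding-only policy the simulated session is still valid after 90 days of activity; with the cap it is invalidated on the first request after day 30. The cap does not stop a replayed cookie from working during its lifetime, but it bounds how long a stolen session remains useful and forces a fresh authentication that a cookie thief cannot satisfy.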

Methods of Session Hijacking

To hijack a session, attackers first need to obtain the session cookies associated with an active user session. There are two primary methods currently in use:

1. Modern Phishing Toolkits (AitM and BitM): These tools allow attackers to intercept authentication materials, including session tokens, during the login process. AitM (Adversary-in-the-Middle) acts as a proxy between the victim and the real login page, capturing data as the victim authenticates. BitM (Browser-in-the-Middle) takes this a step further by tricking victims into logging in through a browser the attacker controls, so the attacker holds the authenticated session as soon as the victim completes the login.

2. Infostealers: Unlike the more targeted AitM attacks, infostealers typically rely on opportunistic tactics to infect users. They can spread through various channels, including compromised websites, malvertising, and social media ads. Infostealers collect not only session cookies but also saved credentials, so a single infection puts many sessions at risk rather than the one session a targeted attack captures.

Addressing the Threat of Infostealers

Although effective endpoint detection and response (EDR) solutions can identify many commercial infostealers, attackers continuously develop custom malware to evade detection. This creates an ongoing cat-and-mouse game, helped along by exploitable vulnerabilities such as recent flaws in Microsoft Defender SmartScreen.

Infostealer infections frequently originate from unmanaged devices, including personal devices in bring-your-own-device (BYOD) environments. Browser profiles can sync across devices, meaning that a personal device compromise can easily lead to corporate credential theft. 

For example:

1. A user logs into their personal Google account on their work device, saving their profile.

2. They enable profile syncing, storing corporate credentials in their browser’s password manager.

3. The user then logs into the same account on their personal device, which is infected with an infostealer; the profile syncs and the saved corporate credentials arrive on the infected machine.

4. Consequently, all saved credentials, including corporate ones, are stolen.

EDR solutions alone cannot completely mitigate the risks posed by infostealers, especially given how personal and corporate identities converge in today’s workplace.

The Role of Passkeys

Passkeys offer a phishing-resistant authentication method, effectively preventing AitM and BitM attacks that require user interaction to hijack a session. However, infostealers bypass this protection by targeting endpoints directly. The attacker simply imports stolen session cookies into their browser to resume the existing session without needing to authenticate.

Detection and Response Strategies

Defenses against session hijacking can be applied at each stage of the attack:

1. Delivering the Malware: Victims must be lured into downloading the infostealer, which can occur in many environments, including those lacking expected security controls.

2. Running the Malware: While EDR solutions provide a primary defense against running malware, they are not infallible.

3. Detecting Unauthorized Sessions: Once session cookies are stolen, detection can only happen when the attacker uses them to hijack a session. The final line of defense for many organizations is in-app controls, such as access restriction policies. However, these can often be bypassed, and many applications lack such controls altogether, unlike more mature platforms such as M365.

Enhancing Security Against Session Hijacking

To combat session hijacking effectively, security practitioners often apply the concept of the Pyramid of Pain. When detection fails, it is typically because it relies on indicators that attackers can change cheaply rather than on behaviors they cannot avoid.

The success of an attack hinges on the attacker resuming the victim's session in their browser—an action that can be detected. The Push Security team has developed a control that identifies this behavior by injecting a unique marker into the user agent string of sessions occurring in browsers enrolled in Push. By analyzing logs from the identity provider (IdP), organizations can detect when a session is extracted from a browser and maliciously imported into another.

This approach serves as a crucial last line of defense against account takeover attacks, allowing organizations to identify unauthorized access to applications typically accessed from browsers with the Push plugin installed.
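The detection described above reduces to a simple rule over IdP logs: a session that was established from a browser carrying the enrollment marker should never later appear without it. The following added example is not Push Security's code and does not reproduce its marker format; it assumes a hypothetical `ENROLL-MARK/<id>` token appended to the user agent, a constructed JSON sign-in log schema (`ts`, `user`, `session_id`, `ip`, `user_agent`), and constructed sample events.

```python
import json

# Hypothetical marker format: an enrolled browser appends "ENROLL-MARK/<id>"
# to its user agent. The page does not specify how the Push marker is encoded,
# so this token and the log schema below are assumptions for the example.
MARKER_PREFIX = "ENROLL-MARK/"

# Constructed IdP sign-in events (not real logs), one JSON object per line.
SAMPLE_EVENTS = [
    '{"ts": "2024-06-01T08:00:00Z", "user": "alice@example.com", "session_id": "s-1001", "ip": "203.0.113.10", "user_agent": "Mozilla/5.0 Chrome/125.0 ENROLL-MARK/7f3a"}',
    '{"ts": "2024-06-01T08:05:00Z", "user": "bob@example.com", "session_id": "s-2002", "ip": "203.0.113.22", "user_agent": "Mozilla/5.0 Firefox/126.0 ENROLL-MARK/c91e"}',
    '{"ts": "2024-06-01T08:10:00Z", "user": "carol@example.com", "session_id": "s-3003", "ip": "203.0.113.30", "user_agent": "Mozilla/5.0 Safari/17.5"}',
    '{"ts": "2024-06-01T09:15:00Z", "user": "alice@example.com", "session_id": "s-1001", "ip": "203.0.113.10", "user_agent": "Mozilla/5.0 Chrome/125.0 ENROLL-MARK/7f3a"}',
    '{"ts": "2024-06-01T10:30:00Z", "user": "bob@example.com", "session_id": "s-2002", "ip": "203.0.113.22", "user_agent": "Mozilla/5.0 Firefox/126.0 ENROLL-MARK/c91e"}',
    '{"ts": "2024-06-01T11:42:00Z", "user": "alice@example.com", "session_id": "s-1001", "ip": "198.51.100.77", "user_agent": "Mozilla/5.0 Chrome/125.0"}',
]


def extract_marker(user_agent):
    """Return the enrollment marker id carried in a user agent string, or None."""
    for token in user_agent.split():
        if token.startswith(MARKER_PREFIX):
            return token[len(MARKER_PREFIX):]
    return None


def detect_session_replay(raw_lines):
    """Flag sessions first seen from a marked (enrolled) browser that later
    appear without that marker: the cookie has left the browser it was issued
    to. Returns a list of finding dicts, one per suspicious event."""
    events = sorted((json.loads(line) for line in raw_lines), key=lambda e: e["ts"])
    baseline = {}   # session_id -> marker and ip seen when the session was established
    findings = []
    for ev in events:
        sid = ev["session_id"]
        marker = extract_marker(ev["user_agent"])
        if sid not in baseline:
            baseline[sid] = {"marker": marker, "ip": ev["ip"], "first_seen": ev["ts"]}
            continue
        expected = baseline[sid]["marker"]
        # Sessions never seen with a marker cannot be judged by this rule.
        if expected is not None and marker != expected:
            findings.append({
                "session_id": sid,
                "user": ev["user"],
                "ts": ev["ts"],
                "ip": ev["ip"],
                "original_ip": baseline[sid]["ip"],
                "reason": "session established from enrolled browser, now used without its marker",
            })
    return findings


if __name__ == "__main__":
    for finding in detect_session_replay(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

On the sample data only Alice's session is flagged: it was established with marker `7f3a` and is later used from a browser with no marker and a different address. Carol's session is never seen with a marker, so the rule says nothing about it; this is the limitation the article notes, that the control covers applications normally accessed from enrolled browsers. The IP change is recorded as context but is deliberately not the trigger, since an address is exactly the kind of cheap-to-change indicator the Pyramid of Pain warns against relying on.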

By understanding the evolving landscape of session hijacking and employing layered security measures, organizations can better protect their identities and maintain the integrity of their systems.

Credit: The Hacker News.