What is Session Hijacking and How Do You Prevent It?



Malware-infected devices can wreak havoc on organizations, but the threat often comes from outside the enterprise.

Unmanaged (personal or shared) devices pose significant threats when they are used to access corporate applications. Users are 71% more likely to be infected on an unmanaged device, and a Gartner survey found that 55% of digital workers are using personally owned devices for their work at least some of the time. Security teams lack visibility into these devices because they exist outside of corporate control, and without awareness of the infection, the risks can’t be properly mitigated and remediated.

Malware siphons everything from an infected device, including credentials and web session cookies. With stolen cookies, criminals can masquerade as a legitimate user using an attack called session hijacking. Let’s take a closer look at session hijacking, how it can lead to ransomware, and how you can prevent it from jeopardizing your organization.

What is Session Hijacking?

Session hijacking occurs when a user’s web session is taken over by an attacker. When you log into a site or application, the server sets a temporary session cookie in your browser. This lets the application remember that you’re logged in and authenticated. Some cookies may last only 24-48 hours, while others last for months.

Leveraging malware-siphoned web and device session cookies, bad actors can perpetrate session hijacking, which bypasses the need for credentials (username + password combo), multi-factor authentication (MFA) and even passkeys altogether. Session hijacking is an increasingly prevalent precursor to fraud and, even more alarming for the enterprise, to ransomware attacks.

How do criminals steal session cookies? Easily (unfortunately).

Step 1

Trick the user into clicking on a dangerous link or downloading a malicious attachment to infect their device with malware.

Step 2

The malware siphons all manner of data from the infected device, including credentials, autofill info, and web session cookies, without the user being aware of the infection.

Step 3

The criminal can then use a stolen session cookie to authenticate as the user – without the need for a username and password – bypassing security and fraud controls including MFA.

Typically criminals gain access to session cookies in one of two ways: either by deploying malware directly onto a user’s device, or by buying or trading botnet logs on the darknet. Once a criminal acquires the stolen web session cookies, they can launch account takeover attacks on both personal and work accounts quickly and easily, and what they can do from there is limited only by the access those accounts carry.

With cookies from corporate applications – even third-party applications like SSO and VPN – criminals can impersonate the employee, gain access to private information, and change access privileges to move throughout the organization with ease. Cookies from consumer accounts allow criminals to steal loyalty points and rewards, drain funds, alter shipping and billing information, apply for credit, and make fraudulent purchases using saved payment info.

How Session Hijacking Leads to Ransomware Attacks

It is critical that organizations proactively prevent session hijacking because not only does it make you vulnerable to account takeover, it is also an easy way for criminals to launch a ransomware attack from inside the corporate network or a critical workforce service (including SSO). Once criminals have access to corporate applications, they can easily move laterally throughout the organization disguised as a legitimate user and attempt to escalate privileges in order to access and encrypt valuable company data.

An employee with poor cyber habits who clicks on a malicious link or downloads a suspicious document and gets infected with an infostealer – aka an unwitting insider threat – is one of the most exploitable entry points for ransomware.

So what can you do? Actively monitoring for malware-stolen device or web session cookies is an effective way of preventing ransomware incidents if you take action to invalidate the compromised sessions before threat actors can access them via session hijacking. Otherwise, armed with this data, attackers can use anti-detect browsers to bypass MFA and even newer browser fingerprinting anti-fraud technologies.

With proactive monitoring, you can identify employees whose managed and unmanaged endpoints have been infected by infostealers so you can take proper post-infection remediation steps – invalidating their active web sessions (and resetting stolen credentials), shutting down the chance for a malware infection to become a full-blown security incident. 

How do I know if our session cookies have already been stolen?

Session hijacking happens after a successful login, so it leaves no failed-authentication signal to catch it. The cookies are usually exfiltrated by infostealer malware, often from unmanaged personal devices your security team has no visibility into, and a single stolen cookie can stay valid for days or months. Run Check Your Exposure to see whether session cookies tied to your domain have already been stolen and could be replayed to hijack an active session. 


How to Prevent Session Hijacking

SpyCloud’s recent survey of more than 300 security leaders revealed that major ransomware attacks in the last two years have heightened malware concerns, causing organizations to further bolster their security framework with additional layers. Solutions that have not been highly considered before, such as monitoring for compromised web sessions, are now among the top countermeasures planned for investment. This suggests that organizations are looking to extend protection to other areas as threat actors, confronted with the more traditional defenses, shift their focus to other vulnerabilities that are less often or less thoroughly protected.

For enterprises, the best way to prevent session hijacking is by understanding what it is and how it’s executed, monitoring for stolen web sessions programmatically, and developing a process to invalidate web sessions related to infected users. Reacting quickly ensures criminals stay locked out and prevents them from reaping the benefits of malicious activity.

Since web sessions can be valid for a couple of days or even a couple of months, having early insights about malware-compromised sessions can help organizations act quickly to thwart session hijacking. The key is to:

  • Identify users infected by infostealers
  • Invalidate any active sessions identified by a compromised cookie
  • Protect high-value accounts from attackers leveraging stolen cookies to mimic trusted devices
  • Flag user accounts with known compromised devices for increased scrutiny of future logins or site interactions, regardless of cookie expiration time
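As an added illustration, not SpyCloud's code, the following Python sketches a server-side session store in which the steps above are concrete operations: a password reset alone leaves a stolen cookie valid, invalidation deletes the server-side record so the cookie stops working regardless of its expiry, and a flagged user is forced to step up on later logins. Names such as SessionStore and remediate_infected_user are assumptions for the example.

```python
import secrets
import time


class SessionStore:
    """Server-side session registry (added example, not SpyCloud code).
    A cookie is only accepted while a live record exists here, so remediation
    is a server-side delete rather than waiting for the cookie to expire."""

    def __init__(self):
        self._sessions = {}   # token -> {"user": ..., "expires": ...}
        self._passwords = {}  # user -> password hash (stand-in for a real store)
        self._flagged = set() # users with a known infostealer-infected device

    def login(self, user, ttl_seconds=30 * 24 * 3600):
        """Issue a session cookie; the 30-day TTL mirrors a long-lived cookie."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "expires": time.time() + ttl_seconds}
        return token

    def validate(self, token):
        """Return (user, step_up_required) for a presented cookie, or None."""
        rec = self._sessions.get(token)
        if rec is None or rec["expires"] <= time.time():
            return None
        return rec["user"], rec["user"] in self._flagged

    def reset_password(self, user, new_password_hash):
        """A password reset touches only the credential; live sessions survive."""
        self._passwords[user] = new_password_hash

    def invalidate_user_sessions(self, user):
        """Post-infection remediation: revoke every live session for the user."""
        doomed = [t for t, r in self._sessions.items() if r["user"] == user]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)

    def flag_compromised(self, user):
        """Require step-up on future logins regardless of cookie expiry."""
        self._flagged.add(user)


def remediate_infected_user(store, user, new_password_hash):
    """The sequence from the post: reset credentials, invalidate sessions,
    and flag the account for increased scrutiny. Returns sessions revoked."""
    store.reset_password(user, new_password_hash)
    revoked = store.invalidate_user_sessions(user)
    store.flag_compromised(user)
    return revoked
```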

Despite the growing layers of defenses organizations implement to protect against cyberattacks, criminals are still finding innovative ways to bust through. A feed of your users’ malware-compromised data is now an important layer in a robust security framework.

Locking bad actors out of consumers’ accounts denies them the chance to access account information and perpetrate fraud. And by identifying and acting swiftly on employees’ malware-infected devices that are accessing corporate applications – managed or personal – you can prevent unauthorized access to business-critical information and accounts.

Session hijacking looks like legitimate access, which is exactly why it slips past MFA and login controls.


FAQs

Session hijacking is an attack where someone takes over a user’s active, authenticated session by stealing the session cookie the application uses to remember that the user is logged in. Because the cookie proves the user already passed authentication, an attacker who replays it is treated as that user without needing the password or a second factor. Session cookies can stay valid for anywhere from a day or two to several months, which gives a stolen one a long useful life.

Most often through infostealer malware that copies the browser’s cookie store off an infected device, and through adversary-in-the-middle phishing kits that intercept the cookie in transit after login. Unmanaged personal devices are a common source, since users are far more likely to be infected on a device the security team cannot see or control. Once the cookie is exfiltrated, it is traded in the criminal underground alongside other stolen identity data.

Both act on the login, but session hijacking happens after the login is already done. A stolen session cookie represents an identity that has already passed authentication, so replaying it never triggers an MFA prompt, and resetting the password does not invalidate the cookie an attacker already holds. The session itself has to be invalidated, which is why seeing which sessions are exposed matters more than tightening the login.

Infostealer infections on unmanaged and under-managed devices often sit outside your endpoint visibility, so the stolen session cookies they exfiltrate never show up in your own logs. Run Check Your Exposure to see whether devices and session cookies tied to your domain have been compromised, so you can flag the affected users and invalidate the exposed sessions before they are replayed.

Monitor for Chrome processes spawned with “--remote-debugging-port=” switches, unexpected traffic to port 9222, and continuously scan recaptured darknet data for employee and customer authentication artifacts.
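The first two detections above, as an added example rather than anything from the post: a Python rule run over constructed Sysmon-style process-creation and network events that flags Chrome launched with the remote-debugging switch and any connection to port 9222. The event field names and sample hosts are assumptions for the example.

```python
import re

# Chromium accepts "--", "-" and "/" as switch prefixes on Windows, so match
# all three rather than only the "--" form a naive rule would look for.
DEBUG_SWITCH = re.compile(r"(?i)(?:--|-|/)remote-debugging-port=(\d+)")
DEVTOOLS_PORT = 9222

# Constructed sample events in a Sysmon-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "process", "host": "wks-17",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"chrome.exe" --profile-directory=Default'},
    {"type": "process", "host": "wks-17",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"chrome.exe" --remote-debugging-port=9222'},
    {"type": "network", "host": "wks-17", "image": r"C:\Users\Public\updater.exe",
     "dst_ip": "127.0.0.1", "dst_port": 9222},
    {"type": "network", "host": "wks-17", "image": r"C:\Windows\System32\svchost.exe",
     "dst_ip": "10.0.0.5", "dst_port": 443},
]


def detect(events):
    """Return one alert per event matching either detection; benign events
    (ordinary Chrome launches, traffic to other ports) produce nothing."""
    alerts = []
    for ev in events:
        if ev["type"] == "process" and ev["image"].lower().endswith("chrome.exe"):
            m = DEBUG_SWITCH.search(ev["cmdline"])
            if m:
                alerts.append({"host": ev["host"], "rule": "chrome_remote_debugging",
                               "port": int(m.group(1)), "cmdline": ev["cmdline"]})
        elif ev["type"] == "network" and ev["dst_port"] == DEVTOOLS_PORT:
            alerts.append({"host": ev["host"], "rule": "traffic_to_devtools_port",
                           "image": ev["image"], "dst_ip": ev["dst_ip"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

A Chrome launched with the debugging port by a developer will also match, so the process rule is best paired with the network rule and with the launching parent process before it drives a response.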

Immediately isolate affected devices, reset all passwords for accounts accessed from the infected device, invalidate active web sessions and tokens, review access logs for unauthorized activity, and implement continuous monitoring for malware-exfiltrated data in criminal underground sources.
