Malware-infected devices can wreak havoc on organizations, but the threat often comes from outside the enterprise.
Unmanaged (personal or shared) devices pose significant threats when they are used to access corporate applications. Users are 71% more likely to be infected on an unmanaged device, and a Gartner survey found that 55% of digital workers are using personally owned devices for their work at least some of the time. Security teams lack visibility into these devices because they exist outside of corporate control, and without awareness of the infection, the risks can’t be properly mitigated and remediated.
Malware siphons everything from an infected device, including credentials and web session cookies. With stolen cookies, criminals can masquerade as a legitimate user using an attack called session hijacking. Let’s take a closer look at session hijacking, how it can lead to ransomware, and how you can prevent it from jeopardizing your organization.
What is Session Hijacking?
Session hijacking occurs when a user’s web session is taken over by an attacker. When you log into a site or application, the server sets a temporary session cookie in your browser. This lets the application remember that you’re logged in and authenticated. Some cookies may last only 24-48 hours, while others last for months.
Leveraging malware-siphoned web and device session cookies, bad actors can perpetrate session hijacking which bypasses the need for credentials (username + password combo), multi-factor authentication (MFA) and even passkeys altogether. Session hijacking is an increasingly prevalent precursor to fraud, and even more frightening to the enterprise, ransomware attacks.
How do criminals steal session cookies? Easily (unfortunately).
Trick user into clicking on a dangerous link or downloading a malicious attachment to infect their device with malware.
The malware siphons all manner of data from the infected device, including credentials, autofill info, and web session cookies without the user being aware of the infection.
The criminal can then use a stolen session cookie to authenticate as the user – without the need for a username and password – bypassing security and fraud controls including MFA.
Typically criminals gain access to session cookies by one of two ways: either by deploying malware directly onto a user’s device, or by buying or trading botnet logs on the darknet. Once a criminal acquires the stolen web session cookies, it is scary how quickly and easily they launch account takeover attacks on both personal and work accounts, and then the possibilities of what they can do are endless, and just as shocking.
With cookies from corporate applications – even third-party applications like SSO and VPN – criminals can impersonate the employee, gain access to private information, and change access privileges to move throughout the organization with ease. Cookies from consumer accounts allow criminals to steal loyalty points and rewards, drain funds, alter shipping and billing information, apply for credit, and make fraudulent purchases using saved payment info.
How Session Hijacking Leads to Ransomware Attacks
It is critical that organizations proactively prevent session hijacking because not only does it make you vulnerable to account takeover, it is also an easy way for criminals to launch a ransomware attack from inside the corporate network or a critical workforce service (including SSO). Once criminals have access to corporate applications, they can easily move laterally throughout the organization disguised as a legitimate user and attempt to escalate privileges in order to access and encrypt valuable company data.
An employee with poor cyber habits who clicks on a malicious link or downloads a suspicious document and gets infected with an infostealer – aka an unwitting insider threat – is one of the most exploitable entry points for ransomware.
So what can you do? Actively monitoring for malware-stolen device or web session cookies is an effective way of preventing ransomware incidents if you take action to invalidate the compromised sessions before threat actors can access them via session hijacking. Otherwise, armed with this data, attackers can use anti-detect browsers to bypass MFA and even newer browser fingerprinting anti-fraud technologies.
With proactive monitoring, you can identify employees whose managed and unmanaged endpoints have been infected by infostealers so you can take proper post-infection remediation steps – invalidating their active web sessions (and resetting stolen credentials), shutting down the chance for a malware infection to become a full-blown security incident.
“With proactive monitoring, you can take proper post-infection remediation steps, shutting down the chance for a malware infection to become a full-blown security incident.”
How to Prevent Session Hijacking
SpyCloud’s recent survey of more than 300 security leaders revealed that major ransomware attacks in the last two years have heightened malware concerns, causing organizations to further bolster their security framework with additional layers. Solutions that have not been highly considered before, such as monitoring for compromised web sessions, are now among the top countermeasures planned for investment. This suggests that organizations are looking to extend protection to other areas as threat actors, confronted with the more traditional defenses, shift their focus to other vulnerabilities that are less often or less thoroughly protected.
For enterprises, the best way to prevent session hijacking is by understanding what it is and how it’s executed, monitoring for stolen web sessions programmatically, and developing a process to invalidate web sessions related to infected users. Reacting quickly ensures criminals stay locked out and prevents them from reaping the benefits of malicious activity.
Since web sessions can be valid for a couple of days or even a couple of months, having early insights about malware-compromised sessions can help organizations act quickly to thwart session hijacking. The key is to:
- Identify users infected by infostealers
- Invalidate any active sessions identified by a compromised cookie
- Protect high-value accounts from attackers leveraging stolen cookies to mimic trusted devices
- Flag user accounts with known compromised devices for increased scrutiny of future logins or site interactions, regardless of cookie expiration time
Despite the growing layers of defenses organizations implement to protect against cyberattacks, criminals are still finding innovative ways to bust through. A feed of your users’ malware-compromised data is now an important layer in a robust security framework.
By locking bad actors out of consumers’ accounts, criminals don’t have a chance to access account information and perpetrate fraud. And by identifying and acting swiftly on employees’ malware-infected devices that are accessing corporate applications – managed or personal – you can prevent unauthorized access to business-critical information and accounts.