Criminals are Bypassing Authentication with Stolen Session Cookies

By Trevor Hilligoss, Director of Security Research, SpyCloud

The last 12 months revealed a concerning trend in credential exposure. According to SpyCloud’s 2023 Identity Exposure Report, nearly half of the 721.5 million credentials recovered from the criminal underground in 2022 were exfiltrated by infostealing malware.

Compromised credentials are traditionally one of the simplest entry points for carrying out a successful cyberattack. Using freshly stolen credentials, criminals can avoid setting off alarms when infiltrating networks by posing as legitimate users, giving them free rein to carry out their objectives. One step beyond run-of-the-mill breach credentials is infostealer malware, which is designed to exfiltrate authentication data of high quality and in high quantity, such as session cookies/tokens, credentials, PII and more.

Security teams are addressing the threat by emphasizing cyber hygiene and implementing solutions like multi-factor authentication (MFA) and, more recently, passkeys to protect valuable corporate and user data. But while these solutions offer improved security compared to traditional methods, they are still susceptible to compromise.

To truly address the ongoing threat of identity exposure from stolen data siphoned from malware-infected devices, organizations must understand what is driving the growth in infostealer malware and adopt new security approaches that allow them to proactively protect against the threat.

The growing trend of malware 

The rise of infostealer malware directly results from the high return on investment (ROI) it provides criminals and its ability to remain undiscovered, even given today’s advancements in intrusion prevention.

Often, the primary motivator for Initial Access Brokers (IABs)—individuals and groups who package and sell malware-stolen data on the darknet—is financial gain. The rise of passwordless technology, such as passkeys, aims to provide more secure user authentication and create additional barriers for cybercriminals. However, despite these efforts by security leaders, criminals continue to adapt their strategies to focus on approaches with higher rewards, and these authentication methods are not without their own vulnerabilities.

Infostealer malware is virtually undetectable and often designed to be non-persistent on a victim device, enabling execution and exfiltration of sensitive data in seconds, leaving little to no trace. This low-risk (many infostealers are widely sold online for less than a few hundred dollars per month of use), high-reward investment for criminals has created a bustling underground market where network access is weaponized for monetary gain.

The data exfiltrated by malware is highly attractive to criminals because of its superior quality. Last year alone, SpyCloud recaptured nearly 22 billion malware-exfiltrated device and session cookie records, a number expected to continue growing.

Cookies authenticate users on a platform for a set duration of time. If exposed, they allow threat actors to bypass authentication methods such as MFA and passkeys without needing credentials, in a process known as session hijacking.

Breaking passkeys and MFA with session hijacking 

Session hijacking occurs when cybercriminals use stolen cookies/tokens to take over an active authenticated web session by importing malware-exfiltrated cookies into anti-detect browsers used by the adversary. This process bypasses authentication security mechanisms and grants access to criminals, allowing them to masquerade as legitimate users and affording all the permissions a real user would have without raising alarms.

Session hijacking can enable criminals to access confidential business data, change or escalate privileges, and launch follow-on attacks like ransomware, as using a valid, already-authenticated session provides the threat actor essentially unfettered access to internal corporate systems and applications.

Because these cookies, while they remain valid, represent an already-authenticated web session, the method of original authentication does not matter. Whether the user logged in with a passkey, an MFA-validated login, or a Single Sign-On (SSO) solution, one stolen cookie is all it takes to bypass the entire authentication and login process.

The recent CircleCI breach, for example, was brought on by cybercriminals employing malware to steal an employee’s 2FA-backed SSO session token. According to CircleCI, the threat actor used that token to pose as the employee from actor-controlled infrastructure. The company’s antivirus protection failed to identify the infection due to the difficult-to-detect nature of malware, and the attacker was able to pose as the employee undetected.

The way forward: post-infection remediation

While solutions like passkeys are not a cure-all, they are not entirely ineffective. They are a strong option for reducing password fatigue and decreasing overall friction in the login process. With over 72% of consumers reusing previously exposed passwords, according to SpyCloud research, they are a beneficial tool for increasing overall security.

But as stolen cookies become a popular method of entry for criminals, it’s important that organizations don’t put their full efforts behind one tool. Instead, they should look to processes and solutions that enhance their protection against session hijacking in addition to actively monitoring for stolen data.

The most effective way to protect against session hijacking is to leverage a post-infection remediation (PIR) approach to proactively address the threat before it can become a full-blown security incident.

PIR is an identity-centric approach to malware infections that consists of a series of steps to fully address the exposed data putting your organization at risk. Since malware-siphoned cookies can remain active for months after being stolen, gaining a holistic view of malware-compromised devices is the first step to addressing the problem.

Visibility into what criminals know about your business through recaptured data from the darknet that has been properly ingested, curated, analyzed and automated is an excellent way for security teams to stay a step ahead. With this actionable data, security teams can quickly and seamlessly view when valuable data has been compromised, align it to the user, and then link it to the original malware-infected device for proper remediation.

Next, teams can isolate the infected device and remove the malware before requiring employees to invalidate compromised SSO sessions and data. With insight into the exact devices and data criminals accessed, teams can review all activity and access logs to confirm actions are driven by an authorized user. Future access to sensitive data, regardless of whether it was expected or not, can also be monitored to ensure that it was initiated by an authorized user. These steps provide an enhanced layer of protection by giving enterprises a comprehensive understanding of their highest-risk users.
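
The log-review step above, as an added example that is not from the article or from SpyCloud's tooling: given the user tied to an infected device and an assumed infection time, it lists that user's sessions to invalidate and flags later requests from a client not seen in the session before the infection. The log layout, the `review_sessions` name and the sample records are constructed for illustration.

```python
from datetime import datetime

# Constructed sample access log (not real data); the third field stands in
# for a hashed session identifier taken from application or SSO logs.
# Layout (an assumption): (timestamp, user, session id, source IP, User-Agent)
LOG = [
    ("2023-01-04T09:00:00", "alice", "s-111", "198.51.100.10", "Chrome/108 Windows"),
    ("2023-01-04T11:00:00", "alice", "s-111", "198.51.100.45", "Chrome/108 Windows"),
    ("2023-01-05T02:13:00", "alice", "s-111", "203.0.113.77", "Chrome/108 Windows"),
    ("2023-01-05T02:20:00", "alice", "s-111", "198.51.100.10", "Chrome/108 Windows"),
    ("2023-01-04T10:00:00", "bob", "s-222", "198.51.100.20", "Firefox/108 macOS"),
    ("2023-01-04T18:30:00", "bob", "s-222", "192.0.2.99", "Firefox/108 macOS"),
]

def review_sessions(log, infected_user, infected_at):
    """Return (session ids to invalidate, requests to review) for one user.

    Heuristic: clients (IP, User-Agent) seen in a session before the
    infection time form the baseline; later requests from any other client
    are flagged. The User-Agent alone is not trusted, because an adversary's
    browser can present the victim's User-Agent unchanged.
    """
    cutoff = datetime.fromisoformat(infected_at)
    baseline = {}            # session id -> {(ip, ua)} seen before infection
    revoke, review = set(), []
    for ts, user, sid, ip, ua in sorted(log):   # ISO timestamps sort in order
        if user != infected_user:
            continue
        revoke.add(sid)      # every session of the exposed user is invalidated
        seen = baseline.setdefault(sid, set())
        if datetime.fromisoformat(ts) < cutoff:
            seen.add((ip, ua))
        elif (ip, ua) not in seen:
            # A session created after the infection has an empty baseline,
            # so all of its requests land here for review.
            review.append((ts, sid, ip))
    return sorted(revoke), review

if __name__ == "__main__":
    sids, hits = review_sessions(LOG, "alice", "2023-01-04T12:00:00")
    print("invalidate:", sids)
    for ts, sid, ip in hits:
        print("review:", ts, sid, ip)
```

A flagged request is a lead for the access-log review, not proof of hijacking: legitimate users also change networks, so each hit is checked against what the user actually did.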

An effective PIR approach disrupts cybercriminals before they can harm users and businesses. While passkeys and MFA are great strides forward for the security industry, cybercriminals continue to innovate. By swiftly and proactively preventing unauthorized users from accessing customer and employee accounts, enterprises can effectively address vulnerabilities in their current security frameworks. This approach safeguards employees, customers, brand reputation, and overall company profit.

About the Author

Trevor Hilligoss is the Senior Investigator at SpyCloud and is an experienced security researcher with a background in federal law enforcement. Before leaving government service, Trevor spent nearly a decade tracking both cybercriminal and nation-state actors for the DoD and FBI and has presented at US and international conventions as a threat intelligence expert. He holds a BA in Sociology, multiple federal certifications in the field of cyber investigations, and two Global Information Assurance Certifications (GIAC).

Trevor can be reached online at https://www.linkedin.com/in/thilligoss/ and at SpyCloud’s company website https://spycloud.com/.

September 21, 2023
