As multifactor authentication (MFA) adoption becomes more widespread, attackers are evolving their techniques to bypass these security measures. Session Hijacking 2.0 has emerged as a formidable identity-based threat, targeting session tokens and cookies to resume user sessions without re-authenticating. Here’s an in-depth look at this growing menace and how you can defend against it.
The Evolution of Session Hijacking
Session hijacking isn’t a new concept. Traditionally, it involved Man-in-the-Middle (MitM) attacks or cross-site scripting (XSS) to intercept session IDs. However, modern session hijacking operates over public internet channels and targets cloud-based apps and services, making it far more resilient against traditional defensive controls like VPNs or MFA.
Attackers now aim to:
- Steal session cookies, tokens, or IDs to impersonate users.
- Bypass MFA and other authentication controls.
- Exploit sprawling identity surfaces, including Single Sign-On (SSO) integrations.
Why Steal Sessions?
Session hijacking simplifies the attack process:
- No authentication required: Hijacking live sessions bypasses MFA and password-based authentication altogether.
- Extended session validity: Many tokens remain valid for days or weeks, giving attackers a prolonged window in which to use the stolen session.
- Access to critical apps: Attacking SSO identities (e.g., Okta or Microsoft Entra) enables attackers to access multiple downstream apps, including sensitive ones like customer databases or internal tools.
Modern Session Hijacking Methods
- Phishing Toolkits (AitM and BitM):
  - AitM (Attacker-in-the-Middle): Acts as a proxy between the victim and the real login page, intercepting session tokens during authentication.
  - BitM (Browser-in-the-Middle): Tricks victims into using the attacker’s browser remotely, effectively capturing all session details.
- Infostealers:
  - Spread through malicious websites, ads, or downloads.
  - Extract session cookies, saved credentials, and browser data.
  - Compromise both personal and corporate devices, exploiting synced browser profiles.
Why Traditional Defenses Fall Short
- Endpoint Detection and Response (EDR): While effective against known threats, EDR can miss custom or novel infostealer malware.
- IP Restriction Policies: Attackers use proxy networks or residential IPs to bypass location-based controls.
- Session Token Expiry: Many session tokens remain valid far beyond their intended lifespan, especially if activity continues.
Mitigation Strategies
- Secure Browsing Practices:
  - Limit browser syncing across personal and corporate devices.
  - Regularly clear browser cookies and stored credentials.
- Enhanced Endpoint Security:
  - Deploy advanced EDR solutions with behavioral analysis capabilities.
  - Regularly update endpoint software to patch vulnerabilities.
- Identity-Based Controls:
  - Use phishing-resistant MFA methods like passkeys.
  - Employ browser-based markers, like the Push Security marker, to detect session token misuse.
- Monitor Session Behavior:
  - Analyze logs from Identity Providers (IdPs) like Okta or Microsoft Entra.
  - Flag sessions with unusual activity, such as sudden changes in device, location, or browser markers.
- Educate Users:
  - Train employees to recognize phishing attempts and avoid suspicious downloads.
  - Encourage the use of secure password managers and disable browser-based password saving.
Adding a New Line of Defense: Browser-Based Markers
Tools like Push Security inject unique markers into user agent strings, allowing organizations to detect and respond to hijacked sessions. By analyzing activity logs for sessions that continue without their expected marker, or whose device, location, or browser suddenly changes, it’s possible to identify unauthorized access and mitigate session hijacking risks effectively.
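The detection described in the "Monitor Session Behavior" item and in the paragraph above, as an added example that is not code from the original post or from any vendor: it sweeps a constructed IdP-style JSON-lines log and flags any session id that reappears with a different IP, a different User-Agent, or without the browser marker it was first seen with. The `OrgMarker/<id>` token in the User-Agent is a hypothetical stand-in for a vendor-injected marker.

```python
import json
import re

# Hypothetical marker that a managed browser appends to its User-Agent string,
# standing in for a vendor marker like the one described above.
MARKER_RE = re.compile(r"OrgMarker/([A-Za-z0-9-]+)")

# Constructed IdP-style log (JSON lines): session "sid-1" is used twice from the
# same browser, then its token reappears from a new IP in a browser without the marker.
SAMPLE_LOG = """\
{"ts": "2024-05-01T09:00:00Z", "user": "alice", "session": "sid-1", "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0 OrgMarker/dev-7f3a"}
{"ts": "2024-05-01T09:12:30Z", "user": "alice", "session": "sid-1", "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0 OrgMarker/dev-7f3a"}
{"ts": "2024-05-01T11:40:05Z", "user": "alice", "session": "sid-1", "ip": "198.51.100.77", "ua": "Mozilla/5.0 (X11; Linux x86_64) Chrome/124.0"}
{"ts": "2024-05-01T10:00:00Z", "user": "bob", "session": "sid-2", "ip": "203.0.113.22", "ua": "Mozilla/5.0 (Macintosh) Safari/17.4 OrgMarker/dev-91c0"}
"""

def parse_log(text):
    """Parse JSON-lines events, ignoring blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def fingerprint(event):
    """Reduce an event to the attributes a replayed session tends to change."""
    m = MARKER_RE.search(event.get("ua", ""))
    return event.get("ip"), event.get("ua"), (m.group(1) if m else None)

def find_hijack_candidates(events):
    """Alert when a session id reappears with a different IP, UA or marker.
    The first event per session id is the baseline; a marker that later vanishes
    is the strongest signal, since a cookie replayed from an unmanaged browser lacks it."""
    baseline, alerts = {}, []
    for ev in events:
        sid, (ip, ua, marker) = ev.get("session"), fingerprint(ev)
        if sid not in baseline:
            baseline[sid] = (ip, ua, marker)
            continue
        b_ip, b_ua, b_marker = baseline[sid]
        reasons = []
        if ip != b_ip:
            reasons.append("ip_changed")
        if ua != b_ua:
            reasons.append("user_agent_changed")
        if marker != b_marker:
            reasons.append("marker_missing" if marker is None else "marker_changed")
        if reasons:
            alerts.append({"session": sid, "user": ev.get("user"), "ts": ev.get("ts"), "reasons": reasons})
    return alerts

if __name__ == "__main__":
    print(json.dumps(find_hijack_candidates(parse_log(SAMPLE_LOG)), indent=2))
```

In production the baseline would come from the IdP's session-start event rather than the first log line seen, and an IP change alone deserves a lower severity than a missing marker, since mobile users change addresses legitimately.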
Session hijacking has evolved into a sophisticated attack vector that targets modern identity and authentication mechanisms. By understanding the methods attackers use and implementing robust defensive measures, organizations can protect their systems, users, and sensitive data from this growing threat.