When unmanaged (personal or shared) devices are used to access corporate applications, they pose considerable risks. Users are 71% more likely to be infected on an unmanaged device, and 55% of digital employees use individually owned devices for work at least a portion of the time, according to a Gartner report. Because these devices reside outside of corporate control, security personnel lack visibility into them, and without awareness of an infection, the resulting hazards cannot be appropriately mitigated and remediated.
Malware steals everything from a compromised device, including credentials and online session cookies. Using stolen cookies, hackers can impersonate a legitimate user in a session hijacking attack. Let’s take a closer look at session hijacking, how it might lead to ransomware, and how you can protect your organization from it.
What exactly is Session Hijacking?
When an attacker takes over a user’s web session, this is known as session hijacking. The server places a temporary session cookie in your browser when you log into a website or service. This cookie informs the application that you are logged in and authenticated. Some cookies may only survive 24 to 48 hours, while others may last months.
Criminals use malware-stolen web and device session cookies to perform session hijacking, obviating the requirement for credentials and multi-factor authentication (MFA). Session hijacking is an increasingly common precursor to fraud and, even more concerning for businesses, ransomware attacks.
How do crooks get their hands on session cookies? Easily, unfortunately.
Step 1: Persuade the user to click on a harmful link or download a malicious attachment in order to infect their device with malware.
Step 2: Without the user’s knowledge, the malware siphons all kinds of data from the infected device, including credentials, autofill information, and web session cookies.
Step 3: The thief can then use a stolen session cookie to authenticate as the user without needing a username and password, circumventing security and fraud protections such as MFA.
Criminals typically obtain access to session cookies in one of two ways: by installing malware directly on a user’s device, or by purchasing or exchanging botnet logs on the darknet. Once a thief has obtained stolen web session cookies, it is frightening how quickly and easily they can conduct account takeover attempts on both personal and work accounts, and the options for what they might do are unlimited and equally shocking.
Criminals can easily move throughout the organization by impersonating employees, gaining access to secret information, and changing access privileges using cookies from corporate applications – even third-party applications like SSO and VPN. Criminals can use cookies from consumer accounts to steal loyalty points and incentives, drain funds, change shipping and billing information, apply for credit, and conduct fraudulent purchases using saved payment information.
Session Hijacking Causes Ransomware Attacks
It is vital that enterprises prevent session hijacking, since it not only exposes you to account takeover but also allows criminals to conduct a ransomware attack from within the corporate network or a critical worker function (including SSO). Once attackers have gained access to corporate systems, they can simply move laterally through the organization while disguised as a genuine user, attempting to escalate privileges in order to access and encrypt sensitive company data.
An employee with poor cyber hygiene who clicks on a malicious link or downloads a suspicious document and becomes infected with an infostealer is an unintentional insider threat.
So, what are your options? Actively monitoring for malware-stolen device or web session cookies is an effective method of mitigating ransomware attacks, provided action is taken to invalidate compromised sessions before threat actors can use them for session hijacking. Otherwise, armed with this information, attackers can use anti-detect browsers to defeat even newer browser-fingerprinting anti-fraud technologies and circumvent MFA.
With proactive monitoring, you can identify employees whose managed and unmanaged endpoints have been infected by infostealers and take appropriate post-infection remediation steps, such as invalidating their active web sessions (and resetting stolen credentials) and preventing a malware infection from becoming a full-fledged security incident.
Preventing Session Hijacking
According to a recent poll of more than 300 security leaders, large ransomware attacks in the last two years have raised malware fears, prompting enterprises to strengthen their security infrastructure with additional layers. Previously unconsidered solutions, such as monitoring for compromised web sessions, are now among the top countermeasures planned for investment. This shows that businesses are attempting to expand protection to other areas as threat actors shift their focus to vulnerabilities that are less frequently or thoroughly covered by more traditional protections.
The best method for companies to prevent session hijacking is to understand what it is and how it is carried out, to monitor for stolen web sessions programmatically, and to build a procedure to invalidate web sessions associated with infected users. Responding immediately keeps thieves out and stops them from profiting from malicious activities.
Because online sessions might be valid for a few days or even a few months, knowing about malware-compromised sessions early on can help organizations respond fast to prevent session hijacking. The main point is to:
Identify users who have been infected with infostealers.
Terminate any active sessions identified by a compromised cookie.
Protect high-value accounts from attackers who use stolen cookies to impersonate trusted devices.
Regardless of cookie expiration period, flag user accounts with known compromised devices for enhanced inspection of future logins or site activities.
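The remediation procedure above (identify the infected user, terminate their live sessions regardless of remaining cookie lifetime, and flag the account for step-up checks on future logins) as an added, self-contained example that is not code from the original post. It assumes a hypothetical server-side session store keyed by a hash of the cookie value; the in-memory dictionaries stand in for the shared store a real application would use.

```python
import hashlib
import secrets

# Constructed in-memory session store (assumption of this example). A real
# deployment keeps this in a shared store so revocation reaches every server.
SESSIONS = {}   # sha256(cookie) -> {"user", "device", "expires"}
FLAGGED = {}    # user -> details of the known-compromised device


def _sid(cookie):
    # Store only a hash so the store is not a second copy of every live bearer token.
    return hashlib.sha256(cookie.encode()).hexdigest()


def create_session(user, device, now, ttl=48 * 3600):
    """Issue a session cookie; ttl defaults to 48h but may be months in practice."""
    cookie = secrets.token_urlsafe(32)
    SESSIONS[_sid(cookie)] = {"user": user, "device": device, "expires": now + ttl}
    return cookie


def validate_session(cookie, now):
    """Return the session owner, or None if the cookie is unknown, revoked or expired."""
    s = SESSIONS.get(_sid(cookie))
    return None if s is None or s["expires"] <= now else s["user"]


def revoke_user_sessions(user):
    """Terminate every live session for the user, regardless of remaining lifetime."""
    doomed = [sid for sid, s in SESSIONS.items() if s["user"] == user]
    for sid in doomed:
        del SESSIONS[sid]
    return len(doomed)


def report_stolen_cookie(cookie):
    """Remediate a cookie value found in an infostealer log: identify the user,
    terminate all of their sessions and flag the account for future step-up checks."""
    s = SESSIONS.get(_sid(cookie))
    if s is None:
        return None   # unknown or already revoked; nothing left to terminate
    user, device = s["user"], s["device"]
    FLAGGED[user] = {"device": device, "reason": "infostealer"}
    revoke_user_sessions(user)
    return user


def login_needs_step_up(user):
    """Enhanced inspection for accounts tied to a known-compromised device."""
    return user in FLAGGED
```

Because revocation works on all of the user's sessions rather than the single reported cookie, a long-lived cookie stolen from the same device but not present in the log is terminated as well.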
Despite the increasing layers of security that organizations put in place to protect themselves against cyberattacks, thieves continue to find inventive ways to get around them. A stream of malware-infected data from your users is now a crucial layer in a solid security strategy.
Locking bad actors out of users’ accounts prevents criminals from accessing account information and committing fraud. You can also prevent unauthorized access to business-critical information and accounts by discovering, and acting quickly on, malware-infected devices that employees use to access corporate apps, whether managed or personal.