Passkeys and multifactor authentication aren't enough for combating infostealer malware, which can exfiltrate corporate data before anyone knows an attack happened.

Trevor Hilligoss, Senior Director of Security Research, SpyCloud

September 11, 2023

4 Min Read
The words "SESSION HIJACKING" on a digital background
Source: MauriceNorbert via Alamy Stock Photo

From passkeys to multifactor authentication (MFA), most businesses are embracing solutions that protect sensitive information to minimize their attack surface and enhance cybersecurity posture. While these approaches are a step in the right direction, security teams should recognize they may not be enough to fully secure user data.

As enterprises deploy new ways to protect their networks, cybercriminals are simultaneously evolving tactics to bypass these defenses. Bad actors are already using techniques like session hijacking and account takeover to bypass passkeys and MFA to gain entry into corporate systems. What's worse, these tactics are primarily enabled by malware-exfiltrated data, one of the most challenging security gaps to address.

Malware quickly and stealthily steals large amounts of accurate authentication data, including personally identifiable information (PII) such as login credentials, financial information, and authentication cookies — and some malware is already beginning to exfiltrate local key vaults like those maintained by password managers, many of which have started offering passkey solutions. Last year, threat actors conducted over 4 billion malware attempts, making it the most preferred cyberattack method. Moreover, according to SpyCloud's "2023 Annual Identity Exposure Report," over 22 million unique devices were infected by malware last year, with the stolen data making its way to criminal networks to use in attacks ranging from session hijacking to ransomware.

While malware-exfiltrated data — including business application logins and cookies for code repositories, customer databases, and financial systems — grows in importance to criminals, security teams still lack the necessary visibility to contend with those exposures. Those who understand how malware functions and how cybercriminals use malware-siphoned data to carry out follow-on attacks are better equipped to address the threat.

Malware-Enabled Session Hijacking Is the Big Threat

Session hijacking begins when infostealer malware (often deployed through phishing emails or malicious websites) exfiltrates device and identity data from the infected machine and its Web browsers. While all stolen data has some value to criminals, infostealer malware increasingly targets high-value data, including cookies.

When a user signs into a site or application, the server stores a temporary authentication token (or cookie) in that browser, allowing the server to remember the user for a certain length of time. So long as the cookie remains valid, a bad actor can import it, along with additional details that mimic the user's device and location, into an anti-detect browser — giving them access to an already-authenticated session.

Session hijacking is extremely effective against even the strongest methods of authentication. Simply using valid stolen cookies allows criminals to skip the authentication process entirely without setting off red flags. This enables criminals to remain undetected on corporate networks for long periods, granting them a free pass to sensitive information and the ability to steal additional data or escalate privileges on their way to carrying out targeted attacks like ransomware. 

Criminals understand the devastating potential of session hijacking and have already created tools like EvilProxy and Emotet to target authentication cookies. So, what can corporations do against a threat that negates key defenses? While it may seem impossible, there are novel approaches to help end the cycle of cybercrime.

You Can't Fix What You Can't See

Overcoming the rising challenge of session hijacking is a daunting task, but not impossible. One of the biggest issues when defending against attacks fueled by infostealer malware is the malware's ability to evade detection. Newer forms of malware can siphon data and delete themselves in seconds, making it difficult for security teams to know an attack even occurred. 

Additionally, infostealer malware can infect employees' personal devices and contractor devices outside the typical purview of the security team, making it extremely difficult to identify all instances of business exposure. 

Fortunately, these concerns can both be solved with increased threat awareness and visibility. After all, organizations can't defend against the unknown.

Security teams should educate users on infostealers, how to avoid errantly downloading one onto any device accessing the corporate network or critical business applications, and how to routinely delete cookies stored in their browser.

For malware that does slip through the cracks, understanding exactly what information was stolen can help teams identify which user credentials and authentication cookies need to be remediated. Wiping the infected device isn't enough, as active stolen data can be used long after the initial infection is addressed. Instead, organizations need to identify compromised data and proactively force session invalidation and password resets to cut off potential entry points into the organization. 

Ultimately, a complete malware remediation process should hinge on knowing what data was siphoned by infostealer malware. IT teams should prioritize approaches and solutions that provide the enhanced visibility necessary to address malware-enabled security gaps. Once teams have this insight, they can take steps to address all exposed assets, including authentication data, to protect company reputation and the bottom line.

About the Author(s)

Trevor Hilligoss

Senior Director of Security Research, SpyCloud

Trevor Hilligoss is the Senior Investigator of Security Research at SpyCloud and an experienced researcher with a background in federal law enforcement. Before leaving government service, Trevor spent nearly a decade tracking both cybercriminal and nation-state actors for the DoD and FBI and has presented at the US and international conventions as a threat intelligence expert. He holds a BA in Sociology, multiple federal certifications in the field of cyber investigations, and two Global Information Assurance Certifications (GIAC).

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights