Ethical Hacking News

Session Hijacking 2.0: The Latest Threat to MFA Adoption



Session hijacking has evolved into an identity-based attack that targets cloud-based apps and services. With 147,000 token replay attacks detected by Microsoft in 2023 alone, this new approach to session hijacking poses a significant threat to MFA adoption. Learn more about how Session Hijacking 2.0 is bypassing traditional security controls and what organizations can do to stay ahead of the evolving threat landscape.


  • Session hijacking has evolved into an identity-based attack targeting cloud-based apps and services.
  • The number of token replay attacks detected by Microsoft in 2023 increased by 111% year-over-year, reaching 147,000.
  • Modern session hijacking can be performed over the public internet without network-based exploits, using phishing toolkits like AitM and BitM to steal valid session material.
  • This new approach bypasses standard defensive measures like encrypted traffic or MFA, targeting cloud apps with complex identity surfaces.
  • The reasons behind the rise of session hijacking are the ability to bypass authentication controls like MFA and the long-term validity of session tokens.
  • The implications are far-reaching, allowing attackers to bypass authentication controls and gain access to sensitive data in cloud-based apps and services.
  • Organizations must implement robust security controls, including advanced phishing detection tools, software updates, and user education on safe browsing practices.



Session hijacking, once confined to traditional Man-in-the-Middle (MitM) attacks, has evolved into an identity-based attack that targets cloud-based apps and services. According to recent data, attackers are increasingly turning to session hijacking to get around widespread MFA adoption: Microsoft detected 147,000 token replay attacks in 2023 alone, a 111% increase year-over-year.

This new approach has significant implications for the security community because it can be carried out over the public internet without any network-based exploit. In traditional session hijacking, the attacker typically had to intercept or manipulate local network traffic to capture credentials or access financial information. In modern session hijacking, attackers instead use AitM (adversary-in-the-middle) and BitM (browser-in-the-middle) phishing toolkits to steal valid session material (cookies, tokens, IDs) and resume the session from their own device.

Unlike legacy session hijacking, which often fails against basic controls such as encrypted traffic or MFA, modern session hijacking reliably bypasses these standard defensive measures. This is largely because the context of the attack has changed over time. Traditional session hijacking targeted internal Active Directory credentials as well as email and core business apps; today's identity surface looks very different, with tens or hundreds of separate accounts per user across a sprawling suite of cloud apps.

The rise of session hijacking has two main drivers. First, stealing a live session lets the attacker bypass authentication controls such as MFA: hijacking an existing session means fewer steps, with no need to convert stolen usernames and passwords into an authenticated session. Second, session tokens can remain valid for long periods, often up to 30 days or even indefinitely as long as activity is maintained.

The implications of this new approach to session hijacking are far-reaching. An attacker holding a valid session token bypasses authentication controls and gains access to sensitive data. This is particularly concerning for cloud-based apps and services, where the identity surface is often more complex and less well secured than traditional on-premises environments.

To combat this threat, security practitioners use a layered defense that detects and blocks risky user behavior, such as entering passwords into unauthorized sites or visiting cloned login pages. Tools such as Push Security's browser agent can additionally detect stolen sessions and prevent identity attacks.
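The two server-side checks that follow directly from the points above, as an added illustration (this is not code from the article or from any product it names): a hard absolute lifetime so that a sliding idle timeout cannot keep a replayed token alive indefinitely, and binding the session to the client context seen at login so that a valid token presented from a different device is revoked and reported. The timeouts, the fingerprint inputs and the `SessionStore` API are assumptions chosen for the example.

```python
"""Session validation that limits the value of a stolen session token.

Assumed policy values, not from the article: one hour idle timeout and a
24 hour absolute cap that applies regardless of activity.
"""
from dataclasses import dataclass
import hashlib
import hmac
import secrets

IDLE_TIMEOUT = 60 * 60          # seconds of inactivity before the session ends
ABSOLUTE_LIFETIME = 24 * 3600   # hard cap even if activity is maintained


@dataclass
class Session:
    user: str
    created: int       # epoch seconds at login
    last_seen: int     # epoch seconds of the last accepted request
    fingerprint: str   # hash of the client context captured at login


def fingerprint(user_agent: str, ip: str) -> str:
    """Hash the client context; a replayed token from another device differs here."""
    return hashlib.sha256(f"{user_agent}|{ip}".encode()).hexdigest()


class SessionStore:
    def __init__(self) -> None:
        self._by_hash: dict[str, Session] = {}   # keyed by token hash, never raw token

    def create(self, user: str, now: int, user_agent: str, ip: str) -> str:
        token = secrets.token_urlsafe(32)
        h = hashlib.sha256(token.encode()).hexdigest()
        self._by_hash[h] = Session(user, now, now, fingerprint(user_agent, ip))
        return token

    def validate(self, token: str, now: int, user_agent: str, ip: str):
        """Return (status, user); status is 'ok', 'expired', 'context_mismatch' or 'unknown'."""
        h = hashlib.sha256(token.encode()).hexdigest()
        s = self._by_hash.get(h)
        if s is None:
            return "unknown", None
        # Both limits apply: refreshing last_seen cannot extend past the absolute cap.
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_LIFETIME:
            del self._by_hash[h]
            return "expired", None
        if not hmac.compare_digest(s.fingerprint, fingerprint(user_agent, ip)):
            # Valid token, different client context: the shape of a replayed stolen
            # session. Revoke it and surface the user for follow-up.
            del self._by_hash[h]
            return "context_mismatch", s.user
        s.last_seen = now
        return "ok", s.user
```

Binding on IP and User-Agent produces false positives on mobile and corporate networks, so a mismatch is best treated as a trigger for re-authentication and an alert rather than proof of compromise.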

To stay ahead of the evolving threat landscape, organizations must consider implementing robust security controls that address both traditional and modern session hijacking techniques. This includes using advanced phishing detection tools, keeping software up-to-date, and educating users on safe browsing practices.

In conclusion, Session Hijacking 2.0 is a significant threat to MFA adoption, and one that requires immediate attention from the security community. By understanding the context of these attacks and implementing robust security controls, organizations can reduce their risk of falling victim to this evolving threat.



Related Information:

  • https://thehackernews.com/2024/09/session-hijacking-20-latest-way-that.html

  • https://owasp.or.id/2024/09/30/session-hijacking-2-0-the-latest-way-that-attackers-are-bypassing-mfa/

  • Published: Mon Sep 30 11:06:53 2024 by llama3.2 3B Q4_K_M
