The Golden Hour: Why Session Cookie Hijacking is the New MFA Bypass
For the past ten years, cybersecurity professionals have emphasized Multi-Factor Authentication (MFA) as the single best way to keep your login credentials from being compromised. The theory was that no matter how the attacker obtained your username and password, they would still be stopped by the need to pass the second authentication factor, whether that was a push notification, a text message or a biometric check.
Based on the previous look at infostealer malware and the threat intelligence we gathered, it has been proven that attackers are bypassing MFA in large numbers, and they are doing so by taking advantage of the invisible, quiet anchor of every web application: session cookies, which represent a significant vulnerability. This weakness has opened a new window of opportunity for attackers, known as "The Golden Hour", and it will be the primary battleground for malware-driven attacks moving forward.
This is why session cookie hijacking is now the greatest risk to your business and enterprise security.
- The Invisible Authentication Anchor
To understand the threat associated with session cookies, we first need to understand what they are. When you log into a site like Gmail, Slack or your bank, the service authenticates you through MFA and, once you have been successfully authenticated, creates a unique, encrypted token (the Session Cookie) which it stores in your web browser as long-lived data. The Session Cookie acts as a temporary credential for the application, essentially telling it for the next hour or even for days that "this user has already been authenticated, don't ask them for their credentials or MFA again." The Session Cookie is a necessary mechanism for an acceptable user experience: without it you would have to re-enter an MFA code for every new email or page refresh. The vulnerability is that the Cookie is the credentialing authority. If an attacker possesses a valid Session Cookie, then as far as the application is concerned they are the user.
- 'Pass-the-Cookie': Stealing the Master Key
This is where the infostealer malware discussed before becomes critical. The image generated earlier illustrates that once the infostealer infects a user's device, the goal of the malware is not necessarily to steal passwords (which can be easily reset), but rather to obtain the active session cookies from the browser's storage and memory.
Once the attacker's infostealer exfiltrates the active session cookies, they will often sell those session cookies (referred to as Golden Cookies) on various underground markets. The attacker will then Pass the Cookie to their own browser, and when the attacker loads the stolen cookie onto their browser, they create a seamless access event.
Because the application now sees the attacker as the already-authenticated user, they are not required to enter a username or a password. Furthermore, since the stolen session cookie is valid and was issued only after both the password check and the multi-factor authentication check had passed, the attacker is granted seamless access to the target system.
- The Countdown: Why Time is the Critical Defensive Factor
This leads us to the "Golden Hour". Remember that session cookies do not last forever. Each application sets an expiration period for its session cookies according to its security policy. The expiration period can be as short as an hour for sensitive financial applications or as long as several weeks for social media applications. The countdown in the image showing "58:32 Left" is not just a representative image; it is the tactical reality of this situation. Attackers know that they must use a hijacked session cookie before it expires or before the legitimate user logs out of that session, which forces the session cookie to be invalidated. Because of this limited window for using a hijacked session cookie, infostealer supply chains (such as Telegram) are moving quickly to sell or use "fresh" log files, since a log loses value with every passing minute. For businesses to detect a hijacked session cookie, they need real-time intelligence. If an attacker takes a hijacked session cookie and uses it to access a company's single sign-on (SSO) application from an unexpected IP address, there is a good chance that the business's conventional security tools will not detect the incident until after the "Golden Hour", by which time the damage (data exfiltration, privilege escalation or lateral movement) has probably already occurred.
- The Reactive Defense Fails: Proactive Is the Only Path
The traditional reactive defense model against session cookie hijacking (waiting for an alert after an intrusion has occurred) no longer works. Because the attacker replays a valid post-authentication token, the session is exploited before classic detection layers (such as EDR) see anything happen.
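The detection the paragraph above calls for, the same session cookie suddenly presented from an unexpected IP address or a different browser while it is still valid, can be expressed as a simple check over SSO access logs. The following is an added example written for this page, not code from the article or from DarkX; the log format, session IDs and addresses are constructed for illustration.

```python
from datetime import datetime

# Constructed sample SSO access log (not real data): timestamp, session id,
# user, source IP and user agent. Session a1b2c3 is reused from a new IP and
# browser 15 minutes after its last legitimate request; d4e5f6 stays consistent.
SAMPLE_LOG = """\
2024-05-01T09:00:12Z sid=a1b2c3 user=alice ip=203.0.113.10 ua=Chrome/124
2024-05-01T09:05:40Z sid=a1b2c3 user=alice ip=203.0.113.10 ua=Chrome/124
2024-05-01T09:21:03Z sid=a1b2c3 user=alice ip=198.51.100.77 ua=Firefox/125
2024-05-01T09:30:00Z sid=d4e5f6 user=bob ip=192.0.2.5 ua=Safari/17
2024-05-01T10:45:00Z sid=d4e5f6 user=bob ip=192.0.2.5 ua=Safari/17
"""


def parse_line(line):
    """Turn one 'ts key=value ...' line into a dict with a parsed timestamp."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_hijack_candidates(log_text, golden_hour_minutes=60):
    """Flag any session whose cookie is presented from a different source IP or
    user agent than its previous request. A legitimate session does not hop
    between clients; a stolen cookie replayed in the attacker's browser does.
    Each alert records how quickly the reuse followed the last legitimate hit,
    so analysts can see whether it landed inside the 'Golden Hour' window."""
    last_seen = {}  # sid -> (timestamp, ip, user agent) of the latest request
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        sid = rec["sid"]
        if sid in last_seen:
            prev_ts, prev_ip, prev_ua = last_seen[sid]
            changes = []
            if rec["ip"] != prev_ip:
                changes.append(f"ip {prev_ip}->{rec['ip']}")
            if rec["ua"] != prev_ua:
                changes.append(f"ua {prev_ua}->{rec['ua']}")
            if changes:
                gap = round((rec["ts"] - prev_ts).total_seconds() / 60, 1)
                alerts.append({"sid": sid, "user": rec["user"],
                               "minutes_since_last": gap, "changes": changes,
                               "within_golden_hour": gap <= golden_hour_minutes})
        last_seen[sid] = (rec["ts"], rec["ip"], rec["ua"])
    return alerts
```

In production the same logic would key on the hashed cookie value the IdP logs, and an alert inside the window should trigger immediate session revocation rather than a ticket.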
To defend against this, organizations need to create new proactive exposure intelligence. This means that they must actively monitor dark web markets and infostealer logs to locate their exposed cookies before an attacker takes advantage of "The Golden Hour" window. Organizations cannot protect what they cannot see and cannot stop an attacker who has already knocked on their door and has possession of their cookie.
DarkX - DarkX provides organisations with AI-based capabilities that monitor the most active areas of dark web activity and generate real-time breach notifications, along with actionable threat intelligence that can be used to thwart cybercriminal activity before it happens.
For more research on cybersecurity, privacy, and emerging digital risks, visit:
IntelligenceX — IntelligenceX enables users to discover digital evidence in a privacy-friendly way.