Multi-Factor Authentication (MFA or 2FA) has become a recognised standard for cyber security, and rightly so. Most of us have become accustomed to it: we log into our bank and it sends us a text message to check it's us. Or if we try to log in to our Microsoft 365 account from an unrecognised network or location, it asks us to authenticate via the authenticator app. We've all got used to how it works.
It's been a great addition to the world of IT and Cyber Security. Nowadays, if your username and password are compromised, MFA is there to protect you and your data.
In the past, if your credentials were compromised then a cyber security breach would typically ensue. But MFA has put a stop to that… or has it?!
Unfortunately, cybercriminals are evolving the approaches they use to exploit people and organisations. One of these newer attacks is known as Session Token Theft.
Session Token Theft - What is it?
In such an attack, a cybercriminal attempts to steal a person's session token in order to gain unauthorised access to their account. Typically, that token is the user's MFA, as that is unique to their login attempt. Unlike the username and password, which might be static for some time, MFA is continually changing. You'll notice this when you enter an MFA code: it is only valid for a short period of time before it refreshes to a different code.
That code is what cybercriminals are trying to coerce from you. It's the final piece of the puzzle they need to gain access to your account.
How Does A Cybercriminal Do It?
Unfortunately, there are numerous methods a cybercriminal will use. Common techniques include:
Cross-Site Scripting (XSS)
In an XSS attack, the cybercriminal injects malicious code into a website or application, which is then executed by the person's web browser. This code can steal the session token stored in the user's browser and send it to the attacker.
Cross-Site Request Forgery (CSRF)
Slightly trickier to understand: the cybercriminal tricks a person into unknowingly sending a request to a website or application that they are already authenticated with.
Session Hijacking
This is where a cybercriminal intercepts the session token as it is being transmitted to or from the user's device. This can happen through various means, such as sniffing network traffic, using man-in-the-middle attacks, or exploiting vulnerabilities in the communication channels.
A Typical Attack
So let's talk about a typical attack they'll mount. It will happen just like this:
A phishing email which a person mistakenly deems as legitimate and clicks a link to log in
This then takes them to a landing page to enter their username and password
Which then triggers them to enter an MFA key
Cyber breach complete
It's as simple as that. The cybercriminal would then have access to the person's account. They could tweak the security settings to turn off MFA, or add their own authentication method. They'd then have free rein over that person's account and could remain dormant for weeks or months, gathering intelligence before mounting a more comprehensive attack on the organisation.
What Can Protect Us Against This Risk?
Well, there are many things you can do to protect your organisation, but you have to do something. MFA in isolation is no longer fit for purpose. It's a great protection step, but it too can be compromised, as we've outlined.
What every organisation should do is monitor for suspicious activity. Take Microsoft 365: you should be monitoring for
High-threat IPs and locations
New logins from proxy services
Inbox rules that forward to external domains, delete items, or move mail to RSS feeds folders or other locations
Suspicious naming conventions
Tenant permission modifications
New user promoted to global admin
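As an added illustration (not EquiTech's code, nor the platform described on this page), the Python below runs the checks in the list above over a handful of constructed Microsoft 365-style audit events. The event field names, the threat-intel lists and the internal mail domain are assumptions; in a real deployment they come from your log source and threat feeds.

```python
# Added example: a minimal detector for the M365 triggers listed above.
# Event shapes are simplified/assumed, not a real unified audit log schema.
from typing import Iterable

HIGH_THREAT_COUNTRIES = {"XX"}            # placeholder: from your threat-intel feed
KNOWN_PROXY_ASNS = {"AS-PROXY-EXAMPLE"}   # placeholder: anonymiser / proxy ASNs
INTERNAL_DOMAIN = "example.com"           # assumption: the tenant's own mail domain

def check_event(ev: dict) -> list[str]:
    """Return alert strings for one event (empty list if nothing is suspicious)."""
    alerts = []
    op = ev.get("operation")
    if op == "UserLoggedIn":
        if ev.get("country") in HIGH_THREAT_COUNTRIES:
            alerts.append(f"high-threat location login: {ev['user']} from {ev['country']}")
        if ev.get("asn") in KNOWN_PROXY_ASNS:
            alerts.append(f"login via proxy service: {ev['user']} ({ev['asn']})")
    elif op in ("New-InboxRule", "Set-InboxRule"):
        p = ev.get("parameters", {})
        for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
            target = p.get(key)
            if target and target.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN:
                alerts.append(f"inbox rule forwards externally: {ev['user']} -> {target}")
        if p.get("DeleteMessage"):
            alerts.append(f"inbox rule deletes messages: {ev['user']}")
    elif op == "Add member to role.":
        if ev.get("role") == "Global Administrator":
            alerts.append(f"user promoted to global admin: {ev['target']} by {ev['user']}")
    return alerts

def scan(events: Iterable[dict]) -> list[str]:
    """Run check_event over every event and flatten the alerts."""
    return [a for ev in events for a in check_event(ev)]

# Constructed sample events (not real log data): one benign login, then a login
# from a high-threat country via a proxy, an external-forwarding inbox rule that
# also deletes mail, and a promotion to Global Administrator.
SAMPLE_EVENTS = [
    {"operation": "UserLoggedIn", "user": "alice@example.com", "country": "GB", "asn": "AS-ISP"},
    {"operation": "UserLoggedIn", "user": "alice@example.com", "country": "XX", "asn": "AS-PROXY-EXAMPLE"},
    {"operation": "New-InboxRule", "user": "alice@example.com",
     "parameters": {"ForwardTo": "drop@attacker-example.net", "DeleteMessage": True}},
    {"operation": "Add member to role.", "user": "alice@example.com",
     "target": "bob@example.com", "role": "Global Administrator"},
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print("ALERT:", line)
```

Each alert is the kind of trigger the next section talks about; wiring it to an automated response (disable the account, revoke sessions, disable the inbox rule) is where the platform comes in.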
Imagine This?
Imagine one of the above things happened, say an account login from a high-threat location.
What if you had a cyber security provision in place that, when such an occurrence happened, would proactively cease access? What if it provided identity isolation, so that as soon as a trigger fired it would disable the compromised Microsoft 365 user account, revoke the session and/or disable inbox rules for the duration of the incident?
Well, that is now a reality, and we'll be showcasing the platform that we use ourselves, which offers such protection against the risk of Session Token Theft.
If you'd like to see this in the flesh, attend our remote event:
Registration link - EquiTech - Detect & Protect Event
Date - Tuesday the 23rd of July
Time - 0930 - 1030
Format - Free to attend online webinar
Call to Action
If you'd like to know more about this risk, preventative measures or our event then speak to one of our consultants at EquiTech Group:
Phone - 01604 346 444
Email - info@etg365.co.uk