By Trevor Hilligoss

Passwords have been the cornerstone of basic cybersecurity hygiene for decades.

However, as users engage with more applications across multiple devices, the digital security landscape is shifting from passwords and password managers towards including passwordless authentication, such as multi-factor authentication (MFA), biometrics, and, as of late, passkeys.

But as secure and user-friendly as these authentication methods are, cybercriminals are already busily sidestepping all forms of authentication – passwords, MFA, and passkeys – to sometimes devastating effect.

Passwordless work arounds

Without a doubt, passwordless authentication is a significant improvement over traditional passwords and effectively addresses the persistent risk of easy to guess passwords and password reuse. Most passkeys available to consumers leverage unique biometric authentication data and cryptographically secure means to authenticate users when they access websites and applications.

This new authentication technique is gaining traction, especially since the FIDO Alliance has advocated for its implementation over the last year. Moreover, leading tech companies like Google, Microsoft, and Apple have developed robust frameworks to integrate this system of authentication.

Yet history reminds us that cyber threats evolve alongside our defenses. As we move towards a passwordless world, bad actors are finding new avenues to exploit, including simply working around passwordless authentication with session hijacking attacks and other forms of next-generation account takeover – and the tradeoff is significant.

The most alarming threat to users and businesses today, bar none, is malware. Criminals increasingly use infostealer malware and other low-cost and highly effective malware-as-a-service tools to exfiltrate valid identity data needed for authentication, like session cookies.

The role of infostealers

Hilligoss

Infostealers pose a significant challenge for websites and servers that validate user identities. Armed with an anti-detect browser and a valid cookie, bad actors can mimic a trusted device or user, easily sidestep authentication methods, and seamlessly blend in without raising any red flags. Once the session is hijacked, criminals can access a user’s accounts, and masquerade as the user to perpetrate additional cyber incidents such as fraud and ransomware.

And this attack method is on the rise.  In 2023, infostealer malware use tripled, with 61% of breaches attributable to this threat. SpyCloud researchers highlighted how malware infections are a major player in identity exposures in the recent 2024 Identity Exposure Report.

While most infostealer malware are non-persistent in their infiltration, and extraction of information takes only a matter of seconds, leaving the device with nary a sign, the threat of the stolen data to a user and organization security is much more persistent. A valid session cookie will remain on a person’s browser until it expires or a proactive security team invalidates it. Some cookies can last for months or years. As long as cookie data remains valid, it can be sold and traded multiple times and used to perpetrate different attacks.

Lateral exposures

Criminals are interested in the data but even more so, the level of access the data can grant. So beyond cookies they are also accessing keychains, local files, single-sign on logins, and escalating privileges – essentially instigating a wide range of actions from a single entry point, whether it’s within a browser or on a device.

The use of single sign-on (SSO) only exacerbates the problem, as a successful breach can potentially grant unauthorized access to multiple linked accounts and services across multiple business and personal devices.

Case in point: In January 2023, the continuous integration and delivery platform CircleCI announced it had experienced a data breach caused by infostealer malware deployed to an engineer’s laptop. The malware stole a valid, two-factor-backed SSO session, executed a session cookie theft, impersonated the employee, and escalated access to a subset of the company’s production systems, potentially accessing and stealing encrypted customer data.

Security practitioners often fail to recognize the extensive scope of the session hijacking issue or take steps to mitigate it. Even when teams have visibility into stolen session cookies, our research has found that 39% fail to terminate them.

Despite having short timeouts, MFA, and passkeys in place, there will still be security gaps. This is particularly true due to the use of third parties having unmanaged or under-managed devices, which security teams may not have access to or sufficient control over.

Additional strategies

Passwordless security authentication is still an important part of any layered security strategy, but since it can still be sidestepped via stolen cookies for session hijacking, it’s not a silver bullet to combat cyber attacks.

Additional strategies, such as monitoring for compromised web sessions, invalidating stolen cookies, and promptly resetting exposed user credentials are critical. This means quickly and accurately being able to determine when any component of an employee, contractor, vendor, or customer’s identity is compromised and moving fast to remediate and negate the value of stolen identity data. This takes the steps traditionally set forth of cleaning and re-imaging a machine one step further to properly remediate the data that could still be floating on the criminal underground and nullifying it.

As criminals step up their game, failing to make this shift could leave organizations vulnerable to a wide array of next-generation attack methods. And with passkeys and other passwordless authentication methods soaring in popularity, time is of the essence.

About the essayist: Trevor Hilligoss served nine years in the U.S. Army and has an extensive background in federal law enforcement, tracking threat actors for both the DoD and FBI. He is a member of the Joint Ransomware Task Force and serves in an advisory capacity for multiple cybersecurity-focused non-profits. He currently serves as the Vice President of SpyCloud Labs at SpyCloud. 

July 11th, 2024