Monday, June 24, 2024

What is old will be new again

There has been a lot of focus this week on session-token theft and on IP restrictions to help mitigate stolen session tokens.

I see that as a useful belt+suspenders approach right now - but I'm reminded that many years ago when we started making significant progress against phishing, attackers moved to malware, session theft, but then ultimately to Man-in-the-Browser (MitB) attacks. Session tokens like this at financial institutions that had short lifetimes weren't very useful - so attackers just got persistence on end-user devices. https://en.wikipedia.org/wiki/Zeus_(malware)

For enterprises the battle here isn't against session theft per se - it is against malware. Because attackers are going to - just like they did last time - migrate to more real-time exploitation and use of sessions rather than stealing cookies and reselling them in an ecosystem.

The recent session theft attacks should be a wake-up call to folks not just to look towards better session cookie protection (https://blog.chromium.org/2024/04/fighting-cookie-theft-using-device.html) but also to ensure that you're tackling your malware exposure because attackers aren't going to give up once session tokens are hard to steal - they're just going to modify the malware that is today stealing session tokens to instead do exactly what Zeus did before.
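To make the point concrete, here is an added Python example (not code from the original post): an in-memory session store that binds each token to the issuing client's address and a device identifier and gives it a short lifetime, then exercises one token from three vantage points. The device identifier is an assumed stand-in for a device-bound credential, and the addresses and names are constructed.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example: "device_id" stands in for a device-bound credential
# (assumption, not a real API). The binding is a hash of address + device.
def _binding(ip, device_id):
    return hashlib.sha256(f"{ip}|{device_id}".encode()).hexdigest()

class SessionStore:
    def __init__(self, ttl_seconds=900):
        self.ttl = ttl_seconds
        self._sessions = {}

    def issue(self, user, ip, device_id, now=None):
        """Mint an opaque token bound to the caller's address and device."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "binding": _binding(ip, device_id),
                                 "expires": now + self.ttl}
        return token

    def validate(self, token, ip, device_id, now=None):
        """Return (accepted, reason); lifetime is checked before the binding."""
        now = time.time() if now is None else now
        sess = self._sessions.get(token)
        if sess is None:
            return False, "unknown_token"
        if now > sess["expires"]:
            return False, "expired"
        if not hmac.compare_digest(sess["binding"], _binding(ip, device_id)):
            return False, "binding_mismatch"
        return True, "ok"

def run_scenarios():
    """Constructed scenarios: the same token used from three vantage points."""
    store = SessionStore(ttl_seconds=900)
    t0 = 1_700_000_000.0
    victim_ip, victim_dev = "203.0.113.10", "dev-victim"  # constructed values
    token = store.issue("alice", victim_ip, victim_dev, now=t0)
    return {
        # Victim's own browser: accepted, as intended.
        "legit": store.validate(token, victim_ip, victim_dev, now=t0 + 60)[1],
        # Cookie exfiltrated and replayed from another host: the binding catches it.
        "resold_token": store.validate(token, "198.51.100.7", "dev-other", now=t0 + 60)[1],
        # Replayed an hour later: the short lifetime catches it.
        "stale_token": store.validate(token, "198.51.100.7", victim_dev, now=t0 + 3600)[1],
        # Man-in-the-Browser: the request leaves the infected device itself, so
        # binding and lifetime both pass. This check cannot distinguish it.
        "mitb_same_device": store.validate(token, victim_ip, victim_dev, now=t0 + 60)[1],
    }
```

The last scenario is the post's point: binding and short lifetimes defeat token resale, while a request issued from the compromised device looks identical to the legitimate one, which is why the remaining work is on the malware side.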