Episode_03
Cookie Thief
Using Reverse Tunnel to Steal Session Cookies and Expose AWS + Salesforce Data
22 February 2023
11 a.m. GMT
Watch Security Architect Thomas Cock compromise just one user but gain persistent access to several SaaS apps.
Thomas will show you how hackers evade common detections, use a reverse HTTP tunnel to steal cookies and credentials, and make sensitive AWS, GitHub, and Salesforce data publicly accessible!
Learn how SaaS authentication works, watch the attack unfold in real time, and see how DatAdvantage Cloud spots suspicious activity.
As always, our Attack Sims session will be recorded, so even if you can't make it, go ahead and register so we can send you the replay.
A high-level overview of how this attack plays out:
- An attacker targets a user through a phishing email to establish a C2 channel
- They then use a homemade script to collect all credentials and cookies from the user’s browser
- The attacker sets up a reverse tunnel to bypass geohopping and network-based alerts
- They bypass MFA using stored cookies and a token from the user
- Afterward, they share out SaaS repositories to be used in the future without detection
- Finally, they set up API access in Salesforce to siphon vital company information
Thomas Cock