Episode_03
Cookie Thief: Using Reverse Tunnel to Steal Session Cookies and Expose AWS + Salesforce Data
About this session
On-demand | Replay
Watch Security Architect Ed Lin compromise just one user but gain persistent access to several SaaS apps.
Ed will show you how hackers evade common detections, using a reverse HTTP tunnel to steal cookies and credentials, and make sensitive AWS, GitHub, and Salesforce data publicly accessible!
Learn how SaaS authentication works, watch the attack unfold in real time, and see how DatAdvantage Cloud spots suspicious activity.
How the attack works:
- An attacker targets a user through a phishing email to establish a C2 channel
- They then use a homemade script to collect all credentials and cookies from the user’s browser
- The attacker sets up a reverse tunnel to bypass geohopping and network-based alerts
- They bypass MFA using stored cookies and a token from the user
- Finally, they set up API access in Salesforce to siphon vital company information
- We pivot to on-prem and steal the CEO’s emails (because why not??)
Ed Lin
Ed Lin is a Security Architect on Varonis’ Incident Response team. Since joining the IR team, Ed has helped customers integrate Varonis into their security ecosystems so that they can effectively detect and respond to cyber threats. Ed has a cybersecurity analyst background working with both cloud and on-prem environments, with a focus on incident response and data protection. Outside of cybersecurity, Ed enjoys skateboarding, playing guitar, and spending time outdoors.