Episode_03

Cookie Thief: Using Reverse Tunnel to Steal Session Cookies and Expose AWS + Salesforce Data

About this session

On-demand | Replay

Watch Security Architect Ed Lin compromise just one user but gain persistent access to several SaaS apps.

Ed will show you how hackers evade common detections, using a reverse HTTP tunnel to steal cookies and credentials, and make sensitive AWS, GitHub, and Salesforce data publicly accessible!

Learn how SaaS authentication works, watch the attack unfold in real time, and see how DatAdvantage Cloud spots suspicious activity.

How the attack works:

  • An attacker targets a user through a phishing email to establish a C2 channel
  • They then use a homemade script to collect all credentials and cookies from the user’s browser
  • The attacker sets up a reverse tunnel to bypass geohopping and network-based alerts
  • They bypass MFA using stored cookies and a token from the user
  • Finally, they set up API access in Salesforce to siphon vital company information
  • We pivot to on-prem and steal the CEO’s emails (because why not??)


Ed Lin

Ed Lin is a Security Architect on Varonis’ Incident Response team. Since joining the IR team, Ed has helped customers integrate Varonis into their security ecosystems so that they can effectively detect and respond to cyber threats. Ed has a cybersecurity analyst background working with both cloud and on-prem environments, with a focus on incident response and data protection. Outside of cybersecurity, Ed enjoys skateboarding, playing guitar, and spending time outdoors.