Episode_03

Cookie Thief

Using a Reverse Tunnel to Steal Session Cookies and Expose AWS + Salesforce Data
LIVE EVENT:

March 16, 2023

12 p.m. ET

Watch Security Architect Ed Lin compromise just one user but gain persistent access to several SaaS apps.

Ed will show you how hackers evade common detections, use a reverse HTTP tunnel to steal cookies and credentials, and make sensitive AWS, GitHub, and Salesforce data publicly accessible!

Learn how SaaS authentication works, watch the attack unfold in real time, and see how DatAdvantage Cloud spots suspicious activity.

As always, our Attack Sims session will be recorded, so even if you can't make it, go ahead and register so we can send you the replay.

A high-level overview of how this attack plays out:

  • An attacker targets a user through a phishing email to establish a C2 channel
  • They then use a homemade script to collect all credentials and cookies from the user’s browser
  • The attacker sets up a reverse tunnel to bypass geohopping and network-based alerts
  • They bypass MFA using stored cookies and a token from the user
  • Afterward, they share out SaaS repositories to be used in the future without detection
  • Finally, they set up API access in Salesforce to siphon vital company information

Ed Lin

Ed Lin is a Security Architect from Varonis’ Incident Response and Security Architecture team. Since joining the IR team, Ed has been helping customers integrate Varonis into their security ecosystems so that they can effectively detect and respond to cyber threats. Ed has a cybersecurity analyst background working with both on-prem and cloud environments and a focus on incident response and data protection. Outside of cybersecurity, Ed enjoys skateboarding, playing guitar, and spending time outdoors.