
‘Highly evasive’ Vietnamese-speaking hackers stealing data from thousands of victims in 62+ nations

Vietnamese-speaking hackers are carrying out a “highly evasive, multi-stage operation” to steal information from thousands of victims in more than 62 countries, researchers said in a report published Monday.

The attackers emerged late last year but have evolved with novel techniques this year, with SentinelLABS of SentinelOne and Beazley Security ultimately identifying 4,000 victims, most commonly in South Korea, the United States, the Netherlands, Hungary and Austria.

“The evolving tradecraft in these recent campaigns demonstrates that these adversaries have meticulously refined their deployment chains, making them increasingly more challenging to detect and analyze,” reads the report.

In particular, attacks just last month demonstrated tailored capabilities to bypass antivirus products and mislead security operations center analysts, according to the companies.

The hackers’ motives, apparently, are financial in nature.

“The stolen data includes over 200,000 unique passwords, hundreds of credit card records, and more than 4 million harvested browser cookies, giving actors ample access to victims’ accounts and financial lives,” according to the two companies.

The hackers have been known to make money off the stolen data through “a subscription-based ecosystem that efficiently automates resale and reuse” through the Telegram messaging platform. It’s sold to other cybercriminals who then engage in cryptocurrency theft or purchase access to infiltrate victims, the report states.

The infostealer they use, PaxStealer, first garnered the attention of cybersecurity analysts after Cisco Talos published a report on it last November. Cisco Talos concluded that the hackers were targeting governmental and educational organizations in Europe and Asia.

Both the November report and Monday’s report identified clues in the infostealer’s coding of the hackers’ use of the Vietnamese language. Cisco Talos wasn’t sure in the fall whether the attackers were affiliated with the CoralRaider group that materialized in early 2024, or another Vietnamese-speaking group.

Jim Walter, a senior threat researcher for SentinelOne, told CyberScoop the group was “a long-standing actor” and “appears to be out of Vietnam,” but “beyond that analysis is ongoing and we’ll refrain from further [attribution] comments on the specific actor. It’s the same actor that has been highlighted by Cisco Talos and others as well.”

In the activity highlighted in Monday’s report, Walter said the targeting “seems wide and indiscriminate / opportunistic. Corporate and home users, whole spectrum of ‘user types.’”

Other Vietnamese hackers have been known to target activists inside the country with spyware, lace AI generators with malware or carry out ransomware attacks.

The post ‘Highly evasive’ Vietnamese-speaking hackers stealing data from thousands of victims in 62+ nations appeared first on CyberScoop.

The Evolving Threat of Cookie Session Hijacking: How Infostealers Enable Advanced Cyberattacks

Cyberattacks are becoming increasingly sophisticated, with cookie session hijacking emerging as a significant threat. This technique allows attackers to bypass even advanced security measures like multi-factor authentication (MFA), enabling unauthorized access to critical systems and user accounts. Infostealers, a category of malware designed to harvest sensitive information, have become a primary tool for conducting these attacks. This blog explores how infostealers facilitate cookie session hijacking, its implications for organizations, and how businesses can defend against this evolving threat.

How Cookie Session Hijacking Works

Cookie session hijacking is a process in which attackers steal and reuse session cookies to impersonate authenticated users. Here’s how the attack typically unfolds:

  1. Initial Infection:
    • Attackers use infostealers, phishing emails, or other malicious techniques to compromise a user’s device.
    • Infostealers like RedLine, Raccoon, Vidar, Meta, and Lumma are commonly deployed to harvest session cookies from compromised devices.
  2. Cookie Extraction:
    • Once the device is infected, the infostealer accesses the browser’s database to extract session cookies.
    • These cookies are stored locally on the system, typically in locations like %localappdata%\Google\Chrome\User Data\Default\Cookies.
    • Advanced tools like Mimikatz can decrypt protected cookies.
  3. Session Hijacking:
    • Stolen cookies are imported into the attacker’s browser using tools like “Cookie Quick Manager” (Firefox) or “cookies.txt importer” (Chromium-based browsers).
    • The attacker now gains access to authenticated user sessions without needing credentials or MFA tokens.
  4. Exploitation:
    • Attackers leverage hijacked sessions to gain unauthorized access to critical systems, such as cloud administration consoles, collaboration platforms, and web-based email services.
    • This access can facilitate further attacks, including data exfiltration, lateral movement within networks, or ransomware deployment.

Real-World Vulnerabilities Exploited Through Cookie Session Hijacking

Cookie session hijacking poses significant risk across most platforms and industries; it is not limited to niche applications. We have tested and discovered vulnerabilities in many commonly used services:

  • Email Services (including corporate emails)
    • Web-based email services are one of the most critical assets attackers seek to compromise. By hijacking session cookies, threat actors can bypass traditional authentication, gaining access to email accounts without needing the user’s password or two-factor authentication codes. This access level allows attackers to monitor and even exfiltrate sensitive data, conduct spear-phishing campaigns, reset passwords for other linked services, or impersonate the victim in business correspondence. The repercussions are severe, ranging from data breaches to financial fraud, as attackers use compromised email accounts to pivot and gain access to more valuable assets.
  • Collaboration and Productivity Tools
    • With the rise of remote work, collaboration platforms like Slack, Microsoft Teams, and Google Workspace have become indispensable. Unfortunately, these tools are also vulnerable to cookie hijacking. Attackers who gain access to these sessions can infiltrate internal company communications, steal sensitive documents, and even disrupt workflows. This not only compromises the integrity and confidentiality of internal discussions but can also provide attackers with insights into project timelines, corporate strategies, and employee details, setting the stage for further attacks, such as ransomware or insider threats.
  • Cloud Administration Consoles
    • Perhaps the most concerning are attacks targeting cloud administration consoles. These consoles provide deep access to a company’s digital infrastructure. Hijacked sessions here allow attackers to potentially manipulate cloud resources, disrupt services, or even delete critical infrastructure. The potential damage ranges from service outages to complete data loss, making cloud environments a prime target for sophisticated threat actors.
  • AI Tools like ChatGPT
    • AI tools, such as ChatGPT, have also become targets for cookie session hijacking. Attackers who hijack sessions of AI tools can impersonate users and access sensitive conversations, which may include proprietary or confidential information.
  • Social Media and Messaging Platforms
    • Many popular social media and messaging platforms are particularly vulnerable to cookie-based session hijacking. These platforms often allow users to replicate sessions across devices without requiring additional validation. This convenient feature, intended for user experience, becomes a weak point for security. Attackers who gain access to session cookies can use them to impersonate victims, gaining full access to their accounts, including private messages and sensitive interactions. This form of unauthorized access can lead to identity theft, social engineering attacks, or even brand impersonation to deceive contacts.

Implications for Organizations

Once attackers successfully hijack a session, they often move quickly to exploit the compromised account. For individuals, this can mean loss of privacy, unauthorized purchases, or fraudulent messages sent to contacts. For companies, the impact can be far more devastating:

  • Corporate Espionage: Access to internal communication tools can reveal sensitive business strategies and negotiations.
  • Financial Fraud: Compromised email or cloud accounts can lead to unauthorized transactions or blackmail.
  • Supply Chain Attacks: Attackers can use hijacked sessions to impersonate company employees and target partners or suppliers, leading to a broader compromise of the supply chain.
  • Data Exfiltration: Threat actors can use hijacked accounts to extract sensitive information, which is then sold or used for further attacks.

Conclusion: The Role of Constella.ai in Combating Cookie Session Hijacking

Constella.ai offers an integrated cybersecurity solution that enables organizations to detect and mitigate threats posed by cookie session hijacking. By continuously monitoring for compromised credentials and session cookies, Constella.ai ensures early detection of vulnerabilities, preventing attackers from bypassing MFA or hijacking user sessions. Advanced attack surface mapping and real-time alerts empower organizations to address risks proactively, safeguarding critical systems and sensitive data.

As cyber threats evolve, the ability to detect and neutralize cookie session hijacking will be a cornerstone of organizational security. By implementing robust defenses and leveraging tools like Constella.ai, businesses can stay ahead of attackers, protecting both their operations and their reputation in an increasingly hostile digital landscape.

Leveraging Infostealers to Breach Companies: A Cybersecurity Intelligence Perspective

Infostealers are specialized malware designed to extract sensitive data from infected systems. They operate in the background, collecting login credentials, browser histories, and cookies, often without detection. Deployed through phishing emails or malicious websites, infostealers are a growing favorite among cybercriminals due to their low risk of detection and the high-value data they yield.

Unlike more overt forms of cyberattacks like ransomware, infostealers are subtle and continuous. The stolen information is often sold in bulk on dark web marketplaces or used to launch further attacks, such as gaining access to company networks or committing financial fraud. The sophistication of these tools has grown, making them one of the most effective methods for threat actors to compromise corporate environments.

Why Infostealers Are Effective Against Companies

Infostealers are attractive to threat actors for several reasons:

  1. Low Detection Rates: Infostealers are designed to evade detection by traditional security measures such as antivirus software. Once deployed, they blend seamlessly into legitimate system processes, making it challenging for conventional security solutions to recognize or remove them. This stealth allows them to operate undetected for extended periods, gathering critical data.
  2. Targeting High-Value Data: Infostealers are capable of extracting a wide range of sensitive information, including passwords, session cookies (which can be used to bypass multi-factor authentication), financial records, and proprietary business data. This stolen data is often sold on dark web marketplaces or used for extortion, leading to significant financial and reputational damage.
  3. Wide Availability and Accessibility: Infostealers are readily available for purchase on dark web forums, frequently offered as part of malware-as-a-service (MaaS) platforms. This makes them accessible even to less experienced cybercriminals, lowering the barrier to entry for launching sophisticated attacks. The ease of access and customization further amplifies their appeal to threat actors across the cybercriminal ecosystem.

Top Threat Actors Leveraging Infostealers

We have seen that many cybercriminals are actively using infostealer data as a preferred method for infiltrating organizations. These groups have leveraged infostealers to breach companies, leading to extensive financial and reputational damage. Below are a number of threat actors that stand out for their sophisticated use of these tools:

  • USDoD: This threat actor has carried out high-profile attacks, including the breach of Airbus by exploiting compromised credentials from a Turkish Airlines employee. This attack underscores the significant risk that infostealers pose to supply chains, allowing hackers to penetrate companies through vulnerable third-party partners.
  • Sp1d3rHunters: Known for exploiting Snowflake accounts, Sp1d3rHunters has executed breaches against major companies such as Ticketmaster and AT&T, exfiltrating sensitive data such as customer information and event tickets. Their operations demonstrate how infostealer logs can be used to gain access to cloud services and wreak havoc.
  • IntelBroker: This notorious threat actor has breached both government and private sector entities, targeting organizations such as Apple, Zscaler, and Microsoft. By using infostealer-collected credentials, IntelBroker has facilitated attacks on critical infrastructure and sold access to compromised systems on dark web forums, further intensifying the risk to companies.
  • Andariel (North Korea): Part of the Lazarus Group, Andariel is a North Korean state-sponsored Advanced Persistent Threat (APT) actor. This group is known for using infostealers, alongside other tools like keyloggers and remote access trojans (RATs), to target sectors such as military, nuclear, and manufacturing. Andariel’s strategy of using infostealers to gather intelligence and financial data is a key part of their cyber operations.
  • Lapsus$: Emerging in 2021, Lapsus$ has quickly gained a reputation for its high-profile breaches of companies like NVIDIA, Samsung, and Vodafone. Lapsus$ utilizes infostealers to harvest login credentials, payment information, and proprietary business data. In a notable attack, Lapsus$ breached Electronic Arts (EA), stealing source code for popular games like FIFA. The group’s aggressive tactics have caused widespread disruption in the tech and financial sectors.

These groups’ sophisticated use of infostealers illustrates why businesses must adopt more advanced detection and monitoring systems to protect against this growing threat.

How Companies Can Defend Against Infostealers

While infostealers present a complex threat, companies can adopt several key strategies to mitigate the risks and minimize the impact of such attacks:

  • Analyze Exposed Data for Risk Mitigation: After a suspected infostealer attack, companies must conduct thorough analyses of the stolen data to assess the potential risks. This includes examining session cookies that could be hijacked to bypass multi-factor authentication (MFA), as well as personal credentials that may be used to impersonate employees or escalate privileges within the organization. Proactively identifying and addressing these risks can help prevent follow-up attacks or unauthorized access.
  • Strengthen Authentication Practices: While MFA is an essential safeguard, it is not foolproof, especially if session cookies are compromised. Companies should implement adaptive MFA, which monitors for anomalies in login attempts (such as unusual locations or devices) to prevent attackers from using stolen credentials. Additionally, frequent reauthentication can help disrupt the use of stolen session tokens.
  • Monitor for Unusual Access Patterns: Regularly reviewing access logs and monitoring for anomalous login attempts—such as multiple failed attempts, logins from unexpected locations, or odd behavior patterns—can help detect infostealer activity early. Endpoint Detection and Response (EDR) systems can play a key role in identifying and mitigating the effects of infostealers by flagging unusual data access or exfiltration activities.
  • Educate Employees on Phishing and Cyber Hygiene: Many infostealers are deployed through phishing attacks or malicious links. Regularly training employees to recognize suspicious emails, websites, and attachments can significantly reduce the likelihood of an initial infection. Implementing phishing simulations and real-time feedback can help maintain employee vigilance.
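The replay of a stolen session cookie from an attacker’s browser (the chain described under “How Cookie Session Hijacking Works”) leaves a server-side trace that the monitoring and reauthentication advice above can act on. The following is an added example, not Constella.ai’s or any vendor’s code: it assumes a hypothetical web application access log (constructed sample lines below) recording the session ID, client IP and User-Agent per request, flags a session ID reused from a different IP/User-Agent pair within a short window, and lists sessions past an absolute lifetime that should be forced to reauthenticate.

```python
import re
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed sample access log (timestamp, session id, client IP, User-Agent).
# Line 3 shows session a1b2c3 reappearing from a new IP and browser seconds after
# legitimate use, which is the pattern a replayed stolen cookie produces server-side.
SAMPLE_LOG = """\
2025-06-02T09:00:12Z sid=a1b2c3 ip=10.1.1.7 ua="Chrome/124 (Windows NT 10.0)"
2025-06-02T09:05:40Z sid=a1b2c3 ip=10.1.1.7 ua="Chrome/124 (Windows NT 10.0)"
2025-06-02T09:06:03Z sid=a1b2c3 ip=203.0.113.50 ua="Firefox/126 (X11; Linux x86_64)"
2025-06-02T09:07:15Z sid=d4e5f6 ip=10.1.2.9 ua="Safari/17 (Macintosh)"
2025-06-02T00:30:00Z sid=0ld5e5 ip=10.1.3.3 ua="Chrome/124 (Windows NT 10.0)"
"""
LINE_RE = re.compile(r'^(\S+) sid=(\S+) ip=(\S+) ua="([^"]*)"$')
Event = namedtuple("Event", "ts sid ip ua")  # hypothetical log record shape

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def parse_log(text):
    """Parse log lines into Events; lines not matching the expected format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(Event(parse_ts(m[1]), m[2], m[3], m[4]))
    return events

def find_replayed_sessions(events, window=timedelta(minutes=30)):
    """Flag a session ID whose request comes from a different IP or User-Agent than
    its previous request within `window`; the server should revoke such a session."""
    last, flagged = {}, {}
    for ev in sorted(events, key=lambda e: e.ts):
        prev = last.get(ev.sid)
        if prev and (prev.ip, prev.ua) != (ev.ip, ev.ua) and ev.ts - prev.ts <= window:
            flagged[ev.sid] = f"{prev.ip} -> {ev.ip}, UA changed: {prev.ua != ev.ua}"
        last[ev.sid] = ev
    return flagged

def sessions_past_lifetime(events, now_iso, max_age=timedelta(hours=8)):
    """Session IDs whose first request is older than max_age at now_iso; an absolute
    lifetime with forced reauthentication bounds how long a stolen cookie stays usable."""
    now, first = parse_ts(now_iso), {}
    for ev in events:
        first[ev.sid] = min(first.get(ev.sid, ev.ts), ev.ts)
    return sorted(sid for sid, ts in first.items() if now - ts > max_age)
```

Binding checks on IP alone produce false positives for mobile users whose address changes mid-session, so in practice the IP change is one signal weighted with the User-Agent change and timing rather than a revocation trigger on its own.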