
18.11.24 Threat Report

Author:
Craig Pepper

Hackers Exploit Multi-Factor Authentication (MFA) By Stealing Session Cookies to Hijack Email Accounts

Multi-Factor Authentication (MFA) strengthens email account security by requiring users to provide additional verification beyond a password. MFA significantly reduces the risk of unauthorised access, making it a critical measure for safeguarding sensitive information within email accounts. However, threat actors are increasingly circumventing MFA by stealing session cookies.

When users log into a website, the server generates a unique session ID, which is stored as a cookie in the browser. This cookie, often valid for up to 30 days, acts as a persistent login, allowing users to bypass repeated logins during the session. If a threat actor manages to steal this specific session cookie, they can access the account as if they had logged in with MFA, bypassing the need for further authentication, according to recent security reports.

This vulnerability has led to growing security concerns, with the FBI recently warning of significant threats posed by attackers exploiting this technique. When attackers gain unauthorised access to an email account, they can access sensitive data such as credit card numbers, billing addresses, and personal information, which could be used for identity theft or “person-in-the-middle” attacks. Additionally, compromised email accounts may be used to send spam or phishing messages to contacts stored within the account.

The technique of session cookie theft enables attackers to maintain a user's login state across multiple sessions or pages. Cybercriminals can obtain session cookies through various methods, including "man-in-the-middle" (MitM) attacks on weak networks, or by using malware that targets the victim’s device to steal session data. Information-stealing malware is especially adept at penetrating and extracting session cookies and other sensitive data directly from infected devices.

Once in possession of valid session cookies, attackers can operate within the victim’s email account without needing the login credentials, effectively impersonating the user.

Recommendations

To protect against session cookie theft and mitigate associated risks, the following security practices are recommended:

  1. Install reputable security software on all devices.
  2. Regularly update devices and applications.
  3. Use "Remember Me" features with caution.
  4. Log out of accounts and clear cookies after use.
  5. Only visit HTTPS-secured websites.
  6. Regularly review login history for key accounts to spot suspicious activity.

By implementing these measures, users can enhance the security of their email accounts and reduce the risk of unauthorised access due to session cookie theft.

T-Mobile Hack – China Launches Major Cyber-Attack on U.S. Telecommunications Networks

Hackers linked to Chinese intelligence agencies have reportedly breached multiple U.S. and international telecommunications companies, including T-Mobile, as part of a prolonged cyber-espionage operation targeting high-value intelligence assets. Sources familiar with the situation indicate that this breach enabled the attackers to monitor cellular communications of key individuals, raising significant national security concerns. While it remains uncertain if sensitive customer data or communication records were directly compromised, T-Mobile has stated that it is actively monitoring the situation.

A T-Mobile spokesperson addressed the incident, saying, “T-Mobile is closely monitoring this industry-wide attack, and at this time, T-Mobile systems and data have not been impacted in any significant way, and we have no evidence of impacts to customer information. We will continue to monitor this closely, working with industry peers and the relevant authorities.”

U.S. officials have described the cyber-espionage campaign, attributed to a Chinese hacking group known as Salt Typhoon, as “historic” and “catastrophic” in scale and impact. Earlier reports noted that other major U.S. telecom providers, including AT&T, Verizon, and Lumen Technologies, were also affected.

According to a Wall Street Journal report, the hackers exploited vulnerabilities in telecommunications infrastructure, such as Cisco Systems routers, and are believed to have used advanced artificial intelligence (AI) and machine learning to enhance their espionage capabilities. Over the course of more than eight months, the attackers gained access to sensitive information, including call records, unencrypted text messages, and some audio communications from senior U.S. national security and government officials.

The breach also impacted systems used by telecom providers to manage compliance with U.S. surveillance requirements, heightening concerns within counterintelligence circles. Investigators continue to assess the scope of the breach, which involved the compromise of systems that handle U.S. law enforcement requests for surveillance data. Lumen Technologies, which does not offer wireless services, confirmed that while its systems were accessed, no customer data or wiretap functions were compromised, according to insider sources.

The cyber-espionage operation also extended to several foreign telecom companies, including those in countries within intelligence-sharing alliances with the U.S., underscoring the global reach of this campaign.

The Biden administration recently acknowledged the gravity of the attack in a public statement following initial reports by The Wall Street Journal. The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint statement confirming that hackers associated with the Chinese government had compromised multiple telecommunications networks to access customer call records and the private communications of individuals primarily engaged in government and political activities.

“We expect our understanding of these compromises to grow as the investigation continues,” the joint statement concluded.

This breach is among the most significant cyber-espionage campaigns in recent years, and its full implications for national security are still being assessed.

Palo Alto Networks Issues Critical Warning on Exploited RCE Vulnerability in Firewall Management Interfaces

Palo Alto Networks has released an urgent advisory regarding active exploitation of a critical remote command execution (RCE) vulnerability affecting the management interfaces of its firewall products. This flaw allows unauthenticated attackers to execute arbitrary commands on vulnerable systems and has been observed in a limited number of cases where management interfaces are exposed to the internet.

The vulnerability, rated critical with a CVSSv4.0 base score of 9.3, poses a significant risk to organisations that have not secured their firewall interfaces as per recommended best practices. Palo Alto Networks is investigating and has confirmed that threat actors are currently exploiting this vulnerability in live environments. Systems primarily affected are those with management interfaces accessible over the internet, and Palo Alto Networks urges customers to promptly review their firewall configurations, ensuring that access to these interfaces is restricted to trusted internal IP addresses.

Palo Alto clarified that its Prisma Access and Cloud NGFW services are unaffected, which may allay concerns for users of these platforms. However, the company warns that any unmanaged firewall management interface could be susceptible to exploitation.

“At this time, we believe that devices whose access to the management interface is not secured as per our recommended best practice deployment guidelines are at increased risk,” Palo Alto Networks stated.

To support customers in identifying potentially vulnerable devices, Palo Alto Networks has provided instructions on its Customer Support Portal. Customers are advised to:

  1. Access the Assets section of the Customer Support Portal.
  2. Look for devices marked with PAN-SA-2024-0015, which indicates systems with internet-exposed management interfaces.
  3. If no devices are tagged, it means Palo Alto’s scans did not detect exposed interfaces; however, a manual review of configurations is still recommended.

While active exploitation has only been observed in limited cases, Palo Alto has not yet released specific indicators of compromise (IoCs). Customers are advised to monitor their systems for signs of unusual activity, such as unrecognised configuration changes or unfamiliar user logins.

As part of its response, Palo Alto Networks is preparing patches and threat prevention signatures to address the vulnerability, with these updates expected shortly. In the meantime, restricting access to firewall management interfaces remains the most effective immediate defence. The advisory will continue to be updated with new information as it becomes available.
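The mitigation above comes down to an allowlist: the management interface should accept connections only from trusted internal addresses. The following added example (not Palo Alto Networks' own tooling) audits such an allowlist for entries that defeat that intent; the trusted ranges and the permitted-IP entries are constructed sample values, and how the list is exported from a given firewall is outside the example.

```python
"""Audit a management-interface permitted-IP allowlist against the ranges an
organisation treats as its trusted management network."""
import ipaddress

# Constructed: trusted internal management ranges for this example.
TRUSTED_RANGES = [ipaddress.ip_network(n) for n in ("10.10.0.0/16", "192.168.100.0/24")]

# Constructed sample allowlist as an administrator might have entered it.
# The 0.0.0.0/0 entry and the public /32 both expose the interface.
PERMITTED_IPS = ["10.10.5.0/24", "192.168.100.12/32", "0.0.0.0/0", "198.51.100.20/32"]

def audit_permitted_ips(permitted, trusted=TRUSTED_RANGES):
    """Return (ok, findings). An entry passes only if it lies entirely inside
    one trusted range; an any-source entry or an address outside the trusted
    ranges means the interface is reachable from untrusted networks, which is
    the exposure the advisory identifies as the risk factor."""
    findings = []
    for entry in permitted:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append((entry, "unparseable entry"))
            continue
        if net.prefixlen == 0:
            findings.append((entry, "allows any source address"))
        elif not any(net.subnet_of(t) for t in trusted if net.version == t.version):
            findings.append((entry, "outside trusted management ranges"))
    return (not findings, findings)

if __name__ == "__main__":
    ok, findings = audit_permitted_ips(PERMITTED_IPS)
    print("allowlist OK" if ok else "allowlist needs attention")
    for entry, reason in findings:
        print(f"  {entry}: {reason}")
```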

Customers can subscribe to Palo Alto Networks’ security RSS feed or email alerts via the support portal to receive ongoing updates and notifications.
