Stopping a Silent Takeover of a Cloud Development Environment
The Challenge: The Invisible Intruder
A mid-market software development firm specializing in financial services infrastructure began noticing a pattern of low-and-slow anomalies in their cloud environment. A senior engineer’s account was generating automated API calls to their AWS production environment outside of normal business hours. No MFA push notifications had been sent. No failed login attempts had been logged. The session, from the cloud provider’s perspective, was perfectly legitimate.
Their internal EDR solution showed no active threats on any company-managed device. The firm’s SOC escalated the investigation but was stymied: if the session was authenticated and no endpoint was flagged, where was the compromise originating?
The answer lay outside their network perimeter entirely. The engineer occasionally used a personal laptop for remote work. That device was not enrolled in the company’s MDM and had no endpoint agent installed. An infostealer infection on that personal device had gone completely undetected by the firm’s security stack.
The Strategy: Dark Web Visibility Into the Unmanaged Endpoint
The firm integrated Constella Identity Threat Monitoring with a specific use case in mind: extending detection coverage to personal and unmanaged devices used by employees for remote work. By monitoring for infostealer logs tied to their corporate domain and employee email addresses, Constella provided visibility into compromises that their internal tooling could never reach.
Within 48 hours of onboarding, Constella’s Identity Signal Feed surfaced an active infostealer log listed for sale on a prominent dark web forum. The log contained the senior engineer’s active AWS Console session cookie, their GitHub authentication token, and their corporate SSO session — all valid and unexpired at the time of discovery.
How do attackers bypass MFA using session cookies?
Attackers bypass MFA by stealing session cookies using infostealer malware. After a user successfully authenticates (and passes their MFA challenge), the browser stores a session cookie. Infostealer malware silently exfiltrates this cookie to the attacker. The attacker then injects the cookie into their own browser, replaying the authenticated session without triggering a new MFA prompt. This technique, known as a Pass-the-Cookie attack, renders standard MFA completely ineffective against post-authentication session theft.
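From the defender's side, the stolen cookie keeps its session identifier but not its origin, which is what a detection can key on. The following is an added example, not Constella's code or the firm's tooling: it scans constructed session-activity records for the two signals this case describes (a session whose source IP or browser changes after the MFA-backed login, and API calls outside business hours). The record fields, the working-hours window and the sample events are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time
from collections import defaultdict

@dataclass(frozen=True)
class SessionEvent:
    session_id: str   # identifier derived from the session cookie, never the cookie itself
    user: str
    src_ip: str
    user_agent: str
    ts: datetime
    action: str

BUSINESS_START, BUSINESS_END = time(8, 0), time(19, 0)  # assumed local working hours

def find_suspicious_sessions(events):
    """Return {session_id: [reasons]} for sessions that look replayed: the same session id
    seen from a new IP/browser after the initial login (the cookie moved), or API activity
    outside business hours riding on an existing session with no fresh authentication."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e.session_id].append(e)
    findings = {}
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e.ts)
        first = evs[0]  # the MFA-backed login establishes the session's expected origin
        reasons = []
        moved = [e for e in evs[1:] if (e.src_ip, e.user_agent) != (first.src_ip, first.user_agent)]
        if moved:
            reasons.append(f"origin changed: {first.src_ip} -> {moved[0].src_ip}")
        after_hours = [e for e in evs if e.action != "ConsoleLogin"
                       and not BUSINESS_START <= e.ts.time() <= BUSINESS_END]
        if after_hours:
            reasons.append(f"{len(after_hours)} API calls outside business hours")
        if reasons:
            findings[sid] = reasons
    return findings

# Constructed sample: one session logs in with MFA during the day, then the same session id
# reappears at night from a different IP and browser issuing reconnaissance-style API calls.
SAMPLE_EVENTS = [
    SessionEvent("s-eng-01", "eng@example.com", "203.0.113.10", "Chrome/124", datetime(2024, 5, 6, 10, 15), "ConsoleLogin"),
    SessionEvent("s-eng-01", "eng@example.com", "203.0.113.10", "Chrome/124", datetime(2024, 5, 6, 11, 2), "ListBuckets"),
    SessionEvent("s-eng-01", "eng@example.com", "198.51.100.7", "Firefox/118", datetime(2024, 5, 7, 2, 40), "ListUsers"),
    SessionEvent("s-eng-01", "eng@example.com", "198.51.100.7", "Firefox/118", datetime(2024, 5, 7, 2, 41), "DescribeInstances"),
    SessionEvent("s-ops-02", "ops@example.com", "203.0.113.22", "Chrome/124", datetime(2024, 5, 6, 9, 0), "ConsoleLogin"),
    SessionEvent("s-ops-02", "ops@example.com", "203.0.113.22", "Chrome/124", datetime(2024, 5, 6, 9, 30), "GetObject"),
]
```

Running `find_suspicious_sessions(SAMPLE_EVENTS)` flags only `s-eng-01`; a real deployment would feed it session-correlated CloudTrail or SSO audit events and treat a hit as grounds to invalidate the session, as the SOC did here.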
The Result: Session Terminated Before Damage Was Done
- Detection: Constella flagged the infostealer log within hours of it being listed. The alert included the engineer’s corporate email, the specific AWS and GitHub session tokens, the infected device’s hostname, and attribution to the LummaC2 malware family.
- Verification: Using Identity Fusion, the SOC cross-referenced the hostname against the company’s remote access logs and confirmed the infected device was a personal laptop not enrolled in MDM, explaining why no endpoint alert had fired.
- Response: The SOC immediately invalidated the AWS Console session, revoked the GitHub personal access token, and terminated the SSO session. The engineer was notified and their personal device was submitted for forensic imaging.
- Impact: Post-incident forensics confirmed the attacker had spent approximately six hours in the environment performing reconnaissance. No data had been exfiltrated and no infrastructure changes had been committed. The firm avoided a breach that could have exposed the financial data of their downstream clients.