Microsoft Says That Adversary-in-the-Middle Strategies Have Spiked

In tweets dated August 28, 2023, Microsoft reported a significant increase in adversary-in-the-middle (AiTM) strategies facilitated by phishing-as-a-service (PhaaS) platforms.

Researchers have observed the emergence of new PhaaS platforms equipped with AiTM capabilities throughout 2023. Simultaneously, established phishing services like PerSwaysion have also incorporated AiTM features.

The two predominant techniques employed in AiTM-enabled phishing attacks are reverse proxy servers and synchronous relay servers.

In the first scenario, as seen in phishing toolkits such as EvilGinx, Modlishka, Muraena, and EvilProxy, every HTTP request and response is proxied to and from the legitimate website, so the URL in the address bar is the only visible difference between the phishing page and the authentic site.

In AiTM attacks using synchronous relay servers, the target is presented with a fake sign-in page, much like traditional phishing attacks. Threat group Storm-1295 was reported to offer synchronous relay services to other attackers.

AiTM phishing aims to steal session cookies from the victim's browser; with a valid session cookie the attacker can access protected systems as that user without going through authentication again. Incident response for AiTM attacks therefore requires revoking the stolen session cookies, not just resetting the password.

Microsoft pointed to stronger MFA methods as the key mitigation, tweeting: “This emphasizes the importance of MFA thru methods like Microsoft Authenticator, FIDO2 security keys, & certificate-based authentication in securing identities.”
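As an added illustration, not taken from the Microsoft tweets or this article, the following Python models why a FIDO2/WebAuthn sign-in defeats the reverse-proxy variant described above: the browser itself writes the origin it is connected to into the signed data, so an assertion relayed through a proxy host fails the relying party's origin check. The origin, RP ID, challenge, credential key and proxy host name are all constructed, and an HMAC stands in for the credential's real ECDSA signature.

```python
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Simplified model of the WebAuthn (FIDO2) assertion check: the browser records the
# origin it is actually connected to in clientDataJSON and the authenticator signs
# rpIdHash || sha256(clientDataJSON). HMAC stands in for the credential's ECDSA key.
EXPECTED_ORIGIN = "https://login.example.com"   # relying party origin (constructed)
RP_ID = "login.example.com"                      # relying party ID (constructed)

def authenticator_assert(cred_key: bytes, origin: str, challenge: str) -> dict:
    """Browser + authenticator side: build an assertion for the page's real origin."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}, sort_keys=True).encode()
    # Browsers only allow an RP ID matching the origin's host, so a proxy host can't use the real RP ID.
    rp_id_hash = hashlib.sha256(urlparse(origin).hostname.encode()).digest()
    auth_data = rp_id_hash + b"\x01" + (0).to_bytes(4, "big")   # flags=UP, signCount=0
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data,
            "signature": hmac.new(cred_key, to_sign, hashlib.sha256).digest()}

def rp_verify(cred_key: bytes, assertion: dict, expected_challenge: str) -> tuple:
    """Relying-party side: reject anything not bound to our origin, RP ID and challenge."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(cd.get("challenge", ""), expected_challenge):
        return False, "challenge mismatch"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    if assertion["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    to_sign = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected_sig = hmac.new(cred_key, to_sign, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"

def demo() -> dict:
    """Same credential, same challenge: only the assertion made on the real origin passes."""
    cred_key = b"constructed credential secret 32"           # constructed
    challenge = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"               # constructed
    legit = authenticator_assert(cred_key, EXPECTED_ORIGIN, challenge)
    # The victim's browser is really talking to the proxy host (constructed name), which relays the challenge.
    relayed = authenticator_assert(cred_key, "https://login.example.com.proxy-host.test", challenge)
    return {"legit": rp_verify(cred_key, legit, challenge),
            "relayed": rp_verify(cred_key, relayed, challenge)}
```

Contrast this with a password plus one-time code, which carries no origin binding and so relays cleanly through the proxy.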

George McGregor, VP, Approov had this comment:

   “AiTM phishing aims to steal cookies from browsers and use them to access backend systems.

   “However, there is an even bigger AiTM threat posed by mobile apps which is not mentioned by Microsoft: Mobile apps are highly susceptible to AiTM attacks and secret theft at runtime because hackers can easily manipulate the client environment and/or the communication channel(s). This could certainly also be packaged “as a service” for hackers.

   “Defense against this threat requires app and client attestation and pinning of the communication channel.”

Emily Phelps, Director, Cyware follows with this:

   “Multifactor authentication is table stakes when it comes to safeguarding data. Strong authenticator apps should be used with each log-in session. Human behavior continues to be a common exploit for attackers because it continues to be effective.

   “As an industry, cybersecurity must work to get ahead of these tactics, with threat intelligence programs that include intelligence sharing so that once these strategies are known they can be widely distributed, enabling other organizations and individuals to protect themselves against them.”

I’ve been saying for a while to my clients that they need to move towards MFA or passwordless solutions, because the threats out there are so many and so sophisticated that you will leave yourself open to having bad things happen to you if you don’t.
