In tweets dated August 28, 2023, Microsoft reported a significant increase in adversary-in-the-middle (AiTM) strategies facilitated by phishing-as-a-service (PhaaS) platforms.
Researchers have observed the emergence of new PhaaS platforms equipped with AiTM capabilities throughout 2023. Simultaneously, established phishing services like PerSwaysion have also incorporated AiTM features.
The two predominant techniques employed in AiTM-enabled phishing attacks are reverse proxy servers and synchronous relay servers.
In the first scenario, as seen in phishing toolkits such as EvilGinx, Modlishka, Muraena, and EvilProxy, every HTTP packet is proxied to and from the original website, making the URL the sole discernible distinction between the phishing page and the authentic site.
In AiTM attacks using synchronous relay servers, the target is presented with a fake sign-in page, much like traditional phishing attacks. Threat group Storm-1295 was reported to offer synchronous relay services to other attackers.
AiTM phishing aims to steal session cookies from the victim's browser, allowing the attacker to access protected systems without reauthenticating. Incident response for AiTM attacks therefore requires revoking the stolen session cookies, not just resetting the password.
Microsoft emphasized the importance of implementing MFA methods such as Microsoft Authenticator, FIDO2 security keys, and certificate-based authentication as crucial measures for securing identities – “This emphasizes the importance of MFA thru methods like Microsoft Authenticator, FIDO2 security keys, & certificate-based authentication in securing identities.”
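To make concrete why FIDO2 defeats the reverse-proxy AiTM technique described above: the browser writes the page origin into clientDataJSON and the authenticator hashes the RP ID into the signed data, so a relying party that checks both rejects an assertion produced while the user was on the proxy's domain, even though every other HTTP packet was relayed faithfully. This is an added example, not Microsoft's or any vendor's code; the origin, RP ID and challenge values are constructed, and the signature and counter checks of a full WebAuthn verifier are omitted.

```python
import base64
import hashlib
import json

# Constructed values for this example: the legitimate relying party (RP).
EXPECTED_ORIGIN = "https://login.example.test"
EXPECTED_RP_ID = "login.example.test"
CHALLENGE = hashlib.sha256(b"constructed per-login challenge").digest()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def verify_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                             expected_challenge: bytes) -> tuple:
    """Check the bindings that a reverse proxy cannot forge: ceremony type,
    challenge, origin (set by the browser) and rpIdHash (set by the authenticator).
    A complete verifier would also check the signature over these bytes."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        # The browser on the phishing domain records that domain as the origin.
        return False, "origin mismatch: %s" % client_data.get("origin")
    if authenticator_data[:32] != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        # The authenticator scopes the assertion to the RP ID of the page it saw.
        return False, "rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Build what a browser would put in clientDataJSON for a page at `origin`."""
    chal = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    return json.dumps({"type": "webauthn.get", "challenge": chal,
                       "origin": origin}).encode()


def make_auth_data(rp_id: str) -> bytes:
    """Build minimal authenticator data: rpIdHash, flags (UP set), counter."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([0x01]) + (0).to_bytes(4, "big")


if __name__ == "__main__":
    # User on the real site: accepted.
    print(verify_assertion_binding(make_client_data(EXPECTED_ORIGIN, CHALLENGE),
                                   make_auth_data(EXPECTED_RP_ID), CHALLENGE))
    # User on a reverse proxy at a look-alike domain (constructed): rejected.
    phish = "login.example-proxy.test"
    print(verify_assertion_binding(make_client_data("https://" + phish, CHALLENGE),
                                   make_auth_data(phish), CHALLENGE))
```

The same origin binding is what a password or a TOTP code lacks, which is why those factors can be relayed by the proxy while a FIDO2 assertion cannot.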
George McGregor, VP, Approov had this comment:
“AiTM phishing aims to steal cookies from browsers and use them to access backend systems.
“However, there is an even bigger AiTM threat posed by mobile apps which is not mentioned by Microsoft: Mobile apps are highly susceptible to AiTM attacks and secret theft at runtime because hackers can easily manipulate the client environment and/or the communication channel(s). This could certainly also be packaged “as a service” for hackers.
“Defense against this threat requires app and client attestation and pinning of the communication channel.”
Emily Phelps, Director, Cyware follows with this:
“Multifactor authentication is table stakes when it comes to safeguarding data. Strong authenticator apps should be used with each log-in session. Human behavior continues to be a common exploit for attackers because it continues to be effective.
“As an industry, cybersecurity must work to get ahead of these tactics, with threat intelligence programs that include intelligence sharing so that once these strategies are known they can be widely distributed, enabling other organizations and individuals to protect themselves against them.”
I’ve been saying for a while to my clients that they need to move towards MFA or passwordless solutions, because the threats out there are so many and so sophisticated that you will leave yourself open to having bad things happen to you if you don’t.
Microsoft tightens Zero-Trust protocol after releasing gov hack findings
Posted in Commentary with tags Microsoft on September 8, 2023 by itnerd
In a report released Wednesday, Microsoft published the findings of its internal investigation which detailed that, for more than two years, Chinese hackers accessed high-level, US and European governmental agencies’ email accounts before the breach was discovered in June.
The Chinese-based criminal, Storm-0558, first gained access to the Microsoft emails in April 2021. The breach affecting 33 U.S. and global entities happened when a bug caused Microsoft’s email system to crash, resulting in a data purge that inexplicably contained email access keys. The hacker then forged security tokens that allowed backdoor access to Outlook.com.
As Microsoft admitted, at the time, the system didn’t alert IT to the issue as it should have, and the crack went unnoticed until just two months ago. Microsoft said that it released the investigative findings “as part of our commitment to transparency and trust,” adding that the company was working to tighten up its security protocols.
“For this reason — by policy and as part of our Zero-Trust and ‘assume breach’ mindset — key material should not leave our production environment. While these tools are important, they also make users vulnerable to spear phishing, token stealing malware, and other account compromise vectors,” Microsoft said, referring to emails, conferencing, and web research tools that were used previously by corporate-level employees.
Ted Miracco, CEO, Approov Mobile Security had this to say:
“The two most disconcerting parts of the report are that: Storm-0558 could forge tokens to access email accounts of high-level officials; and that the breach persisted for years without being discovered. This would lead one to question how many other accounts are being compromised today with forged tokens, and how do you go about identifying additional compromised accounts?
“The findings reinforce that constant vigilance is required to stay ahead of sophisticated attackers, and keys and tokens need to be rotated frequently to prevent persistent access to compromised accounts.”
Microsoft should get some kudos for posting this info as it is not easy to admit where you’ve gone wrong. But let’s see what Microsoft does going forward to make sure that this situation isn’t repeated.