Microsoft Defender Experts uncovered a multi-stage adversary-in-the-middle (AiTM) phishing and business email compromise (BEC) attack against banking and financial services organizations. The attack originated from a compromised trusted vendor and transitioned into a series of AiTM attacks and follow-on BEC activity spanning multiple organizations. This attack shows the complexity of AiTM and BEC threats, which abuse trusted relationships between vendors, suppliers, and other partner organizations with the intent of financial fraud.

AiTM and BEC attacks spanning multiple suppliers and partner organizations

While the attack achieved the end goal of a typical AiTM phishing attack followed by business email compromise, notable aspects, such as the use of indirect proxy rather than the typical reverse proxy techniques, exemplify the continuous evolution of these threats. The use of indirect proxy in this campaign gave the attackers control and flexibility in tailoring the phishing pages to their targets and furthered their goal of session cookie theft. After signing in with the stolen cookie through a session replay attack, the threat actors leveraged multifactor authentication (MFA) policies that had not been configured using security best practices in order to update MFA methods without an MFA challenge. A second-stage phishing campaign followed, with more than 16,000 emails sent to the target's contacts.

This attack highlights the complexity of AiTM attacks and the comprehensive defenses they necessitate. This sophisticated AiTM attack requires remediation beyond the typical measures for identity compromise, such as a password reset. Affected organizations need to revoke session cookies and roll back MFA modifications made by the threat actor. The incident also highlights the importance of proactive threat hunting to discover new TTPs in previously known campaigns in order to surface and remediate these types of threats.

To launch this attack, the attackers used an AiTM phishing kit developed, maintained, and operated by a threat actor that Microsoft tracks as Storm-1167. As part of our threat actor tracking and naming taxonomy, Microsoft uses Storm-# designations as a temporary name given to an unknown, emerging, or developing cluster of threat activity, allowing Microsoft to track it as a unique set of information until we reach high confidence about the origin or identity of the actor behind the activity.

AiTM with indirect proxy

Adversary-in-the-middle (T1557, T1111) is a type of attack that aims to intercept authentication between users and a legitimate authentication service for the purpose of compromising identities or performing other actions. The attackers position themselves between a user and the service to steal credentials and intercept MFA in order to capture the session cookie. The attackers can then replay the session with the stolen session cookie before the token expiration time and impersonate the user without user intervention or MFA. With this session, the attackers could access the affected user's resources and applications and perform business email compromise attacks and other malicious activities. More details about AiTM campaigns can be found on the blog Attackers use AiTM phishing sites as entry point to further financial fraud.

Unlike campaigns we have previously reported, this attack did not use the reverse proxy method that AiTM kits like EvilProxy and NakedPages use, in which the attacker's server proxies the request from the application's legitimate sign-in page. Instead, the attack used the AiTM indirect proxy method, in which the attacker presented targets with a website that mimicked the sign-in page of the targeted application, as in traditional phishing attacks, hosted on a cloud service. That sign-in page contained resources loaded from an attacker-controlled server, which initiated an authentication session with the authentication provider of the target application using the victim's credentials. Because the phishing website in the indirect proxy method is set up by the attackers, they have more control to modify the displayed content according to the scenario. In addition, since the phishing infrastructure is controlled by the attackers, they have the flexibility to create multiple servers to evade detection. Unlike typical AiTM attacks, there are no HTTP packets proxied between the target and the actual website. When MFA is requested after successful password validation, the server displays a fake MFA page.
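The two post-phishing behaviours the post describes, replay of a stolen session cookie while the token is still valid and registration of a new MFA method without a fresh MFA challenge, are what a defender hunts for, and they also define the remediation (revoke sessions, roll back MFA changes). The following Python is an added example, not code from Microsoft or from the post: it runs both checks over constructed sign-in and audit records and emits a per-user remediation list. The record fields, the operation name `RegisterSecurityInfo`, and the ten-minute "fresh challenge" window are assumptions for illustration, not any real SIEM or identity-provider schema.

```python
# Added example (not from the original post). Hunting logic for session
# cookie replay and for MFA-method changes made without a fresh MFA challenge.
# All records below are constructed; field names and the operation name are
# assumptions, not a real log schema.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class SignIn:
    ts: datetime
    user: str
    session_id: str       # identifier shared by every request carrying the same session cookie
    ip: str
    interactive: bool     # True when the user entered credentials in this event
    mfa_satisfied: bool   # True when this event itself passed an MFA challenge
    token_ttl: timedelta  # lifetime of the token issued at the interactive sign-in


@dataclass
class AuditEvent:
    ts: datetime
    user: str
    session_id: str
    operation: str        # assumed name, e.g. "RegisterSecurityInfo"


def find_session_replays(signins: List[SignIn]) -> List[Dict]:
    """Flag a session whose cookie is reused from a different IP than the one it
    was issued to, while the token is still inside its lifetime and without a
    fresh MFA challenge: the signature of a replayed stolen cookie."""
    by_session: Dict[str, List[SignIn]] = {}
    for s in sorted(signins, key=lambda e: e.ts):
        by_session.setdefault(s.session_id, []).append(s)
    findings = []
    for sid, events in by_session.items():
        origin = next((e for e in events if e.interactive), None)
        if origin is None:
            continue  # no interactive sign-in to compare against
        for later in events:
            if later is origin:
                continue
            still_valid = later.ts - origin.ts <= origin.token_ttl
            if later.ip != origin.ip and still_valid and not later.mfa_satisfied:
                findings.append({"user": later.user, "session_id": sid,
                                 "origin_ip": origin.ip, "replay_ip": later.ip,
                                 "replay_ts": later.ts})
    return findings


def find_mfa_changes_without_fresh_challenge(
        signins: List[SignIn], audits: List[AuditEvent],
        op: str = "RegisterSecurityInfo",
        window: timedelta = timedelta(minutes=10)) -> List[Dict]:
    """MFA-method registrations not preceded by an MFA-satisfied sign-in in the
    same session within `window`. A replayed token still carries the victim's
    original MFA claim, so a policy that accepts it for security-info changes
    lets a method be added silently; these are the changes to roll back."""
    hits = []
    for a in audits:
        if a.operation != op:
            continue
        fresh = [s for s in signins
                 if s.session_id == a.session_id and s.mfa_satisfied
                 and timedelta(0) <= a.ts - s.ts <= window]
        if not fresh:
            hits.append({"user": a.user, "session_id": a.session_id, "ts": a.ts})
    return hits


def remediation_plan(signins: List[SignIn], audits: List[AuditEvent]) -> Dict[str, List[str]]:
    """Per-user actions beyond a password reset: revoke tokens, remove MFA methods."""
    revoke = "revoke all refresh/session tokens"
    plan: Dict[str, List[str]] = {}
    for f in find_session_replays(signins):
        plan.setdefault(f["user"], [revoke])
    for h in find_mfa_changes_without_fresh_challenge(signins, audits):
        actions = plan.setdefault(h["user"], [revoke])
        actions.append(f"remove MFA methods registered since {h['ts'].isoformat()}")
    return plan


# Constructed sample data (RFC 5737 documentation addresses).
T0 = datetime(2023, 6, 1, 9, 0)
SAMPLE_SIGNINS = [
    SignIn(T0, "alice@example.com", "sess-A", "198.51.100.10", True, True, timedelta(hours=24)),
    SignIn(T0 + timedelta(hours=2), "alice@example.com", "sess-A", "203.0.113.7", False, False, timedelta(hours=24)),
    SignIn(T0, "bob@example.com", "sess-B", "192.0.2.5", True, True, timedelta(hours=24)),
    SignIn(T0 + timedelta(hours=1), "bob@example.com", "sess-B", "192.0.2.5", False, False, timedelta(hours=24)),
    SignIn(T0, "carol@example.com", "sess-C", "192.0.2.9", True, True, timedelta(hours=1)),
    SignIn(T0 + timedelta(hours=3), "carol@example.com", "sess-C", "203.0.113.8", False, False, timedelta(hours=1)),
]
SAMPLE_AUDITS = [
    AuditEvent(T0 + timedelta(hours=2, minutes=10), "alice@example.com", "sess-A", "RegisterSecurityInfo"),
    AuditEvent(T0 + timedelta(minutes=5), "bob@example.com", "sess-B", "RegisterSecurityInfo"),
    AuditEvent(T0 + timedelta(hours=2, minutes=15), "alice@example.com", "sess-A", "ReadMailbox"),
]

if __name__ == "__main__":
    for user, actions in remediation_plan(SAMPLE_SIGNINS, SAMPLE_AUDITS).items():
        print(user, actions)
```

In the sample, only alice's session is flagged: her cookie is reused from a second address two hours into a 24-hour token, and a security-info registration follows without any MFA-satisfied sign-in in the preceding ten minutes. Bob's second event comes from the same address and his registration sits five minutes after an MFA-satisfied sign-in, and carol's late reuse falls outside the token lifetime, so none of those produce findings. Thresholds such as the freshness window are policy choices to tune against your own sign-in data.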