@gbhackers.com
Cybercriminals are increasingly using adversary-in-the-middle (AiTM) phishing with reverse proxies to bypass multi-factor authentication (MFA). Instead of hosting a static copy of a login page, the attacker runs a reverse proxy on a domain they control that relays every request to the legitimate service and every response back to the victim. The victim therefore sees the real login flow, including the MFA prompt, and completes it; the proxy records the username and password in transit and, more importantly, the session cookie the service issues once MFA succeeds. Replaying that cookie from the attacker's machine yields an authenticated session without ever needing the second factor, which is why MFA based on one-time codes or push approval does not stop this technique. Because the proxy serves a valid certificate for its own lookalike domain, the only visible sign for the victim is the domain name in the browser's address bar.
The proliferation of Phishing-as-a-Service (PhaaS) toolkits has lowered the barrier to entry for these attacks. Platforms such as Tycoon 2FA and EvilProxy ship ready-made templates for popular services and include IP filtering (to keep scanners and sandboxes away from the live proxy) and JavaScript injection to evade detection. Open-source tools such as Evilginx, written for penetration testing, have also been adopted by malicious actors; they provide a configurable reverse proxy with per-target "phishlets", so even inexperienced operators can run an MFA-bypass campaign. To counter this, organizations should reassess which MFA methods they rely on. Factors that are merely relayed (SMS and TOTP codes, push approvals) are all proxyable; WebAuthn/FIDO2 is not, because the credential is bound to the relying party's origin: the browser writes the origin of the page into the signed client data and will only use a credential for the RP ID registered for that origin, so a proxy on a lookalike domain cannot obtain an assertion the real service will accept. WebAuthn also replaces passwords with public-key signatures, so the server stores only public keys and a breach of its credential store yields nothing an attacker can replay. Beyond stronger factors, defenders should look for session cookies reused from a new IP address or autonomous system, or with a different TLS client fingerprint, shortly after MFA completes (the proxy contacts the real service with its own TLS stack, so its fingerprint does not match the victim's browser), and monitor for newly registered domains that impersonate their brand. Organizations that adapt their authentication and detection strategies along these lines are far better placed against this class of phishing.
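The origin-binding argument above is easiest to see in the checks a relying party actually performs on a WebAuthn assertion. The Python below is an added example, not code from the article or from any of the toolkits it names. It simulates what the browser places in clientDataJSON and authenticatorData for a genuine login and for one relayed through a proxy on a lookalike domain, then runs the RP-side checks (type, challenge, origin, rpIdHash, user-presence flag). The RP ID, the allowed origin and the lookalike domain are assumptions; signature verification is omitted because the proxied assertion is rejected before it is reached.

```python
import base64
import hashlib
import json
import secrets

# Relying-party (RP) configuration. Both values are assumptions for this example.
RP_ID = "example.com"
ALLOWED_ORIGINS = {"https://login.example.com"}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def verify_assertion_binding(client_data_json_b64: str, authenticator_data: bytes,
                             expected_challenge: bytes) -> tuple[bool, str]:
    """Run the binding checks an RP performs on a WebAuthn assertion
    (type, challenge, origin, rpIdHash, user-presence flag). The signature
    check over authenticatorData || SHA-256(clientDataJSON) would follow
    these and is omitted here; the AiTM defence lies in the checks shown."""
    client_data = json.loads(b64url_decode(client_data_json_b64))
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != b64url_encode(expected_challenge):
        return False, "challenge does not match the one issued for this session"
    origin = client_data.get("origin")
    if origin not in ALLOWED_ORIGINS:
        return False, f"origin {origin!r} is not an allowed origin"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match our RP ID"
    if not authenticator_data[32] & 0x01:
        return False, "user-presence flag not set"
    return True, "ok"


def browser_client_data(page_origin: str, challenge: bytes) -> str:
    """What the browser puts in clientDataJSON. The origin is filled in by the
    browser from the page that called navigator.credentials.get(); page script,
    and therefore a proxy serving that page, cannot override it."""
    return b64url_encode(json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": page_origin,
        "crossOrigin": False,
    }).encode())


def authenticator_data(rp_id: str, sign_count: int = 1) -> bytes:
    """rpIdHash || flags (UP set) || signCount. The browser only lets a page use
    an rpId that is a registrable suffix of its own origin, so a page on a
    lookalike domain cannot request rpId "example.com"."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([0x01]) + sign_count.to_bytes(4, "big"))


def demo() -> tuple[tuple[bool, str], tuple[bool, str]]:
    challenge = secrets.token_bytes(32)   # issued by the RP for this login attempt
    # Genuine login: page at the real origin, credential for the real RP ID.
    genuine = verify_assertion_binding(
        browser_client_data("https://login.example.com", challenge),
        authenticator_data("example.com"), challenge)
    # AiTM login (constructed lookalike domain): the proxy relays the RP's
    # challenge unchanged, but the victim's browser records the proxy's origin
    # and can only use a credential scoped to the proxy's domain. The RP
    # rejects it before looking at any signature.
    phished = verify_assertion_binding(
        browser_client_data("https://login.example-secure.com", challenge),
        authenticator_data("example-secure.com"), challenge)
    return genuine, phished


if __name__ == "__main__":
    for label, result in zip(("genuine", "phished"), demo()):
        print(f"{label}: {result}")
```

Contrast this with a TOTP code or push approval: nothing in those factors names the origin, so the proxy can forward them verbatim. Here the proxy would have to forge the origin field, which the browser controls, and the rpIdHash, which the authenticator computes from an RP ID the browser has already validated against the page's domain.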
@www.welivesecurity.com
A China-aligned advanced persistent threat (APT) group that ESET tracks as TheWizards is abusing IPv6 Stateless Address Autoconfiguration (SLAAC) to mount adversary-in-the-middle (AiTM) attacks, hijacking software updates to deploy Windows malware on victim systems. ESET Research has followed the group's activity since at least 2022; targets include individuals, gambling companies and other organizations in the Philippines, the United Arab Emirates, Cambodia, mainland China and Hong Kong. The group uses a custom tool named Spellbinder to carry out the attack.
Spellbinder performs SLAAC spoofing: it sends ICMPv6 Router Advertisements on the local network so that hosts configure the attacker's machine as their IPv6 router, turning it into a malicious IPv6-capable router that sees their traffic. SLAAC is not a vulnerability in the usual sense; hosts accept Router Advertisements by design, and Windows enables IPv6 by default and prefers it over IPv4, so the attacker only needs a foothold on the same network segment. With traffic flowing through it, Spellbinder intercepts DNS queries and answers those for selected software-update domains with attacker-controlled addresses, so the update client downloads a malicious payload. In a recent case TheWizards hijacked updates for Tencent QQ, a popular Chinese application, to deploy the group's signature WizardNet backdoor. ESET's investigation also found possible links between TheWizards and the Chinese company Dianke Network Security Technology, also known as UPSEC. The attack chain starts with an initial access vector and the delivery of a ZIP archive containing AVGApplicationFrameHost.exe, wsc.dll, log.dat and winpcap.exe: the legitimate AVG executable side-loads wsc.dll, which loads Spellbinder from log.dat, and winpcap.exe installs WinPcap, which Spellbinder needs for raw packet capture and injection. Researchers advise users to be cautious about software updates and to monitor network traffic for suspicious IPv6 activity; in practice that means alerting on Router Advertisements from any host other than the segment's router, enabling RA Guard on switches that support it, and disabling IPv6 on segments where it is not used.
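What "suspicious IPv6 activity" looks like on the wire is a Router Advertisement that claims the default-router role from an unexpected host, and often one that also hands out an unexpected resolver through the RDNSS option so that DNS can be answered by the attacker. The Python below is an added example and is not ESET's code or Spellbinder's; it parses ICMPv6 Router Advertisements (RFC 4861, with the RDNSS option from RFC 8106) and compares them against a per-segment baseline. The baseline values, the packet builder and both sample packets are constructed for the example; the rogue packet shows one realistic shape of SLAAC spoofing rather than the exact bytes Spellbinder emits.

```python
import ipaddress
import struct

ND_ROUTER_ADVERT = 134   # ICMPv6 type (RFC 4861)
OPT_SRC_LLADDR = 1       # Source Link-layer Address option
OPT_PREFIX_INFO = 3      # Prefix Information option
OPT_RDNSS = 25           # Recursive DNS Server option (RFC 8106)

# Per-segment baseline of what a legitimate RA looks like. These values are
# constructed for the example; a real deployment would load them per VLAN.
TRUSTED_ROUTER_MACS = {"00:11:22:33:44:55"}
TRUSTED_PREFIXES = {ipaddress.IPv6Network("2001:db8:1::/64")}
TRUSTED_DNS = {ipaddress.IPv6Address("2001:db8::53")}


def parse_ra(icmp: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement. `icmp` starts at the ICMPv6 type
    byte (the IPv6 header has already been stripped)."""
    if len(icmp) < 16 or icmp[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    hop_limit, flags, router_lifetime = struct.unpack("!BBH", icmp[4:8])
    ra = {
        "hop_limit": hop_limit,
        "managed": bool(flags & 0x80),
        "router_lifetime": router_lifetime,   # 0 means "not a default router"
        "src_mac": None,
        "prefixes": [],
        "dns": [],
    }
    off = 16
    while off + 2 <= len(icmp):
        otype, olen = icmp[off], icmp[off + 1]   # olen is in units of 8 octets
        end = off + olen * 8
        if olen == 0 or end > len(icmp):
            raise ValueError("malformed ND option")
        body = icmp[off + 2:end]
        if otype == OPT_SRC_LLADDR and len(body) >= 6:
            ra["src_mac"] = ":".join(f"{b:02x}" for b in body[:6])
        elif otype == OPT_PREFIX_INFO and len(body) == 30:
            # prefix length, flags, valid/preferred lifetimes, reserved, prefix
            ra["prefixes"].append(ipaddress.IPv6Network(
                (bytes(body[14:30]), body[0]), strict=False))
        elif otype == OPT_RDNSS and len(body) >= 22:
            # reserved(2) lifetime(4) then one or more 16-byte resolver addresses
            for i in range(6, len(body) - 15, 16):
                ra["dns"].append(ipaddress.IPv6Address(bytes(body[i:i + 16])))
        off = end
    return ra


def assess_ra(ra: dict) -> list[str]:
    """Return findings that indicate SLAAC spoofing on this segment."""
    findings = []
    if ra["router_lifetime"] > 0 and ra["src_mac"] not in TRUSTED_ROUTER_MACS:
        findings.append(f"default router advertised by unknown MAC {ra['src_mac']}")
    for prefix in ra["prefixes"]:
        if prefix not in TRUSTED_PREFIXES:
            findings.append(f"unexpected on-link prefix {prefix}")
    for resolver in ra["dns"]:
        if resolver not in TRUSTED_DNS:
            findings.append(f"RDNSS option points DNS at {resolver}")
    return findings


def build_ra(src_mac: str, router_lifetime: int, prefix: str, dns: list[str]) -> bytes:
    """Build an RA for testing. The ICMPv6 checksum is left as 0: a real sender
    computes it over the IPv6 pseudo-header, which is not modelled here."""
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, router_lifetime, 0, 0)
    net = ipaddress.IPv6Network(prefix)
    opts = bytes([OPT_SRC_LLADDR, 1]) + bytes.fromhex(src_mac.replace(":", ""))
    opts += (bytes([OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0])      # L and A flags set
             + struct.pack("!III", 2592000, 604800, 0) + net.network_address.packed)
    opts += (bytes([OPT_RDNSS, 1 + 2 * len(dns)]) + struct.pack("!HI", 0, 1800)
             + b"".join(ipaddress.IPv6Address(d).packed for d in dns))
    return hdr + opts


def demo() -> tuple[list[str], list[str]]:
    # Constructed samples: the segment's real router, then a host behaving the
    # way a SLAAC spoofer does: claiming the default-router role and handing
    # out its own resolver so that queries for update domains can be answered
    # with the attacker's address.
    legit = build_ra("00:11:22:33:44:55", 1800, "2001:db8:1::/64", ["2001:db8::53"])
    rogue = build_ra("de:ad:be:ef:00:01", 1800, "2001:db8:1::/64", ["fe80::dead:beef:0:1"])
    return assess_ra(parse_ra(legit)), assess_ra(parse_ra(rogue))


if __name__ == "__main__":
    for label, findings in zip(("legit", "rogue"), demo()):
        print(label, findings or ["no findings"])
```

Feeding this the ICMPv6 payloads captured from the ff02::1 multicast group on a segment gives a simple host-side or sensor-side check; RA Guard on the switch is the stronger control, since it drops rogue advertisements before any host processes them.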