Researchers on Thursday reported that threat actors are using phishing kits built on a transparent reverse proxy, which lets them run man-in-the-middle (MitM) attacks on a browser session and steal both credentials and session cookies.
In a blog post, Proofpoint researchers said they are especially concerned by these MitM attacks because the threat actors are stealing multi-factor authentication (MFA) tokens, bypassing what for several years has been widely considered a trusted security layer.
The researchers expect that threat actors will turn to these MitM attacks in the months and years ahead, citing a recent report from researchers at Stony Brook University and Palo Alto Networks that MitM attacks have become an industry blind spot.
“For years, defenders have used MFA as a silver bullet against account takeover,” said Sherrod DeGrippo, vice president, threat research and detection at Proofpoint. “We’re seeing the beginnings of a shift in the threat landscape driven by the wide adoption of MFA.”
DeGrippo said MFA remains an important preventative control for account takeover; however, it's clear that defenders also need detective controls in place. She said many leading organizations implemented MFA and have largely been able to discount credential phishing for several years. Those organizations need to assess their ability to detect account compromise, not just prevent it.
“The days of the MFA silver bullet for credential phishing are gone,” DeGrippo said. “Defenders need to focus on credential phishing defenses and post-compromise detection and response. MFA phishing kits have been around for several years and the technique itself is not what concerns us. We are very concerned about the rapid adoption of MFA and the broad spread adoption of these MFA kits.”
Jon Gaines, senior application security consultant at nVisium, confirmed the trend reported by Proofpoint: more threat actors have moved to phishing kits that allow some form of MFA bypass. Gaines said there are even open-source options, such as Evilginx2.
“Since that’s available, the organization's blue team and outside red teams should perform phishing campaigns at least annually to learn how to recognize and monitor this type of phishing,” Gaines said. “This works by forwarding the request to the proper service — such as Microsoft — and capturing the credentials before they're sent and the session's cookies in the response. Luckily, in my experience, the domains used for this type of phishing are burned fairly quickly once they have been accessed. It’s also another reason why paying attention to the URL you're signing onto is vital. Overall, MFA is still the top advice for protecting all of your online accounts.”
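As an added illustration of the detective control DeGrippo describes (this is not code from Proofpoint or from the article): a small script over constructed identity-provider events that flags a session whose cookie is presented from a different address or user agent than the client that completed MFA. With a reverse-proxy kit the IdP records the proxy's address at sign-in and the replayed cookie then arrives from the attacker's own machine, so one session showing two origins within a short window is the signal; the log format and field names here are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample identity-provider events (not real log data).
# A reverse-proxy phishing kit relays the victim's MFA sign-in, so the
# IdP records the proxy's address at sign-in; the stolen cookie is then
# replayed from the attacker's machine, a second origin on one session.
EVENTS = [
    "2022-02-03T09:00:00 alice mfa_success sess=S1 ip=203.0.113.10 ua=Chrome/97",
    "2022-02-03T09:00:40 alice session_use sess=S1 ip=203.0.113.10 ua=Chrome/97",
    "2022-02-03T09:06:15 alice session_use sess=S1 ip=198.51.100.7 ua=python-requests/2.27",
    "2022-02-03T09:10:00 bob   mfa_success sess=S2 ip=192.0.2.44 ua=Firefox/96",
    "2022-02-03T09:12:30 bob   session_use sess=S2 ip=192.0.2.44 ua=Firefox/96",
]

def parse_event(line):
    """Parse one assumed-format line: '<iso-ts> <user> <event> key=value ...'."""
    ts, user, event, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {"ts": datetime.fromisoformat(ts), "user": user, "event": event, **fields}

def find_hijacked_sessions(lines, window=timedelta(hours=1)):
    """Return {session_id: [details]} for sessions whose cookie was presented
    from a different IP or user agent than the client that completed MFA,
    within `window` of the MFA success. Events must be in time order."""
    origin = {}  # session id -> the event that completed MFA
    hits = {}
    for ev in map(parse_event, lines):
        sid = ev["sess"]
        if ev["event"] == "mfa_success":
            origin[sid] = ev
            continue
        start = origin.get(sid)
        if start is None or ev["ts"] - start["ts"] > window:
            continue  # unknown session, or outside the correlation window
        if (ev["ip"], ev["ua"]) != (start["ip"], start["ua"]):
            hits.setdefault(sid, []).append({
                "user": ev["user"], "mfa_ip": start["ip"], "reuse_ip": ev["ip"],
                "reuse_ua": ev["ua"],
                "delta_s": int((ev["ts"] - start["ts"]).total_seconds()),
            })
    return hits

if __name__ == "__main__":
    for sid, uses in find_hijacked_sessions(EVENTS).items():
        for u in uses:
            print(f"ALERT session {sid} ({u['user']}): MFA from {u['mfa_ip']}, "
                  f"cookie reused from {u['reuse_ip']} ({u['reuse_ua']}) {u['delta_s']}s later")
```

In production the IP comparison would be done at the ASN or geolocation level and correlated with the user's usual sign-in locations, since mobile clients legitimately change address.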