In Q2 and Q3 of this year, Kroll observed an increase in large-scale AiTM phishing and BEC attacks targeting organizations within the professional services, banking and financial industries. In 90% of Kroll's recent BEC investigations, MFA was in place at the time of unauthorized access, but attackers can obtain authentication tokens and/or session cookies to easily evade defenses.
Once obtained, threat actors successfully “replayed” the intercepted tokens to authenticate. Exploitation activities included payroll redirection and invoice payment fraud; data exfiltration and extortion; and follow-on phishing attacks leveraging the compromised accounts to leapfrog against additional victims, resulting in global supply chain disruption in a ripple effect.
In addition to AiTM attacks, threat actors have been increasingly observed leveraging legitimate credentials and personally identifiable information (PII) sourced from previous data breaches to impersonate employees and convince IT service desk staff to reset a legitimate employee’s password, remove MFA protections or add a new phone or device to an account.
Often, criminals targeted employees with privileged access after simple LinkedIn reconnaissance. Once an employee’s password was reset or MFA was added to a new device, threat actors gained remote access to the target network.
Kroll recognizes that many organizations have only recently succeeded in establishing basic MFA policies to thwart credential compromises. Novel phishing-as-a-service toolkits are forcing organizations to go even farther to address what has quickly become a mainstream form of attack. State-of-the-art options rely heavily on newer technologies, such as FIDO2 or Passkeys, that are resistant to AiTM attacks. In the meantime, organizations must focus their efforts on minimizing the scope of successful AiTM attacks against current MFA solutions through creative access evaluation policies and anomaly monitoring.
Adversary in the Middle (AiTM)
Advanced MFA-bypassing phishing toolkits and services have become easily available as a subscription service or sold directly on dark web forums. These toolkits are used to intercept credentials, MFA codes, cookies and session tokens via targeted phishing attacks. Session token theft is particularly dangerous because once a user has authenticated successfully to an application, a session cookie is created that identifies the authenticated user. If an attacker obtains this cookie, they do not need credentials or an MFA token to retain access to the victim’s account. Traditional MFA factors, including challenge/response codes, app-based codes and the like, are vulnerable to this interception and replay, as depicted below.
EvilProxy
EvilProxy is a phishing-as-a-service toolkit used by threat actors to circumvent MFA protection used by many services online. The toolkit creates phishing links that are clones of known services, such as Microsoft, Google, GitHub, NPM, PyPi and many other services, to harvest credentials, tokens and session cookies.
A campaign throughout July and August 2023 saw threat actors leveraging EvilProxy to target C-suite employees across a wide variety of sectors. Utilizing an open redirect technique against the legitimate "indeed.com" domain, the threat actor led victims to a phishing page impersonating a Microsoft 365 login page. When the victim enters their credentials and MFA token, they are successfully authenticated to the legitimate service; however, the credentials and session cookie have by then been captured by EvilProxy, ready for reuse by the threat actor.
Evilginx2 and W3LL
Two other popular phishing toolkits are Evilginx2, an open-source phishing framework which expanded upon the foundation of its predecessor, Evilginx, and W3LL. Like EvilProxy, these kits offer an array of capabilities that can expertly emulate login pages for well-known platforms such as Citrix, Microsoft365, Okta, PayPal and GitHub, among others. In September, it was reported that W3LL had captured credentials for over 56,000 Microsoft 365 accounts, and the kit is regarded as one of the most advanced thanks to its API, source code protection and other unique features.
MFA Fatigue
MFA fatigue, or MFA spamming, relies on the victim approving a push notification rather than any form of number or code matching. This is deemed as a “simple approval” method where approving the push notification is all that is required to complete the authentication, often without the user having awareness of the session they are authenticating to. During an MFA fatigue attack, the threat actor will have already gained access to credentials of the victim, likely either through a prior compromise or bought on the dark web.
KTA243 (aka Scattered Spider)
In most reported intrusions, the threat actor group KTA243 has achieved initial access through targeted social engineering. Observed methods have included phone calls and SMS messages impersonating active employees, combined with MFA fatigue. Furthermore, the group has taken more direct approaches to gain access by calling an organization’s help desk to socially engineer the victim into resetting a user’s password and adding or changing the MFA token/factor, enabling the threat actor to authenticate through their own device.
KTA243 actors are assessed to primarily target data exfiltration for financial gain after accessing a target’s environment. However, recent reports have linked the group to data extortion and ransomware deployment within the victim environment.
Additional Resources
Kroll has previously published several articles that cover this topic in more depth:
Recommendations
Cloud identity providers are actively adding features and capabilities to their platforms to enhance identification and mitigation options against these attacks. Keep abreast of the latest developments from your providers. As of this writing, to assist in hardening against the attacks described in this report, Kroll recommends the following:
- Ensure users are aware of and trained to identify the latest tactics and techniques surrounding MFA bypass, including caution when entering credentials from links in emails.
- Implement phishing-resistant authentication methods, such as devices enrolled in FIDO (Fast IDentity Online), especially for privileged users.
- Review and update IT helpdesk policies and exception handling procedures to address social engineering attacks aimed at enrolling or disabling MFA and unauthorized devices.
- Implement mobile device management (MDM) for mobile devices and enforce security and version control policies.
- Use creative conditional access control (CAC) policies to reduce your attack surface. For example:
  - If your corporate device policy only includes Windows for desktop and iOS mobile devices, block Android and MacBooks from authenticating.
  - Disable or limit the scope of allowed MFA methods, such as SMS and voice approval, or unused MFA application types.
  - Consider blocking or flagging authentication attempts and enrollment from geographies outside the scope of your organization’s footprint.
  - Limit the number of allowed MFA devices per user and require extra authentication factors when authorizing MFA devices.
- Review and reduce session token lifetimes and implement continuous access evaluation features (CAE) where available.
- Train your security operations teams to identify signs of potential compromise.
- Consider a managed detection and response (MDR) service, such as Kroll Responder, with endpoint detection and response (EDR) and key identity log ingestion capabilities to help detect and respond to identity attacks.
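The anomaly-monitoring recommendations above (out-of-footprint sign-ins, and detecting a stolen session token being replayed as described in the AiTM section) can be expressed as simple rules over identity sign-in logs. The following is an added illustration, not Kroll's code or any vendor's detection content; the event fields, the allowed-country set and the sample events are all constructed for the example.

```python
"""Toy detector for two patterns from the report: session-token replay after
an AiTM phish, and sign-ins from outside the organization's footprint.
Added example; the log schema below is constructed, not a vendor format."""
from datetime import datetime

# Constructed sample events (not real telemetry): an interactive MFA sign-in,
# then the same session presented from another ASN and browser with no MFA.
EVENTS = [
    {"ts": "2023-09-01T08:00:00", "user": "cfo@example.com", "session": "S1",
     "asn": "AS64500", "country": "US", "ua": "Edge/116", "mfa": True},
    {"ts": "2023-09-01T08:07:00", "user": "cfo@example.com", "session": "S1",
     "asn": "AS64511", "country": "NL", "ua": "Chrome/115", "mfa": False},
    {"ts": "2023-09-01T09:00:00", "user": "it@example.com", "session": "S2",
     "asn": "AS64500", "country": "US", "ua": "Edge/116", "mfa": True},
]
ALLOWED_COUNTRIES = {"US", "CA"}   # assumed organizational footprint


def find_anomalies(events, allowed=ALLOWED_COUNTRIES):
    """Return (rule, user, session) tuples for events matching either rule."""
    findings = []
    first_seen = {}  # session id -> the event that first presented it
    for e in sorted(events, key=lambda ev: ev["ts"]):
        datetime.fromisoformat(e["ts"])  # validate timestamp format early
        if e["country"] not in allowed:
            findings.append(("out_of_footprint", e["user"], e["session"]))
        origin = first_seen.setdefault(e["session"], e)
        if origin is e:
            continue  # first use of this session: nothing to compare against
        # Same session token, different network and client, no fresh MFA
        # claim: the replay pattern that AiTM toolkits rely on.
        if (e["asn"] != origin["asn"] and e["ua"] != origin["ua"]
                and not e["mfa"]):
            findings.append(("session_replay", e["user"], e["session"]))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(EVENTS):
        print(finding)
```

Real identity logs carry richer signals (device compliance, token issuance time, risk scores); the point here is that a replayed token shows up as one session id spanning two distinct client fingerprints without a new MFA claim.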
Additional guidance and recommendations, including targeted Microsoft 365 configuration reviews, are available for Kroll customers. Contact your technical account manager or account executive for more information.