Business Email Compromise – Threat actors leveraging MFA bypass
Over the last nine months, we have seen a notable increase in large-scale Adversary in the Middle (AiTM) phishing and Business Email Compromise (BEC) attacks targeting organisations. In many cases, Multi-Factor Authentication (MFA) was in place and it appears that attackers were able to bypass these defences.
A Brief Overview of Adversary-in-the-Middle (AiTM) Attacks
AiTM attacks are characterised by their active engagement: rather than passively eavesdropping, the attacker sits between the two parties and manipulates the data and communications passing through. This makes them a potent threat in the cybersecurity landscape. The concept grew out of the earlier Man-in-the-Middle (MitM) attack, which originally emerged as a means of intercepting communications between two parties. Today, AiTM attacks have evolved to become highly sophisticated and malicious. They can manifest in various forms, including credential harvesting, data manipulation, phishing and malware delivery.
Phishing
Social engineering plays a crucial role in the effectiveness of phishing attacks. For instance, cybercriminals often use legitimate credentials and personally identifiable information (PII) from previous breaches to impersonate employees convincingly. They deploy various social engineering tactics to manipulate IT service desk personnel into resetting passwords, disabling MFA, or registering new devices to specific accounts. This strategy is particularly effective against employees with privileged access, who are often identified through basic searches on platforms like LinkedIn. These techniques significantly increase the likelihood of the initial phishing email being clicked on, leading to successful breaches. A number of phishing-as-a-service toolkits have become prominent (e.g. Evilginx2); these are used to create phishing pages that mimic reputable services and capture the credentials, tokens and session cookies entered through them.
How AiTM phishing works
AiTM (Adversary in The Middle) phishing is a type of cyberattack where a hacker tricks a user into thinking they are logging into a legitimate website, but they are actually interacting with a fake site controlled by the hacker. Here’s a simpler breakdown of how it happens:
- Why Session Cookies Matter: Imagine logging into a website and getting a special pass that tells the website you are already logged in, so you don’t have to enter your password on every page. This “pass” is what we call a session cookie.
- Creating a Convincing Fake Site: The hacker sets up a fake website that looks just like the real one you intend to visit. This fake site is a trick; it’s set up to intercept and pass along all the information you try to send to the real site.
- How the Trick Works: When you enter your login details on the fake site, the hacker’s site sends your information to the real site behind the scenes. This makes everything look normal to you, as you can still see your account and do things as if nothing is wrong.
- Stealing the “Pass”: As you log in, the fake site steals the session cookie—the “pass” that proves you are logged in. With this cookie, the hacker can get into your account on the real site without needing your password.
- Taking Control: Once the hacker has your session cookie, they can access your account, read your messages, make purchases, or do anything that you could do, even if you have extra security like two-factor authentication.
This attack is particularly sneaky because it is hard to notice and can bypass extra security measures. It highlights why it is important to check the URL in your browser’s address bar before logging into any site, to make sure it is the legitimate one.
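The reason a FIDO2 security key is not fooled by the fake site described above is that the browser, not the user, records which site asked for the login, and the real site checks that value. The following added example (not code from the Bulletin; the origin and challenge values are constructed) shows the origin and challenge checks a site performs on the browser-supplied clientDataJSON, and why a login relayed through a look-alike site is rejected even though the user entered the correct password and touched the key.

```python
import base64
import hashlib
import json

# The legitimate site's settings. Constructed values for this example.
RP_ORIGIN = "https://login.example.com"

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def browser_client_data(page_origin, challenge):
    """What the browser builds for navigator.credentials.get(): the browser itself fills in
    the origin of the page making the call, so a look-alike site gets its own origin recorded."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url_encode(challenge),
                       "origin": page_origin}).encode()

def client_data_hash(client_data_json):
    # The security key signs authenticatorData || SHA-256(clientDataJSON). Editing the origin
    # field after signing changes this hash, so the signature no longer verifies.
    return hashlib.sha256(client_data_json).digest()

def rp_verify_client_data(client_data_json, expected_challenge):
    """The checks the legitimate site performs on clientDataJSON before (and in addition to)
    verifying the key's signature over client_data_hash()."""
    data = json.loads(client_data_json)
    if data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if b64url_decode(data.get("challenge", "")) != expected_challenge:
        return False, "challenge does not match the one issued for this login"
    if data.get("origin") != RP_ORIGIN:
        return False, "origin %r is not %r" % (data.get("origin"), RP_ORIGIN)
    return True, "ok"

def demo():
    challenge = b"constructed-16by"  # per-login random value issued by the real site
    direct = browser_client_data(RP_ORIGIN, challenge)          # user on the real site
    relayed = browser_client_data("https://login.example-proxy.test", challenge)  # user on the fake site
    return rp_verify_client_data(direct, challenge), rp_verify_client_data(relayed, challenge)

if __name__ == "__main__":
    for result in demo():
        print(result)
```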
Defending against AiTM phishing and BEC
The rise of AiTM phishing campaigns underscores the adaptive nature of cyber threats in response to the security defences organisations put in place. Despite AiTM’s ability to sidestep MFA, it is important to recognise that MFA remains a critical component of identity security. MFA’s effectiveness is so notable that it has prompted the evolution of sophisticated phishing techniques like AiTM. To bolster defences against such advanced threats, organisations can adopt several strategies:
- Implement Phishing-Resistant MFA: Utilising solutions that support FIDO2 (Fast IDentity Online) and certificate-based authentication can create a more secure authentication environment that is resistant to phishing.
- Enable Conditional Access Policies: These policies are crucial as they are evaluated each time an attacker tries to use a stolen session cookie. By enforcing policies that recognise only compliant devices or trusted IP addresses, organisations can mitigate the risk posed by stolen credentials.
- Deploy Advanced Anti-Phishing Solutions: Investing in technologies that monitor and evaluate the security of incoming emails and the websites users visit can help prevent phishing attacks. Enhanced browser security features that identify and block malicious websites are particularly effective.
- Continuous Monitoring for Suspicious Activities: Vigilance is key in cybersecurity. Monitoring for signs of unusual activities, such as odd sign-in attempts (from unexpected locations or devices) or strange mailbox activities (like creating suspicious inbox rules), can help identify and mitigate potential breaches early.
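Two of the signals listed above, a session token turning up from a network and browser other than the one that completed MFA, and newly created inbox rules that hide or forward finance-related mail, can be checked mechanically. The following added example (not code from the Bulletin; the event records and field names are constructed and do not follow any vendor's log schema) runs both checks over a few sample events.

```python
# Constructed sample telemetry (not real logs). Field names are assumptions for this example.
SIGNIN_EVENTS = [
    {"ts": "08:02:11", "user": "alice", "session": "S1", "ip": "203.0.113.10", "ua": "Edge/Windows", "mfa": True},
    {"ts": "08:03:40", "user": "alice", "session": "S1", "ip": "203.0.113.10", "ua": "Edge/Windows", "mfa": False},
    {"ts": "08:09:05", "user": "alice", "session": "S1", "ip": "198.51.100.77", "ua": "Chrome/Linux", "mfa": False},
    {"ts": "09:15:00", "user": "bob", "session": "S2", "ip": "203.0.113.22", "ua": "Edge/Windows", "mfa": True},
]
MAILBOX_EVENTS = [
    {"ts": "08:11:30", "user": "alice", "op": "New-InboxRule", "rule": ".", "delete": True,
     "forward_to": None, "keywords": ["invoice", "payment"]},
    {"ts": "09:20:00", "user": "bob", "op": "New-InboxRule", "rule": "Newsletters", "delete": False,
     "forward_to": None, "keywords": ["newsletter"]},
]
INTERNAL_DOMAIN = "example.com"

def session_replay_findings(events):
    """Flag a session token used from a different (ip, user agent) than the sign-in that minted it.
    A cookie captured by an AiTM site is replayed from the attacker's own machine, so it shows up
    without a fresh MFA prompt and from a network/browser the account has not used before."""
    origin = {}  # session id -> (ip, ua) of the first sign-in that created it
    findings = []
    for e in events:
        key = (e["ip"], e["ua"])
        if e["session"] not in origin:
            origin[e["session"]] = key
            continue
        if key != origin[e["session"]] and not e["mfa"]:
            findings.append({"user": e["user"], "session": e["session"], "ts": e["ts"], "from_ip": e["ip"],
                             "reason": "session token reused from a new ip/user-agent without fresh MFA"})
    return findings

def inbox_rule_findings(events, internal_domain=INTERNAL_DOMAIN):
    """Flag inbox rules typical of BEC: hiding mail that matches finance keywords, forwarding to an
    external address, or a near-empty rule name chosen so the rule is easy to overlook."""
    findings = []
    for e in events:
        if e["op"] != "New-InboxRule":
            continue
        reasons = []
        if e["delete"] and e["keywords"]:
            reasons.append("deletes mail matching keywords %s" % e["keywords"])
        if e["forward_to"] and not e["forward_to"].lower().endswith("@" + internal_domain):
            reasons.append("forwards mail outside %s" % internal_domain)
        if len(e["rule"].strip()) <= 1:
            reasons.append("rule name is a single character")
        if reasons:
            findings.append({"user": e["user"], "ts": e["ts"], "rule": e["rule"], "reasons": reasons})
    return findings
```

In practice the same logic is applied to sign-in and mailbox audit logs as they arrive, and an alert on either finding is a prompt to revoke the user's sessions and review the rule before any invoice or payment request is acted on.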
About the Bulletin:
The NZ Incident Response Bulletin is a monthly high-level executive summary containing some of the most important news articles that have been published on Forensic and Cyber Security matters during the last month. Also included are articles written by Incident Response Solutions, covering topical matters. Each article contains a brief summary and if possible, includes a linked reference on the web for detailed information. The purpose of this resource is to assist Executives in keeping up to date from a high-level perspective with a sample of the latest Forensic and Cyber Security news.
To subscribe or to submit a contribution for an upcoming Bulletin, please either visit https://incidentresponse.co.nz/bulletin or send an email to bulletin@incidentresponse.co.nz with the subject line either “Subscribe”, “Unsubscribe”, or if you think there is something worth reporting, “Contribution”, along with the Webpage or URL in the contents.
This Bulletin is prepared for general guidance and does not constitute formal advice. This information should not be relied on without obtaining specific formal advice. We do not make any representation as to the accuracy or completeness of the information contained within this Bulletin. Incident Response Solutions Limited does not accept any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, when relying on the information contained in this Bulletin or for any decision based on it.
