Fighting Against AitM Phishing Attacks: Ways to Resist

Attackers are increasingly using new phishing toolkits (open-source, commercial, and criminal) to carry out adversary-in-the-middle (AitM) attacks.

How AitM Phishing Attacks Bypass MFA and EDR—and How to Fight Back

AitM lets attackers not only harvest credentials but also hijack live, authenticated sessions, which sidesteps the usual phishing defenses: MFA, EDR, and email content scanning.

This article explains what AitM phishing is, how the toolkits work, and which capabilities organizations need in order to detect and block these attacks reliably.

AitM Phishing in a Nutshell

AitM phishing uses dedicated tooling to sit between the victim and the genuine login page of an application.

Because the page is a live relay of the real application rather than a static copy, it looks exactly as the user expects: they really are signing in to the legitimate site, just by way of the attacker's server. Open webmail and the user sees their real inbox; open a cloud file store and their real files are there.

This makes AitM far more convincing than a classic clone page and much harder for the user to notice. But because the attacker sits in the middle of the connection, they can observe everything that passes through it and take over the authenticated session to gain control of the account.

This access is temporary in principle (the attacker cannot re-authenticate if challenged), but authenticated sessions are often valid for 30 days or more as long as they are kept active. Attackers also have a range of persistence techniques that let them keep some level of access to the account, or to the target application, more or less indefinitely.
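A stolen session that stays valid for weeks is still a session that gets used, and the server sees that use. The following is an added example, not from the article and not part of any named toolkit or product: a detection that binds each session to the browser that authenticated it and flags later requests presenting the same session from a different browser. The log events and field names are constructed for the demo, and the thresholds are assumptions.

```javascript
// Added example, not taken from the article: spot a hijacked session being replayed from a
// different browser than the one that authenticated it. Events below are constructed sample
// data in the shape of IdP/application access logs; field names are an assumption.
const SAMPLE_EVENTS = [
  { ts: "2024-06-01T09:00:00Z", type: "auth",    user: "alice", session: "s-1",
    ip: "203.0.113.10", ua: "Mozilla/5.0 (Windows NT 10.0) Chrome/124" },
  { ts: "2024-06-01T09:05:00Z", type: "request", user: "alice", session: "s-1",
    ip: "203.0.113.10", ua: "Mozilla/5.0 (Windows NT 10.0) Chrome/124", path: "/mail" },
  // Two hours later the same cookie arrives from another network AND another browser.
  { ts: "2024-06-01T11:42:00Z", type: "request", user: "alice", session: "s-1",
    ip: "198.51.100.7", ua: "Mozilla/5.0 (X11; Linux x86_64) Firefox/126", path: "/settings/security" },
  { ts: "2024-06-01T09:10:00Z", type: "auth",    user: "bob",   session: "s-2",
    ip: "192.0.2.44", ua: "Mozilla/5.0 (iPhone; CPU iPhone OS 17_4) Safari/604.1" },
  // Bob's IP changed (mobile roaming) but the browser did not: weak signal on its own.
  { ts: "2024-06-01T10:00:00Z", type: "request", user: "bob",   session: "s-2",
    ip: "192.0.2.45", ua: "Mozilla/5.0 (iPhone; CPU iPhone OS 17_4) Safari/604.1", path: "/files" },
  // A session the logs never saw being established at all.
  { ts: "2024-06-01T12:00:00Z", type: "request", user: "carol", session: "s-9",
    ip: "198.51.100.7", ua: "Mozilla/5.0 (X11; Linux x86_64) Firefox/126", path: "/mail" },
];

function detectSessionReplay(events) {
  // session id -> the (ip, ua) present when the session was minted.
  // With a reverse-proxy AitM kit, that "ip" is already the proxy's address and the "ua"
  // is the victim's, forwarded by the proxy; the attacker's own browser shows up later.
  const bindings = new Map();
  const findings = [];
  const ordered = [...events].sort((a, b) => a.ts.localeCompare(b.ts));
  for (const e of ordered) {
    if (e.type === "auth") {
      bindings.set(e.session, { user: e.user, ip: e.ip, ua: e.ua, ts: e.ts });
      continue;
    }
    const b = bindings.get(e.session);
    if (!b) {
      findings.push({ session: e.session, user: e.user, ts: e.ts, severity: "medium",
        reason: "session used without an observed authentication event" });
      continue;
    }
    const uaChanged = b.ua !== e.ua;
    const ipChanged = b.ip !== e.ip;
    if (uaChanged) {
      // A browser does not change its User-Agent mid-session; a cookie imported into
      // another browser does, unless the attacker also copies the UA string.
      findings.push({ session: e.session, user: e.user, ts: e.ts, severity: "high",
        reason: `user-agent changed from "${b.ua}" to "${e.ua}"` +
                (ipChanged ? ` and IP from ${b.ip} to ${e.ip}` : "") });
    } else if (ipChanged) {
      findings.push({ session: e.session, user: e.user, ts: e.ts, severity: "low",
        reason: `IP changed from ${b.ip} to ${e.ip}` });
    }
  }
  return findings;
}

// Usage: node this_file.js
if (typeof require !== "undefined" && require.main === module) {
  for (const f of detectSessionReplay(SAMPLE_EVENTS)) {
    console.log(f.severity, f.user, f.session, f.reason);
  }
}
```

The user-agent change is the strong signal here: the proxy forwards the victim's real browser headers during the login, so the minted session is bound to the victim's UA, and the attacker's browser only matches if they deliberately copy it. An IP change alone is common for mobile users, which is why it is rated low. This is after-the-fact detection of session use, not prevention; the article's point is that the password entry itself is the earlier and better place to intervene.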

The Operational Mechanisms of AitM Toolkits

There are two main techniques for carrying out AitM phishing: reverse web proxies (conventional AitM) and Browser-in-the-Middle (BitM).

Reverse web proxy:

Probably the most flexible and reliable approach from the attacker's point of view. When the victim visits the malicious domain, HTTP requests flow between the victim's browser and the legitimate site through the attacker's server. For each request it receives, the malicious site forwards it to the real site it is impersonating, takes the response, and relays that back to the victim, capturing credentials and session cookies as they pass through.

Well-known open-source tools that work this way include Modlishka, Muraena, and the ever-popular Evilginx. Equivalent private toolkits circulate in the criminal market and have been used in many past breaches.
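One consequence of the relay design is that the victim's browser is rendering the legitimate application's pages on the attacker's hostname, and page scripts can see that. The block below is an added example, not code from the article, from Evilginx, or from any named product: a tripwire that the legitimate login page's own JavaScript can run. Proxy kits rewrite the real hostname wherever it appears in responses so that links keep working, which is exactly why a literal string comparison is useless; the expected hostname is therefore reconstructed from character codes at runtime. The hostname `login.example.com` is a placeholder.

```javascript
// Added example, not from the article or any toolkit: a login page checks that it is being
// rendered on the real origin. A reverse-proxy AitM kit serves this same page from the
// attacker's domain, so window.location.hostname differs. Because such kits find-and-replace
// the legitimate hostname in response bodies, the expected value is kept as char codes rather
// than as a literal. "login.example.com" is a placeholder hostname (assumption).
const EXPECTED_HOST_CODES = [108, 111, 103, 105, 110, 46, 101, 120, 97, 109, 112, 108, 101, 46, 99, 111, 109];

function expectedHost() {
  return String.fromCharCode(...EXPECTED_HOST_CODES); // "login.example.com"
}

// Case-insensitive comparison; a trailing dot (absolute FQDN form) is tolerated.
function isServedFromProxy(observedHost) {
  const h = String(observedHost || "").toLowerCase().replace(/\.$/, "");
  return h !== expectedHost();
}

// Pure policy decision, kept DOM-free so it can be tested without a browser.
function assessLoginPage(observedHost) {
  if (!isServedFromProxy(observedHost)) return { action: "allow" };
  return { action: "block",
           reason: `page rendered on "${observedHost}", expected "${expectedHost()}"` };
}

// Browser entry point: neutralise the password fields and return the verdict.
// Takes document/location as parameters so it can be driven with fakes under Node.
function enforceInBrowser(doc, loc) {
  const verdict = assessLoginPage(loc.hostname);
  if (verdict.action === "block") {
    for (const field of doc.querySelectorAll('input[type="password"]')) {
      field.value = "";
      field.disabled = true;
    }
    // Reporting the event to the back end would go here. A proxy can intercept that call
    // like any other, so a real deployment reports out-of-band (assumption).
  }
  return verdict;
}

if (typeof window !== "undefined" && typeof document !== "undefined") {
  enforceInBrowser(document, window.location);
}
```

Treat this as a tripwire, not a fix: a toolkit operator who notices it can strip or patch the script in transit just as easily as they rewrite hostnames, and BitM bypasses it entirely because the victim is driving a real browser on the real origin. The robust counter to proxied logins is an origin-bound authenticator such as FIDO2/WebAuthn, where the signature covers the origin the browser actually saw and so cannot be relayed from the attacker's domain.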

BitM:

Instead of acting as a reverse proxy, this technique tricks the victim into driving the attacker's browser directly through desktop screen-sharing and remote-control protocols such as VNC and RDP. The attacker gets not just the username and password but every secret and token associated with the login.

Here the victim is not interacting with a cloned site or a proxy at all. They are, in effect, remotely operating the attacker's browser and unknowingly logging in to the real application from it. It is the equivalent of an attacker handing their laptop to the victim, asking them to log in to Okta, and taking the laptop back once they have. Thanks very much!

In practice, the noVNC open-source project is the usual way to implement this. noVNC is a JavaScript-based VNC client that lets a VNC session run inside a browser tab. A prominent offensive tool built on it is EvilnoVNC, which spins up Docker instances running VNC, brokers the victim's access to them, and records keystrokes and cookies along the way to speed up the account takeover.

If you want to go deeper on SaaS-native attack techniques, see this blog post.

Phishing: an Age-Old Problem with Modern-day Twists

Phishing is one of the longest-standing problems in cybersecurity: identity and phishing attacks have been reported as the leading attack vector since at least 2013. Yet both the capabilities of phishing tooling and its role in the modern attack landscape have changed dramatically.

As noted above, AitM toolkits are primarily a means for attackers to bypass controls such as MFA and take over workforce identities, which in turn open the door to the wide range of business applications and services accessed over the internet.

We are now in an era where identity is the new perimeter, and that means identities are the easiest target for attackers looking for a way into an organization.

The digital perimeter has shifted as business IT has moved away from centralized networks toward web-based services and applications.

The fact that attackers are investing in improving and commercializing advanced phishing toolkits is itself a signal of how lucrative identity attacks are. The data backs this up:

  • 80% of current attacks involve identity and compromised credentials (CrowdStrike).
  • 79% of web application breaches resulted from compromised credentials (Verizon).
  • An estimated 75% of attacks in 2023 were malware-free, and "cloud-conscious" attacks rose by 110% (CrowdStrike).

Recent high-profile breaches show how much attackers stand to gain by compromising workforce identities to get into web-based business applications. The recent Snowflake breach, one of the largest in history, is a stark example of the trend.

Attackers now have many opportunities to do serious damage with far less effort than before. Targeting an application such as Snowflake to exfiltrate its data involves a much shorter attack chain than a traditional network intrusion. At the same time, the rise of Single Sign-On platforms such as Okta magnifies the impact of a single compromised identity, because it lets the attacker spread quickly across many applications and accounts. That leaves little margin for error when defending against identity attacks like AitM phishing: you need to stop them up front rather than rely on endpoint and network controls to clean up afterwards.

In this landscape, intruders no longer need to breach a traditional network perimeter, because the data and functionality they want are reachable directly over the public internet. Hence the rise in attacks against SaaS applications, where the entire attack chain plays out outside the customer's network and never touches conventional endpoint or network controls.

AitM phishing tools are, in effect, the identity equivalent of a C2 framework. On the endpoint and network side, toolkits like Metasploit and Cobalt Strike steadily moved toward post-exploitation and automation to enable more sophisticated intrusions. The same thing is already happening here, for example in the integration of Evilginx with GoPhish to automate phishing campaigns.

Attackers bypass existing controls with ease

Current anti-phishing controls have focused on protecting the email inbox (the dominant, but by no means only, delivery channel) and on blocklisting known malicious domains. The fact that phishing remains such a persistent threat shows how poorly these approaches have kept up with the way attacks actually evolve.

A core anti-phishing control is blocking known-bad URLs, IPs, and domain names. Its inherent weakness is that threat intelligence is reactive: a defender usually learns about an indicator only after it has already been used in an attack, which leaves them permanently a step behind.

And even once these indicators are flagged, attackers can change or hide them with little effort:

  • Scanning emails for malicious URLs sounds effective, but modern campaigns use a unique URL for every target, shorten URLs, and link to documents that in turn contain the malicious link. That variability makes any detection built on static URL indicators unreliable.
  • Checking the IP addresses users connect to is no better, because an attacker can trivially attach new IPs to a cloud-hosted server.
  • If a domain is flagged as malicious, the attacker only needs to register a new one, or take over a trusted domain by compromising a WordPress server. Attackers increasingly buy domains in bulk years in advance, expecting them to be burned eventually. At $10-$20 per domain, the cost is negligible next to the potential payoff.
  • Attackers can also serve different content depending on where the visitor comes from, so tools that follow a link to see where it lands may never be shown the phishing page at all.

Recent research into the NakedPages phishing kit showed the multi-step approach attackers take to hide the malicious site and disguise what it does:

  1. Using Cloudflare Workers to lend the site's domain legitimacy.
  2. Deploying Cloudflare Turnstile to keep bots and scanners off the site.
  3. Requiring specific URL parameters and headers before HTTP(S) requests are served.
  4. Requiring JavaScript execution to defeat static analysis tools.
  5. Redirecting to legitimate domains when those conditions are not met.
  6. Masking the HTTP Referer header so redirects are anonymous.
  7. Redirecting through a pool of URLs to keep malicious links alive.
  8. Evading simple login-page signatures.
  9. Targeting Microsoft work accounts exclusively, rather than personal accounts.

Countering AitM phishing effectively therefore calls for new detection methods.

Improving detection with the Pyramid of Pain

How can organizations deploy controls that identify and block a phishing site the first time it is used?

The key is to find indicators that are hard for the attacker to change. Security practitioners have long used the Pyramid of Pain to guide the design of defenses that stay effective as threats evolve.

Original Pyramid of Pain model, created by David Bianco.

Moving up the pyramid means keying detections to ever more fundamental aspects of an attack technique. Rather than specifics such as a snippet of malware code or a C2 destination, defenders should focus on what the malware is trying to achieve and the effect it has when it runs; detections built on those insights are far harder to evade.

The move from static code signatures and fuzzy hashes to real-time analysis of code behaviour on live systems is what drove the evolution of threat detection, typified by the way EDR displaced traditional antivirus with more advanced detection techniques.

Start from the steps every phishing attack has to get through to succeed:

  • Step 1: The victim has to visit a particular web page, so the attacker needs to get a link in front of them and have them follow it.
  • Step 2: The page has to convince the user that it is genuine and trustworthy, for instance by imitating a real site (or, with AitM, by relaying the real one).
  • Step 3: The user has to enter their real credentials into that page.

Only after that does the attacker get to hijack the session and work on persistence, as described earlier.

We have already seen that detections built on the first two steps are easy for attackers to evade, because the cues they rely on (URLs, IPs, domains, page content) are cheap to change.

For the attack to succeed, though, the victim must type their genuine credentials into the page. If you can stop the user from entering their real password, the attack fails.

So how do you stop a user from typing their password into a phishing page?

Using browser-based security controls

To build the kinds of controls that genuinely hurt attackers, we need a new place to detect and enforce, something comparable to EDR, but for identities.

There are clear reasons why the browser is the obvious candidate. In many ways the browser is the modern operating system: it is where most work now happens, the gateway to the web-based applications and services that employees use every day and that business processes depend on.

From a technical standpoint, the browser offers a significant advantage over other sources of identity attack data.

In the browser you can interact dynamically with the DOM, the rendered web application, and its JavaScript. That makes it straightforward to find, for example, the input fields for usernames and passwords, and to watch what the user is typing and where, without having to work out how the data is encoded and sent back to the application. Login fields are generic enough to be identified across your whole application estate without custom code for each app. That is ideal visibility for building detections around the single user action that matters: entering a password.

The browser is also a native enforcement point. You can collect and analyze data in real time and respond immediately, rather than shipping telemetry off for analysis and getting a detection back minutes or hours later (possibly followed by a manual response).

It is therefore entirely feasible to intercept the user at the critical moment, when a password is typed into an input field on a phishing page, and stop the attack before it lands.

Bringing detection and response into the browser therefore gives security teams a major advantage against identity attacks. The parallel with EDR is obvious: EDR emerged because the existing endpoint log sources and controls were not good enough. Today nobody would try to detect and respond to endpoint attacks without it, and it is time to start thinking about identity attacks and the browser the same way.

To learn more about how browser-based controls can stop identity attacks, read this blog post.

The video below shows the Evilginx and EvilnoVNC phishing toolkits in action, and how browser-based controls can detect and block them before the phishing attack completes.

To learn more about identity attacks and how to stop them, check out Push Security, whose browser-based agent you can try for free.

This is a contributed article from one of our partners.