Attackers are increasingly using new phishing toolkits (open-source, commercial and criminal) to carry out adversary-in-the-middle (AitM) attacks.
AitM lets an attacker not only harvest credentials but also hijack the live session, which bypasses the usual anti-phishing controls such as MFA, EDR and email content filtering.
In this post we look at what AitM phishing is, how it works, and what organizations need to do to detect and stop these attacks effectively.
What is AitM phishing?
AitM phishing is a technique that uses dedicated tooling to sit between the target and the genuine login page of an application.
Because the tool proxies the real application, the page looks exactly as the user expects: they really are signing in to the legitimate site, just with the attacker's server in the path. When the user opens their webmail they see their real emails; when they open their cloud file store they see their real files, and so on.
This gives AitM a much stronger air of legitimacy and makes the compromise harder for the user to notice. But since the attacker sits in the middle of the connection, they can observe everything that passes through it and take over the authenticated session to gain control of the account.
This access is in principle temporary (the attacker cannot re-authenticate if prompted), but in practice authenticated sessions often last around 30 days or longer if they are kept active. Attackers also have a range of persistence techniques to keep some level of access to the user account and/or the target application indefinitely.
How do AitM toolkits operate?
Let's look at the two main ways AitM phishing is carried out: reverse web proxies (conventional AitM) and Browser-in-the-Middle (BitM). The two fundamental variants of AitM toolkit are:
Reverse web proxy:
This is arguably the most scalable and reliable approach from the attacker's point of view. When a victim visits the malicious domain, HTTP requests are relayed between the victim's browser and the real site via the malicious one: on receiving a request, the malicious site forwards it to the genuine site it impersonates, gets the response and passes it back to the victim.
Open-source tools that use this approach include Modlishka, Muraena and the perennially popular Evilginx. Comparable private toolkits exist in the criminal ecosystem and have been used in many breaches.
BitM:
Rather than acting as a reverse web proxy, this method tricks the target into remotely driving the attacker's browser via desktop screen-sharing and remote-control technologies such as VNC and RDP. The attacker thereby obtains not just the username and password but every other secret and token associated with the login.
Here the victim is not interacting with a cloned site or a proxy at all. They are, without realising it, remotely controlling the attacker's browser and using it to sign in to the legitimate application. It is the equivalent of an attacker handing their laptop to the victim, asking them to log in to Okta, and taking the laptop back afterwards. Thank you very much!
In practice the usual way to implement this is the open-source project noVNC, a JavaScript VNC client that runs inside the browser. One of the best-known offensive tools built on it is EvilnoVNC, which spins up Docker instances of VNC, brokers access to them, and logs keystrokes and cookies to enable account takeover.
For deeper insights on SaaS-native attack strategies, explore this blog post.
Phishing is not a new phenomenon – so what has evolved?
Phishing is one of the oldest cybersecurity problems organizations face; some form of identity/phishing attack has been the leading attack vector since at least 2013. But both the capabilities of phishing toolkits and their role in modern attacks have changed substantially.
As noted above, AitM toolkits are primarily a way for attackers to bypass controls such as MFA and take over workforce identities, which in turn gives them access to the wide range of business apps and services used over the internet.
The reality is that we are in a new era of cybersecurity in which identity is the new perimeter. Identities are now the most attractive targets for attackers looking for a way into a prospective victim.
[Figure: The digital perimeter for organizations has shifted as business IT has moved away from centralized networks to web-based services and applications.]
That attackers are investing in developing and commercializing sophisticated phishing toolkits is a strong signal of the opportunity identity attacks represent. The data bears this out:
- 80% of present-day attacks involve identity and compromised credentials (CrowdStrike).
- 79% of web application compromises resulted from breached credentials (Verizon).
- In 2023, 75% of breaches occurred without malware, while attacks with a “cloud-aware” approach surged by 110% (CrowdStrike).
Recent high-profile breaches also show how attractive employee identities are as a gateway to web-based corporate applications. The Snowflake breach, one of the largest on record, is the clearest example.
Threat actors now have many ways to cause serious damage with far less effort than before. Targeting an application such as Snowflake for data exfiltration, for example, involves a much shorter kill chain than a traditional network-focused attack. And as Single Sign-On (SSO) solutions such as Okta become more common, a single identity compromise can quickly spread across many applications and accounts, widening the blast radius. This is why vigilance against identity-based attacks such as AitM phishing matters: conventional endpoint and network defenses may not be enough.
In this landscape an attack no longer has to cross a conventional boundary, because most of the data and functionality attackers want is already on the internet. The result is a growing number of attacks on Software-as-a-Service (SaaS) applications in which the whole attack chain runs outside the customer's network, never touching traditional endpoints or network controls.
AitM phishing tools are effectively the identity equivalent of a C2 framework. On the endpoint and network side, toolkits such as Metasploit and Cobalt Strike have increasingly emphasized post-exploitation and automation to enable more sophisticated compromises; the same trend is already visible in tools such as Evilginx integrating with GoPhish to automate and orchestrate phishing campaigns.
Adversaries are circumventing existing defenses effortlessly
Existing anti-phishing solutions have mostly focused on protecting the email inbox, a common (though not the only) delivery vector, and on blocking lists of known malicious domains.
That phishing remains so prevalent despite these efforts shows how inadequate such methods have proven.
The main defense against phishing is blocking known malicious URLs, IP addresses and domain names. The fundamental limitation is that for defenders to classify something as malicious, it must first have been seen in an attack. And when does that happen? Only after a real attack has taken place, so someone always has to be the victim, and defenders are perpetually behind the attacker.
And even once identified, attackers can easily rotate or obscure these indicators:
- Scanning emails for known malicious URLs is possible, but the URLs change with every campaign. Modern attacks customize the email and link for each target, and may use URL shorteners or bury the link in a document to evade detection. This is analogous to changing a malware hash: trivial to do, which makes URLs an unreliable detection signal.
- Checking the IP address a user connects to used to be viable, but attackers can now add new IPs to cloud-hosted servers effortlessly.
- If a domain is flagged as malicious, attackers can register new ones or compromise trusted domains, such as WordPress servers. This is widespread: attackers stockpile domains years in advance to keep a steady supply of reputable-looking domains, and are happy to spend $10-$20 per domain given the potential payoff.
- Attackers can also serve different content depending on where the visitor comes from, which defeats detection tools that try to follow the redirection chain.
A recent study of the NakedPages phishing kit, for example, described nine distinct techniques used to hide the phishing site and conceal its malicious behavior:
- Utilizing Cloudflare Workers to present the site with a legitimate domain.
- Applying Cloudflare Turnstile to block bot access to the site.
- Requiring specific URL parameters and headers for proper HTTP(S) requests.
- Mandating JavaScript execution to evade static analysis tools.
- Automatically redirecting to trusted domains if conditions aren’t met.
- Masking the HTTP referer header to anonymously redirect traffic.
- Redirecting to a pool of URLs to sustain malicious links.
- Defeating basic login page signatures.
- Targeting Microsoft work accounts exclusively, ignoring personal accounts.
A different approach is therefore needed to detect AitM phishing sites before victims are caught.
Enhancing detection capabilities using the Pyramid of Pain
So, how can organizations develop defenses capable of identifying and blocking phishing sites upon initial usage?
The answer is to find indicators that are harder for attackers to change. For over a decade security teams have used the Pyramid of Pain to guide them towards such resilient detections.
[Figure: Original Pyramid of Pain model, designed by David Bianco.]
Moving up the Pyramid means detecting on increasingly general aspects of an attack technique. The focus therefore shifts away from specifics such as a particular malware sample's code or its communication endpoints and towards what the malware does, or what effect it has, when it runs, since those traits are far more broadly observable and useful to defenders.
This move from static code signatures and fuzzy hashes to dynamic analysis of malware behavior on live systems is exactly why Endpoint Detection and Response (EDR) superseded traditional antivirus a decade ago, and it demonstrates the value of pushing detection up the Pyramid.
A sensible starting point is to look at the conditions that must hold for a phishing attack to succeed:
- Phase 1: Getting the victim to visit a specific website.
- Phase 2: Making sure the website can deliver a malicious payload or steal credentials.
- Phase 3: Masking the malicious behavior to evade detection.
- Phase 4: Carrying out the attack without triggering security controls.
Throughout, the user has to be deceived or persuaded into believing the site is genuine and trustworthy, for example by imitating a legitimate website.
We have already seen that attackers can easily evade detection based on the first two phases by changing those indicators.
For a phishing attempt to succeed, though, the target has to enter their real credentials on the page. If the user never enters their real password, the attack fails.
But how do you stop a user from submitting their password on a phishing site?
Utilizing security features within the browser
Building controls that genuinely hurt attackers requires a new platform for detection and enforcement, in effect an EDR for identities.
There are strong reasons to make the browser that platform. The browser has in many respects become the new operating system: it is where modern work happens and the main gateway to the web-based applications and services employees use every day and the business depends on.
Technically, the browser also beats other sources of identity telemetry:
[Figure: The browser has a significant edge over other identity attack data sources.]
In the browser you can interact dynamically with the DOM, i.e. the rendered web application including its JavaScript. This makes it straightforward to identify username and password input fields and to observe where and what the user types, without having to work out how the data is encoded and sent back to the application. These fields are fairly standard and can be recognized across your whole application estate without elaborate custom code, which makes the browser an excellent vantage point for detections based on user behavior at the moment a password is entered.
The browser is also a natural enforcement point. Data can be collected and evaluated in real time and acted on immediately, rather than being shipped off, analyzed, and turned into a detection minutes or hours later (which may then require manual intervention).
It is therefore entirely feasible to intercept the user at the critical moment, when a password is typed into an input field on a phishing page, and stop the attack before it completes.
Bringing detection and response into the browser to counter identity attacks is thus hugely valuable for security teams. There is a clear parallel with the rise of EDR, which was a response to the inadequacy of existing endpoint logging and controls. Today nobody would try to detect and respond to endpoint attacks without EDR; it is time to think about identity threats and the browser in the same way.
Watch the video below for a live demonstration of the Evilginx and EvilnoVNC phishing kits in action, and of how browser-based security controls can detect and block them before the phish completes.
If you want to learn more about identity attacks and how to stop them, check out Push Security and try their browser-based agent for free!