CVE-2024-3400: PAN-OS Command Injection Vulnerability in GlobalProtect Gateway. Learn More

CVE-2024-3400: PAN-OS Command Injection Vulnerability in GlobalProtect Gateway. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Bypassing 2FA Authentication with Evilginx2

Due to the increasing number of cyberattacks, particularly zero days, organizations are scrambling to obtain the best security services available. While even the smallest organization might feel that implementing Two-Factor Authentication (2FA) will keep its data secure, a targeted attack from a nefarious threat actor could lure an employee into clicking and opening a malicious document.

In this blog, we will detail the steps of such an attack using the Adversary In The Middle (AITM) phishing attack method.

First, let's understand how an Adversary In The Middle (AITM, also known as Man In The Middle (MITM), phishing attack works.

This process involves sending an email specifically crafted for the victim. Once clicked and opened, the malicious email redirects the victim to a site that is identical to the application that the victim believes needs to be accessed. The web server used by the attacker is then used to proxy all the HTTP packets being sent to and from the target application server.

The phishing page acts as an AITM agent using two TLS sessions: One session connects to the victim, and the other session connects to the target server. Once the victim is connected to the server, the attacker can steal passwords and session cookies. Session cookies are provided to the user by the target webserver to show that it has an authenticated session and does not need reauthentication for every page it visits. The attacker then uses the stolen session cookie to replay the authenticated instance, thereby gaining access to the user's email account and bypassing any authentication processes, including 2FA.

19345_picture1 Figure 1: Flow of the attack

Microsoft has a blog which contains additional details about how this tactic was used in a Business Email Compromise (BEC) campaign this year.

For research purposes, let us look at how to perform this attack. In modeling this attack I used Evilgnx2, a framework designed for AITM attacks.

The Attack

First, a little social engineering. Create a domain capable of tricking the target into thinking they are on the correct website. For this research, I used miscrsoft.co. It’s low cost makes it easy for threat actors to purchase.

An external host to the Internet is required which will be configured with steps for the attack provided here: https://github.com/kgretzky/evilginx2

Next, type in the following commands to download and set evilginx2:

sudo apt-get -y install git make
git clone https://github.com/kgretzky/evilginx2.git
cd evilginx2
make
run using evilginx -p ./phishlets/ 

19346_picture2

Figure 2: Running Evilginx2

Now that Evilginx2 has been set, prepare the domain. Since we are targeting Outlook in this example, we need to add the appropriate A records.

I set Namesaver records and A records in my domain admin portal.

Nameserver records:

Ns1.miscrsoft.co ->  external_server_ip
Ns2.miscrsoft.co ->  external_server_ip 

A records:

account.miscrsoft.co -> external_server_ip
outlook.miscrsoft.co -> external_server_ip
login.miscrsoft.co -> external_server_ip

Both the Namesaver and A records can be changed, based on the applications being attacked.

Next, set up Phishlet for Outlook since this is the target in our research. Run the following commands on Evilginx2:

config domain miscrsoft.co
config ip external_server_ip 
phishlets hostname outlook miscrsoft.co
phishlets enable outlook
lures create outlook
lures get-url 0

After running the commands, all SSL certs should be set up, giving the attacker a fully functional phishing URL to be sent to the victim’s email.

This is how the URL will appear to the victim:

19347_picture3

Figure 3: Phishing website page

This page is identical to the legitimate website. The phishing page has an added secure connection so that the victim will not know it’s a phishing page.

Once the password is entered, the victim receives a prompt for 2FA.

19348_picture4 Figure 4: Prompt for 2FA

After 2FA credentials are entered, the user is sent to their valid Outlook inbox.

19349_picture5 Figure 5: The victim’s valid Outlook inbox.

The attacker has now captured the victim’s account, password, and session token in plaintext, all of which can be seen via Evilginx2.

19350_picture6 Figure 6: Captured username and password

19351_picture7 Figure 7: Account accessed

Using Cookie Editor, we can copy the session and paste it into a browser gaining access to the account without further authorization. 

Conclusion

As you can see, 2FA can be bypassed. However, with additional email security measures in place such attacks can be minimized or prevented. Organizations must implement stringent email security measures to hedge against phishing attacks. Restricting access to accounts, trusted devices and IPs, along with monitoring traffic and flagging malicious behavior can aid in preventing a successful phishing attack. Additionally, cybersecurity teams must monitor for anomalies such as sign-ins from different IP’s or locations to assist in preventing compromises.

It is important to note that this attack will not work on Universal 2nd Factor Authentication (U2F) implementation, due to hardware keys which verify the login URL and prevent 2FA tokens from being issued for malicious URLs. 

Latest SpiderLabs Blogs

CVE-2024-3400: PAN-OS Command Injection Vulnerability in GlobalProtect Gateway

Overview A command injection vulnerability has been discovered in the GlobalProtect feature within Palo Alto Networks PAN-OS software for specific versions that have distinct feature configurations...

Read More

CNAPP, CSPM, CIEM, CWPP – Oh My!

We all know the cybersecurity industry loves its acronyms, but just because this fact is widely known doesn’t mean everyone knows the story behind the alphabet soup groups of letters, we must deal...

Read More

Phishing Deception - Suspended Domains Reveal Malicious Payload for Latin American Region

Recently, we observed a phishing campaign targeting the Latin American region. The phishing email contained a ZIP file attachment that when extracted reveals an HTML file that leads to a malicious...

Read More