NZ Incident Response Bulletin - May 2024

The May edition of the NZ Incident Response Bulletin was published today. The bulletin is a monthly high-level executive summary containing some of the most important news articles that have been published on Forensic and Cyber Security matters during the last month. Each Bulletin also includes a section of our own content, based on a trending theme, this month's being “Business Email Compromise - Threat actors leveraging MFA bypass”.

Each article contains a brief summary and where appropriate, a linked reference on the web for detailed information.

We'll give you a brief summary of each article, and a link to more information. Why do we publish this bulletin? Because we want to keep you up to date with the latest Forensic and Cyber Security news, so that you aren't caught by surprise - and you'll know about risks and changes before they become problems.

Our Views:

Over the last nine months, we have seen a notable increase in large-scale Adversary in the Middle (AiTM) phishing and Business Email Compromise (BEC) attacks targeting organisations. In many cases, Multi-Factor Authentication (MFA) was in place and it appears that attackers were able to bypass these defences.

A Brief Overview of Adversary-in-the-Middle (AiTM) Attacks

AiTM attacks are characterised by their active engagement, going beyond passive eavesdropping to actively manipulate data and communications. This makes them a potent threat in the cybersecurity landscape. The concept of AiTM attacks is rooted in the historical development of Man-in-the-Middle (MitM) attacks, which originally emerged as a means of intercepting communications between two parties. Today, AiTM attacks have evolved to become highly sophisticated and malicious. They can manifest in various forms, including: Credential Harvesting, Data Manipulation, Phishing and Malware Delivery.

Phishing

Social engineering plays a crucial role in the effectiveness of phishing attacks. For instance, cybercriminals often use legitimate credentials and personally identifiable information (PII) from previous breaches to impersonate employees convincingly. They deploy various social engineering tactics to manipulate IT service desk personnel into resetting passwords, disabling multi-factor authentication (MFA), or registering new devices to specific accounts. This strategy is particularly effective against employees with privileged access, who are often identified through basic searches on platforms like LinkedIn. These techniques significantly increase the likelihood of the initial phishing email being clicked on, leading to successful breaches. A number of phishing-as-a-service toolkits (e.g. Evilginx2) have become prominent; these are the tools used to create phishing pages that mimic reputable services in order to capture credentials, tokens and session cookies.

How AiTM phishing works

AiTM (Adversary in The Middle) phishing is a type of cyberattack where a hacker tricks a user into thinking they are logging into a legitimate website, when they are actually interacting with a fake site controlled by the hacker. Here’s a simple breakdown of how it happens:

  • Why Session Cookies Matter: Imagine logging into a website and getting a special pass that tells the website you are already logged in, so you don’t have to enter your password on every page. This "pass" is what we call a session cookie.
  • Creating a Convincing Fake Site: The hacker sets up a fake website that looks just like the real one you intend to visit. This fake site is a trick; it’s set up to intercept and pass along all the information you try to send to the real site.
  • How the Trick Works: When you enter your login details on the fake site, the hacker’s site sends your information to the real site behind the scenes. This makes everything look normal to you, as you can still see your account and do things as if nothing is wrong.
  • Stealing the "Pass": As you log in, the fake site steals the session cookie—the "pass" that proves you are logged in. With this cookie, the hacker can get into your account on the real site without needing your password.
  • Taking Control: Once the hacker has your session cookie, they can access your account, read your messages, make purchases, or do anything that you could do, even if you have extra security like two-factor authentication.

This attack is particularly sneaky because it’s hard to notice and can bypass extra security measures. It highlights why it's important to check the URL in your browser's address bar before logging into any site to make sure it's the legitimate one.

Defending against AiTM phishing and BEC

The rise of AiTM (Adversary in The Middle) phishing campaigns underscores the adaptive nature of cyber threats in response to the security defences organisations put in place. Despite AiTM's ability to sidestep Multi-Factor Authentication (MFA), it's important to recognise that MFA remains a critical component of identity security. MFA's effectiveness is so notable that it has prompted the evolution of sophisticated phishing techniques like AiTM. To bolster defences against such advanced threats, organisations can adopt several strategies:

  • Implement Phishing-Resistant MFA: Utilising solutions that support Fast IDentity Online 2 (FIDO2) and certificate-based authentication can create a more secure authentication environment that is resistant to phishing.
  • Enable Conditional Access Policies: These policies are crucial because they are evaluated each time a session is presented, including when an attacker tries to use a stolen session cookie. By enforcing policies that accept only compliant devices or trusted IP addresses, organisations can mitigate the risk posed by stolen credentials.
  • Deploy Advanced Anti-Phishing Solutions: Investing in technologies that monitor and evaluate the security of incoming emails and the websites users visit can help prevent phishing attacks. Enhanced browser security features that identify and block malicious websites are particularly effective.
  • Continuous Monitoring for Suspicious Activities: Vigilance is key in cybersecurity. Monitoring for signs of unusual activities, such as odd sign-in attempts (from unexpected locations or devices) or strange mailbox activities (like creating suspicious inbox rules), can help identify and mitigate potential breaches early.
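As an added example (not the bulletin's own content), the monitoring signals in the last point applied as a small triage script over constructed audit events: a sign-in that changes country shortly after a known-good one or comes from a non-compliant device, and inbox rules that hide or forward mail. The event layout, tenant domain and user names are invented for illustration and do not follow any vendor's log schema.

```python
# Added example, not the bulletin's code: the event field names below are an invented layout.
ORG_DOMAIN = "example.co.nz"                                # constructed tenant domain
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "deleted items"}
BEC_WORDS = {"invoice", "payment", "remittance", "bank", "password", "mfa"}

def check_signin(previous, current, max_gap=3600):
    """Flag a new country within max_gap seconds of a known-good sign-in, or a non-compliant device."""
    reasons = []
    if previous and current["ts"] - previous["ts"] <= max_gap and current["country"] != previous["country"]:
        reasons.append(f"country changed {previous['country']}->{current['country']} within {max_gap}s")
    if not current["compliant"]:
        reasons.append("device not compliant or unknown")
    return reasons

def check_rule(rule):
    """Flag inbox rules that hide or exfiltrate mail, the follow-on step seen in BEC cases."""
    reasons, actions, conds = [], rule["actions"], rule["conditions"]
    fwd = actions.get("forward_to", "")
    if fwd and not fwd.lower().endswith("@" + ORG_DOMAIN):
        reasons.append(f"forwards externally to {fwd}")
    if actions.get("move_to", "").lower() in HIDE_FOLDERS or actions.get("delete"):
        reasons.append("moves or deletes matching mail out of sight")
    if BEC_WORDS & {w.lower() for w in conds.get("subject_contains", [])}:
        reasons.append("matches finance/credential keywords")
    return reasons

def triage(events):
    findings, last_signin = {}, {}                          # events may arrive in any order
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "signin":
            reasons = check_signin(last_signin.get(ev["user"]), ev)
            last_signin[ev["user"]] = ev
        else:
            reasons = check_rule(ev)
        for r in reasons:
            findings.setdefault(ev["user"], []).append(f"{ev['type']}@{ev['ts']}: {r}")
    return findings

# Constructed feed: kiri's session is replayed from abroad and a hiding rule follows; tane's rule is benign.
EVENTS = [
    {"user": "kiri@example.co.nz", "type": "signin", "ts": 1000, "country": "NZ", "compliant": True},
    {"user": "kiri@example.co.nz", "type": "signin", "ts": 1900, "country": "NG", "compliant": False},
    {"user": "kiri@example.co.nz", "type": "inbox_rule", "ts": 1950, "name": ".", "actions": {"move_to": "RSS Feeds", "mark_read": True}, "conditions": {"subject_contains": ["Invoice", "payment"]}},
    {"user": "tane@example.co.nz", "type": "signin", "ts": 1200, "country": "NZ", "compliant": True},
    {"user": "tane@example.co.nz", "type": "inbox_rule", "ts": 1300, "name": "Newsletters", "actions": {"move_to": "Reading"}, "conditions": {"from": ["news@example.com"]}},
]

if __name__ == "__main__":
    for user, items in triage(EVENTS).items():
        print(user, *items, sep="\n  ")
```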

The Bulletin:

To obtain a full copy of the Bulletin, please visit https://incidentresponse.co.nz/bulletin
