Tracking the proxy: a canary-based approach to locate users from Adversary-in-the-Middle Phishing

As we step through a busy season of ransomware, financial scams involving deepfakes, and sophisticated phishing campaigns, we continue to witness campaigns targeting enterprise users with Adversary-in-the-Middle (AiTM) attacks. As discussed in our previous blog post[1], AiTM leverages proxy-based toolkits such as Evilginx and EvilProxy. This technique has proven extremely effective, even in our red team assignments, in capturing credentials and authenticated sessions.

In this article, we explore a use case in Microsoft 365 in which a platform feature opens an opportunity to build a canary-based detection mechanism in an unconventional way. Inspired by the effectiveness of bug bounty programs in identifying vulnerabilities, this strategy aims to locate victims of AiTM attacks and mitigate the associated risks.

Understanding Adversary-in-the-Middle Attacks

Traditionally, in combating phishing and scams, our approach to protecting accounts in Microsoft 365 has revolved around the use of strong credentials and multi-factor authentication (MFA). These have proved mostly effective against password brute-forcing and credential harvesting with fake phishing sites. Coupled with newer solutions such as Microsoft Intune or other Mobile Device Management (MDM) applications, they have pushed threat actors to explore new ways of gaining access to their victims’ Microsoft 365 accounts.

AiTM has proven to be an extremely effective technique for cybercriminals. We have previously covered use cases observed in phishing campaigns targeting our clients in Hong Kong, Macau, and the wider region. Its effectiveness stems from the fact that, unlike traditional phishing techniques, AiTM captures both the victim’s password and a valid login session cookie, which is itself another form of valid credential. Threat actors have also explored new ways of using the compromised identities, not just to access confidential data from the victim’s mailbox, but also data files on OneDrive and SharePoint.

From a defender’s perspective, it is difficult to identify individuals who have fallen victim to this technique because, unlike traditional phishing, the victim is engaged in an interactive flow, supplying both credentials and any multi-factor authentication. The phishing site acts as an intermediary reverse proxy on the internet, completing the authentication on the victim’s behalf and capturing the material passing through it. The diagram below illustrates the complete flow of how a threat actor can compromise the victim’s account.

Figure 1: Typical compromise flow of an AiTM attack

In general, detecting a compromised user account requires heuristic approaches (e.g. Microsoft’s Risky IP Address or Impossible Travel detections) or detection of specific threat-actor activities (e.g. New-InboxRule). These are very effective in identifying anomalies in interactions with the mailbox and prompt additional investigation and mitigation. The downside, in our experience, is late detection: by the time the alert fires, the threat actor may already have taken actions or information with the victim’s account.

The Canary-Based Approach to Detection

For those experienced in cyber defense, canaries are a familiar tool for creating detection opportunities against specific behaviors. They act like tripwires or indicators that are designed to stand out in attack scenarios. A prime example is “honey accounts” in an Active Directory environment, where a failed attempt to log in to the decoy account should warrant immediate attention to identify the source of potentially malicious behavior in the environment.

How can we do the same in our M365 use case? Going back to the drawing board, the authentication process in both the normal and the AiTM attack scenario involves interaction with the official Azure login page. Earlier this year, security researchers at IronPeak identified a feature in Azure called “Company Branding” which can enable such a detection mechanism.

The reader can follow the original blog post here.[2]

Company Branding is a feature that allows Azure administrators to apply branding to their login page by setting company logos, brand colours, and more, including a customised Cascading Style Sheets (CSS) file. A user browsing the login page loads the corresponding components that reference the style sheet. It is then possible, by introducing a single-pixel web beacon as a CSS component, to capture the request the browser makes to the beacon, together with its referrer, and identify whether a user is falling victim to a phishing site.

Figure 2: Canary-based detection via CSS component

Setting up canary-URL for detecting AiTM

The section below outlines sample steps to configure a canary-based detection for AiTM attacks on the Microsoft 365 platform. It is based on the research conducted by the IronPeak team.

To begin, download a copy of the template CSS file available from Microsoft.[3] Add the custom canary URL reference to the CSS template and upload it to the sign-in page.

Figure 3: Addition of custom reference canary URL to CSS template

Access the “Company Branding” section of the Microsoft Entra admin center. Click “Edit” for the default sign-in page, or for the corresponding sign-in pages.

Figure 4: Edit Company Branding in Microsoft Entra admin center

Select the “Layout” tab and upload the customised CSS file under the “Custom CSS” section.

Figure 5: Add Custom CSS

The configuration takes effect for new logins to M365 at the login page (e.g. https://login.microsoftonline.com).

Figure 6: Sample implementation of custom reference canary URL via CSS template

With the canary hosted on a detection site, the web server can be configured to capture the full request, including header values such as the referrer (the HTTP “Referer” header). Note that the requested file does not need to exist; the web service only has to log the request. A sample set of logs is shown below.

47.39.x.x - - [03/Apr/2024:03:43:56 +0000] "GET /beacon.png HTTP/1.1" 404 197 "https://login.microsoftonline.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36" "3.03"

174.102.x.x - - [03/Apr/2024:03:47:30 +0000] "GET /beacon.png HTTP/1.1" 404 197 "https://totally-not-phishing.site/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36" "3.03"

185.240.x.x - - [03/Apr/2024:03:47:30 +0000] "GET /beacon.png HTTP/1.1" 404 197 "https://login.microsoftonline.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36" "3.03"

The key point here is that the canary URL is triggered as soon as the user keys in the email address, i.e. a log entry by itself does not indicate a successful session or a credential compromise. However, we can take steps to determine whether an AiTM attack has taken place:

  • Determine whether the URL in the “Referrer” field above exhibits the behavior of an AiTM phishing portal
  • Review the Microsoft 365 logs to identify the actual user behind the IP address
  • If a successful authentication matches the logs, we can determine that the user account has been compromised: perform the necessary mitigations, e.g. revoke sessions, reset credentials, clean up inbox rules, etc.

Faring against advanced phishing kits

While this canary URL is effective against open-source, proxy-based phishing frameworks (e.g. Evilginx), other phishing toolkits take a different approach to displaying content to the victim. One example is the more advanced Phishing-as-a-Service (PhaaS) platforms, such as “Caffeine” or “Tycoon 2FA”.

In our research, these phishing kits are well designed to hide from public scanners behind Cloudflare or other anti-DDoS pages. During the interaction, they also behave differently: they display pre-loaded components and styles copied from the official Microsoft 365 login pages to the user, while embedded JavaScript acts as the engine that talks to the Microsoft 365 authentication APIs. In other words, the victim is not interacting directly with the official Microsoft 365 login page, so the custom CSS file, and with it the canary URL, is never loaded.

An example of such a page is shown below.

Figure 7: Sample phishing site with pre-loaded components and styles, and embedded JavaScript

This looks like a bypass of the canary-URL detection, but not all hope is lost.

Since the canary URL collects data for every access to the official Microsoft 365 login page, the resulting data set can be compared against the Azure sign-in log. A successful sign-in with no corresponding canary request points to a client that never rendered the official page, so the analysis still allows isolation of IP addresses in the login records that security analysts should review further.
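As an added example that is not part of the original article, the Python below implements both the triage steps listed earlier (flag canary hits whose referrer is not the official login origin, then match them to sign-ins from the same IP) and the comparison against the sign-in log described in this section (successful sign-ins with no canary hit at all). It assumes the beacon is served as /beacon.png from a web server writing the combined log format, treats only login.microsoftonline.com as the legitimate origin, and uses constructed log lines and simplified, constructed sign-in records; none of these details come from the article.

```python
"""Correlate canary-URL (web beacon) hits with Microsoft 365 sign-in records.

Added example, not the article's own code. Assumptions: beacon served as
/beacon.png behind a web server using the combined log format; sign-in records
are simplified dicts (real Entra sign-in logs carry many more fields).
"""
import re
from datetime import datetime, timedelta, timezone

# Combined-log-format parser for lines like the article's sample.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Origins that legitimately embed the tenant's custom CSS (assumption: only the
# worldwide login endpoint named in the article).
OFFICIAL_ORIGINS = ("https://login.microsoftonline.com/",)

# Constructed log lines in the article's style; IPs are from documentation ranges.
BEACON_LOG = """\
203.0.113.10 - - [03/Apr/2024:03:43:56 +0000] "GET /beacon.png HTTP/1.1" 404 197 "https://login.microsoftonline.com/" "Mozilla/5.0" "3.03"
198.51.100.7 - - [03/Apr/2024:03:47:30 +0000] "GET /beacon.png HTTP/1.1" 404 197 "https://totally-not-phishing.site/" "Mozilla/5.0" "3.03"
203.0.113.22 - - [03/Apr/2024:03:50:02 +0000] "GET /beacon.png HTTP/1.1" 404 197 "" "Mozilla/5.0" "3.03"
"""

# Constructed, simplified sign-in records.
SIGN_INS = [
    {"upn": "alice@example.com", "ip": "203.0.113.10", "time": "2024-04-03T03:44:20Z", "success": True},
    {"upn": "bob@example.com",   "ip": "198.51.100.7", "time": "2024-04-03T03:48:05Z", "success": True},
    {"upn": "carol@example.com", "ip": "192.0.2.77",   "time": "2024-04-03T03:52:40Z", "success": True},
    {"upn": "dave@example.com",  "ip": "192.0.2.90",   "time": "2024-04-03T03:55:00Z", "success": False},
]


def parse_beacon_log(text):
    """Parse access-log lines into dicts with an aware datetime; skip malformed lines."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        hits.append({"ip": m.group("ip"), "time": ts, "referer": m.group("referer")})
    return hits


def suspicious_canary_hits(hits):
    """Hits whose referrer is neither the official login origin nor empty.

    A reverse-proxy kit serves the page from its own domain, so the browser
    reports that domain as the referrer. An empty referrer is inconclusive
    (referrer policy, privacy extensions) and is left for manual review.
    """
    return [h for h in hits
            if h["referer"] and not h["referer"].startswith(OFFICIAL_ORIGINS)]


def _parse_iso(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def likely_compromised(hits, sign_ins, window=timedelta(minutes=15)):
    """Third triage step: a successful sign-in from the same IP shortly after a
    canary hit with a phishing referrer. With a reverse proxy the sign-in may
    instead originate from the proxy's IP, so an analyst may also need to pivot on
    the timestamp; this example keeps the article's IP-based join."""
    out = []
    for h in suspicious_canary_hits(hits):
        for s in sign_ins:
            t = _parse_iso(s["time"])
            if s["success"] and s["ip"] == h["ip"] and h["time"] <= t <= h["time"] + window:
                out.append({"upn": s["upn"], "ip": s["ip"], "referer": h["referer"]})
    return out


def sign_ins_without_canary(hits, sign_ins, window=timedelta(minutes=15)):
    """Successful sign-ins with no canary request from the same IP in the preceding
    window: the client never rendered the official page and its custom CSS, which
    is how kits that replay pre-loaded components show up in the comparison."""
    out = []
    for s in sign_ins:
        if not s["success"]:
            continue
        t = _parse_iso(s["time"])
        seen = any(h["ip"] == s["ip"] and t - window <= h["time"] <= t for h in hits)
        if not seen:
            out.append({"upn": s["upn"], "ip": s["ip"], "time": s["time"]})
    return out


if __name__ == "__main__":
    hits = parse_beacon_log(BEACON_LOG)
    for r in likely_compromised(hits, SIGN_INS):
        print("COMPROMISED:", r)
    for r in sign_ins_without_canary(hits, SIGN_INS):
        print("REVIEW (no canary hit):", r)
```

Run against the constructed data, the first list names the account that signed in from the IP that loaded the beacon with a phishing referrer, and the second list isolates the sign-in whose source IP never requested the beacon at all, which is the set an analyst would review for PhaaS-style kits. The 15-minute window is an arbitrary tuning parameter; the appropriate value depends on how long your users typically take to complete a sign-in.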

Figure 8: Sample detection via canary-URL

Conclusion

In an era of increasingly sophisticated cyber threats, detecting AiTM attacks is of paramount importance. The canary-based approach presents a proactive strategy for identifying victims of AiTM attacks. By combining a dynamic canary URL with behavioural analysis, organisations can enhance their security posture and protect sensitive data from falling into the wrong hands.

The canary-based approach uses triggers to create new opportunities in attack detection. The canary URL above targets anomalies as early as the authentication process, reduces the time to detect an AiTM attack, and allows for prompt response and mitigation.

This technique has proven effective in combating phishing toolkits such as Evilginx. As cybercriminals up their game with additional Phishing-as-a-Service frameworks, we will continuously evaluate the limitations of our detection techniques and explore additional techniques or data-centric approaches to identify anomalies.

Further information

Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.

The 2024 Cyber Threat Landscape

2023 saw threat actors relentlessly innovating and specialising to remain sophisticated in speed and scale, through the use of automation intelligence, targeting of supply chains and managed service providers, and a shifted focus to identity-based attacks. As we ushered in the new year, we expected these threats to continue to drive the cyber threat landscape in 2024 as threat actors continuously seek to outmanoeuvre defenders. In this blog, we outline Dark Lab’s expectations of the most prevalent issues in 2024 and validate them with observations from the first quarter of incident response insights and threat intelligence investigations.

Ransomware continues to evolve as affiliates seek independence from RaaS groups, weaponize supply chains, and crowdsource efforts by specializing in tradecraft

Ransomware attacks have surged, with a 65% increase in compromised victim listings observed in 2023. There are multiple reasons for this increase, such as the rapid exploitation of new and known vulnerabilities, as well as managed service providers (MSPs) becoming prime targets because a compromised MSP enables downstream attacks on its clients. However, we have observed other factors such as affiliates branching out to craft their own trade through specialisation (e.g., leveraging crowdsourcing to procure credentials from Initial Access Brokers) and customisation of ransomware tools. This is likely compounded by law enforcement efforts to dismantle prominent RaaS operators, such as Hive[1] in early 2023 and more recently BlackCat[2] and LockBit[3].

In 1Q 2024, we responded to an incident involving the Mario ESXi ransomware strain. Consistent with other ransomware actors, the threat actor strategically targeted the victim’s backup systems to maximise damage and thereby increase their chances of receiving a ransom payment. We assessed that the threat actor may have been working with the RansomHouse Ransomware-as-a-Service (RaaS) group to publish leaked data as part of their double extortion tactics. However, we have observed that RansomHouse has collaborated with other opportunistic threat actors leveraging different strains of ransomware, such as 8BASE, BianLian, and White Rabbit. This specialisation allows smaller threat actors to devote their limited resources to developing custom malware strains, potentially based on leaked source code of larger RaaS groups. For example, Mario ransomware used leaked Babuk code to develop the .emario variant targeting ESXi and the .nmario variant targeting Network Attached Storage (NAS) devices.[4][5] We anticipate new, smaller RaaS groups in 2024, and a continued increase in ransomware attack volume.

Organisations must rethink how they define vulnerabilities as threat actors now leverage different “classes” to target their victims

Organisations have made efforts to mitigate the exploitation of Common Vulnerabilities and Exposures (CVEs) through timely patching and vulnerability management. However, opportunistic threat actors have adapted their attacks by targeting different “classes” of vulnerabilities, such as misconfigurations, exposed administrative portals, or unintended disclosure of sensitive information, rather than relying on phishing as the ticket of entry for their attack.

In early 2024, we responded to a Business Email Compromise (BEC) incident in which two “classes” of vulnerabilities were involved. First, the production web server had been misconfigured to expose its directory listing; that listing contained a configuration file (.env) with plain-text credentials for various email accounts. Second, those email accounts did not have multi-factor authentication (MFA) enabled, which allowed the threat actor to log in to Microsoft 365. Traditional penetration testing exercises may overlook these vulnerability “classes”, but threat actors have adapted their reconnaissance methods to identify these means of achieving initial access. It is crucial for organisations to rethink how they define vulnerabilities and consider any weakness that can be exploited by threat actors to gain access to their environment.

At the tail end of 1Q 2024, we observed a sophisticated supply chain attack unfold, as unknown threat actors attempted to inject malicious code into an open-source library.[6] Despite being assigned a Common Vulnerabilities and Exposures identifier, the “vulnerability” emphasises the heightened dependency on libraries and the associated supply chain risks. Not only should these vulnerability “classes” be expedited for remediation, but they should also be treated as cyber-attacks given the nature of the impact. As this vulnerability “class” cannot be addressed through preventive or detective measures, it is crucial that organisations develop proactive response plans to enhance their cyber-readiness against such attacks. This includes maintaining asset inventories and cooperating with DevSecOps to identify impacted systems and contain the incident through patching and subsequent threat hunting.

Prioritise resources on securing identity, as this is becoming the most valuable and targeted asset

While organisations strengthen their security defenses through measures like rapid vulnerability patching and MFA enablement, threat actors explore other means to bypass the heightened controls. For example, phishing attacks once focused solely on obtaining valid credentials such as a username and password. As MFA becomes more commonplace, threat actors have shifted to stealing valid, authenticated session cookies that prove the victim’s ongoing authenticated session with the website. Though adversary-in-the-middle (AiTM) has been observed since at least 2022[7], its adoption has been accelerating rapidly, compounded by the availability of Phishing-as-a-Service toolkits that lower the technical entry threshold for cybercriminals.

In 1Q 2024, we responded to two separate BEC incidents launched within days of each other against the same victim. While we were unable to confirm whether they were two separate campaigns, they both harboured similar characteristics of AiTM attacks, such as the use of rented infrastructure in abnormal geographies to conceal the true identity upon login; achieving persistence by manipulating inbox rules, deleting emails, and removing email notifications to hide suspicious actions; and impersonating the user as a trusted party to execute fraudulent transactions with internal users and external parties. This demonstrates the need to adopt a more robust security baseline to secure identities, including managing devices against a compliance profile together with innovative means to detect AiTM attacks. Please look out for our upcoming blog post, which will elaborate on the latest BEC incidents as well as our proprietary approach to detecting and responding to AiTM attacks.

Artificial Intelligence (AI) is the new hype which both attackers and defenders are looking to weaponize

The emergence of AI has led to a significant wave of interest in how it can be leveraged in cybersecurity. From a threat actor’s perspective, we have observed since mid-2023 and throughout 1Q 2024 the use of AI in the form of “automation intelligence” to reduce the time to weaponize certain “classes” of vulnerabilities. For example, we have observed through our threat intelligence investigations that threat actors are rapidly generating new social media profiles to target unsuspecting victims. While their motivation and capabilities are unclear, it is evident that they are exploring and fine-tuning their standard operating procedures, judging by operational security errors (e.g., use of a male pronoun for a LinkedIn profile with a female picture, likely generated by AI). In other reports, we have observed that deepfakes have been utilized for financial gain, with one Hong Kong-based incident involving a digitally recreated version of the company’s chief financial officer ordering money transfers in a video conference call.[8] It is likely that AI will be further adapted and misused for various motivations.

This is a call for cyber defenders to explore how to weaponize AI to keep pace with threat actors. Machine learning techniques allow AI-embedded solutions to adapt to an organisation’s environment and distinguish between normal and anomalous behavioural activity. AI also has the potential to identify abnormal activity by regular users, indicating potential impersonation attempts or credential abuse, addressing the threat of identity-based attacks. Additionally, AI is employed in investigating and responding to incidents, as seen in solutions like Microsoft Copilot for Security, which uses generative AI to heighten the efficiency and capabilities of defenders. It is expected that AI will continue to uplift cybersecurity professionals by automating repetitive tasks, conducting analysis, proactively identifying threats, and accelerating knowledge acquisition.

Recommendations to Secure Your 2024

Whilst there is no telling for certain how the rest of 2024 will unfold, our 2023 experiences taught us invaluable lessons on how organisations can continue to harden their cyber security posture to adapt to the ever-evolving cyber threat landscape.

  • Continuously monitor and minimise your attack surface to proactively identify and rectify potential security weaknesses that may expose you to external threats, and improve situational awareness to prioritise improvement areas in your cyber defense strategy.
    • Regularly review your asset inventory, ensuring Internet-facing applications, exposed administrative ports, and non-production servers are intended to be publicly accessible, are appropriately configured and segmented from your internal network, and prioritised in your vulnerability and patch management process.
    • Conduct dark web monitoring, social media listening, and young domain monitoring to identify mentions or impersonation attempts of your organisation that may indicate potential intent, opportunity, or active targeting against your organisation.
    • Leverage a bug bounty program to crowdsource the expertise of ethical hackers to identify otherwise unknown vulnerabilities and security weaknesses that could otherwise expose you to potential exploitation by malicious actors.
  • Protect identities through a layered defense strategy to prevent and detect unauthorised access, impersonation, or misuse of personal information.
    • Govern and apply appropriate access controls and permissions following the principle of least privilege for all users, ensuring access is conditional and restricted only to the resources necessary to perform their job functions. This includes implementing strong authentication mechanisms such as multi-factor authentication (MFA), role-based access controls (RBAC), and continuous monitoring of user activities to detect any suspicious behaviour.
    • Establish behavioural-based detection for user activity to monitor for anomalies, tuning rules to expire tokens and disable sign ins when suspicious behaviour is detected.
    • Prioritise the protection of privileged accounts by implementing strong privileged access management (PAM) controls, such as privileged identity and session management, regular credential rotation, and monitoring of privileged user activities, to mitigate the risk of unauthorised access and potential misuse of high-level privileges.
  • Adopt a zero trust strategy, enforcing authentication and authorisation at every access point, regardless of whether it is within or outside the organisation’s network perimeter.
    • Unify and consolidate applications to streamline access controls and reduce potential attack surfaces by eliminating unnecessary or redundant applications, minimising the complexity of managing access policies, and ensuring consistent security measures across the application landscape.
    • Implement and enforce a compliance profile across your managed devices, whether they are corporate-provisioned or bring-your-own-device (BYOD).
    • Secure DevOps environments through the implementation of zero trust principles, ensuring cybersecurity is considered at the forefront of innovation and implementation of new technologies. Ensure appropriate training is provided to DevOps professionals to build and implement securely.
    • Consider the long-term goal of transforming your security architecture to follow the Secure Access Service Edge (SASE) framework to enable a flexible, scalable, more secure approach to your network security strategy.
  • Manage supply chain risks posed by third- and fourth-party vendors through robust vendor risk management and ongoing monitoring.
    • Conduct thorough due diligence before engaging with a third-party vendor or partner. Perform comprehensive due diligence to assess their security practices, including their vulnerability management processes, security controls, and incident response capabilities, to ensure they align with your organisation’s risk tolerance.
    • Implement a robust vendor management program that includes regular assessments, audits, and contractual agreements that define security requirements and expectations. This program should also outline the responsibilities of both parties regarding vulnerability management, incident reporting, and remediation timelines.
    • Continuously monitor third-party systems and conduct regular vulnerability assessments to identify potential weaknesses. This includes scanning for vulnerabilities, tracking patch management, and engaging in ongoing dialogue with vendors to address any identified vulnerabilities in a timely manner and mitigate supply chain risks.
