Phishing Kits MFA Bypass

Summary: Researchers have observed a growing number of phishing kits built to steal session tokens through man-in-the-middle (MITM) attacks, in which the kit proxies the real login page between the victim and the legitimate site. The trend tracks the wider adoption of multifactor authentication (MFA) across businesses: as MFA has become common, kits that sidestep it have multiplied.

MFA increases the security of an account by requiring more than one authentication method. The factors are commonly described as something you know (a password), something you have (a token or phone) and something you are (a biometric). Proving two or more of them makes it much harder for an attacker who holds only a stolen password to get in. However, once a user has authenticated, the application keeps track of the logged-in state with a session cookie. These kits therefore do not need to possess any of the user's factors: the victim completes the real MFA challenge through the attacker's proxy, the proxy captures the session cookie the site issues in response, and the attacker replays that cookie to impersonate the user for as long as the session stays valid.

Why it matters: 

User credentials need to be protected at every step. MFA was adopted so that accounts stay secure even after a credential leak. By targeting the session rather than the factors, these kits bypass that protection without breaking it: a stolen session cookie lets the attacker reuse an already-authenticated session without ever presenting a second factor. This maps to the OWASP Top 10 category Identification and Authentication Failures. Defenses that do not depend on the second factor matter here: short session lifetimes, re-authentication before sensitive actions, alerting when a session is used from a network location or client that differs from the one that established it, and phishing-resistant factors such as FIDO2/WebAuthn security keys, which bind the authentication to the legitimate site's origin so that a proxy on a look-alike domain cannot complete the login.
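The detection side of the bypass described above, as an added example that is not part of the original newsletter or of any vendor product. It runs two checks over constructed identity-provider log lines: an MFA-satisfied login from a source address the user has never used (with a proxy kit the login really arrives from the proxy, so the second factor passing proves nothing), and a session cookie later used from a different address and a different client than the login that issued it. The log format, the field names and the baseline of known addresses are all assumptions made for the example.

```python
import json

# Constructed sample log (not from any real product). alice's MFA login arrives
# from 198.51.100.77, an address she has never used, because a phishing kit is
# proxying her browser's traffic to the identity provider. The captured cookie
# "s1" is then replayed by the attacker's tooling from a second address with a
# non-browser user agent. bob's activity is normal.
SAMPLE_LOG = """
{"ts": "2022-02-14T09:00:05Z", "event": "login_success", "user": "alice", "mfa": true, "session": "s1", "src_ip": "198.51.100.77", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/98.0"}
{"ts": "2022-02-14T09:00:40Z", "event": "request", "user": "alice", "session": "s1", "src_ip": "198.51.100.77", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/98.0", "path": "/mail"}
{"ts": "2022-02-14T09:03:12Z", "event": "request", "user": "alice", "session": "s1", "src_ip": "198.51.100.78", "ua": "python-requests/2.27.1", "path": "/mail/rules"}
{"ts": "2022-02-14T09:05:00Z", "event": "login_success", "user": "bob", "mfa": true, "session": "s2", "src_ip": "192.0.2.5", "ua": "Mozilla/5.0 (Macintosh) Safari/605.1"}
{"ts": "2022-02-14T09:06:30Z", "event": "request", "user": "bob", "session": "s2", "src_ip": "192.0.2.5", "ua": "Mozilla/5.0 (Macintosh) Safari/605.1", "path": "/files"}
"""

# Constructed baseline: source addresses each user has logged in from before.
KNOWN_SOURCES = {"alice": {"203.0.113.10"}, "bob": {"192.0.2.5"}}


def parse_log(text):
    """One JSON object per line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def find_aitm_indicators(events, known_sources):
    """Return findings for two signals of a proxied login and a replayed cookie.

    1. An MFA-satisfied login from a source address outside the user's baseline.
       With a man-in-the-middle kit the login really comes from the proxy, so
       this is the primary signal even though the second factor checked out.
    2. A session cookie later used from a different source address *and* a
       different user agent than the login that issued it. Both changing at
       once is the fingerprint of a replayed cookie; an address change alone
       is common (mobile roaming) and would be too noisy on its own.
    """
    issued = {}   # session id -> (src_ip, ua, user) recorded at login
    findings = []
    for ev in events:
        sid = ev.get("session")
        if ev["event"] == "login_success":
            issued[sid] = (ev["src_ip"], ev["ua"], ev["user"])
            if ev.get("mfa") and ev["src_ip"] not in known_sources.get(ev["user"], set()):
                findings.append({"type": "mfa_login_from_unknown_source",
                                 "user": ev["user"], "session": sid,
                                 "ts": ev["ts"], "src_ip": ev["src_ip"]})
        elif ev["event"] == "request" and sid in issued:
            ip0, ua0, user = issued[sid]
            if ev["src_ip"] != ip0 and ev["ua"] != ua0:
                findings.append({"type": "session_reused_from_new_client",
                                 "user": user, "session": sid, "ts": ev["ts"],
                                 "issued_from": ip0, "used_from": ev["src_ip"],
                                 "used_ua": ev["ua"], "path": ev["path"]})
    return findings


if __name__ == "__main__":
    for f in find_aitm_indicators(parse_log(SAMPLE_LOG), KNOWN_SOURCES):
        print(f["type"], f["user"], f["session"], f["ts"])
```

A kit can forward the victim's real user agent and replay the cookie from the same host it proxied through, which silences the second check; the baseline comparison on the login itself is the one to rely on, and it gets sharper when the source address is enriched with ASN or hosting-provider data.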

Malicious PowerPoint Add-on

Summary: Attackers have recently been observed using PowerPoint add-in (.ppam) files to wrap malicious executables. The emails are a phishing campaign that entices users to download a file presented as, for example, a purchase order. The attachment is a .ppam file, the PowerPoint add-in format used to extend the application with macros and custom features. The file wraps malicious code that overwrites registry settings, installs unauthorized programs and spawns new processes.

Phishing is a common threat actor technique for harvesting user credentials or delivering malware through a seemingly legitimate source such as an email or a web page. Phishing emails are commonly filtered out; however, according to Avanan, the lesser-known .ppam extension has evaded those filters. The social-engineering lure is therefore more likely to reach users and trick them into opening its malicious content.

Why it matters: Phishing is a common attack by malicious actors. Phishing campaigns normally follow a pattern, such as a sense of urgency designed to make users open the attachment. Opening such a file can give the attacker access to the user's computer. This campaign's use of the lesser-known .ppam format is meant to slip past email scanners, which fits the OWASP Top 10 risk of Insecure Design: an attachment policy that blocks the familiar macro-enabled formats while allowing add-in files through is a design gap. Any allow-list for attachments therefore needs to cover every Office format that can carry macros or embedded executables, and scanners should inspect the file's contents rather than trust its extension. Malicious files can include ransomware, as seen when a .ppam file was used in an attack in October 2021.
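A content check of the kind a mail gateway can apply to attachments like the one above, as an added example that is not from the newsletter or from Avanan. Office add-ins and documents in the modern formats are zip containers, so the check opens the archive and looks for a VBA project, a macro-enabled main part in [Content_Types].xml and embedded binary objects, and quarantines on either extension or content so that a renamed .ppam is still caught. The two sample files are built in memory and are not real Office documents; the list of extensions and the quarantine rule are assumptions for the example.

```python
import io
import zipfile

# Add-in and other macro-enabled Office extensions a mail gateway should treat
# like executables (.ppam is the add-in format used in the campaign above).
MACRO_ENABLED_EXTS = {".ppam", ".pptm", ".ppsm", ".potm", ".docm", ".dotm",
                      ".xlsm", ".xlam", ".xltm"}


def inspect_office_archive(data):
    """Inspect an OOXML container (a zip) without opening it in Office.

    Reports whether it carries a VBA project, declares a macro-enabled main
    part in [Content_Types].xml, or holds embedded binary objects (the usual
    place for a wrapped .exe). Non-zip input is reported as such.
    """
    result = {"is_zip": False, "vba_project": False,
              "macro_enabled_type": False, "embedded_objects": []}
    if not data.startswith(b"PK\x03\x04"):
        return result
    result["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        result["vba_project"] = any(n.endswith("vbaProject.bin") for n in names)
        result["embedded_objects"] = [n for n in names if "/embeddings/" in n]
        if "[Content_Types].xml" in names:
            types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            result["macro_enabled_type"] = "macroEnabled" in types_xml
    return result


def should_quarantine(filename, data):
    """Quarantine on extension OR content: a renamed .ppam is still a .ppam."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    r = inspect_office_archive(data)
    return (ext in MACRO_ENABLED_EXTS or r["vba_project"]
            or r["macro_enabled_type"] or bool(r["embedded_objects"]))


def build_sample(content_type, extra_parts):
    """Build a constructed OOXML-like zip in memory (not a real Office file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types><Override PartName="/ppt/presentation.xml" '
                    'ContentType="%s"/></Types>' % content_type)
        for name, payload in extra_parts.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: a fake add-in carrying a VBA project and an embedded
# binary, and a plain presentation with neither.
MALICIOUS_PPAM = build_sample(
    "application/vnd.ms-powerpoint.addin.macroEnabled.main+xml",
    {"ppt/vbaProject.bin": b"\xd0\xcf\x11\xe0fake-vba",
     "ppt/embeddings/oleObject1.bin": b"MZfake-exe"})
BENIGN_PPTX = build_sample(
    "application/vnd.openxmlformats-officedocument.presentationml.presentation.main+xml",
    {"ppt/slides/slide1.xml": b"<p:sld/>"})

if __name__ == "__main__":
    print("invoice.ppam ->", should_quarantine("invoice.ppam", MALICIOUS_PPAM))
    print("invoice.pptx (renamed) ->", should_quarantine("invoice.pptx", MALICIOUS_PPAM))
    print("deck.pptx ->", should_quarantine("deck.pptx", BENIGN_PPTX))
```

The point of checking content as well as extension is that the extension is chosen by the attacker; the zip directory and content types are what Office actually acts on.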


Apple Patch for WebKit Zero Day

Summary: A memory-management bug in the WebKit engine, a use-after-free, is being actively exploited on iOS, iPadOS and macOS devices. Processing maliciously crafted web content can let a threat actor execute arbitrary code on the affected device.

The vulnerability has been designated CVE-2022-22620 and affects the WebKit engine used by Safari and by apps on iOS, iPadOS and macOS. The browsers on iOS and iPadOS are a particular concern, since every browser on those platforms is built on WebKit. Apple has addressed the issue in macOS Monterey 12.2.1, iOS 15.3.1 and iPadOS 15.3.1. In a use-after-free, the program keeps a pointer to an object it has already released; when the allocator hands that memory out again, the stale pointer refers to whatever was placed there. An attacker who can arrange for a crafted object to land in the freed memory, for example one whose function pointer or vtable entry points at code they control, gets that code executed the next time the stale pointer is used, in the context of the browser process and with its privileges.

Why it matters: Device security matters to every company because these devices connect to corporate resources. Arbitrary code execution gives a malicious actor broad, unpredictable control over the user's machine. The issue touches two OWASP Top 10 categories. The WebKit bug itself is an Insecure Design flaw that allows an attacker to execute code; users who do not update are also running Vulnerable and Outdated Components, since unpatched devices remain exposed. Given that the zero-day is being exploited in the wild, users should update to the latest releases from Apple. A quick check is to confirm the installed version is at or above the fixed release: iOS or iPadOS 15.3.1 under Settings > General > About, or macOS 12.2.1 from About This Mac or the sw_vers command.
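The use-after-free mechanism described above, as an added illustration that is not WebKit code and does not model the specific trigger of CVE-2022-22620 (which Apple has not published). A toy allocator with a LIFO free list stands in for a size-class heap, a Node with a dispatch slot stands in for an engine object with a vtable, and the generation check in run_hardened is one generic mitigation chosen for the example, not the fix Apple shipped. All names here are assumptions for the illustration.

```python
class ToyHeap:
    """Simplified model of a size-class allocator (an assumption for illustration,
    not WebKit's allocator): fixed slots, a LIFO free list, and no clearing of
    a slot's contents on free, so the most recently freed slot is reused first."""

    def __init__(self, nslots=4):
        self.slots = [None] * nslots
        self.free_list = list(range(nslots))
        self.generation = [0] * nslots   # bumped on every free; used only by the hardened path

    def alloc(self, obj):
        idx = self.free_list.pop()       # last freed slot comes back first
        self.slots[idx] = obj
        return idx                       # a raw "pointer"

    def free(self, idx):
        self.generation[idx] += 1
        self.free_list.append(idx)       # contents are left in place until reused

    def deref(self, idx):
        return self.slots[idx]


class Node:
    """Stand-in for an engine object with a dispatch slot (think vtable entry)."""

    def __init__(self, name, handler):
        self.name = name
        self.handler = handler


def legit_handler(node):
    return "rendered " + node.name


def attacker_handler(node):
    return "attacker code ran"           # in a real exploit: shellcode or a ROP chain


def run_vulnerable():
    """Dangling pointer, freed slot refilled by the attacker, dispatch through it."""
    heap = ToyHeap()
    ptr = heap.alloc(Node("div#main", legit_handler))
    pending = [ptr]                      # a callback queue still holding the raw pointer
    heap.free(ptr)                       # object released (e.g. node removed from the DOM)
    heap.alloc(Node("spray", attacker_handler))   # attacker refills the freed slot
    stale = heap.deref(pending.pop())    # dangling pointer now sees the attacker's object
    return stale.handler(stale)


def run_hardened():
    """Same sequence, but the reference carries the slot's generation and is
    checked before use, so a freed-and-reused slot is refused."""
    heap = ToyHeap()
    ptr = heap.alloc(Node("div#main", legit_handler))
    pending = [(ptr, heap.generation[ptr])]
    heap.free(ptr)
    heap.alloc(Node("spray", attacker_handler))
    ptr, gen = pending.pop()
    if heap.generation[ptr] != gen:      # slot was freed since the reference was taken
        return "stale pointer rejected"
    node = heap.deref(ptr)
    return node.handler(node)


if __name__ == "__main__":
    print(run_vulnerable())              # attacker code ran
    print(run_hardened())                # stale pointer rejected
```

In the real engine the attacker's "spray" is JavaScript that allocates many objects of the right size after provoking the free, and the dispatch is a virtual call through the reused memory; the ordering of free, refill and stale use is the same.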


Apple AirTag Tracking

Summary: Researchers at the Technical University of Darmstadt in Germany recently published a report on their AirGuard Android app, which lets users scan for Bluetooth trackers that follow them around. The Apple AirTag, released in 2021, is a tracking device like Tile or Chipolo, intended to help people keep track of belongings such as keys or wallets. AirTags, however, are button-sized and take advantage of the ubiquity of Apple devices to allow more granular tracking, which makes them attractive to malicious actors for stealthy stalking.

AirTags work by piggybacking on Apple's Find My network, a peer-to-peer network of Apple devices: any nearby iPhone that hears an AirTag's Bluetooth beacon relays it, together with its own location, so that the tag's position can be narrowed down. An AirTag can be placed on a car or slipped into a bag unnoticed. Apple only released an Android app to scan for AirTags in December, leaving Android users without a detection tool since the product's launch. The AirGuard report indicates that the app is more accurate at locating rogue AirTags than iOS and Apple's own Tracker Detect app, particularly at finding trackers attached to cars. The one caveat is that AirGuard depends on Android devices, which log locations less frequently than iOS devices.

Why it matters: As personal technology devices become more popular, it becomes increasingly important to weigh privacy risks against their perceived utility. IoT technology is rarely built with security in mind, yet it sits very close to your network and personal data. In this case the AirTag does not even need to belong to you to affect you, and the potential for misuse is wide. Apple has updated its user safety guide for iOS devices with tips on staying safe around Find My accessories, including the AirTag.


Security Tip of the Month

Summary: Adding a second factor can stop adversaries who brute force or otherwise obtain user credentials from logging in. Multifactor authentication devices can be a hard token, such as an RSA SecurID key fob, or a soft token generated by a mobile app such as Microsoft Authenticator or PingID, which typically produce a time-based one-time code (TOTP) that changes every 30 seconds or a push prompt. Less secure, but preferable to no second factor at all, is SMS authentication, where a code is sent by text message. These codes typically have a longer validity period, and the messages can be captured through SIM swapping. A Microsoft blog post from 2019 indicates that adding a second factor prevents 99.9% of account compromise attacks; however, as of 2022, 78% of organizations using Azure Active Directory still do not have MFA enabled.
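What a soft token actually computes, as an added example that is not from the newsletter or from any of the products named above: the standard HOTP/TOTP algorithm (RFC 4226 and RFC 6238) with a constant-time verifier. Only the standard library is used, and the secret is the RFC 6238 test secret, so the 8-digit codes can be checked against the RFC's published vectors; the verification window is an assumption typical of server implementations.

```python
import hashlib
import hmac
import struct
import time


def hotp(key, counter, digits=6, algo=hashlib.sha1):
    """HMAC-based one-time password (RFC 4226) for an 8-byte big-endian counter."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                                 # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key, at_time, step=30, digits=6, algo=hashlib.sha1):
    """Time-based OTP (RFC 6238): HOTP over the number of steps since the epoch."""
    return hotp(key, int(at_time) // step, digits, algo)


def verify_totp(key, submitted, now, step=30, digits=6, window=1, algo=hashlib.sha1):
    """Accept a code for the current step and `window` steps either side (clock drift).

    The comparison is constant-time, and the whole acceptance period is
    (2*window+1)*step seconds: 90 s with the defaults, versus the minutes an
    SMS code typically stays valid.
    """
    for drift in range(-window, window + 1):
        candidate = totp(key, now + drift * step, step, digits, algo)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


# RFC 6238 test secret (ASCII "12345678901234567890"); the RFC's vectors use
# 8 digits, which is why the checks below pass digits=8.
RFC_KEY = b"12345678901234567890"

if __name__ == "__main__":
    print(totp(RFC_KEY, 59, digits=8))                  # 94287082 per RFC 6238
    print(totp(RFC_KEY, int(time.time())))              # what an authenticator would show now
```

A real server also records the last step it accepted for each user so a code cannot be replayed within the window, and rate-limits attempts, since a six-digit code has only a million possibilities.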

Why it matters: MFA is a shining example of the power of defense in depth. Account compromise and credential leaks are almost inevitable; the scope of the damage, however, can be limited by adding controls. Particularly against attacks like ransomware, limiting access to accounts, and therefore to every resource the account is authorized for, is paramount.

The rise of remote work has decentralized corporate IT and increased the risk of sprawl, while at the same time normalizing MFA for many organizations, and users have grown accustomed to MFA prompts. Google recently auto-enabled two-step verification for its users and reports that doing so cut account compromises in half. For relatively little effort, MFA has a big impact on securing your organization.