One Article Review

Home - The article:
Source ProofPoint
Identifier 8435197
Publication date 2024-01-04 06:00:10 (viewed: 2024-01-05 17:10:22)
Title Cybersecurity Stop of the Month: MFA Manipulation
Text

This blog post is part of a monthly series exploring the ever-evolving tactics of today's cybercriminals. Cybersecurity Stop of the Month focuses on the critical first three steps in the attack chain in the context of email threats. The series is designed to help you understand how to fortify your defenses to protect people and defend data against emerging threats in today's dynamic threat landscape.

[Figure: The critical first three steps of the attack chain: reconnaissance, initial compromise and persistence.]

So far in this series, we have covered the following types of attacks:

- Supplier compromise
- EvilProxy
- SocGholish
- eSignature phishing
- QR code phishing
- Telephone-oriented attack delivery (TOAD)
- Payroll diversion

In this post, we examine an attack technique called multifactor authentication (MFA) manipulation. This malicious post-compromise attack poses a significant threat to cloud platforms. We cover the typical attack sequence to help you understand how it works. And we dive deeper into how Proofpoint account takeover capabilities detected and prevented one of these threats for our customer.

Background

MFA manipulation is an advanced technique where bad actors introduce their own MFA method into a compromised cloud account. These attacks follow a cloud account takeover attack, or ATO. ATOs are an insidious and alarmingly common threat. Recent research by Proofpoint threat analysts found that in 2023 almost all businesses (96%) were targeted by cloud-based attacks. What's more, a whopping 60% were successfully compromised and had at least one account taken over.

MFA manipulation attacks can work in several ways, as bad actors have multiple options for getting around MFA. One way is to use an adversary-in-the-middle (AiTM) attack. This is where the bad actor inserts a proxy server between the victim and the website that they're trying to log into. Doing so enables them to steal that user's password as well as the session cookie.

There's no indication to the user that they've been attacked; it just seems like they've logged into their account as usual. However, the attackers have what they need to establish persistence, which means they can maintain access even if the stolen MFA credentials are revoked or deemed invalid.

The scenario

Recently, Proofpoint intercepted a series of MFA manipulation attacks on a large real estate company. In one case, the bad actors used an AiTM attack to steal the credentials of the firm's financial controller as well as the session cookie. Once they did that, they logged into that user's business account and generated 27 unauthorized access activities.

The threat: How did the attack happen?

Here is a closer look at how this MFA manipulation attack played out:

1. Bad actors used the native "My Sign-Ins" app to add their own MFA methods to compromised Microsoft 365 accounts. We observed that the attackers registered their own authenticator app with notification and code. They made this move right after they gained access to the hijacked account, as part of an automated attack flow. This, in turn, allowed them to secure their foothold within the targeted cloud environment.

[Figure: The typical MFA manipulation flow using Microsoft's "My Sign-Ins" app.]

2. After the compromise, the attackers demonstrated a sophisticated approach: they combined MFA manipulation with OAuth application abuse. With OAuth abuse, an attacker authorizes and/or uses a third-party app to steal data, spread malware or execute other malicious activities. Attackers also use the abused app to maintain persistent access to specific resources even after their initial access to a compromised account has been cut off.

3. The attackers authorized the seemingly benign application, "PERFECTDATA SOFTWARE," to gain persistent access to the user's account and the systems, as well as the resources and applications that the user could access.

The permissions the attackers requested for this app included:
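The post-compromise sequence described above (sign-in with stolen session, then a new MFA method registered in "My Sign-Ins", then consent to a third-party OAuth app) leaves a recognisable trail in audit logs. The following added detection example is not Proofpoint's code; it runs over constructed, simplified Entra ID-style audit events (the activity names and the 10-minute window are assumptions, not exact Microsoft values) and flags persistence actions that closely follow a sign-in from an IP address outside the user's baseline.

```python
"""Flag MFA-method registration or OAuth consent that follows a sign-in from an unknown IP."""
import json
from datetime import datetime, timedelta

# Constructed sample events, one JSON object per line (not real telemetry).
SAMPLE_LOG = """
{"time":"2024-01-03T09:00:00Z","user":"controller@example.com","activity":"SignIn","ip":"203.0.113.10"}
{"time":"2024-01-03T09:00:40Z","user":"controller@example.com","activity":"User registered security info","ip":"203.0.113.10","detail":"Authenticator app"}
{"time":"2024-01-03T09:03:00Z","user":"controller@example.com","activity":"Consent to application","ip":"203.0.113.10","detail":"PERFECTDATA SOFTWARE"}
{"time":"2024-01-03T11:00:00Z","user":"alice@example.com","activity":"SignIn","ip":"198.51.100.5"}
{"time":"2024-01-03T15:00:00Z","user":"alice@example.com","activity":"User registered security info","ip":"198.51.100.5","detail":"Authenticator app"}
"""

# Activities that establish persistence in the scenario above (assumed simplified labels).
PERSISTENCE_ACTIVITIES = {"User registered security info", "Consent to application"}
WINDOW = timedelta(minutes=10)  # assumed "right after sign-in" threshold

# Constructed per-user baseline of IPs seen historically.
KNOWN_IPS = {"controller@example.com": {"192.0.2.20"}, "alice@example.com": {"198.51.100.5"}}


def parse_events(text):
    """Parse JSON lines into event dicts with timezone-aware datetimes, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["time"] = datetime.fromisoformat(event["time"].replace("Z", "+00:00"))
        events.append(event)
    return sorted(events, key=lambda e: e["time"])


def find_suspicious_persistence(events, known_ips):
    """Return (user, activity, detail) for persistence actions within WINDOW of a
    sign-in from an IP outside that user's baseline. A later sign-in from a known IP
    clears the pending state so unrelated registrations are not flagged."""
    pending_new_ip_signin = {}
    findings = []
    for e in events:
        user = e["user"]
        if e["activity"] == "SignIn":
            if e["ip"] not in known_ips.get(user, set()):
                pending_new_ip_signin[user] = e["time"]
            else:
                pending_new_ip_signin.pop(user, None)
        elif e["activity"] in PERSISTENCE_ACTIVITIES:
            signin_time = pending_new_ip_signin.get(user)
            if signin_time is not None and e["time"] - signin_time <= WINDOW:
                findings.append((user, e["activity"], e.get("detail", "")))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_persistence(parse_events(SAMPLE_LOG), KNOWN_IPS):
        print("ALERT:", finding)
```

On the sample data the controller's registration and consent are both flagged, while alice's registration from a baseline IP is not.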
Rating ★★★
Sent Yes
Tags Malware Tool Vulnerability Threat Cloud


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from a previous one.