
Rise in MFA Bypass Leads to Account Compromise – Kroll

Mon, Oct 30, 2023
Marc Brawner
Devon Ackerman
Keith Wojcieszek
George Glass
Ryan Hicks
In Q2 and Q3 of this year, Kroll observed an increase in large-scale adversary-in-the-middle (AiTM) phishing and business email compromise (BEC) attacks targeting organizations in the professional services, banking and financial industries. In 90% of Kroll’s recent BEC investigations, MFA was in place at the time of unauthorized access, but the attackers obtained authentication tokens and/or session cookies that allowed them to bypass it.
Once obtained, threat actors “replayed” the intercepted tokens to authenticate as the victim. Exploitation activities included payroll redirection and invoice payment fraud; data exfiltration and extortion; and follow-on phishing from the compromised accounts, used to pivot to additional victims and causing supply chain disruption in a ripple effect.
In addition to AiTM attacks, threat actors have been increasingly observed leveraging legitimate credentials and personally identifiable information (PII) sourced from previous data breaches to impersonate employees and convince IT service desk staff to reset a legitimate employee’s password, remove MFA protections or add a new phone or device to an account.
Often, criminals targeted employees with privileged access after simple LinkedIn reconnaissance. Once an employee’s password was reset or MFA was added to a new device, threat actors gained remote access to the target network.
Kroll recognizes that many organizations have only recently succeeded in establishing basic MFA policies to thwart credential compromises. Novel phishing-as-a-service toolkits are forcing organizations to go even further to address what has quickly become a mainstream form of attack. State-of-the-art options rely heavily on newer, phishing-resistant technologies such as FIDO2 or passkeys, which bind the credential to the legitimate site’s origin and therefore cannot be relayed by an AiTM proxy. In the meantime, organizations must focus on limiting the impact of successful AiTM attacks against current MFA solutions through access evaluation policies (conditional access, token and session controls) and anomaly monitoring.

Advanced MFA-bypassing phishing toolkits and services have become easily available as a subscription service or are sold directly on dark web forums. These toolkits intercept credentials, MFA codes, cookies and session tokens via targeted phishing attacks. Session token theft is particularly dangerous because once a user has authenticated successfully to an application, a session cookie is created that identifies the authenticated user. If an attacker obtains this cookie, they do not need the credentials or an MFA token to retain access to the victim’s account. Traditional MFA factors, including challenge/response codes, app-based codes and the like, are vulnerable to this interception and replay, as the toolkit examples below illustrate.
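As an added example (not part of Kroll’s article), the following Python snippet shows one anomaly-monitoring check of the kind described above: it walks a constructed set of sign-in records and flags a session that is later used from a network or browser fingerprint different from the one recorded when the session was first authenticated, which is what a replayed session cookie looks like in the identity provider’s logs. The log format, field names, user names, IP addresses and ASN values are assumptions made for the example, not real tenant telemetry.

```python
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime

# Constructed sample sign-in telemetry (not real data). One JSON object per line:
# the session identifier issued at authentication, the source IP, the autonomous
# system of that IP, the browser user agent, and how MFA was satisfied.
SAMPLE_LOG = """
{"ts": "2023-08-14T09:02:11Z", "user": "cfo@example.com", "session_id": "sess-41ab", "ip": "203.0.113.10", "asn": "AS64500", "ua": "Mozilla/5.0 (Windows NT 10.0) Edge/116", "mfa": "satisfied"}
{"ts": "2023-08-14T09:02:40Z", "user": "cfo@example.com", "session_id": "sess-41ab", "ip": "203.0.113.10", "asn": "AS64500", "ua": "Mozilla/5.0 (Windows NT 10.0) Edge/116", "mfa": "previously_satisfied"}
{"ts": "2023-08-14T09:05:03Z", "user": "cfo@example.com", "session_id": "sess-41ab", "ip": "198.51.100.77", "asn": "AS64511", "ua": "Mozilla/5.0 (X11; Linux x86_64) Chrome/115", "mfa": "previously_satisfied"}
{"ts": "2023-08-14T09:30:00Z", "user": "analyst@example.com", "session_id": "sess-9c02", "ip": "203.0.113.22", "asn": "AS64500", "ua": "Mozilla/5.0 (Windows NT 10.0) Edge/116", "mfa": "satisfied"}
{"ts": "2023-08-14T12:30:00Z", "user": "analyst@example.com", "session_id": "sess-9c02", "ip": "203.0.113.23", "asn": "AS64500", "ua": "Mozilla/5.0 (Windows NT 10.0) Edge/116", "mfa": "previously_satisfied"}
"""


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    session_id: str
    ip: str
    asn: str
    ua: str
    mfa: str


def parse_events(text: str) -> list[SignIn]:
    """Parse newline-delimited JSON sign-in records, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        events.append(SignIn(
            ts=datetime.fromisoformat(rec["ts"].replace("Z", "+00:00")),
            user=rec["user"], session_id=rec["session_id"], ip=rec["ip"],
            asn=rec["asn"], ua=rec["ua"], mfa=rec["mfa"],
        ))
    return sorted(events, key=lambda e: e.ts)


def detect_session_replay(events: list[SignIn]) -> list[dict]:
    """Return one finding per session use whose fingerprint differs from the
    fingerprint recorded at the session's first sign-in.

    An IP change inside the same ASN (DHCP lease, mobile handover) is tolerated.
    A change of ASN or of user agent is flagged: a cookie stolen by a phishing
    proxy is replayed from the attacker's infrastructure and browser, not the
    victim's, while the identity provider still reports MFA as already satisfied.
    """
    first_seen: dict[str, SignIn] = {}
    findings = []
    for ev in events:
        origin = first_seen.setdefault(ev.session_id, ev)
        if origin is ev:
            continue  # this is the authenticating sign-in itself
        reasons = []
        if ev.asn != origin.asn:
            reasons.append(f"asn {origin.asn} -> {ev.asn}")
        if ev.ua != origin.ua:
            reasons.append("user agent changed")
        if reasons:
            findings.append({
                "user": ev.user,
                "session_id": ev.session_id,
                "authenticated_from": origin.ip,
                "reused_from": ev.ip,
                "minutes_after_auth": round((ev.ts - origin.ts).total_seconds() / 60, 1),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in detect_session_replay(parse_events(SAMPLE_LOG)):
        print(json.dumps(finding))
```

Two caveats for anyone adapting this. In an AiTM flow the identity provider records the proxy’s address at authentication time, so the “authenticated_from” baseline may itself be attacker infrastructure; comparing the authenticating ASN against the user’s historical sign-in locations closes that gap. The user agent is entirely attacker-controlled and easy to mimic, so treat it as a weak, supporting signal rather than a primary one.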

EvilProxy is a phishing-as-a-service toolkit used by threat actors to circumvent the MFA protection used by many online services. The toolkit creates phishing links that lead to reverse-proxied clones of known services, such as Microsoft, Google, GitHub, NPM, PyPI and many others, to harvest credentials, tokens and session cookies.
A campaign throughout July and August 2023 saw threat actors leveraging EvilProxy to target C-suite employees across a wide variety of sectors. Utilizing an open redirect on the legitimate “indeed.com” domain, the threat actor led victims to a phishing page impersonating a Microsoft 365 login page. When the victim enters their credentials and MFA code, they are successfully authenticated to the legitimate service; however, the credentials and the resulting session cookie are captured by EvilProxy, ready for reuse by the threat actor.

Two other popular phishing toolkits are Evilginx2, an open-source phishing framework that expanded upon the foundation of its predecessor, Evilginx, and W3LL. Like EvilProxy, these kits offer an array of capabilities that can expertly emulate login pages for well-known platforms such as Citrix, Microsoft 365, Okta, PayPal and GitHub, among others. In September, it was reported that W3LL had captured credentials for over 56,000 Microsoft 365 accounts, and the kit is regarded as one of the most advanced thanks to its API, source code protection and other unique features.

MFA fatigue, or MFA spamming, relies on the victim approving a push notification rather than completing any form of number or code matching. This is termed a “simple approval” method: tapping approve on the push notification is all that is required to complete the authentication, often without the user being aware of which session they are authenticating. During an MFA fatigue attack, the threat actor already holds the victim’s credentials, obtained either through a prior compromise or bought on the dark web, and triggers repeated prompts until the victim approves one.

In most reported intrusions, the threat actor group KTA243 has achieved initial access through targeted social engineering. Observed methods have included phone calls and SMS messages impersonating active employees, combined with MFA fatigue against the targeted account. The group has also taken a more direct approach, calling an organization’s help desk and socially engineering staff into resetting a user’s password and adding or changing the MFA token/factor so that the threat actor can authenticate from their own device.
KTA243 actors are assessed to primarily target data exfiltration for financial gain after accessing a target’s environment. However, recent reports have linked the group to data extortion and ransomware deployment within the victim environment.
Additional Resources

Kroll has previously published several articles that cover this topic in more depth:

Recommendations 


Additional guidance and recommendations, including targeted Microsoft 365 configuration reviews, are available for Kroll customers. Contact your technical account manager or account executive for more information.