Video: Inside the Threat: Secureworks CTU Analysis | Episode 3 | Duration: 2104s | Summary: Inside the Threat: Secureworks CTU Analysis | Episode 3 | Chapters: Introduction to AITM (16.255001s), Network Attack Techniques (92.08501s), Network Attack Tactics (287.02002s), Adversary-in-the-Middle Attacks (355.82498s), Credential Theft Monetization (636.635s), Phishing Attack Tools (760.075s), Axios-Based Phishing Campaign (940.51s), Mitigating Phishing Attacks (1423.7001s)
Transcript for "Inside the Threat: Secureworks CTU Analysis | Episode 3": Good afternoon, good morning, good evening, depending on where you're joining me from. Thank you for joining us today. My name is Rafe Pilling. I'm the director of intelligence for the Secureworks CTU, and today I'm going to be talking to you about understanding adversary-in-the-middle (AITM) tactics and credential theft more generally.

So we're going to start off with some definitions. Adversary-in-the-middle attacks, generally speaking, are a form of cyber attack where the malicious actor intercepts and potentially alters the communication between two parties without their knowledge. That's the broad definition of adversary-in-the-middle, formerly known as man-in-the-middle style attacks. Increasingly, we see a specific subset of these types of attacks known as adversary-in-the-middle phishing attacks. In this case, the adversary, often using email or a messaging service, creates the conditions for them to be in the middle of that communication stream and intercept and manipulate communications between a user and the legitimate service that the user is trying to access.

So how do adversary-in-the-middle attacks work more generally? There are a number of different techniques that can be used to achieve that middle position in a communication stream. In most cases, these sorts of attacks are done locally to the victim, because trying to do them on the Internet can be more difficult unless perhaps you're an advanced nation-state actor. But generally speaking, you can use techniques like network spoofing, sending the right kind of packets to someone's system to redirect their traffic through yours and then on to whatever the real destination should be; tampering with network routing on that network, so again traffic is routed through your host, where you may have a sniffer or some sort of packet capture device; and, similarly, the use of proxy servers.
In some cases, where the traffic is not already plain text, you may need to use a particular type of service known as SSL or TLS stripping. What that does is break the end-to-end communication between the user and the legitimate service that they're trying to communicate with and put the adversary's system, the attacker's system, in the middle of that. It then has a connected session between the user and the adversary system, and between the adversary and the end system, allowing the adversary to view the traffic in plain text.

So while I said this is relatively rare to see from a network perspective, we did have a case that we responded to that did involve a network-based adversary-in-the-middle attack, and in this case we do believe that a nation-state actor was behind it. What we see on the screen here is a fairly standard view of a network. You have a corporate perimeter. There are some internal routers. There's the perimeter firewall. Outside of that corporate perimeter is the perimeter router that the company uses to access the Internet. You have the wider Internet, and then a remote router at the destination. So, generally, what should happen is communications will flow out of the corporate network, across the Internet, and to that remote router, as demonstrated by the email icon flying across the screen just there. However, in this incident, the attacker targeted the perimeter router used by this company and was able to gain access to that router by brute-forcing SNMP community strings, and that gave them the ability to read and modify the configuration on that router. The technical details here are not super important, but the bottom line is they were able to use built-in functionality within the router to mirror traffic that was passing through that router to an IP address that they controlled.
So in addition to the traffic flowing through the router from the internal system to wherever the data was supposed to go, they were able to take a copy of that and redirect it to a system that they controlled. And they could go further with some additional configuration changes to make all the traffic from that router flow through a host that they controlled, and conduct some of those adversary-in-the-middle attacks that we discussed. So now what the situation looks like is something like this. When that traffic is flowing through all those devices, it's flowing through the compromised perimeter router. The adversary has that middle position on the communication flow, and what happens is that, in this case, they receive a copy of the communication. If they had modified the router in a different way, they could receive the entire communication flow, run it through their own host, and tamper with it, or extract things like sensitive credentials or any plain text and, potentially, if they did some additional configuration, encrypted communications.

But generally the way we see this attack manifest is through phishing. Those attacks on routers and other sorts of network-based attacks do occur, and certainly perhaps the most frequently occurring situations would be in a red team or pen test exercise within a corporate network. What we tend to see in the real world is that adversary-in-the-middle tactic being used for phishing campaigns. So how does an adversary-in-the-middle campaign differ from a traditional phishing campaign? In a traditional phishing campaign, you've got a phishing page, usually part of a phishing kit.
So the threat actor or the criminal may have bought this from an online marketplace, and it provides them all the bits and pieces that they need to conduct this sort of attack, including fake login pages like this. So they will phish: they will send an email with a link and some sort of pretext for the targeted user to click that link. The user will open that email, they will read the message, and if they believe whatever the pretext is in that email, they will click that link and they'll be directed through to an authentication page like this. Often, you know, the sort of pretext or message used in a phishing campaign like this might be that you need to view an encrypted document that's online, or you've been sent some document on a document-sharing service, and you click that link and then you sort of expect to hit some sort of authentication page before you can get that item, whatever it might be. And so they provide this fake interface for you to put your credentials into. So this credential capture takes the username, password, and multi-factor authentication tokens. In some cases in the past, certainly, that was one of the things that would be taken as an offline field, and then the threat actor will reuse those credentials at some later stage. So if we just look at how that sort of plays out: you've got the user, they receive that phishing email, they click on that link, that link directs them to the malicious phishing page, and then ultimately their credentials are captured by the malicious adversary.

If we compare that to an adversary-in-the-middle phishing model, what we see is the user receives a phishing email, so the same kind of beginning. They click on that link. But in this case, the link will take them to a page, and sometimes there can be multiple pages; there can be redirections.
But the connection will be directed through a reverse proxy, an intermediate system that can then view the traffic between the user and the end service. And usually what happens is that the middle piece there, around the proxy, will be part of a tool or a framework that will establish a tunnel to the remote site, and the user will actually be viewing the real remote site through this tunnel. But the proxy in the middle gives the adversary the ability to view the user's traffic as well. And so the user will go ahead and authenticate. They put in their username, password, and their multi-factor authentication code. When they do that, the remote system will authenticate them and, assuming they got everything right, will issue them with a session token of some kind, a persistent token that will sit on their system and tell the site or service that this is a legitimate, authorized user: they've been through the authentication process, they know their password, they have access to whatever the multi-factor authentication token is, and they have successfully completed that stage. So you end up with this authenticated token that can then be stolen by the adversary, because they can view the end-to-end transactions. And the way these kits work is they tend to automate all this, so there's very little for the threat actor to actually do beyond initiating the phishing campaign and waiting for the results to come in. As I mentioned before, because of the way these things work, you can create them, particularly if you use a sort of typo-spoofing, so a domain name that the threat actor has registered that looks very similar to the real legitimate service. You can create a certificate on there, so the connection between the user and the proxy will appear secured.
The user will see the little padlock icon or similar on the browser to tell them that that's an encrypted connection that their details, their credentials, are being sent over, and give them that reassurance, at least in theory, that their connection is secure. Actually, what's happened is that there's a tunnel built between the user and that middle system, and then between the middle system and the end service. And because it's broken into two parts rather than one continuous tunnel, the threat actor has that middle system, that proxy, that can intercept those details and capture the sensitive credentials, including the authenticated session cookie.

So why are credentials valuable to threat actors? Well, obviously, they are the things that we use to access the sensitive services that maybe we use for work on a daily basis, maybe our personal email, maybe our bank accounts, whatever it might be. There's a whole range of secure and sensitive services that are authenticated using usernames and passwords and, increasingly these days, multi-factor authentication, particularly for corporate systems. So this kind of attack enables the theft of those session cookies, and there are a variety of monetization options for criminals once they've stolen those session cookies. So, for example, business email compromise, and I will talk through some examples of this having happened in cases that Secureworks has responded to. Data theft extortion is another big category of crime that's pretty prevalent these days, and you have a variety of groups. So, for example, elements of the GOLD HARVEST or Scattered Spider group have been known to use this approach in order to capture authenticated session cookies and use them to access targets. And lastly, ransomware. And these things aren't necessarily exclusive.
You can have business email compromise, data theft extortion, and ransomware in the same overall attack if the threat actor decides that they want to use all of those options. And, of course, they can do anything else they want to once they have authenticated access to your environment. Lastly, in some cases, some criminals are just doing this in order to get the access and sell it on to others via the dark web. And there are marketplaces dedicated to selling authenticated stolen access to people who don't want to go to the effort of conducting this kind of scheme themselves. They just want to buy that access and then move straight on to business email compromise, data theft extortion, ransomware, whatever it might be.

So how do people go about setting up these types of attacks? Well, unfortunately, there are a number of very easy-to-use, ready-made toolkits for this kind of activity. Evilginx is one of the most popular. It's often used by red teams and penetration testers to test the security of company networks, and that's great. Obviously, tools like this can also be abused by threat actors. And, as I mentioned, GOLD HARVEST, Scattered Spider, is one of the threat groups that has abused this and may continue to abuse this. We've seen Russian groups using this: IRON FRONTIER, also known as Callisto or Cold River or Star Blizzard. So state-sponsored groups are also using these tools in order to conduct this kind of adversary-in-the-middle phishing. And you can see on the screen there, it kind of gives you a breakdown of what the tool does. It's used for phishing login credentials along with session cookies, allowing people to bypass that multi-factor authentication protection. So the tool itself isn't necessarily complete. In addition to the tool, you need what Evilginx refers to as a phishlet. That is a module that is customized to a particular end service.
And there are other people out there who will write and make available these phishlets or modules that are tailored towards specific services. So you see on the screen there a number of popular online services that are targeted, or can be targeted, with this tool. Now, I'm sure that the creators of these tools and specialists will argue that they are there for educational purposes or for legitimate security testing with the permission of the targeted organization, but you can see how they are also wide open for abuse. And to go a step further, if Evilginx wasn't powerful enough for some of these adversaries, there is an additional tool known as EvilGoPhish, which combines a phishing framework known as GoPhish with Evilginx into one sort of super tool, enabling this whole process to be done through one tool rather than having to run a separate phishing campaign in order to direct people at your Evilginx infrastructure. There are a number of other tools that have been used by threat groups and others out there. I'm not sure exactly how to pronounce this, but Muraena is one, and Modlishka is another. And there are a number of online services that criminals sell through the dark web or underground forums that can also be used for these purposes. Sometimes these are sold as services; sometimes they're sold as stand-alone kits. Prices usually range from a few tens to a few hundred dollars to buy these services or software packages.

So now we're going to look at a recent campaign that threat hunters within Secureworks looked at and were able to uncover and intercept at an early stage within our customer base. This happened within the last few months. It was a Microsoft 365-focused adversary-in-the-middle campaign leveraging a tool known as Axios. So Axios isn't one of the tools that I've already mentioned.
It's not a purpose-built adversary-in-the-middle toolkit. It is actually a legitimate HTTP client for browsers and Node.js. So threat actors leverage the ability of this tool to intercept and transform request and response data, which gives them basically the same capabilities as some of those other toolkits that we previously talked about. So they could conduct adversary-in-the-middle attacks using an Axios-based infrastructure. They set up their own proxy, they set up some landing pages, and they used Axios as the automation framework in between. So the victim will receive a phishing email. In this case, the threat actors had used a legitimate online service to host something that looked like a document. So the user gets the email, they click on the link, they go to this online service, and they see this document that says a document has been shared with you securely; please click on the item below to authenticate and decrypt. This is a very common pretext, a very common scenario for phishing campaigns. If you were to click on that link where it says view online or download, you would actually be directed to the page that's highlighted in yellow in the code extract on the other side of the screen. So the target is then directed to this page, and this is a threat actor-controlled domain, which is the sort of front end to this adversary-in-the-middle phishing operation. So the way it works is the attacker sends that phishing email with a fake Microsoft 365 login link to the user. The user clicks on that and enters their credentials, including their multi-factor authentication token, maybe it's a token from an app, whatever it might be, into that fake login page. Both credentials are captured and relayed using Axios to authenticate with the Microsoft 365 service.
A session token is returned and again captured with Axios automation, and the threat actor then gains persistent access by authenticating with that stolen access token. I don't have it in this presentation, but we could see this in the authentication logs: initially, a legitimate user agent string. The user agent is what identifies the software that is connecting into a service. So initially it's a browser user agent, and then it switches over to being an Axios-specific user agent, as we'll see in a minute.

So in each incident involved in this campaign, the threat actors appear to be trying to conduct business email compromise. This is a catch-all term for a range of attacks that includes everything from actual compromise of email accounts, where the threat actor then goes through those accounts and tries to find information of interest or invoices or other in-flight sales transactions that they can manipulate in order to redirect a payment into their account. There are other variations of this: CEO fraud, invoice fraud, those kinds of things. But we see a lot of business email compromise style attacks, and we have developed a range of detections to spot the early technical signs of these attacks taking place. So in this case, the Secureworks Taegis XDR business email compromise detector alerted to the creation of inbox rules created to hide and delete email messages from the inbox folder. Threat actors will do this in order to hide communications that would otherwise alert the victim to malicious activity. Often these are then moved to things like the deleted items folder, the junk folder, or things like the RSS feeds folder, somewhere that the user is unlikely to look on a regular basis, to see these hidden messages. And these messages can be things from... I mean, it depends on the nature of the scenario.
It might be they're trying to hide real messages from a supplier or a customer, so that they can manipulate the conversation from that compromised inbox but not have the real user see any responses from the customers or suppliers. It might even be security notifications that the user may be receiving saying there's been some suspicious activity on your account. It just really depends, and the threat actor can respond dynamically to what's coming into that inbox. As I mentioned before, in this particular case, rather than seeing the user authenticating with their legitimate browser user agent, we could see the user agent of Axios/1.7.2. That was the version used in this case. There are potentially other versions that may be used in this kind of attack. So starting off by looking for Axios-based user agent strings is a first place to start if you were hunting for this type of attack in your own authentication logs within your own environment. But certainly, that was a good giveaway in this particular campaign, and it's these sorts of things that we look for, these sorts of minor technical details that can then be capitalized on to detect these types of attacks at scale.

So who was ultimately behind this campaign? With these sorts of things, it's very difficult to track back to threat groups like we do in some forms of cybercrime or state-sponsored activity. Often the campaigns are just too short-lived. They target so many customers and other entities around the world, and the infrastructure is used for a particular campaign and then disappears. Because we saw a number of inconsistencies in the post-compromise actions across multiple cases, we assess that there are probably multiple actors performing this particular campaign.
There was a lack of shared infrastructure, although they were in general coming from the 212181040 IP range. There were multiple connections from that IP range. So again, I'm sure there's plenty of legitimate activity in that IP range, but it may be one to look for if you want to go hunting in your own authentication logs. Combining that with perhaps alerts for anomalous authentication activity, maybe some impossible-travel type alerts, those sorts of things may give you a hint that there's been a compromise of authentication session cookies, particularly if you're seeing impossible-travel type alerts combined with otherwise authenticated sessions. Sometimes in post-intrusion activity like this, we see the use of legitimate third-party applications to facilitate the harvesting or the theft of emails. So in past business email compromise attacks, we have seen eM Client and PerfectData being used to harvest email from the compromised accounts in bulk. The threat actor will then go away and triage those emails looking for opportunities to conduct additional fraud.

So how do we stop these kinds of attacks? What can we do? When it comes to phishing in general, we're always talking about multi-factor authentication, and that is still absolutely necessary, but not always sufficient. So we do need to give some additional thought to how we can mitigate against these particular adversary-in-the-middle type scenarios, where they have relatively sophisticated tooling that can capture authenticated session tokens from those sessions. There are technologies known as conditional access policies. So in addition to having your multi-factor authentication, you can also say the sign-in request must meet some additional identity-related attributes: they must be in a particular user or group, they must come from particular IP locations, or maybe the device has to match a particular fingerprint.
There are a number of additional attributes that can be layered on top of the multi-factor authentication in order to allow that user into the network, or access to whatever resource they're attempting to authenticate to. This can be a great way of weeding out those attacks when they are successful, because the threat actor will not necessarily then be able to meet the other conditional access policy attributes, if they have been set well, even though they have an authenticated session token. And the other option to consider is using phishing-resistant MFA. I won't go into this in detail, but phishing-resistant MFA is another set of more modern protocols and technologies, things like FIDO, that can be used to add additional layers of protection on top of that multi-factor authentication. That can be making sure that the requests and the access are coming from specific devices, and that users have taken purposeful actions in order to initiate that session and conduct that authentication. So it's a phrase to go away and Google if you're not familiar with it, and look up the options there; they're supported by a number of major technology providers and increasingly well supported as time goes on.

In terms of detecting these kinds of attacks, they can be tricky. So first off, I think you need to be informed. It starts with threat intelligence. Indicators can be useful but are often short-lived, usually just useful for the duration of a campaign, although they can be useful to go back and hunt to see if one of your users has been a victim of these particular campaigns, again perhaps in conjunction with other types of anomalous authentication alerts that you might be receiving. In terms of best practices, obviously, we talked about multi-factor authentication.
In addition to that, you need to have network monitoring and anomaly detection, particularly around authentication events, but also perhaps looking at where people are coming from and which resources they're accessing once they've accessed the remote access service. And lastly, employee training and awareness: making people aware of these types of attacks and these types of capabilities. Conducting those phishing simulations can be really useful. Getting people used to being a little bit suspicious about the emails that they're receiving, and giving them an easy process that they can follow to report any suspicious emails that they might be receiving, so the security team within the organization can get an early heads-up that somebody may be targeting their users. Technical solutions: email filtering, obviously. We would like to think that these sorts of phishing attacks will be filtered out by email filtering, and a lot of them will be. Depending on how persistent the actor is and how specifically they've targeted your organization, there are things they can do to try and make their email look very benign and credible and get past filtering technologies. In which case, you want to make sure there is a broad suite of endpoint detection and response, network detection and response, and ultimately all of that brought up into an XDR-type solution, so you have broad visibility over what's going on in your network, on your endpoints, and on any cloud-based services that you use, particularly from an authentication perspective. So that stack will give you a significant amount of protection and, where protection fails, early detection capabilities, so you notice these things before they get out of control.

So lastly, if you enjoyed what we were talking about today, I would encourage you to sign up for the Secureworks Global Threat Intelligence Summit. It is happening October 3. It's coming along real soon.
The theme for the summit this year is Navigating the Cybersecurity Labyrinth: From Data to Defense. We have an excellent lineup of talks. You can visit the short link there, you can scan the QR code, or, if you don't trust either of those things, you can go to our website and sign up there. I absolutely encourage you to do that. We'll dig into more of the adversary-in-the-middle type attacks, and a range of other state-sponsored and cybercrime activities will be on the agenda. Okay. That's everything I have for you today content-wise. I think we have some time for additional questions. I'm just going to see what's been coming in.

So: what are the potential consequences for businesses and individuals if an adversary-in-the-middle attack successfully compromised their session cookies and credentials? As I said in the presentation, there are a number of outcomes. I mean, that authenticated session cookie will give them access to your remote access service or the cloud-based service that you might be using, whether it's things like Office 365 or other cloud-based services. They can then authenticate as an authenticated user and gain access to that user's files and do things within that user's permission context. And they can then decide how they want to abuse that access, whether they're going to use it to move further into the network, laterally expand, and try to achieve some sort of position of network dominance, or if they just want to deploy cryptocurrency miners or steal data or go into the sort of business email compromise model. We seem to see a lot of these adversary-in-the-middle attacks coupled with business email compromise, so that tends to be the common model.

One more here. So, can we expect this type of attack to be improved with AI? I think that the tooling at the moment for these types of attacks is pretty slick and effective.
What we are likely to see, and I think anecdotally we are seeing, is an improvement in the level of phishing emails that people are sending, and perhaps the sort of breadth and scale of campaigns. Obviously, AI in cybersecurity is a hot topic for everyone, and we are constantly on the watch for how it has been used or how it has been discussed and investigated by cybercrime adversaries and state-sponsored adversaries. So, yeah, I would absolutely expect that people will be looking out for ways to use AI technologies to enhance and expand the scale of these types of attacks. Okay. Well, thank you. I think that is all the time we have today. Really appreciate you joining us, and hope you enjoyed that. Please go and sign up for the Threat Intelligence Summit. Thank you very much.
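As an added example, not part of the talk and not Secureworks tooling, the following Python script implements the hunting logic the presentation suggests for the Axios campaign: look for Axios-style user agent strings in authentication logs, flag an account whose successful browser sign-in is followed shortly by a successful sign-in with a scripted client (the relay of a captured session token), and flag newly created inbox rules that delete messages or move them to folders such as Deleted Items, Junk or RSS Feeds. The log records, field names, folder list, severity thresholds and 30-minute window are all constructed or assumed for the example rather than taken from any real product schema or the campaign itself; the IP addresses are documentation ranges.

```python
"""Hunt for the AITM-to-BEC pattern: browser sign-in, then an axios/* user agent
on the same account, plus an inbox rule that hides mail. Constructed sample data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records (simplified, not a real product schema).
SIGNINS = [
    {"user": "alice@example.test", "time": "2024-09-10T08:00:00", "result": "success",
     "ip": "198.51.100.10", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/128.0"},
    {"user": "alice@example.test", "time": "2024-09-10T08:02:30", "result": "success",
     "ip": "203.0.113.7", "ua": "axios/1.7.2"},
    {"user": "bob@example.test", "time": "2024-09-10T09:15:00", "result": "success",
     "ip": "198.51.100.11", "ua": "Mozilla/5.0 (Macintosh) Safari/605.1"},
    {"user": "carol@example.test", "time": "2024-09-10T10:00:00", "result": "failure",
     "ip": "203.0.113.9", "ua": "axios/1.6.0"},
]

# Constructed mailbox audit records for inbox-rule creation (simplified).
MAILBOX_EVENTS = [
    {"user": "alice@example.test", "time": "2024-09-10T08:05:00", "op": "New-InboxRule",
     "params": {"Name": ".", "MoveToFolder": "RSS Feeds", "SubjectContainsWords": "invoice"}},
    {"user": "bob@example.test", "time": "2024-09-10T09:20:00", "op": "New-InboxRule",
     "params": {"Name": "Newsletters", "MoveToFolder": "Reading", "FromAddressContainsWords": "news"}},
    {"user": "dave@example.test", "time": "2024-09-10T11:00:00", "op": "New-InboxRule",
     "params": {"Name": "a", "DeleteMessage": True, "SubjectContainsWords": "suspicious"}},
]

# Folders users rarely open; an assumed list, tune it to your tenant.
HIDING_FOLDERS = {"deleted items", "junk email", "rss feeds", "rss subscriptions", "archive"}
# axios/ is the user agent named in the talk; other scripted clients can be added with care.
SCRIPTED_UA_PREFIXES = ("axios/",)


def parse_time(value):
    return datetime.fromisoformat(value)


def is_scripted_ua(ua):
    return ua.lower().startswith(SCRIPTED_UA_PREFIXES)


def is_browser_ua(ua):
    return ua.startswith("Mozilla/")


def scripted_ua_signins(signins):
    """Every sign-in, successful or not, carrying a scripted-client user agent."""
    return [e for e in signins if is_scripted_ua(e["ua"])]


def ua_switch_events(signins, window=timedelta(minutes=30)):
    """Successful browser sign-in followed within `window` by a successful sign-in
    on the same account from a scripted client: the token-relay pattern."""
    by_user = defaultdict(list)
    for e in signins:
        if e["result"] == "success":
            by_user[e["user"]].append(e)
    hits = []
    for user, events in by_user.items():
        events.sort(key=lambda e: parse_time(e["time"]))
        for i, first in enumerate(events):
            if not is_browser_ua(first["ua"]):
                continue
            for later in events[i + 1:]:
                gap = parse_time(later["time"]) - parse_time(first["time"])
                if gap > window:
                    break
                if is_scripted_ua(later["ua"]):
                    hits.append({"user": user, "browser_time": first["time"],
                                 "scripted_ua": later["ua"], "scripted_ip": later["ip"],
                                 "gap_seconds": int(gap.total_seconds())})
    return hits


def hiding_rules(events):
    """Inbox rules that delete mail or move it to a folder the user rarely checks."""
    hits = []
    for e in events:
        if e["op"] != "New-InboxRule":
            continue
        p = e["params"]
        reasons = []
        if p.get("DeleteMessage"):
            reasons.append("deletes messages")
        if str(p.get("MoveToFolder", "")).lower() in HIDING_FOLDERS:
            reasons.append(f"moves to {p['MoveToFolder']}")
        if reasons and len(str(p.get("Name", ""))) <= 2:
            reasons.append("minimal rule name")  # supporting signal only
        if reasons:
            hits.append({"user": e["user"], "rule": p.get("Name"), "reasons": reasons})
    return hits


def triage(signins, events):
    """Per-account findings with an assumed severity: high when a UA switch and a
    hiding rule coincide, medium for any two findings, low otherwise."""
    findings = defaultdict(set)
    for e in scripted_ua_signins(signins):
        findings[e["user"]].add("scripted_ua_signin")
    for h in ua_switch_events(signins):
        findings[h["user"]].add("ua_switch")
    for h in hiding_rules(events):
        findings[h["user"]].add("hiding_inbox_rule")
    out = {}
    for user, f in findings.items():
        if {"ua_switch", "hiding_inbox_rule"} <= f:
            severity = "high"
        elif len(f) >= 2:
            severity = "medium"
        else:
            severity = "low"
        out[user] = {"severity": severity, "findings": sorted(f)}
    return out


if __name__ == "__main__":
    for user, summary in triage(SIGNINS, MAILBOX_EVENTS).items():
        print(user, summary)
```

The user-agent check alone is noisy, since legitimate automation also uses axios; the value is in the correlation, which is why the browser-to-scripted switch on one account and the mail-hiding rule are scored together, matching the speaker's advice to combine indicators with anomalous-authentication alerts.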