
2FA Bypass through Adversary-in-the-Middle (AiTM) Attack

In my last entry, I explained the first technique through which hackers bypass most 2FA. I called that local simply because the bad actor needs to be in somewhat close proximity to the victim.

In this article, I will explain the second technique, which is the most prevalent, and it is called AiTM, or an Adversary-in-the-Middle attack. Again, this works through an elaborate and sophisticated phishing attack using strategically placed reverse proxy servers on the Internet to steal session cookies (remember them?).

It is so devastating that Microsoft's Threat Intelligence Center published an article about it, and you can find it here. Quoting the article: "In AiTM phishing, attackers deploy a proxy server between a target user and the website the user wishes to visit (that is, the site the attacker wishes to impersonate). Such a setup allows the attacker to steal and intercept the target's password and the session cookie that proves their ongoing and authenticated session with the website. Note that this is not a vulnerability in MFA; since AiTM phishing steals the session cookie, the attacker gets authenticated to a session on the user's behalf, regardless of the sign-in method the latter uses." So it still boils down to stealing those good old session cookies through phishing. Most attacks use EvilProxy, which is a reverse-proxy-as-a-service: you simply pay for the service, and voilà, you target your victim. The other option is to use EvilGinx2, an open source reverse proxy. These tools are really easy to use and set up. This article gives a working guide to the architecture of EvilProxy.

Thanks to this video by CyberMattLee, you can see in practice how EvilGinx2 is used to bypass your 2FA/MFA. First, set a more restrictive session lifetime in your web apps. Beyond that, every web app simply has to employ hardware keys and migrate to the WebAuthn and FIDO2 standards for web authentication.
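As an added example (not code from this article or from Microsoft's post), here is why the WebAuthn/FIDO2 migration recommended above defeats a reverse-proxy phish: the victim's browser writes the page's real origin into clientDataJSON and the authenticator hashes the RP ID it was actually used from, so an assertion collected on a look-alike domain fails the relying party's origin and rpIdHash checks before any signature is even verified. The origin, RP ID, challenge and sample data below are constructed for this example, and signature verification over authenticatorData || SHA-256(clientDataJSON) is left out.

```python
import base64
import hashlib
import json

# Constructed relying-party settings; a real deployment loads these from config.
EXPECTED_ORIGIN = "https://login.example.com"
RP_ID = "login.example.com"


def b64url_decode(s: str) -> bytes:
    """Decode base64url without padding, as used in clientDataJSON."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def check_assertion(client_data_json: bytes, authenticator_data: bytes,
                    expected_challenge: bytes) -> tuple[bool, str]:
    """Origin-binding checks a relying party runs on a webauthn.get response.
    Returns (accepted, reason). Signature verification would follow these checks."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    # The challenge must be the one this server issued for this login attempt.
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch"
    # The browser fills in the origin it is really on; a proxy cannot rewrite it.
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {client_data.get('origin')}"
    # First 32 bytes of authenticatorData are SHA-256 of the RP ID the key was used for.
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    # Flags byte: bit 0 = user present.
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


def make_sample(origin: str, rp_id: str, challenge: bytes) -> tuple[bytes, bytes]:
    """Build constructed clientDataJSON and authenticatorData as a browser on
    `origin` and an authenticator scoped to `rp_id` would produce them."""
    challenge_b64 = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    client_data_json = json.dumps(
        {"type": "webauthn.get", "challenge": challenge_b64, "origin": origin}
    ).encode()
    # rpIdHash (32) || flags (1, user present) || signCount (4)
    authenticator_data = (hashlib.sha256(rp_id.encode()).digest()
                          + bytes([0x01]) + (0).to_bytes(4, "big"))
    return client_data_json, authenticator_data
```

A cookie-stealing proxy never sees a reusable credential here: each assertion is bound to a fresh challenge, the real origin, and the real RP ID.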
