Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label phishing kit. Show all posts

'Tycoon' Malware Kit Bypasses Microsoft and Google Multifactor Authentication

 

An emerging phishing kit called "Tycoon 2FA" is gaining widespread use among threat actors, who are employing it to target Microsoft 365 and Gmail email accounts. This kit, discovered by researchers at Sekoia, has been active since at least August and received updates as recent as last month to enhance its evasion techniques against multifactor authentication (MFA).

According to the researchers, Tycoon 2FA is extensively utilized in various phishing campaigns, primarily aimed at harvesting Microsoft 365 session cookies to bypass MFA processes during subsequent logins. The platform has amassed over 1,100 domain names between October 2023 and late February, with distribution facilitated through Telegram channels under different handles such as Tycoon Group, SaaadFridi, and Mr_XaaD.

Operating as a phishing-as-a-service (PhaaS) platform, Tycoon 2FA offers ready-made phishing pages for Microsoft 365 and Gmail accounts, along with attachment templates, starting at $120 for 10 days, with prices varying based on the domain extension. Transactions are conducted via Bitcoin wallets managed by the "Saad Tycoon Group," suspected to be the operator and developer of Tycoon 2FA, with over 1,800 recorded transactions as of mid-March.

The phishing technique employed by Tycoon 2FA involves an adversary-in-the-middle (AitM) approach, utilizing a reverse proxy server to host phishing webpages. This method intercepts user inputs, including MFA tokens, allowing attackers to bypass MFA even if credentials are changed between sessions.

Despite the security enhancements provided by MFA, sophisticated attacks like Tycoon 2FA pose significant threats by exploiting AitM techniques. The ease of use and relatively low cost of Tycoon 2FA make it appealing to threat actors, further compounded by its stealth capabilities that evade detection by security products.

Sekoia researchers outlined a six-stage process used by Tycoon 2FA to execute phishing attacks, including URL redirections, Cloudflare Turnstile challenges, JavaScript execution, and the presentation of fake authentication pages to victims.

The emergence of Tycoon 2FA underscores the evolving landscape of phishing attacks, challenging the effectiveness of traditional MFA methods. However, security experts suggest that certain forms of MFA, such as security keys implementing WebAuthn/FIDO2 standards, offer higher resistance against phishing attempts.

To assist organizations in identifying Tycoon 2FA activities, Sekoia has published a list of indicators of compromise (IoCs) on GitHub, including URLs associated with Tycoon 2FA phishing campaigns.

Warning: Ransomware Attacks Spreading via Fortinet Kit

 

The eSentire’s Threat Research Unit (TRU) confirmed in its recent research that the threat actors are exploiting Fortinet Virtual Private Network (VPN) devices that remain vulnerable to critical authentication bypass vulnerability.  The VPNs were being controlled by third-party providers; thus, the company had no direct visibility into the devices. 

Fortinet is a security ecosystem, which provides a variety of different products including next-generation firewalls, antivirus, VPNs, and endpoint solutions, among other offerings. 

On October 10, 2022, Fortinet issued a public statement in which it disclosed the critical vulnerability (CVE-2022-40684) in the system impacting several of their products including FortiOS, FortiProxy, and FortiSwitchManager. 

If the vulnerability is successfully exploited, the hacker could gain access to the Fortinet device. Specifically, devices are often integrated with organization-wide authentication protocols such as Lightweight Directory Access Protocol (LDAP) and Active Directory (AD). 

The TRU further said that its team detected and shut down two attacks on its customers – one was a Canadian-based college and the other, was a global investment firm. 

Additionally, once the threat actors had gained access to the target network, they exploited Microsoft’s Remote Desktop Protocol (RDP) to successfully get lateral movement and legitimate encryption utilities BestCrypt and BitLocker. 

Keegan Keplinger, research and reporting lead for the eSentire TRU, said “SSL VPNs are easy to misconfigure, and they are highly targeted for exploitation since they must be exposed to the internet and they provide access to credentials for the organization…” 

“Additionally, the tendency for these devices to be managed by a third party often means that the organization and their security providers have no direct visibility into activities being conducted on the device. This allows threat actors longer dwell times, as observed in the sale of these devices on the dark web, [making] SSL VPNs a prime target for initial access brokers [IABs].” 

Furthermore, Keplinger said the TRU’s research had shown that threat actors are always ready when it comes to exploiting vulnerabilities in well-used products. The attack is giving high singles to big tech companies if their technology is bing exploited in such a way.

Threat actors are Looking for Ways to Bypass MFA with Evolving Phishing Kits

 

People have been concerned about information security since the first password was included in the Compatible Time-Sharing System at MIT in 1961. While multi-factor authentication (MFA) did not arrive on the scene until years later, in 1986, with the first RSA tokens, it has recently achieved broad consumer acceptance. According to the annual State of the Auth Report from MFA digital authenticator firm Duo, 78% of respondents have used two/multi-factor authentication (2FA/MFA) in 2021, up from 28% in 2017.   

While several organisations, including Duo and RSA, have contributed to making MFA more widespread and user-friendly, threat actors have not been sitting on their laurels, preferring to attack MFA as well as seeking for ways to circumvent MFA with changing phishing kits. 

 Phishing kits are software created to assist threat actors acquire credentials and swiftly capitalise on them. Many of these kits, which are either installed on a dedicated server owned by the threat actor or secretly put on a hacked server owned by an unlucky user, may be purchased for less than a cup of coffee. 

Proofpoint threat researchers have seen a wide range of MFA phishing kits, from simple open-source kits with human-readable code and no-frills functionality to sophisticated kits with multiple layers of obfuscation and built-in modules that allow for the theft of usernames, passwords, MFA tokens, social security numbers, and credit card numbers. These kits, at their heart, use the same mechanisms for credential harvesting as conventional kits that steal only usernames and passwords. 

 Proofpoint researchers have witnessed the introduction of a new sort of kit in recent years that does not rely on duplicating a target website. Instead, these kits use a transparent reverse proxy to provide the victim with the actual website. A reverse proxy is a computer network application that sits in front of back-end applications and forwards client (e.g., browser) requests to those apps. Scalability, performance, resilience, and security are all improved by using reverse proxies. 

 Modern web pages are dynamic and constantly change. As a result, providing the actual site rather than a copy considerably improves the perception that an individual is logging in safely. Another advantage of using a reverse proxy is that it allows a threat actor to man-in-the-middle (MitM) a session and capture not only the usernames and passwords, but also the session cookie in real-time.

 In a recent publication, researchers from Stony Brook University and Palo Alto Networks investigated MitM phishing kits and uncovered an industry blind spot. The researchers created Phoca, a machine learning tool, to scan suspected phishing pages and identify if they were utilising a transparent reverse proxy to access MitM credentials. They discovered over 1200 MitM phishing sites.

Threat Actors Use Phishing Kits to Target Mobile Devices

 

Few threat actors are inspired by political leaders, some others by mischief or malice, but most of them are only I'm the game for cash and money. To make sure the criminal activities are making a profit, balance bus required between potential payday running against time, risk, and the resources required. It's no surprise that many people use phishing scams as their go-to attacks, harmful emails can be used to attack many targets without much difficulty, threat actors can buy easily available phishing kits that work as a basic prerequisite for everything the hackers need for a campaign. 

After thorough research of phishing email traffic, experts found that most of these attacks follow the cash either to big financial firms or big tech companies. Apple, Facebook (now Meta), and Amazon were among the top brands targeted with the phishing campaign. "On the financial side, Charles Schwab was by far the most popular target, and was the most used brand URL overall, accounting for 13.5 percent of all cases. Chase Bank – an American subsidiary of JP Morgan Chase & Co – RBC Royal Bank and Wells Fargo were also widely used in phishing URLs," reports Helpnet security. 

The top trend experts noticed was using of mobile technology for these phishing attacks like WhatsApp, SMS, and other services. Threat actors have also been using these techniques as a response to strict email security solutions. A mobile technology is said to be less secured compared to a desktop endpoint when it faces a phishing attack. Even if the mobile has a business email app, mediums like Whatsapp and SMS will escape any anti-phishing security that the device has. 

Cybercriminals might also combine mobile messaging and emails in a single attack, for instance, sending a phishing mail including QR code which is scanned by a mobile, doing so results in escaping detection and reaching the mobile endpoint. "Mobile-based phishing attacks are also harder to identify due to mobile devices’ smaller screen and simplified layout, compounding the lack of security solutions on mobile," reports Help Net Security.