
BG - Authentication Proxy Attacks: Detection, Response and Hunting

BSides Las Vegas · 45:53 · 179 views · Published 2023-10
About this talk
Breaking Ground, 10:30 Tuesday

Over five years ago, Evilginx was released, demonstrating the ease of stealing authentication session tokens from MFA-enabled logon processes with a simple reverse proxy. Despite being a well-known technique, few of these attacks were seen in widespread use among cybercrime threat actors, until recently. The advent of EvilProxy and similar platforms has given attackers the ability to compromise targets with strong authentication without resorting to burdensome SIM swapping or noisy push-fatigue attacks. With nascent adoption rates of phish-resistant MFA outside government-aligned sectors, organizations need to know how to detect and respond to these attacks. In this talk, we will provide an in-depth look at the tactics, tools and procedures used in MFA-enabled account takeover. We'll demonstrate how the ingenuity of this attack has a fatal flaw at its core, allowing us to hunt, detect, mitigate and block this type of attack.

Speaker: Chris Merkel
Transcript [en]

Today's talk is Authentication Proxy Attacks. I've got to admit, finding out that I was right after Josh Corman, the indomitable Josh Corman, was a bit intimidating. But we're going to talk a bit about this, and a few of the things Josh said resonated with me. The first is the fact that it's up to us, it's up to all of us, to make this difference, to make the difference in the organizations that you all collectively represent. So in this talk my focus is on the practical. I'm hoping that everybody, regardless of where you are (so we talked about Wendy Nather's security poverty line; Google it if you haven't heard of it), but I know that many of you are below, some of you are above. My goal here is not just to speak to the people who are at or above, the well-resourced, right, the ones who can send you here and pay your way and all that kind of stuff. I want to make sure that everybody has the opportunity to take something back with them.

A little bit about myself. My name is Chris Merkel. I'm a senior director of cyber defense at Northwestern Mutual, which is an insurance company. I've been doing security for a long time, long enough that I've stopped telling you what it is in years, because I'd just rather not; it's been too long. I've been coming to BSides Las Vegas on and off for over a decade now. I love this conference, I love the vibe, I love the people that come here. This is hands down top five. I like to reverse engineer malware for fun. Most of my days are spent leading teams of people who do the fun things, so I still try to spend my time doing that. I also have bad habits and opinions. Yeah, I like Nano over Vim. I have been convinced that pineapple actually does taste good on pizza, so my mind can be changed. And I put those two bullet points in to remind myself that my terrible opinions and decisions do not represent those of my employer. That's like a little mental bookmark
right there. All right, and then the last point here: I got to meet John McAfee here almost 10 years ago. How many of you were here when he came to BSides? A couple of you. That was wild. That experience of hearing him get grilled in depth by people who understood facts, details and timelines was crazy. And reflecting on it, my first point here about being in security for a long time: the longer I've been in security, the more I can start to understand John McAfee's overall arc, to go from cybersecurity luminary to bath salts enthusiast to crypto grifter. I used to think, man, how did that happen? And now that I've been doing this for a while, I'm kind of like, that doesn't sound half bad. I'll have my contact information on the last slide as well. You can find me on the fediverse and on the Zuckerverse; I'm out there right now. The other thing I want to point out here is that the stuff I'll be talking about here is not solely my research. I work with some of the most brilliant people working in cybersecurity, in counter-threat, in intelligence, in threat hunting, in incident response, in detection engineering, and I am sharing that collective knowledge with all of you.

So let's talk about all of you. You did it: you got multi-factor authentication. Look, it is the year 2023, and I know some of you are thinking to yourselves, well, yeah, but mostly. Okay, that's fine, but take the victory lap. Okay? That's a big deal. If you've pushed your organization through, if you've had those conversations about user experience and the challenges that come with that, particularly if you're working with consumers, clients, people outside your organization, those are tough conversations. You did good. Now some of you may have also moved on from SMS. Okay, SMS is weak, but SMS is great. Okay, it can be both; I'll talk a little bit about why that is. If you're in this position, most of the threats that your organization faces against your
logons, your sign-on, your authentication, you've made inroads at those. That's great. But as we know, our adversaries change their tactics, and we're going to talk about that. So with the good news comes the bad news, and the bad news is that even while you might have multi-factor authentication protecting your organization and its assets, increasingly it is not enough. So we're starting to see attacks that were really demonstrated to be possible well over five years ago starting to actually materialize. So we're seeing these types of campaigns going on, and so what I'm going to be talking about is an evolution in adversarial tradecraft that's taking your typical adversary-in-the-middle and moving it to the next layer, for targeting organizations for whom they've done those fundamental cyber hygiene basics like turning on multi-factor authentication. Okay, so that's the bad news.

Now, shout out to CISA. So CISA entered this conversation almost two years ago, and they released a paper on this. I strongly recommend you look it up, but I have summarized it for you. It's fantastic, and what I love in particular about this (and by the way, again, another shout out to Josh Corman; he talked about changing the dialogue, changing the framing, right): so what did we used to say? We used to say that you need to make sure you have strong authentication, and if you got into the weeds with somebody they would say, well, I've got a long password, so that's strong authentication. Oh no, no, no, no, you need multi-factor authentication; that is strong authentication. Well, okay, I can do that. Well, the problem is, and I'm going to assume most of you understand this problem to some extent or another, these other second factors have weaknesses, and specifically the weakness of token theft is what I'm going to talk about today. And so they embraced the term phishing-resistant multi-factor authentication. Now here's why I
love that term: it's a term of art. I'm saddened that it was first an industry term before CISA came up with it, but what that means is, as you are talking to the decision makers in your organization and they're going to ask you questions like, are we resistant to phishing attacks? You might say, are we? Okay. You might say...

It's time for your outrageous speaker request! When we have speakers who apply to speak in the program, we have this thing called an outrageous speaker request. It's a little field at the very end of the application that gives them a chance to ask for anything else they might want. What I ask for, it was really late at night in this case... we were asked to bring back green apple Skittles, which has been, please yes, discontinued and replaced with lime, I believe. Again, lime is terrible; got rid of the lime. For those who are not up on the drama of Skittles: lime was around, they got rid of it, they put in green apple, now they got rid of green apple, brought back the lime, and so now everybody's angry. It's a classic Coke / New Coke thing. Anyway, so there is now on change.org a petition to bring back green apple Skittles, and I have here flyers to hand out to everybody in the audience. I ask you to please consider honoring our speaker request and helping us to bring back green apple Skittles. Here at BSides, change the world one person, one thing at a time, one Skittle at a time.

So according to this handout that he's provided me, the change.org petition only has 834 signatures. That means if every one of you in this room, by my rough count, went and petitioned for this change, we could get this over a thousand people. We can do this. [Applause]

All right, let me transition back into... where was I? All right. So again, we're talking about changing the framing to change the discussion. If you are talking with your leaders, again, if you're talking with your CISO, CIO, board member, and they want to ask you, are we resistant to phishing attacks? Now
your answer can be: some, but not all. We don't run phishing-resistant authentication in our organization, and it's not just your opinion; now you can bring up the eagle shield, because that carries a lot of weight. We'll talk a little bit more about the technical mechanics of this in a minute, I promise. Token replay attacks are on the rise. I don't know if any of you have read the long-form Wired article on the hack at EA, but it is fantastic, and I strongly encourage you to look at what can happen when you start with one stolen Slack token. This data is a little old, but it comes from a good source, from Microsoft. I do reserve the right to give them grief, but they've been making some positive moves, so I might pull my punches. But we can see that the use of tokens is on the rise.

So let's get into how this all works. Now, it's a bit of a complicated diagram, and I'm going to keep staring at this screen over here because it's a little bit bigger than I can see on my presenter view, but we're going to walk through, step by step, technically how this attack works. So first it's going to start with a phishing message; y'all get this. Your victim is going to enter their creds and they're going to enter in their MFA. Now that could be a code request from SMS, that could be a device approval, something along those lines. Now again, I'm not talking about FIDO2 WebAuthn; this is everything that's not that. The attacker has a proxy set up, so what they're doing here is they are taking your actual logon page and just proxying it. They're not making a copy; they're not doing, like, copy and paste into Word and then back into HTML. I always laugh when I see Word HTML in adversary pages and stuff like that; it really cracks me up. It also makes me sad because it totally still works. And what's going to happen is, when they put their credentials in, that's going to get forwarded across the proxy to your identity provider. So your identity provider
is like, oh, I've received credentials, because they were asked for, they were requested by this proxy, and now I'm getting this back. This all looks normal to me. The attacker along the way is going to steal the credentials, because you can use those later, even if your primary target is the token. The identity provider, they don't know what's up; this is just a request from a client for auth, that's normal. So they're going to go, yep, everything checks out, MFA A-OK, here's your session token. Now the attacker is like, yeah, cool, I have your session token. That session token gets passed right back to the user. So the other thing you tend to run into with these phishing attacks is, what have you done once you've actually... updates, thank you J. What do you do when you've successfully conned that person? You have to take them somewhere, and this is where adversaries are kind of like, I don't know, maybe I'll dump you at google.com or something, who knows, or whatever, right? But by forwarding that session token back, your user has a valid session. So where do they go next? They go to the actual site that they've just authenticated to. So to them, from their perspective and experience, they just successfully logged in. Why? Because they just successfully logged in. Because that's how this works. Now that becomes a real problem for your security awareness and education, right? Because at this point nothing looks different. You've successfully logged in; the documents that you've most recently worked on in Microsoft 365, they're all there. So now what does the attacker do? They just replay the session token. Now, I'm not an expert in all of the Microsoft primary tokens, refresh tokens, sub-tokens, app tokens; it's complicated. Suffice it to say, if you can get your hands on that primary refresh token, by default in Microsoft 365 you have seven days of access that you can parlay. And then of course those
creds go on to secondary markets, maybe get used in password spray attacks, go find those little corners and edge cases in your organization where you haven't quite gotten that two-factor authentication in yet.

So let's talk a little bit about delivery. I could give a whole talk on this; instead I'm going to give one slide. Delivery methods are getting pretty interesting, in my opinion. First and foremost, we are seeing these types of advanced MFA proxy attacks coming across bog-standard dumb phishing emails. Okay, still works. Why change, right? We're also seeing what I call encrypted message hollowing. What this is: so if you've ever used, you know, Proofpoint, Microsoft sending to Gmail, Mimecast, etc., you've gotten this message that says you have a secure message waiting for you, you need to log into a portal, yada yada yada. Most of the time those types of systems are used in business-to-consumer types of relationships, and what that means is you don't want to necessarily burden that poor end user with having to set up full MFA or whatever it is just to read that one important email that you want to send them, about a health care issue, about a financial transaction, about a real estate deal, whatever it is, right? Well, what attackers are doing is they're gaining access to one of these encrypted messages. How do they do it? A traditional account takeover, you know, those kinds of things; they hit a thing, maybe they do a password reset, whatever it is, and they get into that corporate email encryption solution from one of these big-name vendors. And if it's not configured properly, they go into this message and they hit the reply button. But then what they do is they just blank out everything in there. Or, I'm sorry, they don't hit reply, they hit forward; critical difference. They're going to hit forward on that message, and they're going to blank out the message body, they're going to blank out the subject line, and they're going
to put you in as a target. Now instead of having to create those goofy-looking, fakey "you have an encrypted document" kind of nonsense, that could potentially be taken down because it is part of adversary infrastructure and all of that, they are now landing at your big corporation's encrypted messaging solution, but what they're seeing is a wholly new message. And we have witnessed one adversary group literally make hay from one account and one message, just blanking it out and using it over and over and over and over and over again. And every time the recipient gets "you've got a secure message", they're not going to get any warnings, and it comes from a big corporation, and so the big corporation is inherently trusted. We're also seeing account takeovers in the Microsoft 365 space abusing Microsoft Purview. Microsoft Purview is the encryption solution that used to be called something else; I guess their branding, rebranding worked, because I can't remember the old one. But it's basically, when you hit Send Secure in Microsoft Outlook, that's Microsoft Purview messaging. As a tenant administrator or as an Exchange administrator, you have very little ability to inspect what goes into that. And if somebody is in the Microsoft 365 world and they receive a Purview message, it actually gives the attackers additional credibility, because you get this green banner across the top of your Outlook that says, congratulations, this message is encrypted. And if you're the end user and you see a green bar with a green check mark in it, how do you interpret that? Do our end users go, wow, that's fantastic, they employed transit encryption on this, I feel good about that? No. The way they interpret this is, oh, bar is green, I'm safe, I don't have to think about those security awareness messages anymore, click. If you're sending it outside of a Microsoft organization, you're going to, you know, Gmail, whatever, you're going to get that typical "log into the portal". You'll
get a message attachment; that message attachment is fully encrypted. You can't inspect any of this, and that really is unfortunate.

So I talked a bit about what the victim experience is like. This is what it looks like. The only thing that you're going to see different is the URL in the browser bar. You can't fake that out. You can do tricky things, right-to-left, all those obfuscation techniques that we know and love, but again, your security awareness messaging is a lot less effective at this point. Why? Because if you have a branded portal, like I show off one on the right here, this is the one they see every single day. If it's a standard Microsoft logon, it's the standard Microsoft logon. So what's your click rate already on a fake logon? It's pretty bad, right? But when you have nothing to tell somebody... I mean, yeah, you can tell them go look at the browser bar, but again, think about this whole attack chain from end to end. You receive an encrypted message from a well-known, reputable corporation; maybe it's somebody you already do business with, because they've done account takeover for that outside organization you're working with. You receive an encrypted message; the encrypted message has a green bar on it, now it's trusted; you click on that. I do not believe that it is even fair to ask our users to catch this.

So let's talk a little about the evolution of tradecraft. One of my colleagues shares my same passion for terrible clip art, so there's your DALL-E generated hacker. Thanks, Chris. Our adversaries are also evolving their tradecraft, so we are seeing a lot more anti-inspection techniques. So even if you'd gotten to the point where you were extracting all of the URLs from your email traffic and things like that, passing that through some sort of reputation service, sandbox, whatever it is, doing that in bulk, you're probably not going to catch
it. Why? They're doing things like referrer checking, right? They want to make sure that this looks like it came from an email click, things like that. They're doing basic sandbox detection stuff. Like I said, they're using encrypted email. They're also looking for egress IPs, so if they're targeting a specific corporation or set of corporations and you're not coming from one of those egress IPs that's noted on the ARIN or RIPE or whatever netblocks, you're just going to get redirected somewhere else. Beyond that, they're doing a lot of redirect chains and other obfuscation techniques, right? So your typical automated sandbox that's going to look at a web page, maybe it'll follow one redirect, maybe two; not six. So that becomes a bit of a challenge to do any kind of inspection at scale.

So let's talk about how we detect these things. I did put in the description of this talk that there is one fatal flaw. There is; it's a bit weak, so if you don't like it, I'm sorry. But, you know, you've got to put butts in seats, what are you going to do? So let's talk about detecting attacks. First and foremost, none of these things individually is going to be the tell, the detection, the one thing that allows you to catch 100%, 80%, 60%. But if you treat these as signals, if you have the ability to look at multiple dimensions, if you have the ability to do any type of correlation, you can build strong signals out of this. Depending on the nature of the organization you represent, impossible travel is reasonably accurate. The problem is that all of your users who watch YouTube have now installed NordVPN after the three-month trial subscription, and it's all running on their phones all of the time. And not just picking on Nord; they're fine for what they are, other than snake oil for consumers. They do go to great lengths to hide their egress
traffic. Why? Because
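The detection approach the talk has just begun to lay out (treat impossible travel, an unfamiliar egress network and a session token showing up from more than one place as signals, and correlate them rather than alerting on any one of them) as an added Python example. This is not code from the talk or from any vendor's product: the event schema, the ASN lists, the 900 km/h speed ceiling, the scoring thresholds and the sample sign-in records are all constructed assumptions. It also carries the speaker's VPN caveat, which the page raises but does not finish: a sign-in from a known consumer VPN exit still raises the impossible-travel signal, but at a reduced weight, so that it only becomes a high-confidence finding in combination with something else.

```python
"""Correlating sign-in signals for authentication-proxy / token-replay detection.

Added example, not code from the talk. The event schema, ASN lists, speed
ceiling and scoring thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

KNOWN_EGRESS_ASNS = {"AS64500"}   # assumed: the organisation's own internet egress
CONSUMER_VPN_ASNS = {"AS64499"}   # assumed: exits of consumer VPN services
MAX_PLAUSIBLE_KMH = 900           # assumed ceiling: faster than this is "impossible travel"

# Constructed sample sign-in events (not real logs). lat/lon is the geolocation
# of the source IP; "session" is the session identifier the IdP issued.
EVENTS = [
    {"user": "alice", "ts": "2023-08-08T13:00:00Z", "ip": "203.0.113.10",
     "lat": 43.04, "lon": -87.91, "asn": "AS64500", "session": "s1"},
    # Same session id minutes later from another continent and an unknown
    # network: the token issued to the victim is being replayed elsewhere.
    {"user": "alice", "ts": "2023-08-08T13:04:00Z", "ip": "198.51.100.7",
     "lat": 52.37, "lon": 4.90, "asn": "AS64511", "session": "s1"},
    {"user": "bob", "ts": "2023-08-08T09:00:00Z", "ip": "203.0.113.11",
     "lat": 43.04, "lon": -87.91, "asn": "AS64500", "session": "s2"},
    {"user": "bob", "ts": "2023-08-08T17:00:00Z", "ip": "203.0.113.12",
     "lat": 41.88, "lon": -87.63, "asn": "AS64500", "session": "s3"},
    {"user": "carol", "ts": "2023-08-08T10:00:00Z", "ip": "203.0.113.13",
     "lat": 43.04, "lon": -87.91, "asn": "AS64500", "session": "s4"},
    # Fresh authentication from a consumer VPN exit abroad: looks like impossible
    # travel, but the VPN explains it, so the signal is kept at reduced weight.
    {"user": "carol", "ts": "2023-08-08T10:10:00Z", "ip": "192.0.2.44",
     "lat": 50.11, "lon": 8.68, "asn": "AS64499", "session": "s5"},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS84 points."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def required_speed_kmh(prev, cur):
    """Speed the user would have needed to get from event prev to event cur."""
    km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
    hours = (parse_ts(cur["ts"]) - parse_ts(prev["ts"])).total_seconds() / 3600
    if hours <= 0:
        return float("inf") if km > 0 else 0.0
    return km / hours


def signals_for(prev, cur, session_ips):
    """Weighted signals raised by event cur, given the user's previous event and
    the set of source IPs seen so far for each session id."""
    signals = {}
    if prev is not None and required_speed_kmh(prev, cur) > MAX_PLAUSIBLE_KMH:
        # A consumer VPN exit explains a lot of "impossible travel": discount, don't drop.
        signals["impossible_travel"] = 1 if cur["asn"] in CONSUMER_VPN_ASNS else 2
    if cur["asn"] not in KNOWN_EGRESS_ASNS:
        signals["new_asn"] = 1
    if len(session_ips[cur["session"]]) > 1:
        # One issued session used from more than one source IP: token replay.
        signals["session_reuse"] = 2
    return signals


def score_events(events):
    """Correlate each user's signals into a score and a level; no single signal
    is treated as proof on its own."""
    by_user = defaultdict(list)
    for event in sorted(events, key=lambda e: e["ts"]):
        by_user[event["user"]].append(event)
    findings = {}
    for user, user_events in by_user.items():
        session_ips = defaultdict(set)
        prev, score, names = None, 0, set()
        for event in user_events:
            session_ips[event["session"]].add(event["ip"])
            raised = signals_for(prev, event, session_ips)
            score += sum(raised.values())
            names.update(raised)
            prev = event
        level = "high" if score >= 4 else "medium" if score >= 2 else "low"
        findings[user] = {"score": score, "signals": sorted(names), "level": level}
    return findings


if __name__ == "__main__":
    for user, finding in score_events(EVENTS).items():
        print(user, finding)
```

Run as-is it reports alice as high (impossible travel, unknown ASN and the same session id seen from two IPs), bob as low (a normal commute on the corporate egress), and carol as medium (impossible travel explained by a consumer VPN exit, plus an unfamiliar ASN). The weights and thresholds are the part to tune per organisation: the point the talk is making is that correlation across dimensions gives you a usable signal where any one dimension alone is noisy.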