Getting to grips with Adversary-in-the-Middle threats


In cybersecurity, defenders are often a victim of their own success. When enough organizations adopt a successful solution, threat actors adapt. For a long time, multi-factor authentication (MFA) was seen as one of the best defenses against password-based attacks. And this is still true today. However, a sharp increase in adversary-in-the-middle (AiTM) attacks means that MFA alone may no longer be enough.

Our annual State of the Threat Report highlighted a notable rise in AiTM attacks. You could see this as a positive step, resulting from wider use of MFA. But another driver for this growth is the ease and availability of access to the necessary software.

Rafe Pilling

Director of Threat Intelligence in the Counter Threat Unit at Secureworks, a Sophos Company.

AiTM explained

AiTM attacks are a sophisticated method of intercepting and potentially altering communication between two parties, carried out without their knowledge. Increasingly we're seeing these attacks take the form of AiTM phishing attacks. This uses email or a messaging service to create the conditions for an attacker to intercept and manipulate communications between a user and a legitimate service in order to steal credentials and authenticated access tokens.

We’re used to seeing traditional phishing attacks that trick people into visiting fraudulent websites, where any credentials they enter are stolen. AiTM attacks take this a step further. Adversaries use sophisticated but easy-to-use frameworks to set up a server that sits between the targeted person and the real service. By luring victims to authenticate through this server, threat actors can steal the resulting access token. The attacks use reverse proxy servers to intercept the communication: the proxy terminates the victim’s SSL/TLS connection and opens its own connection to the real service, so it sees the whole data exchange in the clear.

In practice, it looks like this: an individual receives a phishing email that looks legitimate. The link it contains does lead to the real website they expect, not to a fraudulent copy, but it routes them there through a malicious reverse proxy server. When the authentication process completes, the legitimate website issues the user an authenticated token, or authenticated session cookie, to enable ongoing persistent access. This is where AiTM attacks really differ from traditional phishing: the malicious proxy server sees both the user’s credentials and the token. Taking this token gives the threat actor continued access, bypassing MFA and without having to reauthenticate.
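The token replay described above, and the fraud built on stolen session cookies discussed under "Access enables attack", leaves a trace on the service side: the same cookie starts arriving from a different network and browser within minutes of being issued. The following Python is an added example written for this article, not code from Secureworks or TechRadar. It reads a constructed sign-in log (the field names and every record are made up) and flags a session identifier that is reused from a different autonomous system (ASN) or user agent shortly after its first use.

```python
"""Flag session cookies that are replayed from a second location shortly after
they were issued.  Added example for this article (not Secureworks or TechRadar
code).  The log format, field names and every record below are constructed;
a real identity provider's audit log would need its own parser."""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample log: one row per request that presented a session cookie.
# session_id would be a hash of the cookie, never the cookie value itself.
SAMPLE_LOG = """\
timestamp,user,session_id,client_ip,asn,user_agent
2025-03-01T09:00:05Z,alice,s1a2b3,203.0.113.10,AS64500,Mozilla/5.0 (Windows NT 10.0) Chrome/122
2025-03-01T09:00:09Z,alice,s1a2b3,203.0.113.10,AS64500,Mozilla/5.0 (Windows NT 10.0) Chrome/122
2025-03-01T09:04:41Z,alice,s1a2b3,198.51.100.77,AS64496,Mozilla/5.0 (X11; Linux x86_64) Firefox/115
2025-03-01T09:10:00Z,bob,t9x8y7,192.0.2.25,AS64501,Mozilla/5.0 (Macintosh) Safari/17
2025-03-01T09:20:00Z,bob,t9x8y7,192.0.2.25,AS64501,Mozilla/5.0 (Macintosh) Safari/17
"""


def parse_log(text):
    """Parse the CSV log into dicts with a real datetime, oldest first."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append(row)
    rows.sort(key=lambda r: r["timestamp"])
    return rows


def find_session_replays(rows, window=timedelta(hours=24)):
    """Return one alert per request that reused a session_id from a different
    ASN or user agent than the request that first presented it, within
    `window` of that first use.  Comparing ASN rather than IP avoids alerting
    on a mobile client whose address changes inside one carrier."""
    first_use = {}   # session_id -> the earliest request seen for it
    alerts = []
    for row in rows:
        origin = first_use.setdefault(row["session_id"], row)
        if origin is row:
            continue                       # this request established the session
        if row["timestamp"] - origin["timestamp"] > window:
            continue                       # old session; outside the replay window
        changed = [field for field in ("asn", "user_agent")
                   if row[field] != origin[field]]
        if changed:
            alerts.append({
                "user": row["user"],
                "session_id": row["session_id"],
                "seconds_after_first_use": int((row["timestamp"] - origin["timestamp"]).total_seconds()),
                "changed": changed,
                "first_ip": origin["client_ip"],
                "replay_ip": row["client_ip"],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_session_replays(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample data the only alert is alice’s session, reused 276 seconds after issue from a new ASN with a different browser. A change in both fields within minutes is a strong signal; a change in one alone (a user switching on a VPN, for instance) is common enough that this should feed triage rather than an automatic lockout, and the 24-hour window is an arbitrary tuning value.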

Access enables attack

There are a number of sophisticated solutions available for free on the Internet and phishing kits can be hired on underground marketplaces and Telegram. Popular kits include Evilginx3, EvilProxy and Tycoon 2FA. These kits not only facilitate attacks, but also automate some parts, making it much easier and cost effective for threat actors to execute attacks.

Credentials form a crucial part of our online identities – both for high-value personal services, like banking, and also our work. Often these are protected by MFA, so even if a threat actor has the credentials, they can’t get any further. However, AiTM enables the theft of authenticated session cookies. These can be used directly in additional fraud and extortion including business email compromise, data theft extortion and ransomware.

Preventing AiTM threats

Before anyone panics, this isn’t a reason to get rid of MFA. Several of the major cyberattacks in 2024 could have been prevented if MFA had been in place, and it remains a crucial part of the necessary defenses against cyberattacks.

However, it's important to have tools in place that are robust enough for changing threats. Phishing-resistant MFA is built on standards like FIDO2 and goes deeper than traditional MFA. The authenticator’s response is bound to the web origin the browser is actually connected to, so a response produced on a proxy’s domain is rejected by the real service. This ensures the authentication is tied to the person and the device that completed the process, effectively making the AiTM attack fruitless.
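To show why origin binding defeats a relay, here is an added Python simulation written for this article; it is not code from the FIDO Alliance, Secureworks or any WebAuthn library. It models the three parties of a WebAuthn assertion (relying party, browser, authenticator): the domains login.example.com and login.example-proxy.test are constructed, the challenge is hex rather than base64url, and an HMAC stands in for the authenticator’s public-key signature. The relying party checks the same fields a real one does: the challenge, the origin the browser recorded in clientDataJSON, the RP ID hash in the authenticator data, and the signature over both.

```python
"""Why a FIDO2/WebAuthn assertion cannot be relayed through an AiTM proxy.
Added simulation for this article, not FIDO Alliance, Secureworks or library
code.  Constructed domains; HMAC stands in for the authenticator's signature."""
import hashlib
import hmac
import json
import os

RP_ID = "login.example.com"               # constructed relying party
RP_ORIGIN = "https://login.example.com"


def build_client_data(challenge_hex, page_origin):
    """The browser, not the web page, fills in 'origin': it is the origin of
    the document that called navigator.credentials.get()."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge_hex,
                       "origin": page_origin}, separators=(",", ":")).encode()


class Authenticator:
    """Toy authenticator holding one credential per RP ID."""

    def __init__(self):
        self._creds = {}       # rp_id -> secret (stand-in for the private key)
        self.counter = 0

    def register(self, rp_id):
        secret = os.urandom(32)
        self._creds[rp_id] = secret
        return secret          # stand-in for the public key the RP stores

    def get_assertion(self, rp_id, client_data):
        if rp_id not in self._creds:
            raise LookupError(f"no credential registered for rp id {rp_id!r}")
        self.counter += 1
        # authenticatorData = sha256(rpId) || flags || signCount
        auth_data = (hashlib.sha256(rp_id.encode()).digest()
                     + b"\x01" + self.counter.to_bytes(4, "big"))
        signed = auth_data + hashlib.sha256(client_data).digest()
        sig = hmac.new(self._creds[rp_id], signed, "sha256").digest()
        return {"authenticatorData": auth_data, "clientDataJSON": client_data,
                "signature": sig}


def verify_assertion(assertion, expected_challenge, public_key):
    """Relying-party checks, in the order a real RP performs them."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(cd.get("challenge", ""), expected_challenge):
        return False, "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rp id hash mismatch"
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(public_key, signed, "sha256").digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def login(page_origin, browser_rp_id=None):
    """One authentication ceremony.  page_origin is where the browser really
    is (the real site, or the proxy's domain).  browser_rp_id defaults to that
    origin's host, which is the rule a browser enforces; passing RP_ID on a
    proxy origin models a browser that wrongly ignored that rule."""
    authenticator = Authenticator()
    public_key = authenticator.register(RP_ID)   # done earlier, on the real site
    challenge = os.urandom(16).hex()             # RP challenge; a proxy relays it unchanged
    rp_id = browser_rp_id or page_origin.split("://", 1)[1]
    client_data = build_client_data(challenge, page_origin)
    try:
        assertion = authenticator.get_assertion(rp_id, client_data)
    except LookupError as exc:
        return False, str(exc)
    return verify_assertion(assertion, challenge, public_key)


if __name__ == "__main__":
    print("real site:      ", login(RP_ORIGIN))
    print("via proxy:      ", login("https://login.example-proxy.test"))
    print("lax browser:    ", login("https://login.example-proxy.test", browser_rp_id=RP_ID))
```

The proxy fails twice over. First, the browser derives the RP ID from the domain it is actually on, so the authenticator has no credential for the proxy’s host and refuses. Second, even if a browser signed with the real RP ID anyway, the origin inside the signed clientDataJSON is the proxy’s, and the relying party rejects it before it ever looks at the signature. A password and TOTP code carry no such binding, which is why the proxy can forward them untouched.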

For individuals, these attacks can be harder to spot because the legitimate service is passed straight through to the user; the attack infrastructure is essentially transparent. But there are strategies that can help employees remain secure. Encourage them to think about the initial interaction: did they receive an email that prompted an urgent action? If they are being asked to follow links and authenticate, they should question whether the context is normal. If there’s any doubt, they should feel empowered to raise it with the internal team. Above all, encourage employees to always be cautious and curious.


This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
