EvilProxy Bypasses MFA by Capturing Session Cookies
Also: Lloyd's to Exclude Nation-State Cyberattacks; Confusion for Okta's Sales Force
The latest ISMG Security Report discusses a new phishing-as-a-service toolkit used by threat actors to bypass multifactor authentication, the decision by Lloyd's of London to exclude nation-state attacks from cyber insurance policies, and challenges at Okta since its acquisition of customer identity giant Auth0.
In this report, you'll hear:
- ISMG's Jeremy Kirk discuss fresh research that details a newly identified criminal service called EvilProxy that steals session cookies to bypass MFA and compromise accounts;
- Jonathan Armstrong of Cordery law firm analyze the announcement by insurance market giant Lloyd's of London that its cyber insurance policies will no longer cover state-sponsored cyberattacks;
- ISMG's Michael Novinson explain how Okta's acquisition of customer identity giant Auth0 has confused its own sales force.
The ISMG Security Report appears weekly on this and other ISMG websites. Don't miss the Aug. 25 and Sept. 1 editions, which respectively discuss whether ransomware-as-a-service groups are in decline and the evolving state of ransomware response.
Anna Delaney: Cybercriminal service EvilProxy bypasses MFA, and analyzing Lloyd's of London's decision to exclude nation-state attacks from insurance policies. These stories and more on this week's ISMG Security Report. Hello, I'm Anna Delaney. EvilProxy, a new phishing-as-a-service toolkit, is being advertised on popular crime forums as a means for threat actors to bypass MFA and compromise accounts. Executive editor Jeremy Kirk investigates.
Jeremy Kirk: One of the biggest challenges for cybercriminals right now is how to get past multifactor authentication. Cybercriminals can often either hack or buy login credentials, but one-time passcodes often stop their attacks in their tracks. But there are ways to bypass MFA. Nation-states and advanced cybercriminal groups have been doing it for some time with a technique called session hijacking. Some enterprising cybercriminals have now packaged this technique in an easy-to-use phishing kit that's sold on a subscription basis. It appears set to open up a powerful way to take over accounts to groups of less technical cybercriminals. The service is called EvilProxy. It appeared in early May in advertisements on cybercrime forums. Gene Yoo is CEO of Resecurity, which is a Los Angeles-based security consultancy. He says EvilProxy has been used against multiple employees from Fortune 500 companies. EvilProxy creates the phishing pages and offers a dashboard for its customers to keep track of their hacking campaigns. A key part of EvilProxy is its use of a reverse or transparent proxy. A reverse proxy is a server that sits in between a phishing site and the real service. It can intercept data sent back by the real service. This is sometimes referred to as an adversary-in-the-middle attack. Gene explains.
Gene Yoo: The reverse proxy concept is simple. The bad actor leads the victims into a phishing page, uses a reverse proxy to fetch all the legitimate content, which the user expects, including the login page, and sniffs their traffic as it passes through the proxy. This way they can harvest the actual valid session cookies and bypass the need to authenticate with usernames, passwords and/or MFA tokens.
Kirk: So, to say this another way, when the session cookie comes back from the real service, the attacker grabs it. A cookie is a small bit of data in your web browser that knows if you've authenticated to this service. By taking that cookie and inputting it into a browser, the legitimate service thinks the user is logged in. No username, password or MFA token is needed. It's a powerful way to take over an account. Here's Gene, again.
Yoo: 2FA and MFA are like the gold standard. Everybody talks about it. This is something we need. But now it's like, "Wait a minute! There is a phishing as a service." If you're able to fool the end user - this is all done transparently - then you don't even know what happened.
Kirk: EvilProxy has already been successfully used against users of services including Apple, Microsoft and GitHub. It's also capable of targeting users of services that are players in the software supply chain, including GitHub, the Python Package Index and RubyGems. That kind of targeting suggests it could be aimed at helping cybercriminals that want to tamper with, or install backdoors in, software packages. Yoo says that EvilProxy may be difficult to shut down. It employs the Tor anonymity system to frequently change up its phishing infrastructure. So, how do you avoid all this? One way to avoid this style of attack is to spot a phishing site and not enter your credentials. That can be difficult because the phishing sites look exactly like the real login dialogs that you would see for a service. Another way is to employ hardware security keys when logging into services, or even new passwordless protocols like WebAuthn. Experts say that these kinds of login methods, which are known as strong authentication, are the safest path forward. For Information Security Media Group, I'm Jeremy Kirk.
Delaney: Insurance market giant Lloyd's of London has announced that beginning in March 2023, its cyber insurance policies will no longer cover state-sponsored cyberattacks. ISMG's executive editor Mathew Schwartz asked Jonathan Armstrong, a partner at London-based law firm Cordery, whether this move is a useful evolution, or whether it could backfire for insurance firms.
Jonathan Armstrong: I think the simple answer is that we won't know until we know how the courts are going to interpret these clauses. And that might be four or five years down the line. One thing we will see is that insurers aren't equal. We have seen from the cases that we've been involved with some good insurers who will stand shoulder to shoulder with clients in a crisis, and some other insurers who don't. So I think that one of the lessons from this will be that organizations will have to involve their CISOs more in obtaining insurance if they don't already. Secondly, they're going to have to look at the quality of the insurer that they're dealing with. Is it somebody who's got a track record in the space of offering support when things go wrong? And thirdly, I think people are going to have to invest more effort to look into the nitty-gritty of the policy wording because, whilst this applies to Lloyd's policies at this stage, we're seeing other policies also adapt the wording, as I've said, since 2017. So, policy wording isn't necessarily the same. And people are going to have to follow that through. I think the other element of this that is interesting to me is that a number of our clients say, "Insurance premiums are rising. Even if the premium isn't rising, the excess level is rising." So, just as with car insurance, you might have an excess of 100 pounds. So, you might have an excess of 10,000 pounds. With cyber insurance, people might have an excess of $250,000-$500,000. So, we're paying more in terms of premium because we've got a bigger excess. And now you're going to toughen up the wording and exclude the type of attack that's our worst nightmare. Should we have a different relationship with our insurers? And for some organizations, I think wrongly, they treated insurance as an alternative to investing in procedures to stop ransomware.
And I think there's a realization amongst many organizations that that's a flawed strategy, always was, but now the light is shining on that strategy. So, I'm seeing some clients think, "Should we divert cyber insurance spending, so putting processes in place to stop attacks?" I don't think it's that binary a decision either, because many good insurers are insisting that you lock the perimeter, lock the doors on your shop, before they will insure you in any event. So I think it's shining a spotlight, not only on insurance, not only on the nation-state attacks, but also on the steps that organizations take to prevent bad things happening.
Delaney: And finally, identity management and authentication service Okta has been facing some challenges, as of late. I caught up with Michael Novinson, ISMG's head of business news for the latest. Really good to see you, Michael. You wrote a piece this week, saying that there's been an unintended effect from Okta's acquisition of customer identity giant Auth0. What's happened?
Michael Novinson: So, Okta closed the acquisition of Auth0 back in May of 2021. The big thing for Okta was they've been primarily focused on workforce identity. Auth0 is a market leader in customer identity. And that was a space Okta realized that they needed to do more in, but things unfortunately haven't gone according to plan, which is something that investors are not happy to hear after spending $6.5 billion on the company. In particular, there have been some challenges around the sales force integration. The two sales forces operated separately from the close of the deal in May of 2021 until the end of January 2022, which is the end of Okta's fiscal year, but then starting in February of this year, they began to bring the two sales forces together and it's led to a lot of confusion. In particular, the confusion stemmed from the fact that Okta had a CIAM offering, or a customer identity and access management offering, of its own, while Auth0's principal product is CIAM. So the company was going to market with two products called CIAM, which actually do two different things. And that was making it tough for salespeople to figure out which one they should lead with to customers, which of the CIAM products was a better fit for customers. And that perhaps has contributed to some attrition, higher turnover rates. At Okta, they're seeing turnover rates upward of 20%, while historically they've had turnover of 15% each year, and Auth0 even higher rates in terms of folks leaving, maybe joining other startups. Just being part of a big company like Okta is maybe a little different than what they've signed up for. So it's been a challenge for Okta trying to manage the turnover, while making it clear to both the sales forces and the market what their technology portfolio is.
Delaney: And how does Okta hope to clean up the mess?
Novinson: The big thing Okta's doing is they're rebranding one of their products. So what Okta historically was calling the CIAM, their own customer identity offering, they're rebranding as extended workforce identity. And they're putting it as part of the workforce portfolio. The reason being is this technology is focused on securing third parties, like contractors, vendors, supply chain, maybe channel partners; it's allowing them access into the corporate systems. So, it's never been a classic customer identity offering. So, they want to make it clear to the marketplace that what was historically known as Okta CIAM is more for this extended ecosystem of people who need to access corporate resources, while Auth0 CIAM is a true customer identity offering that goes through developers and helps secure customer-facing applications and websites. So, they're hoping that the rebranding will help clear some things up, and then they've also done some shuffling around in terms of leadership. Frederic Kerrest, who's the co-founder and the chief operating officer at Okta, is going to be taking a leave of absence for a year. So, they've reshuffled some of the leadership there to keep things going on the operations and the go-to-market side. So, they're hoping that the turnover will start to go down and the confusion will decrease in the months ahead.
Delaney: So, another event. Okta disclosed earlier this week that some customers' authentication data had been exposed by the attack on customer engagement platform Twilio. How has Okta responded?
Novinson: So, Okta was caught up in the compromise of Twilio. The reason being that one of the methods that they offer to customers to authenticate their identity is via a mobile device that uses Twilio. So, via the compromise of Twilio, the adversaries were able to compromise some Okta customers as well. The message from Todd McKinnon, the co-founder and CEO of Okta, is to try to find more secure authentication methods. The SMS push notification via Twilio, while something Okta offered, was maybe a less secure method, and to try to push toward true passwordless, where there's no inputting a password, there's no sign-in screen, and instead a user's identity is being authenticated through biometrics or through some other method where an adversary can't insert themselves in the middle and, if they have access to credentials, impersonate a legitimate user. So, McKinnon was urging people to take advantage of some of the more secure authentication methods that Okta has, and to get away from passwords and to get away from login screens altogether.
Delaney: This has been very helpful. Michael, thank you for your time.
Novinson: You're welcome. And I'm glad we could do this.
Delaney: That's it from the ISMG Security Report. Theme music is by Ithaca Audio. I'm Anna Delaney. Until next time.