As per a new phishing technique,adversaries can defeat multi-factor authentication (MFA) by having victims connect to their accounts directly on attacker-controlled servers using the VNC screen sharing system.
Bypassing multi-factor authentication (MFA) configured on the intended victim's email accounts is one of the most difficult barriers to successful phishing attempts.
Even if threat actors can persuade users to input their credentials on a phishing site, if the account is protected by MFA, completely breaching the account requires the victim's one-time passcode.
Phishing kits have been upgraded to employ reverse proxies or other means to obtain MFA codes from unwitting victims to get access to a target's MFA-protected accounts.
Companies, on the other hand, are becoming aware of this technique and have begun implementing security measures that prevent logins or cancel accounts when reverse proxies are found.
VNC is here to help.
Mr.d0x, a security researcher, attempted to create a phishing attack on the client's employees to get corporate account credentials while conducting a penetration test for a customer.
Mr.d0x put up a phishing assault utilising the Evilginx2 attack framework, which operates as a reverse proxy to steal credentials and MFA codes because all of the accounts were configured with MFA.
The researcher discovered that when reverse proxies or man-in-the-middle (MiTM) attacks were detected, Google blocked logins.
According to Mr.d0x, this was a new security feature installed by Google in 2019 precisely to avoid these types of attacks.
Websites like LinkedIn, according to the researcher, identify man-in-the-middle (MiTM) assaults and delete accounts following successful logins.
To get around this, Mr.d0x devised a cunning new phishing technique that employs the noVNC remote access software and browsers in kiosk mode to display email login prompts that are hosted on the attacker's server but shown in the victim's browser.
VNC is a remote access software that allows users to connect to and control the desktop of a logged-in user. Most people use dedicated VNC clients to connect to a VNC server, which opens the remote desktop in a similar way to Windows Remote Desktop.
An application called noVNC, on the other hand, allows users to connect to a VNC server directly from within a browser by merely clicking a link, which is where the researcher's new phishing method comes into play.
A new report by Mr.d0x on his new phishing technique explained, "So how do we use noVNC to steal credentials & bypass 2FA? Setup a server with noVNC, run Firefox (or any other browser) in kiosk mode and head to the website you’d like the user to authenticate to (e.g. accounts.google.com)."
"Send the link to the target user and when the user clicks the URL they’ll be accessing the VNC session without realizing. And because you’ve already set up Firefox in kiosk mode all the user will see is a web page, as expected."
A threat actor can use this configuration to send targeted spear-phishing emails with links that launch the target's browser and log into the attacker's remote VNC server. These links are highly customisable, allowing the attacker to make links that do not appear to be suspicious VNC login URLs.
Since the attacker's VNC server is set up to run a browser in kiosk mode, which displays the browser in full-screen mode, when the victim clicks on a link, they will be taken to a login screen for the targeted email provider, where they can log in as usual.
However, because the attacker's VNC server is displaying the login prompt, all login attempts will be made directly on the remote server. Once a user logs into the account, an attacker can utilise a variety of tools to obtain passwords and security tokens, according to Mr.d0x.
Even more dangerous, since the user enters the one-time passcode directly on the attacker's server, authorising the device for future login attempts, this technique bypasses MFA.
If the attack was limited to a few people, merely entering into their email account using the attacker's VNC session would grant the device permission to connect to the account in the future.
Because VNC allows many individuals to monitor the same session, an attacker might disconnect the victim's connection after the account was logged in and reconnect later to gain access to the account and all of its email.
While this attack is yet to be observed in the open, the researcher told BleepingComputer that he believes it will be used in the future.
Every phishing advice remains the same when it comes to safeguarding from these types of attacks: do not click on URLs from unknown senders, scan embedded links for strange domains, and take all email as suspect, especially when it asks you to log in to your account.
