
Researchers: AiTM Attacks Are Targeting Google G-Suite Enterprise Users


A large-scale adversary-in-the-middle (AiTM) phishing campaign targeting enterprise users of Microsoft email services has also targeted Google Workspace users. 

"This campaign specifically targeted chief executives and other senior members of various organizations which use [Google Workspace]," Zscaler researchers Sudeep Singh and Jagadeeswar Ramanukolanu detailed in a report published this month.

The AiTM phishing attacks are said to have begun in mid-July 2022, using a similar method to a social engineering campaign designed to steal users' Microsoft credentials and even circumvent multi-factor authentication. 

The low-volume Gmail AiTM phishing campaign also includes the use of compromised CEO email accounts to conduct additional social engineering, with the attacks also using several compromised domains as intermediate URL redirectors to take victims to the final landing page.

Attack chains entail sending password expiry emails to potential targets containing an embedded malicious link to supposedly "extend your access"; clicking it takes the recipient through Google Ads and Snapchat redirect pages that load the phishing page URL.

Aside from open redirect abuse, a second variant of the attacks uses infected sites to host a Base64-encoded version of the next-stage redirector in the URL, along with the victim's email address. This intermediate redirector is a piece of JavaScript code that directs the victim to a Gmail phishing page.
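The two redirector patterns described above (an open-redirect parameter carrying the next hop, and a Base64-encoded next hop plus recipient address embedded in the URL) are the kind of thing a mail-gateway or proxy filter can flag before a user ever reaches the landing page. The following is an added defender-side example, not code from the Zscaler report; the parameter names, hostnames and sample URLs are all constructed for illustration and are not indicators from the campaign.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlparse

# A whole parameter value that is an e-mail address.
EMAIL_RE = re.compile(r"^[^@\s/]+@[^@\s/]+\.[A-Za-z]{2,}$")
# Characters permitted in standard or URL-safe Base64.
B64_RE = re.compile(r"^[A-Za-z0-9+/_=-]+$")


def try_base64_decode(value: str):
    """Return decoded UTF-8 text if value is Base64 (standard or URL-safe), else None."""
    text = value.strip()
    if len(text) < 8 or not B64_RE.match(text):
        return None
    padded = text + "=" * (-len(text) % 4)  # tolerate stripped padding
    decoders = (lambda s: base64.b64decode(s, validate=True), base64.urlsafe_b64decode)
    for decoder in decoders:
        try:
            decoded = decoder(padded).decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
        if decoded.isprintable():
            return decoded
    return None


def classify(value: str, page_host: str):
    """Classify one value: an absolute URL pointing off the current host, an e-mail, or nothing."""
    target = urlparse(value)
    if target.scheme in ("http", "https") and target.hostname and target.hostname != page_host:
        return "external_redirect"
    if EMAIL_RE.match(value):
        return "email_address"
    return None


def analyze_url(url: str):
    """Inspect a URL's query parameters for redirect-chain indicators.

    Returns a list of (parameter, kind, value). kind is 'external_redirect' or
    'email_address', prefixed with 'base64_' when the value had to be decoded first.
    """
    parsed = urlparse(url)
    page_host = parsed.hostname or ""
    findings = []
    # parse_qs already percent-decodes values and keeps '=' padding inside a value.
    for name, values in parse_qs(parsed.query, keep_blank_values=True).items():
        for plain in values:
            kind = classify(plain, page_host)
            if kind:
                findings.append((name, kind, plain))
                continue
            decoded = try_base64_decode(plain)
            if decoded:
                kind = classify(decoded, page_host)
                if kind:
                    findings.append((name, "base64_" + kind, decoded))
    return findings


# Constructed sample URLs (not indicators from the report): an open-redirect lure,
# a Base64 variant carrying the next hop and the recipient address, and a benign URL.
NEXT_HOP = "https://lure.example/extend-access"
RECIPIENT = "ceo@victim.example"
SAMPLE_URLS = [
    "https://redirector.example/out?url=https://lure.example/extend-access",
    "https://compromised.example/r.php?d="
    + base64.urlsafe_b64encode(NEXT_HOP.encode()).decode()
    + "&e="
    + base64.urlsafe_b64encode(RECIPIENT.encode()).decode(),
    "https://mail.example/inbox?folder=important",
]

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        print(sample)
        for finding in analyze_url(sample) or [("-", "no findings", "")]:
            print("   ", *finding)
```

The check deliberately reports the decoded next hop rather than following it: a filter that fetches every embedded URL becomes a tracking beacon for the sender. A Base64 hit is only reported when the decoded bytes parse as an off-host URL or an e-mail address, which keeps ordinary alphanumeric parameter values from producing noise.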

In one case, the redirector page used in the Microsoft AiTM phishing attack on July 11, 2022, was revised to take the user to a Gmail AiTM phishing page, connecting the two campaigns.

"There was also an overlap of infrastructure, and we even identified several cases in which the threat actor switched from Microsoft AiTM phishing to Gmail phishing using the same infrastructure," the researchers said.

Overall, the findings suggest that multi-factor authentication safeguards alone are insufficient to defend against advanced phishing attacks, necessitating that users scrutinize URLs before entering credentials and avoid opening attachments or clicking on links in emails sent from untrusted or unknown sources.

RTLS Systems Found Vulnerable to MiTM Attacks & Location Manipulation


Multiple vulnerabilities in Ultra-wideband (UWB) Real-time Locating Systems (RTLS) have been reported, allowing threat actors to launch adversary-in-the-middle (AitM) attacks and tamper with location information. 

The cybersecurity firm Nozomi Networks disclosed in a technical write-up last week, "The zero-days found specifically pose a security risk for workers in industrial environments. If a threat actor exploits these vulnerabilities, they have the ability to tamper with safety zones designated by RTLS to protect workers in hazardous areas."

RTLS is used for automatically identifying and tracking the location of objects or people in real time, typically within a confined indoor area. This is accomplished by attaching tags to assets, which broadcast UWB signals to fixed reference points known as anchors, which then determine their location. 

However, flaws discovered in RTLS solutions (Sewio Indoor Tracking RTLS UWB Wi-Fi Kit and Avalue Renity Artemis Enterprise Kit) meant they could be weaponized to intercept network packets exchanged between anchors and the central server and stage traffic manipulation attacks.

Simply stated, the concept is to estimate the anchor coordinates and use them to manipulate the RTLS system's geofencing rules, effectively tricking the software into allowing access to restricted areas and even disrupting production environments. Even worse, by changing the position of tags and placing them within geofencing zones, an adversary can force the shutdown of entire production lines by indicating that a worker is nearby even when no one is present. 

In another situation, the location data could be tampered with to place a worker outside of a geofencing zone, causing dangerous machinery to restart while a worker is nearby, posing serious safety risks. However, it is worth noting that doing so requires an attacker to either compromise a computer connected to that network or covertly add a rogue device to gain unauthorised access to the network.

Last but not least, how can these attacks be prevented?

To prevent AitM attacks, it is recommended to enforce network segregation and add a traffic encryption layer on top of existing communications. 

"Weak security requirements in critical software can lead to safety issues that cannot be ignored," researchers Andrea Palanca, Luca Cremona, and Roya Gordon said. "Exploiting secondary communications in UWB RTLS can be challenging, but it is doable."

Nozomi recommends that administrators of RTLS systems restrict access with firewalls, deploy intrusion detection systems, and use SSH tunneling with packet synchronisation counter-values for data encryption.
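The recommendations above (network segregation plus a protection layer on top of the existing anchor-to-server traffic) can be made concrete on the server side. The following is an added illustration, not Nozomi's or either vendor's mechanism: it assumes each anchor holds a shared key, signs every position report with an HMAC and a monotonic counter (the counter idea is borrowed from the "packet synchronisation counter-values" mentioned above, but its use here is an assumption), and the server additionally rejects tag movements faster than a person can walk. Confidentiality would still come from the tunnel; this layer addresses forged and replayed reports, which is what the location-manipulation attacks rely on. All keys, identifiers and coordinates are constructed.

```python
import hashlib
import hmac
import json
import math

# Constructed demo keys, one per anchor; real deployments provision these per device.
ANCHOR_KEYS = {"anchor-01": b"constructed-demo-key-anchor-01"}


def sign_report(key: bytes, anchor: str, counter: int, tag: str, t: float, x: float, y: float):
    """Build a position report as an anchor would: canonical JSON body plus HMAC-SHA256."""
    payload = {"anchor": anchor, "ctr": counter, "t": t, "tag": tag, "x": x, "y": y}
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return {"body": body, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


class ReportVerifier:
    """Server-side gate that position reports pass before they reach geofencing logic."""

    def __init__(self, anchor_keys, max_speed_m_s: float = 3.0):
        self.anchor_keys = dict(anchor_keys)
        self.max_speed = max_speed_m_s       # plausible upper bound for a walking worker
        self.last_counter = {}               # anchor -> highest counter accepted
        self.last_position = {}              # tag -> (t, x, y) of last accepted report

    def verify(self, report):
        """Return (accepted, reason). Rejections never update tag positions."""
        body, mac = report.get("body"), report.get("mac")
        try:
            fields = json.loads(body)
            anchor, ctr = fields["anchor"], int(fields["ctr"])
            tag, t, x, y = fields["tag"], float(fields["t"]), float(fields["x"]), float(fields["y"])
        except (TypeError, KeyError, ValueError):
            return False, "malformed report"
        key = self.anchor_keys.get(anchor)
        if key is None:
            return False, "unknown anchor"          # rogue device on the segment
        expected = hmac.new(key, body, hashlib.sha256).hexdigest()
        if not isinstance(mac, str) or not hmac.compare_digest(expected, mac):
            return False, "bad mac"                 # body altered in transit
        if ctr <= self.last_counter.get(anchor, -1):
            return False, "replay"                  # old but validly signed packet
        self.last_counter[anchor] = ctr             # authenticated: counter advances now
        prev = self.last_position.get(tag)
        if prev is not None:
            dt = t - prev[0]
            dist = math.hypot(x - prev[1], y - prev[2])
            if dt <= 0 or dist / dt > self.max_speed:
                return False, "implausible movement"  # tag teleported into/out of a zone
        self.last_position[tag] = (t, x, y)
        return True, "ok"


def run_demo():
    """Feed a verifier a normal sequence, a replay, a tampered body and a teleport."""
    key = ANCHOR_KEYS["anchor-01"]
    verifier = ReportVerifier(ANCHOR_KEYS)
    r1 = sign_report(key, "anchor-01", 1, "tag-7", 0.0, 1.0, 1.0)
    r2 = sign_report(key, "anchor-01", 2, "tag-7", 1.0, 2.0, 1.0)
    tampered = {"body": r2["body"].replace(b'"x":2.0', b'"x":50.0'), "mac": r2["mac"]}
    r3 = sign_report(key, "anchor-01", 3, "tag-7", 2.0, 40.0, 1.0)   # 38 m in one second
    rogue = sign_report(b"attacker-key", "anchor-99", 1, "tag-7", 2.0, 2.5, 1.0)
    return [verifier.verify(r) for r in (r1, r2, r2, tampered, r3, rogue)]


if __name__ == "__main__":
    for accepted, reason in run_demo():
        print("accepted" if accepted else "rejected", "-", reason)
```

Order matters in `verify`: the counter is only advanced after the MAC check, so an unauthenticated packet cannot burn counter values, and a plausibility rejection still consumes the counter because the packet was genuinely sent by the anchor. A report that fails the movement check is worth alerting on rather than silently dropping, since a legitimate anchor should never produce one.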