Search This Blog

Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Showing posts with label Session Hijacking. Show all posts

VoidProxy Phishing Platform Emerges as Threat Capable of Bypassing MFA


 

Researchers in the field of cybersecurity are warning that a sophisticated phishing-as-a-service (PhaaS) platform known as VoidProxy is being used by criminal groups for the purpose of evading widespread security controls and is demonstrating just how far this technology has advanced in criminal groups' ability to circumvent widely deployed security controls. 

In the form of a specialised tool developed by cybercriminals to target high-value accounts neutralising the defences of multi-factor authentication (MFA), VoidProxy is specifically designed and marketed for cybercriminals. There is no question that VoidProxy, developed by researchers at Okta, the identity and access management company, is different from any other phishing kit out there. 

Rather than relying on advanced infrastructures and evasion techniques, it combines these attributes with commoditised accessibility to make it both effective and dangerous even for relatively low-skilled attackers. In particular, VoidProxy makes a great deal of sense because it relies heavily on adversary-in-the-middle (AiTM) phishing, a method of intercepting authentication flows in real time, which makes it particularly alarming. 

Using this method, cybercriminals are not only able to capture credentials, but they can also take possession of multi-factor authentication codes and session tokens generated during legitimate sign-in transactions. By bypassing these common authentication methods, VoidProxy can bypass the security measures offered by SMS-based codes and one-time passwords from authenticator apps, which are typically relied upon by organisations and individuals as a last resort. 

When it comes to VoidProxy's infrastructure, it demonstrates a combination of sophistication and cost-effectiveness that is second to none. This phishing site is hosted by its operators using low-cost top-level domains like .icu, .sbs, .cfd, .xyz, .top, and .home, making it easy to use and easily trackable. It is also important to note that the phishing content, delivered through Cloudflare's reverse proxy services, further obscures the phishing site's actual infrastructure. 

It is a layering of concealment that ensures researchers and defenders cannot determine the true IP address. The combination of this layering of concealment, in combination with its highly deceptive email campaigns, makes VoidProxy one of the most troubling emergences in the phishing service industry. In spite of the fact that the operation has never been reported until now, it demonstrates a level of maturity that is not often found in other phishing kits. 

Researchers at OKTA found that VoidProxy is capable of scaling attacks against large groups of victims, targeting enterprise users, who represent an invaluable entry point for fraud and data theft. In order to intercept authentication traffic, the service inserts itself between the victim and the authenticating service, thereby intercepting authentication traffic. As soon as credentials and multi-factor authentication data are captured, attackers can gain persistent access to a victim’s account, bypassing any protections that would otherwise make it difficult for them to access their account. 

It was only after Okta’s FastPass technology, a passwordless authentication service, identified and blocked a suspicious sign-in attempt via VoidProxy’s proxy network that a discovery of this kind was made. Researchers were able to unravel a much larger ecosystem of campaigns as a result of that single discovery, revealing a set of administrative panels and dashboards that cybercriminals were renting access to the service through the use of this service.

In recent days, the senior vice president of threat intelligence at Okta, Brett Winterford, described VoidProxy as “an example of phishing infrastructure that has been observed in recent years.” Both its ability to bypass the multi-factor authentication and its elaborate anti-analysis mechanisms have been criticised by Winterford. 

The VoidProxy phishing kit offers many layers of obfuscation, which differs from traditional phishing kits that can often be dismantled by tracking servers and blocking malicious domains. Phishing lures are sent through compromised email accounts, multiple redirect chains that make analysis a challenge, Cloudflare CAPTCHA, Workers that inspect and filter incoming traffic, and dynamic DNS that ensures the infrastructure is fast-moving. 

Using these techniques, the operation remained a secret until Okta discovered the operation, but the sophistication of the kit extended far beyond its technical defences. There are many ways attackers can distribute VoidProxy campaigns. The first is by sending phishing emails from compromised accounts linked to legitimate marketing and communication systems, such as Constant Contact, Active Campaign, and Notify Visitors, that are connected to VoidProxy campaigns. 

It is based on the reputation of established service providers that these lures will have a higher probability of escaping spam filters, allowing them to reach the inboxes of targeted users as soon as they click through, providing credentials. VoidProxy's response depends on what authentication the victim has configured.

Users who authenticate through single sign-on (SSO) are forwarded to phishing websites that are designed to harvest additional information from users, while non-federated users are directed directly to legitimate Microsoft and Google servers, while the phishing sites are designed to harvest additional information from users. In the end, affiliates deployed VoidProxy to harvest cookies through the AiTM proxy, which is hosted on an ephemeral infrastructure supported by dynamic DNS, thereby completing the final stage of the attack. 

By hijacking authenticated sessions through session cookies, attackers are able to gain access to the same level of functionality as legitimate users without the need to submit credentials repeatedly. Therefore, attackers can operate undetected until security teams detect unusual behaviour, resulting in the attacker inheriting trusted access. 

In addition to its accessibility, VoidProxy offers an administrative panel that enables paying affiliates to monitor the progress of their campaigns, as well as victim data. Due to the ease with which advanced phishing campaigns are conducted, a broader set of actors—from organised cybercrime groups to less sophisticated attackers- can engage in them as they become more familiar with the technology. 

Despite the fact that VoidProxy is a new and dangerous entrant into the phishing landscape, researchers emphasise the fact that not all defences against it are ineffective. Authenticators which are phishing-resistant, such as hardware security keys, passkeys, and smart cards, are proven to be able to block attackers from hijacking credentials or signing in through proxy infrastructure by preventing the attack. 

As a result of the research conducted by OKTA, it has been demonstrated that users equipped with these advanced authentication systems are less likely to be hacked or to be compromised via VoidProxy, but most organisations continue to rely on weaker methods of multi-factor authentication, such as SMS codes, which leaves them vulnerable to data interception. 

It has been Okta's intention to inform Google and Microsoft of VoidProxy's operations, to share intelligence with its SaaS partners, as well as to issue a customer advisory in response to the discovery. In addition to adopting phishing-resistant authentication, the company recommended that enterprises also take a broad set of security measures. 

There are several ways to do this, including limiting access to devices and networks based on trust, monitoring sign-in behaviour for anomalies, and providing users with streamlined mechanisms for reporting suspicious emails or log-in attempts. Additionally, it is crucial to cultivate a culture of cybersecurity awareness at the company. 

Employees should be trained on how to recognise phishing emails, suspicious login prompts, and common social engineering techniques, which can often lead to compromise in the organisation. Additionally, VoidProxy's rise also demonstrates a wider industry problem that the industry faces today: the proliferation of platform-based PHaaS that commoditises advanced attack techniques into a commodity. 

Other kits, such as EvilProxy, which was first reported in 2022, and Salty2FA, which was discovered earlier this year, have also demonstrated similar capabilities to bypass multi-factor authentication and hijack sessions in the past few years. In each successive platform, the stakes are raised for defenders, as techniques that were once reserved for highly skilled adversaries have become widely accessible to anyone willing to pay for access, which has raised the stakes for defenders. 

By lowering the technical barrier, these services are increasing the pool of attackers, resulting in an increase in phishing campaigns that are more effective than ever before, harder to detect, and more persistent in nature, and have a greater impact. With the emergence of VoidProxy, a critical change has been wrought in the cyber threat landscape that calls for a new approach to enterprise security. 

Legacy defences that depend solely on passwords or basic multiple-factor authentication methods will not suffice in the face of such adaptive adversaries. As a result of these threats, organisations need to create layers of security strategies, which are combined with proactive resilience, in order to protect themselves. 

Authenticators that can resist phishing attacks are essential for protecting the network from cyber threats, but in addition to them, businesses must be able to detect anomalies continuously, implement rapid incident response capabilities, and train their employees adequately. Collaboration across the cybersecurity ecosystem is also crucial. 

There is nothing more important than the importance of intelligence-sharing between vendors, enterprises, and researchers, as early detection of emerging threats and coordinated action can significantly reduce the damage caused by them. 

In today's rapidly evolving PhaaS platforms, enterprises have to change their approach from reactive defence to proactive adaptation, ensuring they are not just prepared to withstand today's attacks, but also prepared to anticipate tomorrow's attacks. Getting the most out of security is crucial in a digital world where trust itself has become one of the main targets. To be secure, one must be able to maintain agility and resilience.

Session Hijacking Surges: Attackers Exploit MFA Gaps with Modern Tactics

 

As multi-factor authentication (MFA) becomes more common, attackers are increasingly resorting to session hijacking. Evidence from 2023 shows this trend: Microsoft detected 147,000 token replay attacks, marking a 111% increase year-over-year. Google reports that attacks on session cookies now rival traditional password-based threats.

Session hijacking has evolved from old Man-in-the-Middle (MitM) attacks, which relied on intercepting unsecured network traffic. Today, these attacks are internet-based, focusing on cloud apps and services. Modern session hijacking involves stealing session materials like cookies and tokens, enabling attackers to bypass standard security controls like VPNs, encrypted traffic, and even MFA.

The rise of identity-based attacks is a result of the growing complexity of user accounts, with each person managing multiple cloud-based services. Once attackers gain access to an active session, they can bypass MFA, leveraging the valid session tokens, which often stay active longer than expected.

Modern phishing toolkits, like AitM and BitM, make hijacking easier by allowing attackers to intercept MFA processes or trick users into controlling their browser. Infostealers, a newer tool, capture session cookies from the victim’s browser, putting multiple applications at risk, especially when EDR systems fail to detect them.

Infostealer infections are often traced back to unmanaged personal devices, which sync browser profiles with work devices, leading to the compromise of corporate credentials. EDRs aren’t always reliable in stopping these threats, and attackers can still resume stolen sessions without re-authentication, making it difficult for organizations to detect unauthorized access.

Passkeys offer some protection by preventing phishing, but infostealers bypass authentication entirely. While app-level controls exist to detect unauthorized sessions, many are inadequate. Companies are now considering browser-based solutions that monitor user agent strings for signs of session hijacking, offering a last line of defense against these sophisticated attacks.

Vulnerability Lab discovered persistent XSS vulnerability in Paypal

vulnerability lab

The Vulnerability Laboratory Research Team discovered persistent web vulnerability in the official Paypal (core) ecommerce website content management system.

The security flaw allows remote attackers to implement/inject own malicious script code on the application side (persistent).

The persistent input validation vulnerability is located in the Adressbuch module with the bound vulnerable search function when processing to request script code tags as `Addressbuch` contacts. The code will be executed out of the search result listing web context. Remote exploitation requires low user interaction and a privileged paypal banking application user account.

Successful exploitation of the vulnerability results in persistent session hijacking (admin), account steal via persistent phishing or persistent search module web context manipulation.

In an email sent to EHN, The Vulnerability has submitted the proof-of-concept for the security flaw. You can find the poc code here : http://pastebin.com/LhB82k4F

The name with the code was saved in the addressbook. Only the matching and successful result leads to the persistent execution of the web context.

When the other user is searching the existing account of the addressbook the code will be executed persistent out of the matching search result web context listing.

Few months after the vulnerability notified the Paypal , Paypal security team has successfully patched the vulnerability on December 11.

PuttyHijack~session hijack POC

PuttyHijack is a POC tool that injects a dll into the Putty process to hijack an existing, or soon to be created, connection. This can be useful during penetration tests when a windows box that has been compromised is used to SSH/Telnet into other servers.

The injected DLL installs hooks and creates a socket in guest operating system for a callback connection that is then used for input/output redirection.

PuttyHijack does not kill the current connection, and will cleanly uninject if the socket or process is stopped. Leaves no race for further analysis.

How to run/install PuttyHijack
  • Start a nc listener on some fully controlled machine.
  • Run PuttyHijack specify the listener ip and port on victime machine (Some socail engg skill may be helpfull)
  • Watch the echoing of everything including passwords (grab it for further analysis)


Help commands of PuttyHijack

!disco – disconnect the real putty from the display
!reco – reconnect it
!exit – just another way to exit the injected shell

DroidSheep ~ one-click session hijacking using your android smartphone

What is this about?
If you know Firesheep or Faceniff, you probably know what this is about – one-click session hijacking using your android smartphone or tablet computer.

If you do not know one of these tools, I’ll try to explain what DroidSheep is.

Maybe you know Bob. Bob is a wellknown person and Bob loves coffee. Every morning, he takes his laptop and visits one the famous green coffee bars, has a “grande vanilla latte” and writes messages to his facebook friends. For doing that, Bob uses the coffee bars WiFi – because it´s free and fast.

One Morning, Bob is just writing a message to his girlfriend, Eve enters the coffee bar. Eve has an Android phone and Eve uses DroidSheep. After ordering a “venti caramel macchiato”, Eve sits down, takes her phone and starts browsing facebook. Using Bobs identity. She can watch at his friends. Read his messages. Write messages. Write wall posts. Remove friends. Delete Bobs account. Without getting ever in touch with Bob.


What happened?

When Bob is using the WiFi, his laptop sends all the data intended to be received by facebook, over the air to the coffee bars wireless router. As “over the air” means “captureable by everybody”, Eve (or her phone) can read all the data sent by Bob. As some data is encrypted before being sent, she cannot read Bobs facebook password, but in order not to make Bob enter his password after each click, facebook sends Bob a so called “session id” after logging in, which Bob sends with each interaction, making it possible for facebook to identify Bob. Usually only Bob knows this id, as he receives it encrypted. But when Bob uses the coffee bars WiFi, he spreads his session id over the air to everybody. So Eve takes this session id and uses it as hers – and facebook cannot determine, if Bob or Eve uses this id.

DroidSheep makes it easy to use for everybody. Just start DroidSheep, click the START button and wait until someone uses one of the supported websites. Jumping on his session simply needs one more click. That´s it.


What do you need to run DroidSheep?
- You need an android-powered device, running at least version 2.1 of Android
- You need Root-Access on your phone (link)
- You need DroidSheep :-) (You can get it in the “GET IT” section)

DroidSheep now supports nearly all Websites using Cookies!
With Version 5, DroidSheep got the new “generic”-Mode! Simply enable it, and DroidSheep will capture all Accounts in the network!!
Successfully tested with ALL already supported Accounts and a lot of other ones (even all WordPress and Joomla-Pages should work!!)


Which pages does DroidSheep support?
- amazon.de
– facebook.com
– fl ickr.com
– twitter.com
– linkedin.com
– yahoo.com
– live.com
– google.de (only the non-encrypted services like “maps”)



Limitations
DroidSheep now supports OPEN, WEP, WPA and WPA2 secured networks.
For WPA/WPA2 it uses an DNS-Spoofing attack.
DNS-Spoofing, means it makes all devices within the network think, the DroisSheep-device is the router and sending their data to the device. This might have an impact to the network and cause connection problems or bandwith-limitations – and it can be spotted. DroidSheeps attack can not, as it only reads the packets sent over the WiFi, but instead of dismissing them, it uses the data :-)

How does this work?
When you use web applications, they usually require you to enter your credentials in order to verify your identity. To avoid entering the credentials at every action you do, most web applications use sessions where you need to log-in once. A sessions gets identified by a session token which is in possession of the user and is sent together with any subsequent request within the HTTP packets.
DroidSheep reads all the packets sent via the wireless network and captures this session token, what allows you to use this session token as yours and make the web application think you are the person identified by this token. There is no possibility for the server to determine if you’re the correct person or not.

DroidSheep is NOT INTENDED TO STEAL IDENTITIES.
It shall show the weak security properties of big websites just like Facebook. Please be always aware of what you’re doing.
I AM NOT RESPONSIBLE FOR ANY DAMAGES THAT HAPPEN BY USING THIS SOFTWARE!


HowTo use.
Using DroidSheep is really simple
Before you start — Make sure your phone is ***ROOTED***
DroidSheep will not work without Root-Privileges! If it is not, try THIS
Installation:
There are two possible ways to install DroidSheep:
  • One of the Android Markets (Google, AppBrain, …) — Simply search for DroidSheep and install the application
  • Download it from the “GET-IT” section using your phones browser and open the file — your phone should ask for installing the app.



Download