Search This Blog

Showing posts with label TLS Certificates. Show all posts

To Mimic Microsoft, Phishing Employs Azure Static Web Pages

 

Microsoft Azure's Static Web Apps service is being exploited by phishing attacks to acquire Microsoft, Office 365, Outlook, and OneDrive passwords. Azure Static Web Apps is a Microsoft tool that allows to build and deploy full-stack web apps to Azure using code via GitHub or Azure DevOps.

MalwareHunterTeam, a security expert, uncovered the campaign. Attackers might imitate custom branding and website hosting services to install static landing phishing sites, according to the study. Users using Microsoft, Office 365, Outlook, and OneDrive services are being targeted by attackers who are actively mimicking Microsoft services. 

Several of the web pages and login pages in these phishing attempts are nearly identical to official Microsoft pages. Azure Static Web Apps is a program that uses a code repository to build and publish full-stack apps to Azure. 

Azure Static Apps has a process that is customized to a developer's everyday routine. Code changes are used to build and distribute apps. Azure works exclusively with GitHub or Azure DevOps to watch a branch of their choice when users establish an Azure Static Web Apps resource. A build is automatically done, and your app and API are published to Azure every time they post patches or allow codes into the watched branch. 

Targeting Microsoft users with the Azure Static Web App service is a great strategy. Because of the *.1.azurestaticapps.net wildcard TLS certificate, each landing page gets its own secure page padlock in the address bar. After seeing the certificate granted by Microsoft Azure TLS Issuing CA 05 to *.1.azurestaticapps.net, even the most skeptical targets will be fooled, certifying a fraud site as an official Microsoft login screen in the eyes of potential victims.

Due to the artificial veil of security supplied by the legitimate Microsoft TLS certs, such landing sites are also useful when targeting users of other platforms, such as Rackspace, AOL, Yahoo, or other email providers. 

When trying to figure out if one is being targeted by a phishing assault, the typical advice is to double-check the URL whenever we're asked to enter one's account credentials in a login. Unfortunately, phishing efforts that target Azure Static Web Apps render this advice nearly useless, since many users will be fooled by azurestaticapps.net subdomain and genuine TLS certificate.

Half of Sites Still Using Legacy Crypto Keys

 

While the internet is growing more secure gene but slightly more than half of the websites' cryptographic keys are still generated using legacy encryption algorithms, as per the new research.

Security firm Venafi enlisted the assistance of renowned researcher Scott Helme to examine the world's top one million websites over the last 18 months. The TLS Crawler Report demonstrated some progress in a few areas. 

Nearly three-quarters of websites (72 per cent) now actively redirect traffic to HTTPS, a 15 per cent increase since March 2020. Even better, more than half of the HTTPS sites evaluated are using TLSv1.3, the most recent version of TLS. It has now surpassed TLSv1.2 as the most widely used protocol version. 

Furthermore, nearly one in five of the top one million websites now use the more secure HSTS (HTTP Strict Transport Security), which increased 44 per cent since March 2020. Even better, in the last six years of monitoring, the number of top one million sites using EV certificates has dropped to its lowest level ever. These are known for their slow, manual approval processes, which cause end users too much discomfort. 

Let's Encrypt, on the other hand, is now the most popular Certificate Authority for TLS certificates, with 28 per cent of sites using it. There is, however, still more to be done. 

According to the report, approximately 51% of sites still produce authentication keys using legacy RSA encryption techniques. These, along with TLS, help to verify and secure connections between physical, virtual, and IoT devices, APIs, applications, and clusters. 

ECDSA, a public key cryptography encryption technique with increased computational complexity and smaller authorization keys, is a far more secure alternative to RSA. As per Venafi, this implies they require less bandwidth to establish an SSL/TLS connection, making them perfect for mobile apps and IoT and embedded device support. 

Helme explained, "I would have expected that the rise in adoption of TLSv1.3 usage would have driving the ECDSA numbers up much more. One of the main reasons to keep RSA around for authentication is legacy clients that don't support ECDSA yet, but that seems at odds with the huge rise in TLSv1.3 which isn't supported by legacy clients. We also continue to see the use of RSA 3072 and RSA 4096 in numbers that are concerning.” 

“If you're using larger RSA keys for security reasons then you should absolutely be on ECDSA already which is a stronger key algorithm and offers better performance. My gut feeling here is that there's a lot of legacy stuff out there or site operators just haven't realized the advantages of switching over to ECDSA.”

NSA: Risks Linked with Wildcard TLS Certificates and ALPACA Techniques

 

The National Security Agency issued a technical alert cautioning businesses against using wildcard TLS certificates and the new ALPACA TLS attack. 

The NSA advised companies to follow the technical recommendations in its alert and safeguard servers against situations in which attackers may obtain access and decrypt encrypted online traffic. 

While several instances and techniques might aid attackers in decrypting TLS-encrypted data, the NSA clearly specified the usage of wildcard TLS certificates, which many researchers have also warned against in the past.

A wildcard certificate is a digital TLS certificate obtained by a company from a certificate authority that allows the owner to apply it to a domain and all of its subdomains simultaneously (*.example.com). Companies have used wildcard certificates for years because they are less expensive and easier to administer, so administrators apply the same certificate to all servers instead of having to manage several certificates. 

The NSA stated, “A malicious cyber actor who gains control of the private key associated with a wildcard certificate will provide them the ability to impersonate any of the sites represented, and gain access to valid user credentials and protected information.” 

The agency is now advising administrators of both public and private networks to evaluate the necessity for a wildcard certificate inside their networks and prepare to install individual certificates to isolate and restrict potential breaches. 

About ALPACA attack 

Furthermore, the NSA's alert cautions of the new Application Layer Protocol Content Confusion Attack (ALPACA), which was revealed earlier this summer and is similarly vulnerable due to the usage of wildcard certificates. 

The problem was not taken seriously when it was revealed in June because carrying out an ALPACA attack needed threat actors to be able to intercept web traffic, which is challenging in some circumstances. 

However, the research team that identified the assault stated that over 119,000 web servers were exposed to ALPACA attacks, which is a significant amount. Four months later, the NSA is encouraging companies to take the matter seriously, determine whether their servers are susceptible, and reduce the risk, particularly if the organizations deal with sensitive information or are connected to the US government network. 

On October 7, the NSA stated, “NSA recommends NSS, DoD, and DIB administrators ensure their organization’s wildcard certificate usage does not create unmitigated risks, making their web servers vulnerable to ALPACA techniques.”