
Authentication Proxy Attacks: Detection, Response and Hunting

BSides Las Vegas · 2023 · 45:53 · 179 views · Published 2023-10
About this talk
Authentication proxy attacks like EvilProxy and evilginx enable attackers to bypass MFA-protected accounts without SIM swapping or push fatigue. This talk explores the tactics, tools, and procedures behind MFA-enabled account takeover, demonstrates detection techniques across network traffic and endpoint signals, and presents practical hunting and mitigation strategies for organizations of all resource levels.

Original YouTube description:

Breaking Ground, 10:30 Tuesday

Over five years ago, evilginx was released, demonstrating the ease of stealing authentication session tokens from MFA-enabled logon processes with a simple reverse proxy. Despite being a well-known technique, few of these attacks were seen in widespread use among cybercrime threat actors, until recently. The advent of EvilProxy and similar platforms has given attackers the ability to compromise targets with strong authentication without resorting to burdensome SIM swapping or noisy push fatigue attacks. With nascent adoption rates of phish-resistant MFA outside government-aligned sectors, organizations need to know how to detect and respond to these attacks. In this talk, we will provide an in-depth look at the tactics, tools and procedures used in MFA-enabled account takeover. We'll demonstrate how the ingenuity of this attack has a fatal flaw at its core, allowing us to hunt, detect, mitigate and block this type of attack.

Chris Merkel

Transcript [en]

today's talk is authentication proxy attacks um I got to admit um finding out that I was right after Josh Corman the IND dominal Josh Corman was was was a bit intimidating um but uh you know we're GNA we're going to talk a bit about this and and a few of the things Josh said um resonated with me um the first is the fact that it's it's up to us it's up to all of us um to to make this difference make the difference in the organizations that you all collectively represent um so in this talk um my focus is on the Practical um I'm hoping that everybody regardless of where you are right so we

talked about Wendy neither's security poverty line Google it if you haven't heard it but I know that many of you are below some of you are above my goal here is not just to speak to the people who are at or above the well resourced right the ones who can send you here and you know pay your way and all that kind of stuff I want to make sure that everybody has the opportunity to take something back with

them so a little bit about myself my name is Chris Merkel I'm a senior director of cyber defense at Northwestern Mutual which is an insurance company uh I've been doing security for a long time long enough where I stop tell telling you what it is in years because I just rather not it's been too long um I've been coming to besides Las Vegas on and off for over a decade now uh I love this conference I love the vibe I love the people that come here this is hands down top five uh I like to reverse engineer malware for fun most of my days are spent uh leading teams of people who do the fun things so I I still try to uh

spend my time doing that I also have um bad habits and opinions uh yeah I like Nano over Vim um uh I have been convinced that pineapple actually does taste good on pizza so my mind can be changed and I put those two bullet points in to remind myself that my terrible opinions and decisions do not represent those of my employer that's like a that's like a little mental bookmark right there all right and then the last Point here uh I got to meet John McAfee here almost 10 years ago how many of you were here when he came came to to bides a couple of you that was wild okay um that experience of uh

hearing him get grilled in depth by people who understood uh facts details and timelines was was was crazy um and reflecting on it my first point here about being in security for a long time the longer I've been in security the longer I can start to understand John mca's uh uh overall uh Arc to go from cyber security luminary to bath salts Enthusiast to cryptog grifter I used to think man how did that happened and now I've been doing this for a while I'm kind of like that doesn't sound half bad um I'll have my contact information on the last slide as well um you can find me on the uh the fediverse and uh on the

zucka verse um I'm out there right now um the other thing I want to point out here is that the the stuff I'll be talking about here is uh not solely my research um I work with some of the uh most brilliant people working in cyber security in counter threat in intelligence in threat hunting in incident response in detection engineering um and and I am sharing that Collective knowledge with all of you so let's talk about all of you you did it you got multiactor authentication look it is the year 2023 and I know some of you are thinking to yourselves well yeah but mostly okay that's fine but take the victory lab okay that's a big deal if you've

pushed your organization through if you've had those conversations about uh user experience and the challenges that come with that particularly if you're working with uh consumers clients people outside your organization those are tough conversations you did good now some of you may have also moved on from sms okay uh SMS is weak but SMS is great okay it can be both I'll talk a little bit about why that is if you're in this position most of the threats that your organization faces um against your your logons your sign on your authentication you've made IND at those that's great okay um but as we know our adversaries they change their tactics and we're going to talk about that so um with the the good

news comes the bad news and and the bad news is that even while you might have multiactor authentication protecting your organization and its assets increasingly it is not enough so we're starting to see uh attacks that were really demonstrated to be possible like well over five years ago starting to actually materialize okay um so we're we're seeing these these types of campaigns going on and so what I'm going to be talking about is an evolution in aders iial trade craft that's taking your typical adversary in the middle and moving it to the next layer um for for targeting organizations uh for whom they've done those fundamental cyber hygiene Basics like turn on multiactor authentication okay so that's the bad news

now um shout out to ca so cisa entered this conversation about almost two years ago and they they released a a paper on this I strongly recommend you look it up but I have summarized it for you um it it's it's fantastic and what I love in particular about this and and by the way again another shout out to Josh Corman he talked about changing the dialogue changing the framing right right so what did we used to say we used to say that you need to make sure you have strong authentication and and if you got into the weeds with somebody they would say well I've got a long password so that's strong authentication oh no no no no no

no you need multiactor authentication is strong authentication well okay okay I can do that I can do that well well the problem is and I'm going to assume most of you understand this problem to some extent or another um these other second factors have weaknesses and specifically the weakness of token theft is what I'm going to talk about today and so they embraced the term fishing resistant multiactor authentication now here's why I love that term it's a term of art I'm saddened that it was first an industry term before cisa came up with it but what that means is as you are talking to the decision makers in your organization and they're going to ask

you questions like are we resistant to fishing attacks you might say are we okay you might say it's time for your outrageous speaker request my what when we uh have speakers who apply to speak in the program we have this thing called uh an outrage of speaker request it's a little field at the very end of the uh the application okay that uh them a chance to ask for anything else they might want what I ask for it was really late at night in this case uh we were asked to bring back green apple Skittles which has been please yes discontinued and replaced uh with lime I believe again lime is terrible got rid of the lime for

those who are not up on the the drama of Skittles lime was around they got rid of it they put in green apple now they got rid of green apple brought back the lime and so now everybody's angry this is It's a classic Coke New Coke thing anyway so there there is now on change.org uh a petition to bring back green apple Skittles and I have here Flyers to hand out to everybody in the audience uh I ask you to please consider honoring our speaker request and helping us to bring back green apple Skittles here at besides change the world one person one thing at a time one Skittle at a time so so according to this handout that he's

provided me the change.org petition only has 834 signatures that means if every one of you in this room by my rough count went and petition for this change we could get this over a thousand people we can do [Applause]

this all right let me transmition back into uh where was all right so so again we're talking about changing the framing to change the discussion if you are talking with your leaders again if you're talking with your ciso CIO board member and they want to ask you are we resistant to fishing attacks now your answer can be some but not all we don't run fishing resistant authentication in our Oran organization and it's not just your opinion now you can bring up Eagle Shield because that carries a lot of weight we'll talk a little bit more about the technical mechanics of this in a minute I promise token replay attacks are on the Rise um I don't know if you any of you

have um read the long form wired article on the hack at EA but it is fantastic um and I strongly encourage you to to look at what can happen when you start with one stolen slack token okay uh this data is a little old um but it comes from a good source from from Microsoft um I do reserve the right to give them grief um but they've been making some positive moves so I might pull my punches but we can see that the use of tokens is on the rise so let's get into uh how this all works now it's a bit of a complicated diagram and I'm going to keep staring at this screen

over here because it's it's a little bit bigger than I can see on my presenter view but we're going to walk through step by step technically how this attack works okay so so first it's going to start with a fishing message yall get this okay your victim is going to enter their creds and they're going to enter in their MFA now that could be uh a code request from SMS that could be a device approval uh something along those lines now again I'm not talking about uh PH2 webn this is everything that's not that I think the attacker has a proxy setup so what they're doing here is they are taking your actual log on page and just

proxying it they're not making a copy they're not doing like copy and paste into word and then back into HTML I always laugh when I see word HTML in adversary uh pages and stuff like that it really cracks me up it also makes me sad because it totally still works um and what's going to happen is when they put their credentials in that's going to get forwarded across the proxy to your identity provider so your identity provider is like oh I I I've received credentials because they were asked for they they were requested by this proxy and now I'm getting this back this all looks normal to me the attacker along the way is going

to steal the credentials cuz you know you can use those later even if you're not even if your your primary target is the token the identity provider they don't know what's up this is just a request from a client for off that's normal so they're going to go yep everything checks out MFA AOK here's your session token now the attacker is like yeah cool I have your session token that session token that gets passed right back to the user so so the other thing you tend to run into with these fishing attacks is the what have you done once you've actually updates thank you J um what do you do when uh you've you've successfully Conn

that person you have to take them somewhere and and then this is where where where adversaries are kind of like I don't know maybe I'll dump you at google.com or something who knows or m whatever right um but by forwarding that that session token back your user has a valid session so where do they go next they go to the actual site that they've just authenticated to so to them from their perspective and experience they just successfully logged in why because they just successfully logged in because that's how this works now that becomes a real problem for your security awareness and education right because at this point nothing looks different you've successfully logged in the documents

that you've most recently worked on on Microsoft 365 they're all there so now what does the attacker do they just replay the session token now um I I I'm not an expert in um you know all of the Microsoft primary tokens refresh tokens sub tokens app tokens it's complicated suffice it to say if you can get your hands on that primary refresh token uh by default in Microsoft 365 you have seven days of access that you can parlay

uh and then of course you know those creds go on to secondary markets maybe it used in password spray attacks uh go find those little uh corners and edge cases in your organization where uh you haven't quite gotten that two-factor authentication in yet so let's talk a little bit about delivery um I could give a whole talk on this instead I'm going to give one slide um delivery methods are getting pretty interesting in my opinion um first and foremost we are seeing these types of advanced MFA proxy attacks coming across bog standard dumb fishing emails okay still works why why why change right we're also seeing what I call encrypted message hollowing um and what this is is so if you've if

you've ever uh used a you know proof Point uh Microsoft sending to Gmail um mcast Etc you've gotten this message that says you have a a secure message waiting for you you need to log into a portal yada yada yada okay most of the time those types of systems are used in business to Consumer type of relationships and what that means means is you don't want to necessarily burden that poor end user with having to set up full MFA or whatever it is just to read that one important email that you want to send them about uh a a a healthc care issue about a financial transaction about a real estate deal whatever it is

right well what attackers are doing is they're gaining access to one of these encrypted messages how do they do it a traditional account takeover uh you know those kinds of things they hit a think maybe they do a password reset whatever it is and they get into that corporate uh Email encryption solution from one of these bigname vendors and if it's not configured properly they go into this message and they hit the reply button but then what they do is they just blank out everything in there um or I'm sorry they don't hit reply they hit forward critical difference they're going to hit forward on that message and they're going to blank out the message

body they're going to blank out the subject line and they're going to put you in as a Target now instead of having to create those goofy looking fakey you have an encrypted document kind of nonsense that could potentially be taken down because it is part of adversary infrastructure and all of that they are now landing at your big corporation's encrypted messaging solution but what they're seeing is a holy new message and we have witnessed uh one adversary group literally make hay from one account in one message just blanking it out and using it over and over and over and over and over again and every time the recipient gets you've got a secure message they're not going to get any

warnings and it comes from a big Corporation and so the big Corporation is inherently trusted we're we're also seeing account takeovers uh in the Microsoft 365 space abusing Microsoft purview Microsoft purview is the encryption solution that used to be called something else I guess their branding rebranding worked because I can't remember the old one um but it's basically when you hit send secure in Microsoft Outlook uh that's Microsoft purview messaging as a tenant administrator or as a exchange administrator you have very little ability to inspect what goes into that okay and and if somebody is in the Microsoft 365 world and they receive a purview message it actually gives the attackers additional credibility because you get this green banner across the top

of your outlook that says congratulations this message is encrypted and if you're the end user and you see a green bar with a green check mark in it how do you interpret that do you do you as a as the end do our end users go wow that's fantastic they employed Transit encryption on this I feel good about that no the way they interpret this is oh bar is green I'm safe I don't have to think about those security awareness messages anymore click if you're sending it outside of a Microsoft organization you're going to you know to Gmail whatever you're going to get that typical log into the portal uh you'll get a message attachment that

message attachment is fully encrypted you can't inspect any of this and that really uh is is unfortunate so I talked a bit about what the the victim experience is like this is what it looks like the only thing that you're going to see different is the URL in the browser bar uh you can't can't fake that out um you can do tricky things right to left I don't you know uh you know all those obfuscation techniques that that we know and love but again your security awareness messaging it's lot less effective at this point why because if you're if you have a branded portal like I show off one on the right here um this is the one

they see every single day if it's a standard Microsoft log on it's the standard Microsoft log on so what's your click rate already on F log on it's pretty bad right but when you have nothing to tell somebody I mean yeah you can tell them go go look at the browser bar but but again think about this whole attack chain from end to end you receive an encrypted message from a well-known reputable Corporation maybe it's something somebody you already do business with because they've done account takeover for that outside organization you're working with you receive an encrypted message message the encrypted message has a green bar on it now it's trusted you click on that I do not believe that it is even

fair to ask our users to catch

this so's talk a little about the evolution of tradecraft um I'll uh one of my colleagues um shares my same passion for for terrible clip art um so there's your your Dolly generated hacker um thanks Chris um our adversaries are also evolving their tradecraft so we are seeing a lot more anti- inspection techniques okay so so so even if you'd gotten to the point where you were extracting all of the URLs from your email traffic um and things like that passing that through some sort of reputation service sandbox whatever it is doing that you know uh inbk um you're you're probably not going to catch it why they're doing things like referr checking right they want to make

sure that this looks like it came from an email click uh you know things like that uh they're doing you know basic sandbox detection stuff um like I said they're using uh encrypted email they're also um looking for uh egress IPS so if they're targeting uh you know a specific Corporation or set of Corporations and you're not coming from one of those egress IPS that's noted on uh the the Aaron uh or ripe or whatever net blocks you're you're just going to get redirected somewhere else um beyond that they're they're doing a lot of uh redirect chains um and and other obfuscation techniques right so your your typical automated sandbox that's going to look at a web page um maybe

it'll follow one refer maybe two two not six so that becomes uh a bit of a challenge uh to do any kind of inspection at scale um so let's talk about how we detect these things um I did put in the uh the description of this talk that there is one fatal flaw there is it's a bit weak so if you don't like it I'm sorry um um but you know yeah you got to put butts and seats what are you going to do um so let's talk about detecting attacks um first and foremost none of these things individually is going to be the tell the detection the one thing that allows you to catch 100%

80% 60% but if you treat these as signals if you have the ability to to look at multiple Dimensions if you have the ability to do any type of correlation you can build strong signals out of this um depending on the the nature of the organization you represent uh impossible travel is reasonably accurate uh the problem is that uh all of your users who watch YouTube have now installed nor VPN after the three-month trial subscription um and it's all running on their phones all of the time um and not not just picking on Nord they're fine for for for what they are other than uh snake oil for consumers um they do they go to Great Lengths to

hide their their egress traffic why because the only reasonable reason to use a consumer VPN service is so you can watch content outside your region right and so you're always this cat and mouse game between uh your uh streaming video providers of the world and you know them having to comply with restrictions around uh uh countries and intellectual property and things like that um so so what that means is as a Defender you're going to you're going to get hits from weird places on the planet with really non-descriptive names and often times if you do more analysis on asns some really sketchy neighborhoods okay um and and so you're going to go oh I'm under attack

no no just Bob and accounting was you know watching YouTube and installed the VPN um and then of course the other challenge is the use of uh uh proxies um proxy services so that you can tunnel out machines here in the US there are there are large and and very um well-known ones uh that we see used a lot um so so what we try to look for is is a little bit of correlation right so um do I have a person logging in from an IP address that they haven't logged in from before and is there an authenticator change of some kind like a password reset uh an addition uh to their their multiactor authentication options uh a

change in those authentication options things like that um also look for new device registration attempts I'll I'll talk a little bit about conditional access policies later um but you know as of right now I believe that the standard default configuration in a Azure tenant is to allow devices to register themselves in Azure ad across the internet just because you're authenticating right um so you're going to want to look for um gaining persistence so going back to the uh the the hack that happened at EA um that's one of the things they did they they did an actual device enrollment as a persistence mechanism uh I believe they used a virtual machine so that's what you can do a lot

on the the detection side uh so let's talk a little bit more about um investigating these types of attacks responding and those kinds of things so first of all has successful MFA occurred um Microsoft's uh logs if you're if you're taking these somewhere other than uh Azure Sentinel um they are a nested Maze of terribly constructed javasript Java Json that um you know it'll take you a long time to figure out and that sucks um do you know how to invalidate session tokens so in a lot of organizations if if you have reasonable confidence in your external MFA and somebody clicks on something and enters their creds you can issue a soft password reset it's nicer to the user

because they just change their password and next log on and you just kind of Coast by knowing that they're okay because there wasn't uh you've got MFA protecting you the problem is in in in a in a session attack um against tokens um that soft password reset in Azure that does not invalidate the session token okay so so even if you detect the user clicking on a fishing email or and and and entering their credentials you do that soft password reset the attacker still in they still have that token now here's what sucks you got to do a hard password reset and by hard password reset I mean change it to an arbit arbitary value of your choosing

and then make them figure out how to recover call the help desk you know the self-service password portal probably not going to work because the attacker could use it right um that is really really um not great user experience um but that's where we are right now so beyond uh just Microsoft specific tokens think about the other things that the attacker might have had access to slack um other other uh you know Federated systems or or other systems that might have provided their own token that's not tied necessarily to the uh the SLE token that comes with Azure ad um you're going to want to look at your Microsoft 365 logs for evidence of access so what did they do once they got

here um the thing that I've seen most commonly is male forwarding rules right because while the attack is a little more more sophisticated these are people who are just using software as a service like evil proxy okay they are not the Geniuses who invented the technique they're the ones using the commoditized kit that they paid money for so the the adversaries are still the same lowest common denominator kind of folks so so so you know unless you're in a a more highly targeted sector with more Advanced adversaries most of y'all are just dealing with cyber crime and and what do they want to do they just want to compromise that mailbox so they'll set up like an exchange mail forwarding or

not a not an exchange but an Outlook mail forwarding rule um you want to look for user creation events right what kind of a account did they compromise um did they access data on on on one drive and and things like that um I should also point out that in the last two month or so um uh cisa uh successfully bullied Microsoft into giving full log access to people who have Microsoft 365 tenants um I don't know the full scope of what that means um but that is forthcoming um and shout out to cisa because nobody should have to pay for logs that's [Applause]

so let's talk about continue go on the offensive threat hunting um make sure you know your authentication end points um you can do showan Hunts uh we talked a little bit about that um look for the usual typo squats page titles things like that um if there's a page title that's specific to the Microsoft log on Flow you should never see that come from anywhere other than Microsoft so if that page title exists and you can detect that in your network traffic if you have the inspective capability to do so look for it so do you know where all your authentication endpoints are you probably have some authentication endpoints that should be on a milk

carton um look at your Microsoft conditional access policies um it's almost cliche but they they people say that identity is the new perimeter I tend to agree with that um and Microsoft conditional access policies if identity is the new perimeter conditional access policies are the new firewall and it's the new firewall in that it really is a pain in the neck to configure and you can screw it up easily in unintended ways okay because conditional access policies have the same concept of inheritance uh they have you can get order of operations wrong and the eval valuation of a cap policy can go wrong and you don't realize it because staring at it on the screen it looks right just

like your firewall console so there are ways to to evaluate your cap policies the the more that you can do to strengthen your cap policies uh for users coming in from outside your network perimeter the better I know some organizations can can uh have more latitude in that than others um you want to look for attempts to Target your organization so again look for uh type of squats related to SSO hunt inside your firewall logs um you know uh you know DNS logs passive DNS you can hunt externally um so in a in a previous iteration of this talk um I was able to to demonstrate that I could find a whole bunch of people on showan running evil

proxy and evil engine X um because of the use of those redirect change I talked about before that's getting increasingly difficult um but the main things we see are evil proxy which is the software as a service version of evil engine X and evil engine X itself now one of the things you can do is look for things like jarm hashes um they're not rotating out the default TLS certificates that come with this software so um you know they're bad at tradecraft um so so and then I'm sorry there was one thing I wanted to go back to and point out here if we go back to the victim experience now there are if you

get down into the Dom in Microsoft or a custom branded page and and this is this is that you know here's that that one weird trick kind of kind of thing um there are elements in this Dom that only exist in this Dom okay for example on that Microsoft signin page there are links to a domain called Ms off.net as far as I can tell the only time that domain is called is when you are doing authentication to Microsoft so if you see that um in your network traffic coming from a source that is not Microsoft that means somebody is proxying the traffic you can catch it another thing that you can do is you

can look for people who are faking your corporate identity that color blue is a very very specific hex code I know blue is the cool color for most corporations but I guarantee you they're not all using the same shade of blue okay so the marketing department is going to make sure that that RGB code that represents our cherished corporate identity is unique okay so now again if you if and this is that poverty line discussion so I'm sorry if you're not in this position but if you are in a position where you can inspect inbound web traffic you can start to profile for people using your corporate identity then you start to tune out and filter out the people that

are known right that that SAS provider that made a copy of your log on that's totally okay right uh any any other additional logons you might have to your your sites and systems and then you can catch them using your color or your you know logo specific size shape whatever it is so so that is one thing that you can actually search for and hunt for um that can give you a tell that your corporate identity is being abused regardless of whether it's coming through one of the proxies I'm talking about or if they're simply doing you know copy and paste into their their their uh adversarial

infrastructure so uh I've I've walked through a lot of um specific ideas techniques things like that um you can do this um the last thing I want to point out here is simulate attacks um you don't have to be a red teamer to do red teamy things okay it's not as technologically sophisticated as those cool red teamers would have you to believe okay um setting up evil engine X is as simple as spinning up a Docker container okay so run these types of tests against your organization to see what you see what do you see in your logs um you know what is the user experience like those types of things um so I strongly encourage doing

that um so you got this you can do this All right so I've got uh I am going to post um slides within two to three days um you can catch those out there um if it's Mastadon I will pin it to the uh the top of my profile for for a little while so you can catch those there so I want to thank all of you for your time I want to thank all of you for taking time out of your work schedule to be here at bsides um and uh I I just want to say I greatly value uh the contribution each and every one of you make on a day-to-day basis to the safety

of the organization and the people that you're responsible for protecting. So thank you very much, and I'll take questions for about five minutes here if anybody has any.

So I saw the Microsoft authentication window, and this came up, like, where it has someone look at the URL, and you said, hey, we shouldn't rely on our users to look for that. I completely agree, but I don't... maybe it's just my organization. That issue came up in another cyber group that I attend, like, hey, they pointed this out. I went back to my company; I didn't see a URL in that authentication screen. So that's weird, like, just seeing that banner itself, or having that revealed. So I don't know what's common or not, but I was like, well, so

What I see commonly is, I'm not so much sure about the Microsoft side, but oftentimes what we do with our authentication pages is we put them in pop-up windows that are, like, modal, and they don't have an address bar in them.

Yeah, yeah.

Like, that makes this attack even worse.

Yeah. Just seeing it, to me, at my organization, would be... but I didn't know if it was an option for other people, you know. It shows up; the fact that it's there is like, well, this is weird. But I wouldn't trust my users for that either.

Right, exactly, exactly. And I have a whole other hobby horse talk about why

putting all the onus on users is terrible as well.

Yeah, thank you. Thank you.

Hello. Hi, so with the session token thing that you described, there's generally that... (sorry, oh, a little closer to the mic.) So with the session token attacks, I guess one of the countermeasures that you can take is reducing the validity of that token, but how do you strike that balance with user productivity? Because often users are quite lazy, and your IT managers are going, you know, I don't want to deal with complaints from users about constantly needing to authenticate and reauthenticate.

Absolutely. So the crux of the question is how do you

balance user experience against the life cycle of a token and making people reauthenticate. I don't know. I mean, you know, an adversary can get in and establish persistence very, very fast, so I don't think the solution is shorter token life cycles. Microsoft is starting to roll out, or they do have, risky behaviors or risky sign-on events. I would strongly recommend implementing those. And this is actually where my gripe against Microsoft is: I don't think they should allow logons from things like browser agents that aren't actual web browsers. I mean, it's such stupid low-hanging fruit, but it still seems to work

for some reason. The one thing that I think should happen is there should be a matchup between the token and the actual browser agent that was used for the token, okay? So if your browser agent changes and you have a successful auth with that token, it should just auto-invalidate the token. Microsoft has not implemented this to my knowledge. They have some token protection stuff, but it doesn't quite go this far. But frankly, there's no reason why you should be able to proffer the same token between Chrome and Firefox, even on your same machine, because that token is just sitting there in a cookie in the local cookie store, so

it should never be proffered from anywhere other than the first place. But that's what they're doing, I guess.

First, more of a comment: I have heard Microsoft has something in beta that's exactly what you're talking about.

Yeah, I know they're working on it.

My question is, Microsoft Authenticator's passwordless authentication, Microsoft claims its phishing resistance. Is it, according to CISA?

Yes, I do believe it is.

Thank you.

So if you're using the right configuration, Windows Hello for Business and Microsoft's Authenticator, if you're using it in the right configuration, it's storing the certificate in an enrolled device, whether it be your Windows

laptop, things like that. Yes, there are a lot of great options there. I'm a Mac user in an enterprise; none of those are available to me. So the problem is, that's great if you're an all-Windows fleet; it starts to break down when you have any type of BYOD, Macs, situations, things like that. So I've gotten the stop sign. I want to thank all of you for your time again, and the fantastic questions. Thank you very much.
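The brand-color hunt the speaker describes (profile inbound web content for your marketing department's exact hex code, then allowlist the SaaS provider that legitimately cloned your logon page) is easy to prototype. The following is an added example written for this page, not code from the talk or from any tool the speaker mentions. The brand color `#0f5bd1`, the hostnames, and the captured responses are all constructed for illustration. One thing the talk does not spell out: attackers who copy and paste a page often end up with the color in a different CSS syntax (`rgb(...)`, a 3-digit shorthand, or an 8-digit hex with alpha), so the example normalizes every form to `#rrggbb` before comparing.

```python
import re
from urllib.parse import urlparse

# Hypothetical corporate brand colour: the "very, very specific hex code".
BRAND_HEX = "#0f5bd1"

# Known legitimate copies of the logon page: our own tenant plus a SaaS
# provider that cloned our branding (hypothetical hostnames). Anything else
# rendering the brand colour is a candidate for abuse of our identity.
ALLOWLISTED_HOSTS = {"login.example.com", "sso.saasvendor-example.com"}

# Colour syntaxes an attacker's copy of our CSS might contain.
HEX6 = re.compile(r"#([0-9a-fA-F]{6})(?:[0-9a-fA-F]{2})?\b")   # #rrggbb or #rrggbbaa
HEX3 = re.compile(r"#([0-9a-fA-F]{3})\b")                      # #rgb shorthand
RGB = re.compile(r"rgba?\(\s*(\d{1,3})\s*,\s*(\d{1,3})\s*,\s*(\d{1,3})")


def normalize_hex(value: str) -> str:
    """Return a lower-case #rrggbb string for a 3- or 6-digit hex colour."""
    v = value.lstrip("#").lower()
    if len(v) == 3:
        v = "".join(c * 2 for c in v)
    return "#" + v


def extract_colors(body: str) -> set:
    """Collect every colour in an HTML/CSS body as #rrggbb, whatever syntax was used."""
    found = {normalize_hex(m) for m in HEX6.findall(body)}
    found |= {normalize_hex(m) for m in HEX3.findall(body)}
    for r, g, b in RGB.findall(body):
        found.add("#{:02x}{:02x}{:02x}".format(int(r), int(g), int(b)))
    return found


def hunt_brand_abuse(responses, brand_hex=BRAND_HEX, allowlist=ALLOWLISTED_HOSTS):
    """responses: iterable of (url, body) pairs seen in inbound web traffic.

    Returns the sorted set of hosts that render the brand colour but are not
    on the allowlist of known legitimate copies of the logon page.
    """
    target = normalize_hex(brand_hex)
    flagged = set()
    for url, body in responses:
        host = urlparse(url).hostname or ""
        if host in allowlist:
            continue  # tuned out: known SaaS copy or our own site
        if target in extract_colors(body):
            flagged.add(host)
    return sorted(flagged)


# Constructed sample of captured responses (not real traffic).
SAMPLE_RESPONSES = [
    ("https://login.example.com/", '<style>.btn{background:#0F5BD1}</style>'),
    ("https://sso.saasvendor-example.com/login", 'body{color:rgb(15, 91, 209)}'),
    ("https://login-example.com.evil-test.invalid/", '.hdr{background:rgb(15, 91, 209)}'),
    ("https://sso-example.invalid/auth", '.hdr{background:#0f5bd1ff}'),
    ("https://news.invalid/", '.link{color:#1e90ff}'),  # a different blue
]

if __name__ == "__main__":
    for host in hunt_brand_abuse(SAMPLE_RESPONSES):
        print("brand colour seen on non-allowlisted host:", host)
```

Two practical notes. A proxy such as evilginx relays the genuine page, so the colour match fires on the proxied copy exactly as it does on a copy-and-paste clone; that is why the speaker calls it a tell regardless of which technique is used. And the allowlist is where the tuning effort goes: expect the first run to surface every partner and vendor that embeds your branding, and add them deliberately rather than widening the match.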
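In the Q&A the speaker proposes two controls on the identity provider side: refuse logons from user agents that are not real browsers, and bind each session token to the browser agent it was issued to, auto-invalidating the token if it is ever presented from a different one. Neither is something the talk shows in code, so the following is an added illustration, not Microsoft's implementation or the speaker's own code. The session store, the user-agent strings and the browser heuristic are all constructed for the example; a production system would bind to something stronger than a User-Agent header, which an attacker can copy along with the cookie.

```python
import hashlib
import secrets
import time

# Crude heuristic for "is this an actual web browser?" (assumption for the
# example; real detection would use richer client signals than one header).
BROWSER_MARKERS = ("Mozilla/", "Chrome/", "Firefox/", "Safari/", "Edg/")


def looks_like_browser(user_agent: str) -> bool:
    """Reject obvious non-browser clients (scripting libraries, CLI tools)."""
    return any(marker in user_agent for marker in BROWSER_MARKERS)


class SessionStore:
    """Issues session tokens bound to the fingerprint of the issuing browser agent."""

    def __init__(self):
        self._sessions = {}

    @staticmethod
    def _fingerprint(user_agent: str) -> str:
        return hashlib.sha256(user_agent.encode("utf-8")).hexdigest()

    def issue(self, user: str, user_agent: str):
        """Issue a token after successful auth, or None for a non-browser client."""
        if not looks_like_browser(user_agent):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {
            "user": user,
            "ua_fp": self._fingerprint(user_agent),
            "issued": time.time(),
        }
        return token

    def validate(self, token: str, user_agent: str):
        """Return the user for a valid token, or None.

        A token presented from a browser agent other than the one it was issued
        to is treated as replayed: it is revoked on the spot, so even the
        original browser cannot keep using it afterwards.
        """
        session = self._sessions.get(token)
        if session is None:
            return None
        if session["ua_fp"] != self._fingerprint(user_agent):
            del self._sessions[token]  # auto-invalidate on agent mismatch
            return None
        return session["user"]


# Constructed user-agent strings for the walkthrough.
VICTIM_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/116.0.0.0 Safari/537.36"
ATTACKER_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0"
SCRIPT_UA = "python-requests/2.31.0"


def replay_walkthrough():
    """Victim logs in through the proxy; attacker replays the stolen cookie later.

    Returns (victim_first_use, attacker_replay, victim_after_replay).
    """
    store = SessionStore()
    # The proxy forwards the victim's real browser during the login, so the
    # token is bound to the victim's agent.
    token = store.issue("victim@example.com", VICTIM_UA)
    first = store.validate(token, VICTIM_UA)
    replay = store.validate(token, ATTACKER_UA)   # stolen cookie, other browser
    after = store.validate(token, VICTIM_UA)      # victim's session is gone too
    return first, replay, after


if __name__ == "__main__":
    print(replay_walkthrough())
```

The revocation on mismatch is deliberately loud: the victim is kicked out along with the attacker, which is the signal you want an incident responder to see in the sign-in logs. The limitation, as the speaker's own reasoning implies, is that the User-Agent travels through the proxy with everything else, so a careful attacker can present the same string; this control raises the cost of the lazy replay that currently works, it does not replace device-bound credentials.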