Monthly Archives: April 2019

Office 365’s MFA is vulnerable to EvilGinx2

According to the latest Microsoft Security Intelligence Report, spear phishing remains the preferred attack method used by hackers. Microsoft detected a 250% increase in phishing messages between January and December 2018.

Figure 1 Page 21 of the Microsoft Security Intelligence Report Volume 24

Many organizations have deployed MFA as a layer of defense against phishing, so that if a user gives away a username and password, the attacker still should not be able to log on to the account. The purpose of this blog post is to raise awareness that Office 365 in particular is now vulnerable to “network session hijacking proxy theft,” which lets an attacker sign in regardless of the MFA solution (MSFT, Duo, RSA, SMS, etc.). The victim is tricked into visiting a credential-stealing website that is really a reverse proxy in front of the genuine login page. The victim’s password and MFA response are relayed to the real service in real time, the real service issues an authenticated session cookie, and the proxy captures that cookie on its way back to the victim. The attacker then replays the cookie and is signed in as the user; the one-time code was only ever needed once, and the proxy spent it at the moment the victim typed it.
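To make the mechanism concrete, here is an in-memory simulation of the exchange, added as an illustration (it is not EvilGinx2 code and not Office 365 behaviour). The identity provider, the user, the password and the TOTP seed are all constructed; the only real piece is the RFC 6238 code generation, which stands in for the victim’s authenticator app. The point it shows is that the proxy relays the fresh one-time code live, so the code itself is useless afterwards, while the session cookie the real service hands back is valid for hours.

```python
"""Simulation of "network session hijacking proxy theft": a reverse proxy relays
the victim's password and one-time code to the real identity provider in real
time and keeps the session cookie the IdP hands back.  Everything here is an
in-memory stand-in (no network).  The IdP, user, password and TOTP seed are
constructed for the example."""
import hashlib
import hmac
import secrets
import struct
from typing import Optional


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the code an authenticator app would show."""
    counter = struct.pack(">Q", int(now // step))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class IdentityProvider:
    """Stand-in for the real login service: password + TOTP, then a session cookie."""

    SESSION_TTL = 8 * 3600  # session cookies outlive the 30-second OTP window by hours

    def __init__(self) -> None:
        self.users = {}     # user -> (password, totp_secret)
        self.sessions = {}  # cookie -> (user, expiry)

    def register(self, user: str, password: str, totp_secret: bytes) -> None:
        self.users[user] = (password, totp_secret)

    def login(self, user: str, password: str, code: str, now: float) -> Optional[str]:
        """Return a session cookie on success, None on failure."""
        stored_pw, secret = self.users.get(user, ("", b""))
        if not (stored_pw and hmac.compare_digest(stored_pw, password)):
            return None
        if not hmac.compare_digest(totp(secret, now), code):
            return None  # wrong or expired one-time code
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = (user, now + self.SESSION_TTL)
        return cookie

    def whoami(self, cookie: str, now: float) -> Optional[str]:
        """Who a request carrying this cookie is authenticated as (None if nobody)."""
        user, expires = self.sessions.get(cookie, (None, 0.0))
        return user if user and now < expires else None


class PhishingProxy:
    """The attacker's site: looks like the login page, forwards every field to the real IdP."""

    def __init__(self, idp: IdentityProvider) -> None:
        self.idp = idp
        self.captured = []  # (user, password, code, cookie) tuples

    def handle_login(self, user: str, password: str, code: str, now: float) -> bool:
        cookie = self.idp.login(user, password, code, now)  # relayed live, so the OTP is still fresh
        if cookie is not None:
            self.captured.append((user, password, code, cookie))
        return cookie is not None  # the victim sees an ordinary successful sign-in


def victim_signs_in(proxy: PhishingProxy, user: str, password: str, secret: bytes, now: float) -> bool:
    """The lured user types the real password and the current code from their authenticator."""
    return proxy.handle_login(user, password, totp(secret, now), now)


def run_attack(now: float) -> dict:
    """Play the whole exchange and report what each later replay attempt achieves."""
    idp = IdentityProvider()
    user, password = "alice@contoso.example", "correct horse battery staple"  # constructed
    secret = b"constructed-seed-not-a-real-key"  # constructed TOTP seed
    idp.register(user, password, secret)
    proxy = PhishingProxy(idp)

    lured_ok = victim_signs_in(proxy, user, password, secret, now)
    _, pw, code, cookie = proxy.captured[0]

    later = now + 600  # ten minutes on: the captured OTP is dead, the cookie is not
    return {
        "victim_saw_success": lured_ok,
        "otp_replay_later": idp.login(user, pw, code, later) is not None,
        "cookie_replay_later": idp.whoami(cookie, later),
    }


if __name__ == "__main__":
    import time
    print(run_attack(time.time()))
```

Running it reports that the victim saw a normal sign-in, that re-submitting the captured password and code later fails, and that presenting the captured cookie later still returns the victim’s identity. That is why the particular second factor does not matter here: anything the user can type or approve can be relayed while it is fresh. The one class of factor this relay cannot forward is an authenticator that cryptographically binds its response to the origin the browser actually loaded (WebAuthn/FIDO2), because the signature it produces for the proxy’s domain is not valid for the real one.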

To see a demonstration of this, watch this YouTube video: https://www.youtube.com/watch?v=k4bq5A-icBw (credit to @thehappydinoa).

Prior to this video, I had not been able to find any blog posts or videos demonstrating a successful bypass of Office 365’s 2FA. It’s worth noting that Office 365 is not unique: the same man-in-the-middle attack works against Google, LinkedIn, and other platforms, as first demonstrated by Kevin Mitnick (KnowBe4) in May 2018 (original blog post here). Since then, other phishlets have been developed for Amazon, GitHub, ProtonMail, Citrix, Okta, Twitter, Instagram, Facebook, Reddit, consumer Outlook.com, and now Office 365.

This matters because much of the security industry emphasizes MFA without raising awareness of this man-in-the-middle threat. For example, in my opinion one of the best presentations at the 2018 RSA Conference was given by Booz Allen Hamilton, which presented overwhelming evidence that 2FA would have stopped or reduced the impact of every one of the 159,700 cyber incidents reported by the Online Trust Alliance for 2017 (page 6, reference here). The caveat now has to be added that MFA would have stopped those incidents only as long as the victims were not tricked into logging in through a proxy website.

We already take for granted that even the best anti-spam/anti-phishing solutions will not block 100% of threats; it is time to accept that MFA will not always prevent unauthorized authentication either (much as the SMS form of 2FA is no longer recommended or considered sufficient).

Roger Grimes of KnowBe4 gave a wildly popular presentation at the 2019 RSA Security Conference (it required overflow seating) which listed 12 methods of bypassing MFA (PDF download here). Some of these techniques require the attacker to invest a lot of time, and sometimes money and risk (SIM swapping), or to be adept at social engineering (phone number porting). However, this all changed when Kuba Gretzky (@mrgretzky) released Evilginx in 2017. Kuba showed how attackers can reduce their risk, cost, and effort through “network session hijacking proxy theft.” Grimes listed this technique among the 12 MFA bypass methods in his RSA presentation and included a video showing Kuba’s updated EvilGinx2 successfully bypassing the 2FA of Gmail and LinkedIn. At that time there was no Office 365 phishlet available; one was later added by @JamesCullum.

In January, at a Microsoft event, I asked Microsoft whether Office 365 defended against or detected network session hijacking proxy theft, specifically EvilGinx2. They stated that Office 365 would prevent this technique.

Enter Aidan Holland (@thehappydinoa), who recently verified that EvilGinx2 can successfully bypass Office 365’s 2FA. Aidan also solved a vexing problem for Troy Hunt, who was trying to get a list of Fortune 500 email domains for his security research; read about that solution here.

Aidan’s video is the first I have seen showing a successful bypass of Office 365 MFA:

https://www.youtube.com/watch?v=k4bq5A-icBw

(Credit to @thehappydinoa)

It’s worth noting that, at the time of writing, the phishing link generated by EvilGinx2 was not blocked by Microsoft EOP, Office 365 ATP, Microsoft Defender ATP, or Windows Defender SmartScreen.

In the next blog post, I will discuss ways to protect against EvilGinx2.

Analysis of DNS Recon of the Fortune 500 (Part 1 of 3)

In this three-part blog series, I will be writing about interesting trends among the Fortune 500, using public DNS reconnaissance tooling posted in open source GitHub repositories. This first post focuses on the email security providers used by the Fortune 500. The other posts will analyze adoption trends in DMARC and IdP federation.

One of my favorite people to follow on Twitter is Daniel Streefkerk (@dstreefkerk) from Sydney, Australia. On February 11th Daniel tweeted about a script he had published to GitHub (here) that performs DNS reconnaissance, and he posted a graph (here) of the email security providers used by the top 250 Australian companies.


Then a few days later he posted (here) that he had updated the script to check for federation information (e.g., does the domain federate with Okta, ADFS, Ping, OneLogin, etc.?) and other interesting things, such as whether Office 365 was detected and the tenant name (typically exposed publicly in the DKIM CNAME record, whose target lives under <tenant>.onmicrosoft.com).

I was curious how his Australian findings compared to companies in the United States, but I couldn’t think of a simple way of finding the Fortune 500 email domain names. It turns out I was not alone. One of Daniel’s fellow Aussies, Troy Hunt, a Microsoft Regional Director (a title similar to an MVP), asked a similar question (here) on March 31st:

Everyone seemed to have ideas, but Troy was frustrated at one point that there wasn’t a simple list available anywhere. That’s when Aidan Holland (@thehappydinoa) came to the rescue and wrote an elegant 152-line Python script (here). It pulls the company list from a JSON query against HIFLD data, enriches each company with VirusTotal, ThreatCrowd, and crt.sh lookups, and finally validates that each candidate is a working email domain by querying its MX record, yielding about 455 of the 500. Impressive.

The initial data set came from ARCGIS.COM; his script queries this GeoJSON endpoint:

FORTUNE_500_JSON = "https://opendata.arcgis.com/datasets/a4d813c396934fc09d0b801a0c491852_0.geojson"


Aidan published the resulting list of 455 domain names (here). Using PowerShell, we can pipe that list into Daniel’s DNS recon script to produce a report of the email filtering systems used by the Fortune 500:

Get-Content fortune_455_emails.txt | .\Invoke-EmailRecon.ps1 | Export-Csv 455.csv
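The two checks that drive this report (which vendor the MX records point at, and whether the DKIM CNAME betrays an Office 365 tenant) and the MX validation step from Aidan’s script are small enough to show in full. The following is an added, self-contained re-implementation in Python; it is not Daniel’s or Aidan’s code. The DNS answers are constructed (a live run would fetch them with a resolver such as dnspython), the domains are fictitious, and the MX host patterns are the providers’ well-known public MX targets, which should be re-checked against current records before being relied on.

```python
"""Offline re-implementation of the recon checks: classify the email security
vendor from a domain's MX hosts, confirm the domain actually receives mail,
and pull the Office 365 tenant name out of the DKIM CNAME.  The DNS answers
are constructed; a live run would fetch them with a resolver."""
import re
from collections import Counter
from typing import Optional

# Well-known public MX targets of each provider (illustrative; verify against live records).
MX_VENDORS = [
    (r"\.pphosted\.com$", "Proofpoint"),
    (r"\.mail\.protection\.outlook\.com$", "Microsoft Exchange Online Protection (EOP)"),
    (r"\.messagelabs\.com$", "Symantec.Cloud"),
    (r"\.iphmx\.com$", "Cisco Email Security"),
    (r"(^|\.)aspmx\.l\.google\.com$", "Google"),
    (r"\.mailcontrol\.com$", "Forcepoint"),
    (r"\.hes\.trendmicro\.com$", "Trend Micro"),
]

# Constructed DNS data keyed by domain: MX targets and CNAMEs as a resolver would return them.
DNS = {
    "alpha.example": {  # Proofpoint in front of Exchange Online: a common Fortune 500 layout
        "MX": ["mxa-00000001.gslb.pphosted.com.", "mxb-00000001.gslb.pphosted.com."],
        "CNAME": {"selector1._domainkey.alpha.example":
                  "selector1-alpha-example._domainkey.alphacorp.onmicrosoft.com."},
    },
    "beta.example": {
        "MX": ["beta-example.mail.protection.outlook.com."],
        "CNAME": {"selector1._domainkey.beta.example":
                  "selector1-beta-example._domainkey.betainc.onmicrosoft.com."},
    },
    "gamma.example": {"MX": ["mail1.gamma.example.", "mail2.gamma.example."], "CNAME": {}},
    "delta.example": {"MX": ["mx.someboutiquefilter.example."], "CNAME": {}},
    "epsilon.example": {"MX": [], "CNAME": {}},  # web-only domain: not where this company gets mail
}

TENANT_RE = re.compile(r"\._domainkey\.([a-z0-9-]+)\.onmicrosoft\.com$", re.I)


def classify_mx(domain: str, mx_hosts) -> Optional[str]:
    """Vendor label from the MX targets; None when the domain has no MX at all."""
    if not mx_hosts:
        return None
    hosts = [h.lower().rstrip(".") for h in mx_hosts]
    for pattern, vendor in MX_VENDORS:
        if any(re.search(pattern, h) for h in hosts):
            return vendor
    if all(h == domain or h.endswith("." + domain) for h in hosts):
        return "Self-Hosted"  # every MX points back into the company's own namespace
    return "Other/Undetermined"


def o365_tenant(domain: str, cnames: dict) -> Optional[str]:
    """Office 365 serves DKIM keys from <tenant>.onmicrosoft.com, so the customer's
    selector CNAME leaks the tenant name even when inbound mail is filtered elsewhere."""
    for selector in ("selector1", "selector2"):
        target = cnames.get(f"{selector}._domainkey.{domain}")
        if target:
            match = TENANT_RE.search(target.rstrip("."))
            if match:
                return match.group(1).lower()
    return None


def recon(domain: str, records: dict) -> dict:
    """One row of the report for a single domain."""
    vendor = classify_mx(domain, records.get("MX", []))
    tenant = o365_tenant(domain, records.get("CNAME", {}))
    return {"domain": domain, "mail_domain": vendor is not None, "vendor": vendor,
            "office365": tenant is not None, "tenant": tenant}


def summarize(dns: dict) -> Counter:
    """Vendor counts over the domains that really receive mail (the table's Count column)."""
    rows = (recon(d, rec) for d, rec in dns.items())
    return Counter(r["vendor"] for r in rows if r["mail_domain"])


if __name__ == "__main__":
    for d, rec in DNS.items():
        print(recon(d, rec))
    print(summarize(DNS))
```

Two things the sample data is built to show: the MX record tells you who filters inbound mail, while the DKIM CNAME tells you where the mailboxes live, so alpha.example counts as Proofpoint in the vendor table but is still an Office 365 tenant; and a domain with no MX (epsilon.example) is dropped before counting, which is the validation step that trims the 500 companies down to the 455 domains in Aidan’s list.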


Raw Table Results (455 domains):

Email Security Vendor                             Count
Proofpoint                                          141
Self-Hosted                                          91
Microsoft Exchange Online Protection (EOP)           83
Other/Undetermined                                   59
Symantec.Cloud                                       36
Cisco Email Security (Formerly IronPort Cloud)       27
Google                                               11
Forcepoint (Formerly Websense)                        4
Trend Micro                                           2
FireEye Email Security Cloud                          1
Total                                               455


The results indicate that most are using Proofpoint or Exchange Online Protection, or are self-hosting a filtering service of some kind.

Comparing the results to Australia, the US market is consolidated around a few big players, whereas Australia is reasonably diversified. In theory, malware should spread more slowly in Australia, because an attacker would have to find a way past several different email security products to reach the majority of the top 250 Australian companies, whereas in the USA an attacker only needs to evade Proofpoint and Exchange Online Protection to reach roughly half of the Fortune 500 (224 of the 455 domains resolved above).

What surprised me was to see Proofpoint with only 6% penetration in the Australian market, compared to 28% in the United States (no surprise, since Proofpoint is headquartered in the USA).

These results could also be helpful for small or mid-size businesses, which sometimes treat the decisions of the Fortune 500 as a standard: “good enough for them, good enough for me.”

Universities, think tanks, and research firms like Gartner and Forrester can now take periodic snapshots of this data to track trends among email security vendors (or IdP federation vendors). Companies could use this data to find out which markets to expand into. And unfortunately, malware authors have most likely already figured out that targeting flaws in Proofpoint and Exchange Online Protection would net them roughly half of the Fortune 500.

In the next blog post, I will examine DMARC and IdP adoption trends.