Tech Tidbit – The Illusion of Logon Pages

April 1st, 2025

"It Got Weird, Didn't It?"

-Austin Powers: The Spy Who Shagged Me

I just attended the Huntress Security Event in NYC. It was at the Spy Museum on 8th Avenue (a cool place).

I returned from that event to the office very afraid for all of us - myself included.

For many tasks, AI is still more marketing than transformational technology. Most things claiming to be AI are really just better bots.

However, one area where AI is having a huge impact is in crafting targeted emails that are perfect in every way - language, graphics, grammar, color, etc.

If I can't tell, and you can't tell, your users certainly can't be expected to tell.

It was suggested that you should customize your logon screen. In Microsoft, you can do this. Simple drive-by attacks would be defeated: if you don't see the district logo, the page has to be fake, because the bad guys most likely won't have your logo on their logon page.

That sounds like a very good idea.

Enter the world of Evilginx.

Evilginx is a proxy front end that lets an attacker wrap their "evil" page around your "valid" page. You see your real page - even with your custom logos on it! It is just that when you type on that page, the data goes to the attackers *AND* to your real logon page. You log on fine. So do the attackers.

One for you and one for them.

The result is the same - you are compromised.

Because the attackers sit between you and the real site, they can also steal your MFA session token - negating MFA for their attack.

We still have to do all our due diligence safeguards, MFA and the like. However, the attackers are once again proving that "everything can be hacked," and Evilginx, free and open-source software, is a pretty easy way for them to quickly take their shot at you.

So, what are mere humans, already overworked and stressed out, to do if you tell them that, after all the hard work we have all done and all the security awareness training, the attackers can just walk right in unopposed?

The answer is two-fold:

  1. Layers of protection - The reason we have layers is while an attacker may be able to easily defeat one layer of protection, hopefully another layer of protection will see them and stop them. Like in football, you have the defensive linemen rushing the passer, but you have safeties and linebackers that move around and hang back to prevent a breakout move. Security is not any different.
  2. Look for behaviors. Attackers want to steal your data. They need to look through and categorize your data to find what they want. You need tools that are looking for behaviors such as:
  • Impossible travel
  • First time logons
  • First time VPN usage
  • Lateral movement
  • Email Filtering Rules
  • Unusual logon times
  • Unusual data flow

That is a start but an incomplete list.
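As an added example (not code from the original post or from any of the vendors named here), the following Python sketch shows what looking for two of these behaviors, first-time logons and impossible travel, amounts to when run over constructed M365-style sign-in records. The record layout, the 900 km/h speed threshold and the sample data are assumptions made for illustration.

```python
# Added example, not the post's code: a minimal behaviour detector over constructed
# sign-in records. Field names, the 900 km/h threshold and the sample data are assumptions.
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

@dataclass
class SignIn:
    user: str
    ts: datetime
    ip: str
    country: str
    lat: float
    lon: float

def haversine_km(a: SignIn, b: SignIn) -> float:
    """Great-circle distance in km between two sign-in locations."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def detect(events, known=frozenset(), max_speed_kmh=900.0):
    """Return (rule, user, detail) findings in time order. known holds (user, country)
    pairs from the baseline; any other pair is a first-time logon. Two sign-ins by one
    user that would need travel faster than max_speed_kmh are impossible travel."""
    findings, seen, last = [], set(known), {}
    for ev in sorted(events, key=lambda e: e.ts):
        if (ev.user, ev.country) not in seen:
            seen.add((ev.user, ev.country))
            findings.append(("first_time_logon", ev.user, f"{ev.country} via {ev.ip}"))
        prev = last.get(ev.user)
        if prev is not None:
            km = haversine_km(prev, ev)
            hours = (ev.ts - prev.ts).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")
            if km > 50 and speed > max_speed_kmh:  # ignore geo-IP jitter within a city
                findings.append(("impossible_travel", ev.user,
                                 f"{prev.country}->{ev.country}, {km:.0f} km in {hours:.2f} h"))
        last[ev.user] = ev
    return findings

# Constructed sample: jdoe's normal office logon, then 45 minutes later a logon from
# another country, the trace a stolen session token replayed via a proxy leaves behind.
KNOWN = frozenset({("jdoe", "US"), ("asmith", "US")})
SAMPLE = [
    SignIn("jdoe", datetime(2025, 4, 1, 8, 2), "203.0.113.10", "US", 40.71, -74.01),
    SignIn("jdoe", datetime(2025, 4, 1, 8, 47), "198.51.100.7", "NL", 52.37, 4.90),
    SignIn("asmith", datetime(2025, 4, 1, 9, 0), "203.0.113.11", "US", 40.71, -74.01),
]
```

Calling `detect(SAMPLE, KNOWN)` returns two findings, both for jdoe: the first-time logon from NL and the impossible travel between the two sign-ins.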

The way to get at this is to have cloud-based scanning of Google and/or M365. A number of M365-specific agents exist now. Our friends at Blackpoint Cyber have both M365 and Google agents to look for these things. Our friends at Huntress have an M365-specific agent.

Our friends at Huntress, SentinelOne and Blackpoint Cyber have SOCs to monitor their endpoints and their managed cloud instances and more to look for these behaviors and shut them down.

And then there are the full, remote SOCs like CSI's Managed XDR service powered by BlueShift Cyber which sees all traffic in and out with their advanced SOC team staffed with some of the finest SOC analysts in the world.

Our industry has to come up with a way to defend against these Evilginx-style attacks. And all of us have to adapt our defenses to the realization that attacks of this style are now easy to do and very prevalent.

If this wasn't scary enough, next time we will talk about the evil Racoon attacks going on against your email.

Buckle up.

In the meantime, give us a call to discuss how to help you adapt your security strategy to meet this ever-changing threat landscape.

-Scott Quimby, CISSP