On the Case: Detecting and mitigating adversary-in-the-middle phishing attacks with Darktrace Services, by Justin Torres
Adversary-in-the-Middle (AiTM) phishing kits, Mamba 2FA in particular, represent a significant evolution in phishing tactics: they let attackers intercept and manipulate the authentication exchange in real time. These kits serve convincing decoy pages that mimic legitimate services, harvesting credentials and multi-factor authentication tokens as the victim enters them. The rise of Phishing-as-a-Service (PhaaS) platforms has made these sophisticated attacks accessible to a much wider pool of cybercriminals.

Affected: Microsoft 365, SharePoint, OneDrive

Key points:

  • PhaaS platforms lower barriers for cybercriminals, facilitating sophisticated phishing attacks.
  • AiTM phishing kits allow real-time interception and manipulation of communications.
  • Mamba 2FA targets Microsoft 365 and employs tactics to bypass multi-factor authentication.
  • Phishing pages closely mimic legitimate services to deceive users.
  • Real-time communication is facilitated through the Socket.IO JavaScript library.
  • Attackers capture MFA tokens immediately after user input, undermining security measures.
  • Infrastructure includes link domains and relay servers designed to evade detection.
  • Darktrace has detected unusual login activities linked to Mamba 2FA phishing campaigns.
  • Attackers often create unusual email rules to conceal malicious activities.
  • Darktrace’s Autonomous Response actions have been crucial in mitigating these threats.
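Two of the behaviours listed above, sign-ins from the campaign's known addresses and the creation of inbox rules that hide or forward mail, are straightforward to check for in Microsoft 365 audit data. The following detection logic is an added example and is not Darktrace's code or part of the original article. It uses the two IPv4 indicators from the summary below (refanged for matching), and the audit records it runs over are constructed for the example; their field names (`Operation`, `UserId`, `ClientIP`, `Parameters`) are assumed to loosely follow the shape of unified audit log entries rather than taken from any specification.

```python
"""Flag sign-ins from known AiTM infrastructure and suspicious inbox rules.

Added example; audit records below are constructed, and the record layout
(Operation / UserId / ClientIP / Parameters) is an assumption for the demo.
"""
import ipaddress

# IPv4 indicators from the article summary, kept defanged as published.
DEFANGED_IOCS = ["45.133.172[.]86", "102.68.111[.]240"]

# Rule parameters that send mail elsewhere (exfiltration / persistence).
EXFIL_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}


def refang(indicator: str) -> str:
    """Undo common defanging so an indicator can be parsed as an address."""
    return indicator.replace("[.]", ".").replace("[::]", "::").replace("[:]", ":")


IOC_ADDRESSES = {ipaddress.ip_address(refang(i)) for i in DEFANGED_IOCS}


def rule_reasons(params: dict) -> list:
    """Return human-readable reasons an inbox rule looks like concealment or exfil.

    A rule that only moves mail to a folder is left alone; moving *and* marking
    as read, deleting, or forwarding/redirecting is what attackers use to hide
    their traffic from the mailbox owner.
    """
    reasons = []
    if params.get("DeleteMessage", "").lower() == "true":
        reasons.append("deletes matching mail")
    for name in sorted(EXFIL_PARAMS & params.keys()):
        reasons.append(f"{name}={params[name]}")
    if "MoveToFolder" in params and params.get("MarkAsRead", "").lower() == "true":
        reasons.append(f"moves to '{params['MoveToFolder']}' and marks as read")
    return reasons


def analyse(records: list) -> list:
    """Two passes: collect IoC sign-ins first so rule alerts can be correlated."""
    ioc_logins = {}  # user -> list of IoC addresses they signed in from
    alerts = []
    for r in records:
        if r["Operation"] == "UserLoggedIn" and r.get("ResultStatus") == "Success":
            ip = ipaddress.ip_address(r["ClientIP"])
            if ip in IOC_ADDRESSES:
                ioc_logins.setdefault(r["UserId"], []).append(str(ip))
                alerts.append({"user": r["UserId"], "kind": "ioc_login",
                               "severity": "high",
                               "reasons": [f"successful sign-in from {ip}"]})
    for r in records:
        if r["Operation"] in ("New-InboxRule", "Set-InboxRule"):
            params = {p["Name"]: p["Value"] for p in r.get("Parameters", [])}
            reasons = rule_reasons(params)
            if reasons:
                # A hiding rule created by a user who also logged in from
                # campaign infrastructure is the AiTM pattern in full.
                severity = "high" if r["UserId"] in ioc_logins else "medium"
                alerts.append({"user": r["UserId"], "kind": "inbox_rule",
                               "severity": severity, "reasons": reasons})
    return alerts


# Constructed sample records; 203.0.113.0/24 is documentation space, not an IoC.
SAMPLE_AUDIT_LOG = [
    {"Operation": "UserLoggedIn", "UserId": "alice@example.com",
     "ClientIP": "45.133.172.86", "ResultStatus": "Success"},
    {"Operation": "UserLoggedIn", "UserId": "bob@example.com",
     "ClientIP": "203.0.113.10", "ResultStatus": "Success"},
    {"Operation": "New-InboxRule", "UserId": "alice@example.com",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "password;invoice"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "carol@example.com",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "New-InboxRule", "UserId": "dave@example.com",
     "Parameters": [{"Name": "Name", "Value": "sync"},
                    {"Name": "ForwardTo", "Value": "collector@example.net"}]},
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_AUDIT_LOG):
        print(alert["severity"].upper(), alert["user"], alert["kind"],
              "; ".join(alert["reasons"]))
```

Run against the sample, it raises a high-severity pair for alice (IoC sign-in followed by a delete-everything rule), a medium alert for dave's forwarding rule, and nothing for carol's plain move-to-folder rule or bob's ordinary sign-in. In production the same two passes would be fed from the unified audit log export rather than the inline list.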

MITRE Techniques:

  • Initial Access – Phishing: Attackers use deceptive emails and links to gain access.
  • Credential Access – Steal Web Session Cookie: Attackers capture session cookies during phishing.
  • Persistence – Account Manipulation: Attackers create email rules to maintain access.
  • Persistence – Outlook Rules: Unusual email rules are established to forward sensitive information.
  • Defense Evasion – Dynamic URL Generation: URLs are frequently changed to avoid blacklisting.
  • Resource Development – Compromise Accounts: Attackers utilize compromised accounts for further access.
  • Discovery – Cloud Service Dashboard: Attackers monitor cloud services for vulnerabilities.
  • Privilege Escalation – Cloud Accounts: Attackers escalate privileges within compromised accounts.

Indicators of Compromise:

  • [ip address] 2607:5500:3000:fea[::]2
  • [ip address] 2607:5500:3000:1cab[:]2
  • [ip address] 45.133.172[.]86
  • [ip address] 102.68.111[.]240
  • Check the article for all found IoCs.


Full Research: https://darktrace.com/blog/detecting-and-mitigating-adversary-in-the-middle-phishing-attacks-with-darktrace-services