Learn Information Security
A place to share links and articles that i have found helpful. This blog tends to be more offensive security minded. Basically it is a collection of notes that I will update periodically. None of this is set in stone, and I could very well be wrong on most of it. Just saying.
identity rambles....
Teams Phishing
Security controls like Sender Policy Framework (SPF) that can
prevent direct spoofing of domains and email security gateways that can
flag suspicious domains. Those security controls don’t exist for IM, so
we have new options for spoofing.
Slack Phishing
https://pushsecurity.com/blog/
Security controls like Sender Policy Framework (SPF) that can prevent
direct spoofing of domains and email security gateways that can flag
suspicious domains. Those security controls don’t exist for IM, so we
have new options for spoofing.
Chameleon attack
A particularly
interesting external attack capability is that an attacker can act as a
chameleon and change their identity over time. This could be
particularly dangerous in CEO fraud attacks. An attacker could forge
connections with finance employees ahead of time for seemingly
legitimate and innocuous means and then later use those to send Slack
messages spoofing the CEO.
Link preview spoofing
HTML allows a variety of ways to specify hyperlinks. Secure email gateways will often alert or block commonly abused types, such as forging a different URL as the link display text to what the underlying link points to. On IM applications, however, this same standard of link analysis is not always present and the widespread introduction of link unfurling/previewing has also given additional options for spoofing links to hide their true source and increase social engineering success.
Phishing is Evolving Quickly
It’s not just application-level lateral movement and persistence to worry about, though. It’s possible the attacker can start moving laterally across other user accounts. If they have selected their targets well, they might even find they have admin access to some downstream SaaS application that has been configured for SAML logins using Okta.
For example, maybe they compromise a finance employee who has admin access to their business expenses SaaS application. Then the attacker might be able to use a new technique like SAMLjacking to start attacking other users in a watering hole attack to achieve lateral movement.
There are many options for lateral movement and persistence after an account compromise, so simple containment actions like password resets for SSO credentials are not nearly enough to contain a knowledgeable attacker.
Update IR playbooks to to deal with SSO account compromise, factoring in lateral movement and persistence across cloud apps. This really necessitates that you understand what business apps your organization is using, how they are accessed (e.g. SSO or username and password) and what functionality exists that could be abused by an attacker.
Tools :: no vnc :: EvilnoVNC :: Modlishka
Read More ::
- from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud
- 6-months-tracking-aitm-campaigns
- https://blog.thinkst.com/2024/01/defending-against-the-attack-of-the-cloned-websites.html
- https://zolder.io/using-honeytokens-to-detect-aitm-phishing-attacks-on-your-microsoft-365-tenant/