September 11, 2022

TSD #006: 2FA Isn't The Perfect Solution.

Hello friend 👋

Welcome to another Sunday Download. I've had an incredibly full week! Lots going on in the cyber landscape at the moment and I'd like to highlight something notable to you.

You're probably well aware of what 2FA/MFA is. Those little 6-digit codes you have to enter after putting your username and password in. They're amazing. Even if you don't follow best practices with unique & strong passwords, 2FA can really save the day.

But.

I want to put two things in front of you today that'll make you rethink that strategy. Last month, a company called Twilio was breached and hackers also compromised more than 130 of Twilio's customer organisations, grabbing the credentials (username and password) of around 10,000 employees.

A cyber-intelligence provider, Group-IB, reported in a blog post that the hackers mimicked each organisation's Okta (2FA/MFA) login page and then essentially phished out their credentials, including their one-time 2FA/MFA codes.

Source: Group-IB

That's part one of the story.

Part two: let's meet EvilProxy.

EvilProxy is a new Phishing-as-a-Service tool that says it can steal authentication tokens to bypass 2FA for Apple, Google, Microsoft, GoDaddy, Facebook, Twitter, GitHub, PyPI and more. You can see a video of it in action on the Hacker News website.

If you don't know how to set up the infrastructure to steal 2FA tokens, you can just sign up for this service and it's all done for you. As easy as subscribing to Netflix. No more having to configure tools like evilginx2 or Modlishka.

There's plenty here for you to dive into and learn more about. Hopefully, this highlights some of the recent advances in attack techniques and tactics aimed at bypassing modern cyber-security controls. The key point is that a code you type into a fake login page can be relayed straight to the real one, so 2FA still protects you from a leaked or guessed password, but not from a convincing phishing page. We need to stay sharp. Take nothing for granted. Use strong passwords and 2FA everywhere you can, and be careful what you click on!

If there is something you’d like me to write about or make a video on, let me know by simply replying to this email.

Until next week,

Gary ✌️

Fun Things This Week

📽 My New Video

11 Tips for Passing OSCP First Time: The OSCP is a beast of an exam. I was fortunate enough to pass the first time. If you're sitting the OSCP, or any long-form technical exam really, these tips will definitely be of use.

📕 Book Review

The Billion Dollar Spy by David E. Hoffman.

Do you ever think about the damage a single disgruntled employee can do to a company or a government? It's something that crosses my mind often, especially after reading David's book. In the 1970s, a disgruntled Soviet engineer risked it all to send Soviet radar designs to the CIA. Codenamed SPHERE by his handlers, his leaks cost the Soviet Union over a billion dollars in today's money and ultimately led to the USA dominating Iraq in Gulf War 1. I made a video about the story too; you'll find it in the review below. Read my full review.

🎙 Podcasts

I listen to more non-cyber podcasts than I do cyber ones. I get more than enough cyber in a week's work! The one I'm recommending to you today is called 99% Invisible. It's about the hidden design all around us that we've just stopped noticing and it's from award-winning producer Roman Mars (the man has a dreamy voice). This week's episode is particularly fascinating as it explains how North Korea's state-run design studio has long been a prolific maker of statues around the world.

👾 Cool Tools

evilginx2 is a man-in-the-middle attack framework used for phishing login credentials along with session cookies, which in turn allows bypassing 2-factor authentication protection.

ForceAdmin is a C# payload builder that creates infinite UAC pop-ups until the user allows the program to run. The commands you enter are run via PowerShell calling cmd.exe and should use batch syntax. Why use it? Well, some users have UAC set to "Always notify", so UAC bypass techniques aren't possible. However, this attack will force them to run it as admin. Pretty cool and worth testing on a virtual machine.

P.S. Some of the links in this newsletter are affiliate links and help support my content. Thank you for your support! ✌️
