Authentication Proxy Attacks: Detection, Response and Hunting

Presented at BSidesLV 2023, Aug. 8, 2023, 10:30 a.m. (45 minutes)

Over five years ago, Evilginx was released, demonstrating the ease of stealing authentication session tokens from MFA-enabled logon processes with a simple reverse proxy. Despite this being a well-known technique, these attacks saw little widespread use among cybercrime threat actors until recently. The advent of EvilProxy and similar platforms has given attackers the ability to compromise targets with strong authentication without resorting to burdensome SIM swapping or noisy push fatigue attacks. With nascent adoption rates of phishing-resistant MFA outside government-aligned sectors, organizations need to know how to detect and respond to these attacks. In this talk, we will provide an in-depth look at the tactics, tools and procedures used in MFA-enabled account takeover. We'll demonstrate how the ingenuity of this attack has a fatal flaw at its core, allowing us to hunt, detect, mitigate and block this type of attack.

Presenters:

  • Chris Merkel
    Chris Merkel, Senior Director, Cyberdefense - Northwestern Mutual
    Chris Merkel leads Northwestern Mutual's Incident Response, Insider Risk and Detection Engineering functions. Beyond his current role, he has had a distinguished career in cybersecurity, leading global organizations and solving cutting-edge challenges in cloud security, appsec, product security, threat-informed defense strategies and automated assurance methodologies. Chris is passionate about professional development, organizing career villages, performing career counseling, mentoring and being actively involved in helping non-traditional students get their start in cybersecurity.
