
Cybersecurity researchers have revealed a new attack technique that allows threat actors to bypass key protections of Fast Identity Online (FIDO) by deceiving users into approving authentication requests from a spoofed company login portal.
A FIDO key is a hardware- or software-based authenticator designed to eliminate phishing by binding logins to a specific domain using public-key cryptography. In this case, the attacker abuses a legitimate feature (cross-device sign-in) to lure the victim into a malicious session that the victim unknowingly authenticates.
The activity, observed by Expel as part of an in-the-wild phishing campaign, is attributed to a threat actor named PoisonSeed. The group was recently flagged for sending spam messages containing cryptocurrency seed phrases to drain victims' wallets, leveraging compromised credentials for customer relationship management (CRM) tools and bulk email providers.
“Attackers do this by utilizing the cross-device sign-in feature available with a FIDO key,” said researchers Ben Nahorney and Brandon Overstreet. “But the bad actors in this case use this feature in their adversary-in-the-middle (AitM) attacks.”
This technique does not work in every scenario. In particular, it targets users who authenticate via cross-device flows that do not enforce strict proximity checks, such as Bluetooth-based or local-device proofs. If your environment requires a hardware security key that is directly connected to the login device, or if you use a platform-bound authenticator (such as Face ID tied to the browser’s context), the attack chain breaks.

Cross-device sign-in allows users to sign in on a device that does not hold the passkey by using a second device, such as a mobile phone, that holds the cryptographic key.
The attack chain documented by Expel begins with a phishing email inviting recipients to log in to a fake sign-in page that mimics the enterprise Okta portal. Once the victim enters their credentials, the fake site secretly relays the sign-in information to the real login page.
The phishing site then instructs the legitimate login page to use the hybrid transport method for authentication. The real page generates a QR code, which is sent back to the phishing site and presented to the victim.

If the user scans the QR code with the authenticator app on their mobile device, the attacker gains unauthorized access to the victim’s account.
“In this attack, the bad actor entered the correct username and password and asked to sign in with cross-device sign-in,” Expel said.
“The login portal displays a QR code, which is immediately captured by the phishing site and relayed to the user on the fake site. The user is communicating with the login portal and MFA authenticator, and the attacker is taking part.”
What is noteworthy about the attack is that it bypasses the protection provided by the FIDO key, allowing threat actors to gain access to the user’s account. The compromise does not exploit a flaw in the FIDO implementation. Rather, it abuses legitimate capabilities to downgrade the authentication process.
Although FIDO2 is designed to resist phishing, the cross-device login flow known as hybrid transport can be misused if proximity verification such as Bluetooth is not enforced. In this flow, users log in on their desktop by scanning a QR code with a mobile device that holds the passkey.
However, attackers can intercept and relay that QR code in real time via a phishing site, tricking users into authorizing authentication for a spoofed domain. This turns a safe feature into a phishing loophole. The defect is not in the protocol but in permissive implementations of it.

Expel also said it observed another incident in which threat actors registered their own FIDO key after breaching an account via a phishing email and resetting the user’s password.
To better protect user accounts, organizations should pair FIDO2 authentication with checks that verify which device is being used. Where possible, the login should occur on the same device that holds the passkey, which limits the phishing risk. Security teams should watch for unusual QR-code logins and new passkey registrations. Account recovery options should require a phishing-resistant method, and the login screen should help users spot suspicious activity by displaying helpful details such as location and device type, or clear warnings, especially when signing in cross-device.
If anything, the findings highlight the need to adopt phishing-resistant authentication at every step of the account lifecycle, including the recovery stage, because using phishing-prone authentication methods anywhere can undermine the entire identity infrastructure.
“AitM attacks are the latest in a long line of instances where bad actors and defenders raise the ante in the fight to compromise or protect user accounts,” the researchers added.
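As an added illustration of the monitoring advice above (example code, not Expel's or any vendor's), the following Python flags two of the signals security teams are told to watch for, a cross-device (hybrid-transport) login from a country the user has never logged in from, and a passkey registered shortly after a password reset, over a constructed event stream; the event fields and the one-hour window are assumptions, not a real identity provider's log schema.

```python
"""Detect cross-device logins from new locations and passkey enrolment
right after a password reset. Event schema is constructed for this demo."""
from datetime import datetime, timedelta

RESET_TO_ENROLL_WINDOW = timedelta(hours=1)  # assumption: tune per environment

# Constructed sample events (ISO timestamps, one identity provider tenant).
EVENTS = [
    {"ts": "2025-07-15T07:00:00", "user": "carol", "event": "login.success",
     "transport": "internal", "country": "US"},
    {"ts": "2025-07-15T08:00:00", "user": "alice", "event": "login.success",
     "transport": "internal", "country": "US"},
    {"ts": "2025-07-15T09:10:00", "user": "alice", "event": "login.success",
     "transport": "hybrid", "country": "NL"},   # QR-code login, new country
    {"ts": "2025-07-15T09:30:00", "user": "bob", "event": "password.reset"},
    {"ts": "2025-07-15T09:45:00", "user": "bob", "event": "passkey.register"},
    {"ts": "2025-07-15T12:00:00", "user": "carol", "event": "login.success",
     "transport": "hybrid", "country": "US"},   # hybrid, but usual country
]


def detect(events):
    """Return (user, rule, timestamp) alerts for the stream, oldest first.

    Rule 1: hybrid-transport login from a country not seen for that user
            earlier in the stream (relayed QR code from a phishing site).
    Rule 2: passkey registered within RESET_TO_ENROLL_WINDOW of a password
            reset (attacker enrolling their own key after a phished reset).
    """
    alerts, seen_countries, last_reset = [], {}, {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts, user = datetime.fromisoformat(e["ts"]), e["user"]
        if e["event"] == "login.success":
            known = seen_countries.setdefault(user, set())
            if e.get("transport") == "hybrid" and e["country"] not in known:
                alerts.append((user, "hybrid_login_new_country", e["ts"]))
            known.add(e["country"])
        elif e["event"] == "password.reset":
            last_reset[user] = ts
        elif e["event"] == "passkey.register":
            reset = last_reset.get(user)
            if reset is not None and ts - reset <= RESET_TO_ENROLL_WINDOW:
                alerts.append((user, "passkey_after_reset", e["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(*alert)
```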