AitM Attacks Rise: New Phishing Sophistication Bypasses MFA, Targeting Businesses
ESET researchers recently unearthed a cyber espionage campaign run by a previously unknown Advanced Persistent Threat (APT) group dubbed “Blackwood.” The group, believed to have been active since at least 2018, uses a multi-stage implant called NSPX30 against individuals and organisations in China and Japan, with at least one victim in the UK.
NSPX30 is delivered from an “Adversary-in-the-Middle” (AitM) position: Blackwood intercepts the update requests of legitimate applications such as Tencent QQ, WPS Office and Sogou Pinyin and answers them with the implant instead of the genuine update. The same interception position lets the group hide the location of its command-and-control servers inside ordinary-looking traffic, which makes the infrastructure hard to trace. Notably, NSPX30 can also evade several Chinese anti-malware products, adding to its stealth.
The implant’s lineage goes back to 2005, when an ancestor known as “Project Wood” was little more than a data-collection backdoor. NSPX30 is now a multi-component toolkit: a dropper, an installer, and a backdoor that loads customisable plugins. It also carries packet-interception capabilities, which support the cloak-and-dagger side of Blackwood’s operations.
ESET’s telemetry shows a surge in Blackwood activity in 2020, mostly against targets in China. Victims included private individuals, a manufacturing company, the Chinese office of a Japanese engineering corporation and a public research university network in the UK.
The report highlights why the delivery works: the affected applications fetch updates over unencrypted HTTP, so anyone positioned on the network path can answer the request with a substitute payload and the updater will run it. By abusing those plaintext update channels from an AitM position, Blackwood stayed hidden for years.
It Has Always Been There
AitM is not new. Recall Microsoft’s advisory from last year warning about AitM phishing used to steal user credentials and session cookies and, with them, to bypass Multi-Factor Authentication (MFA). The NSPX30 implant is the same idea in a different place: Microsoft described an attacker sitting between a user and a sign-in page, whereas Blackwood sits between an updater and its update server, intercepting software updates and hiding its operations behind the victim’s own traffic.
Both cases show how far AitM has moved beyond plain credential phishing. Rather than simply collecting a password on a fake page, current campaigns use methods such as:
- Reverse Proxy Servers: the phishing site is a transparent proxy between the user and the legitimate website. The user sees the real pages, fetched live through the proxy, while the attacker records everything that passes through: the password, the one-time 2FA code, and the session cookie the real site sets once login succeeds. Because every check the real site performs genuinely passes, nothing looks wrong to either side, which is why this “invisible hand” defeats traditional countermeasures.
- Synchronous Relay Servers: instead of proxying the real site, the attacker serves their own copy of the sign-in page. As the user types a password and an MFA response into the copy, the attacker’s server replays them against the real site at the same moment, so the legitimate login completes on the attacker’s end while the user only ever interacts with the impersonated page and never sees the real session.
The goal of both techniques is the same: steal the session cookie. Once the real site has issued it, the cookie is the only thing most applications check on subsequent requests, so whoever holds it can act as the user, with no further authentication, until the session expires or is revoked. That is what makes AitM so dangerous: it does not break a security control, it captures the artefact that is issued after the control has passed.
The MFA bypass follows directly. A conventional phishing page that only collects a password fails at the MFA prompt, but an AitM relay forwards the one-time code or push approval the moment the user supplies it, so OTP-, SMS- and push-based MFA are all satisfied on the attacker’s behalf. Only phishing-resistant factors bound to the site’s origin, such as FIDO2/WebAuthn security keys and passkeys, hold up: the signed response carries the origin the browser actually visited, and the real site rejects it when that origin is the proxy’s.
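To make the mechanics concrete, here is an added example written for this article, not code from ESET, Microsoft or any phishing kit. It models a reverse-proxy relay (the first method above) against two kinds of second factor: a password plus TOTP, which the proxy simply forwards and so obtains a valid session cookie, and a WebAuthn assertion, which the real site rejects because the browser wrote the lookalike’s origin into the signed client data. The two origins, the user, the toy relying party and the use of HMAC-SHA256 in place of the authenticator’s ECDSA signature are all assumptions made for the example; the signed byte layout (authenticatorData || SHA-256(clientDataJSON)) and the TOTP arithmetic follow the WebAuthn and RFC 6238 specifications.

```python
"""Toy AitM reverse-proxy relay against OTP vs origin-bound (WebAuthn) MFA.  Added
example (not ESET/Microsoft/kit code); HMAC-SHA256 stands in for the authenticator's ECDSA."""
import hashlib, hmac, json, secrets, struct, time

LEGIT_ORIGIN = "https://login.example.com"         # assumed legitimate site
PHISH_ORIGIN = "https://login.example-secure.com"  # assumed attacker lookalike

def totp(seed: bytes, now: float, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, six digits), stdlib only."""
    mac = hmac.new(seed, struct.pack(">Q", int(now) // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    return f"{(struct.unpack('>I', mac[off:off + 4])[0] & 0x7FFFFFFF) % 1_000_000:06d}"

def sign(key: bytes, auth_data: bytes, client_data: bytes) -> bytes:
    """WebAuthn signs authenticatorData || SHA-256(clientDataJSON)."""
    return hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()

class RelyingParty:
    """The legitimate site: checks password+TOTP or a WebAuthn assertion, issues cookies."""
    def __init__(self, name, password, seed, key):
        self.user = {"name": name, "pw": password, "seed": seed, "key": key}
        self.challenge, self.sessions = None, {}

    def login_otp(self, password, code):
        now = time.time()                              # accept current and previous 30 s step
        valid = (totp(self.user["seed"], now), totp(self.user["seed"], now - 30))
        return self._issue() if password == self.user["pw"] and code in valid else None

    def begin_webauthn(self):
        self.challenge = secrets.token_urlsafe(32)
        return self.challenge

    def finish_webauthn(self, client_data, auth_data, sig):
        cd = json.loads(client_data)
        if cd.get("challenge") != self.challenge:
            return None, "bad_challenge"
        if cd.get("origin") != LEGIT_ORIGIN:           # the check a relay cannot satisfy
            return None, "origin_mismatch"
        if not hmac.compare_digest(sign(self.user["key"], auth_data, client_data), sig):
            return None, "bad_signature"
        return self._issue(), "ok"

    def _issue(self):
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = self.user["name"]
        return cookie

def browser_assertion(key: bytes, origin: str, challenge: str):
    """Victim's browser + authenticator.  The browser, not the page, writes the origin
    it is really on into clientDataJSON, and the authenticator signs over its hash."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()
    auth_data = b"\x05" + b"\x00\x00\x00\x01"          # flags (UP|UV) || signature counter
    return client_data, auth_data, sign(key, auth_data, client_data)

class AitMProxy:
    """Reverse proxy at PHISH_ORIGIN: forwards each request to the real site and
    keeps a copy of every session cookie that comes back."""
    def __init__(self, rp):
        self.rp, self.loot = rp, []

    def relay_otp(self, password, code):
        cookie = self.rp.login_otp(password, code)
        self.loot += [cookie] if cookie else []
        return cookie

    def relay_webauthn(self, client_data, auth_data, sig, rewrite_origin=False):
        if rewrite_origin:                             # attacker patches the origin field ...
            cd = json.loads(client_data)
            cd["origin"] = LEGIT_ORIGIN
            client_data = json.dumps(cd).encode()      # ... which changes the signed hash
        cookie, reason = self.rp.finish_webauthn(client_data, auth_data, sig)
        self.loot += [cookie] if cookie else []
        return cookie, reason

def setup():
    seed, key = secrets.token_bytes(20), secrets.token_bytes(32)
    rp = RelyingParty("alice", "hunter2", seed, key)
    return rp, seed, key, AitMProxy(rp)

def otp_attack() -> bool:
    """Victim types password + TOTP into the lookalike; attacker ends up with a live session."""
    rp, seed, _, proxy = setup()
    return proxy.relay_otp("hunter2", totp(seed, time.time())) in rp.sessions

def webauthn_attack(rewrite_origin: bool = False) -> str:
    """Same relay against a WebAuthn login; returns the real site's verdict."""
    rp, _, key, proxy = setup()
    challenge = rp.begin_webauthn()                    # proxy forwards the ceremony start
    cd, ad, sig = browser_assertion(key, PHISH_ORIGIN, challenge)  # browser is on the lookalike
    return proxy.relay_webauthn(cd, ad, sig, rewrite_origin)[1]

def webauthn_direct() -> str:
    """Control: the same assertion made on the real origin is accepted."""
    rp, _, key, _ = setup()
    cd, ad, sig = browser_assertion(key, LEGIT_ORIGIN, rp.begin_webauthn())
    return rp.finish_webauthn(cd, ad, sig)[1]

if __name__ == "__main__":
    print(otp_attack(), webauthn_attack(), webauthn_attack(True), webauthn_direct())
```

Run it directly to see the four verdicts: the OTP relay yields a cookie the real site accepts, the relayed WebAuthn assertion is refused with `origin_mismatch`, and the `rewrite_origin` branch shows why the attacker cannot simply patch the origin on the way through, since the hash of clientDataJSON is under the signature and any change turns the verdict into `bad_signature`. A real browser adds a second barrier not modelled here: it refuses to use a credential whose RP ID does not match the page’s domain, so on the lookalike the assertion would normally never be produced at all.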
Microsoft’s advisory is not a theoretical warning; it reflects a growing trend. Multiple threat groups are already weaponising AitM, with banking and financial-services organisations as targets and phishing sent through compromised trusted-vendor relationships as the lure.
One notorious example is Storm-1167, whose AitM phishing kit has become a popular tool for attackers. (Side note: instead of assigning permanent names right away, Microsoft uses “Storm-####” designations as temporary tracking labels for newly discovered threat actors. They serve as placeholders until Microsoft has gathered enough evidence to confidently identify who is behind the activity.) Recent campaigns using this kit sent phishing email in bulk from the accounts they compromised, and once inside an account the operators registered an attacker-controlled SMS-based MFA method so that they could sign in again after the stolen session expired.
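Because the control that fails in an AitM compromise is the session cookie rather than the password, the most reliable signals are in what happens after the login, not at the login itself. The detection pass below is an added example, not taken from Microsoft’s report or any product, and it runs over a constructed JSON-lines sample whose schema (the `event`, `user`, `ip`, `session`, `mfa` and `method` fields) is hypothetical. It flags two of the follow-on behaviours described above for the Storm-1167 kit: a session cookie used from a second IP address within minutes of being issued to a different one, and an MFA method registered from an IP that never completed an interactive sign-in for that user.

```python
"""Post-login AitM detections over constructed sign-in/audit events.  Added example;
the JSON-lines schema is hypothetical and not any vendor's log format."""
import json
from datetime import datetime, timedelta

REPLAY_WINDOW = timedelta(minutes=15)  # assumed: a cookie on a second IP this soon is suspect

# Constructed sample: alice's session s-1 is issued to 203.0.113.10 but used from
# 198.51.100.77 seconds later (the proxy), and that IP then registers an SMS factor.
# bob's activity is ordinary, including a factor added from his own sign-in IP.
SAMPLE_LOG = """\
{"ts":"2024-01-25T09:00:05Z","event":"signin","user":"alice","ip":"203.0.113.10","session":"s-1","mfa":"totp"}
{"ts":"2024-01-25T09:00:09Z","event":"session_use","user":"alice","ip":"198.51.100.77","session":"s-1","path":"/mail"}
{"ts":"2024-01-25T09:03:40Z","event":"mfa_method_added","user":"alice","ip":"198.51.100.77","method":"sms"}
{"ts":"2024-01-25T09:30:00Z","event":"signin","user":"bob","ip":"203.0.113.22","session":"s-2","mfa":"totp"}
{"ts":"2024-01-25T09:31:00Z","event":"session_use","user":"bob","ip":"203.0.113.22","session":"s-2","path":"/mail"}
{"ts":"2024-01-25T11:00:00Z","event":"mfa_method_added","user":"bob","ip":"203.0.113.22","method":"sms"}
"""

def parse(text: str) -> list[dict]:
    """Parse JSON lines into dicts with a timezone-aware datetime, oldest first."""
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])

def detect(events: list[dict]) -> list[dict]:
    """Single pass over time-ordered events; returns one finding per rule hit."""
    findings = []
    issued = {}       # session id -> (user, ip, ts) of the interactive sign-in that created it
    signin_ips = {}   # user -> set of IPs that completed an interactive sign-in
    for e in events:
        if e["event"] == "signin":
            issued[e["session"]] = (e["user"], e["ip"], e["ts"])
            signin_ips.setdefault(e["user"], set()).add(e["ip"])
        elif e["event"] == "session_use" and e["session"] in issued:
            user, ip, ts = issued[e["session"]]
            if e["ip"] != ip and e["ts"] - ts <= REPLAY_WINDOW:   # cookie replayed elsewhere
                findings.append({"rule": "session_replay", "user": user, "session": e["session"],
                                 "issued_to": ip, "used_from": e["ip"], "ts": e["ts"]})
        elif e["event"] == "mfa_method_added":
            if e["ip"] not in signin_ips.get(e["user"], set()):    # persistence from a foreign IP
                findings.append({"rule": "mfa_added_from_foreign_ip", "user": e["user"],
                                 "method": e["method"], "ip": e["ip"], "ts": e["ts"]})
    return findings

def rules_for(user: str, findings: list[dict]) -> set[str]:
    """Convenience: which rules fired for a given user."""
    return {f["rule"] for f in findings if f["user"] == user}

if __name__ == "__main__":
    for f in detect(parse(SAMPLE_LOG)):
        print(f["ts"].isoformat(), f["rule"], f["user"], f.get("used_from") or f.get("ip"))
```

Raw IP comparison is deliberately simple. In production you would compare ASN or geolocation instead, so that a user moving between Wi-Fi and mobile data does not trip the replay rule, and you would feed the IP from a `session_replay` hit back into the second rule so that any change made from the proxy’s address is flagged regardless of timing.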
These developments make the need for stronger defences urgent. Traditional phishing countermeasures are no longer sufficient on their own: organisations should move high-risk and privileged accounts to phishing-resistant authentication (FIDO2/WebAuthn security keys or passkeys), keep session lifetimes short and revoke sessions on suspicious sign-ins, train staff to recognise AitM lures, and monitor sign-in and audit logs for the follow-on activity that a stolen session produces, such as use from a new location seconds after issue or a newly registered MFA method.
The rise of AitM attacks shows that attackers keep innovating. The question now is whether your defences have kept pace.