Threat actors are ramping up their game by deploying Phishing as a Service (PhaaS) against code and package managers (such as GitHub, PyPI, RubyGems, and npm). This tactic circumvents Multi-Factor Authentication (MFA) mechanisms, leading to session cookie hijacks and account takeovers. As we’ve learned in recent years, account takeovers of these applications lead to supply chain attacks that massively impact our community. Because of this, we strongly encourage our readers to implement security controls in their codebase, build, and runtime environments. Ultimately, using a Cloud Native Application Protection Platform (CNAPP) provides the most robust end-to-end protection against such attacks.
A Brief History of Phishing Attacks
The vast majority of online accounts are protected by password authentication, but often that’s not enough. People tend to use easy-to-remember passwords or even reuse them. Additionally, the human factor is always the weakest link in cybersecurity, and threat actors often trick their victims into handing over their credentials and tokens willingly.
Threat actors target passwords mainly by trying to guess or “brute force” them, hijacking them with malware, or building phishing sites: websites that mimic the original site in order to steal passwords. Over the past few years, phishing has been the most prevalent type of cyberattack by volume. In the first half of 2022, phishing attacks reached an all-time high with more than one million reports.
Defenders have become more vigilant against this and are implementing different flavors of Multi-Factor Authentication (MFA) as a safeguard. Some use personal questions (such as what is the name of your first pet?), tokenizers (a personal device or online website that generates a one-time password), or alternate channels of authentication (such as a token that is sent to your email or mobile phone).
Over the years, however, threat actors have discovered various ways of circumventing these authentication channels. Through acts of deception, threat actors deploy malware onto their victims’ machines, hooking into the browser and taking control of the authentication flow in order to steal session cookies and MFA tokens. In other cases, attackers trick end users into downloading remote access tools such as TeamViewer or hidden VNC tools, which give them backdoor access to the compromised personal computer and let them stealthily commandeer authenticated sessions.
Another technique threat actors use is a more advanced phishing kit that allows them to dynamically mimic an entire authentication flow by setting up a phishing site. From there, the stolen data is sent to the attacker’s C2 server.
A New Phishing Campaign by EvilProxy
Recently, researchers at ‘Resecurity’ discovered EvilProxy, or Moloch, a new Phishing as a Service (PhaaS). This service uses a reverse proxy to display a phishing site to the victim. The victim’s browser appears to be talking to the legitimate service, but a hidden intermediary server in fact relays the traffic between the victim’s machine and the legitimate web server and controls the exchange. Unaware that they have actually opened a phishing site in their browser, the victim is duped into entering their credentials. From there, the requests are forwarded to the legitimate site. If MFA is required, the MFA prompt is relayed through the phishing site and the token the victim enters is forwarded to the legitimate site as well. Once the authenticated session is established, the session cookie is captured and the victim is redirected to another website. At this point, threat actors can easily hijack the account.
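Because the proxy relays the real login, the legitimate service sees a successful MFA login like any other; the two things it can still observe are that many unrelated accounts authenticate from the same proxy address, and that a session created at one address is later used from another. The following detection logic, run over a constructed sample of auth events, is an added example and is not code from the post or from Aqua; the log format, field names, and IP addresses are assumptions.

```python
from collections import defaultdict

# Constructed sample auth log (not from the post). Fields:
# timestamp, event, user, session_id, source_ip
# 198.51.100.7 plays the reverse proxy, 203.0.113.9 the attacker reusing cookies.
SAMPLE_LOG = """\
100 mfa_ok alice s1 198.51.100.7
101 request alice s1 198.51.100.7
130 mfa_ok bob s2 198.51.100.7
131 request bob s2 198.51.100.7
140 mfa_ok carol s3 198.51.100.7
200 request alice s1 203.0.113.9
205 request bob s2 203.0.113.9
300 mfa_ok dave s4 192.0.2.10
301 request dave s4 192.0.2.10
"""


def parse(log):
    """Parse whitespace-separated auth events into dicts, in log order."""
    events = []
    for line in log.splitlines():
        ts, event, user, session, ip = line.split()
        events.append({"ts": int(ts), "event": event, "user": user,
                       "session": session, "ip": ip})
    return events


def session_ip_changes(events):
    """Flag a session that completed MFA from one IP and is later used from another.

    Returns (session, user, login_ip, new_ip) tuples; this is the cookie-replay
    step of the reverse-proxy flow as seen by the legitimate server."""
    login_ip = {}
    alerts = []
    for e in events:
        if e["event"] == "mfa_ok":
            login_ip[e["session"]] = e["ip"]
        elif e["event"] == "request":
            origin = login_ip.get(e["session"])
            if origin and origin != e["ip"]:
                alerts.append((e["session"], e["user"], origin, e["ip"]))
    return alerts


def shared_login_ips(events, min_users=3):
    """IPs from which several distinct accounts completed MFA in this window.

    A reverse proxy funnels every victim's login through its own address, so
    one IP authenticating many unrelated users is a useful proxy indicator."""
    users_by_ip = defaultdict(set)
    for e in events:
        if e["event"] == "mfa_ok":
            users_by_ip[e["ip"]].add(e["user"])
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) >= min_users}
```

An IP change alone is noisy (mobile networks, VPNs), so in production combine it with a short time gap, an ASN or user-agent change, and the shared-login-IP signal before acting on it.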
Google, Facebook, Instagram, Microsoft, Apple, Twitter, Yahoo, and Yandex are among the services said to be targeted. Threat actors target email services and social media applications in order to take over those accounts. They then sell access to them on the black market to “cash out” on the attack.
But these were not the only services said to be targeted. We deliberately single out the services below, since they are far more valuable and, if attacked, would pose an undeniable threat to our community.
GitHub, PyPI, RubyGems, and npmjs are also services said to be targeted. Attacks on these code and package managers could have a far greater impact than the ones mentioned above. Typically, threat actors look to hijack personal accounts or sensitive data in order to sell that information underground. Often, sensitive financial data is used to “cash out” the attack by targeting online payments, credit cards, or online banking applications. Although hijacking a personal email or online banking account may be a devastating experience for the individual target, it would not affect an entire community. Attacks against code or package managers, however, could be devastating to everyone.
Possible Impact of this Attack (Based on Actual Events)
Over the past few months, there have been many supply chain attack incidents that began with account takeovers. Below are some examples:
- In May 2022, we learned that the email account of the owner of the popular Python package ctx was hijacked and used to insert a malicious update into the package, which was then downloaded 27,000 times. The malicious code was designed to steal environment variables, which can lead to account takeover of various other services such as SaaS, PaaS, or cloud accounts.
- Aqua Nautilus recently found that the log data of free tier users of Travis CI is readily available online, including secrets and tokens that are printed in the logs. Various applications such as GitHub, Docker Hub, SaaS, and PaaS were actively at risk.
- On April 15, 2022, GitHub issued a severe warning stating that an attacker was able to gain access to certain repositories with stolen OAuth tokens issued to Travis CI and Heroku. In most cases, they found that the attacker only listed all the user’s organizations. Then, the attacker selectively chose targets and listed the private repositories for user accounts of interest. Ultimately, the attacker proceeded to clone some of those private repositories.
So, What Can We Do?
With rising levels of risk at every stage of cloud development, we highly recommend using Cloud Native Application Protection Platforms, which can offer solutions for the various stages of a build. Aqua Security offers various open-source software (OSS) and commercial solutions. You can audit your software supply chain for CIS compliance with Chain-bench, or scan your containers, cloud account, Kubernetes clusters, and codebase with Aqua Trivy. At runtime you can use another OSS tool – Aqua Tracee – which is designed to be a runtime security and forensics tool for Linux, built to address common Linux security issues. Lastly, Aqua’s CNAPP solution is designed to empower security teams to detect and prevent cyberattacks at the various stages of development with strong tools such as drift prevention, which blocks downloading and running malicious elements, and Cloud Native Detection and Response (CNDR), an eBPF-based tool designed to detect malicious behavior at runtime.