
VoidProxy phishing operation targets Microsoft 365, Google accounts


A new phishing-as-a-service (PhaaS) operation called VoidProxy has been targeting Microsoft 365 and Google accounts to run business email compromises, financial fraud, data exfiltration, and lateral movement within victim networks.

In a Sept. 11 blog post, Okta researchers said the PhaaS operation uses adversary-in-the-middle (AitM) techniques to intercept authentication flows and then capture credentials, MFA codes, and any session tokens established during a sign-in.
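One signal a defender can look for when a session token has been captured this way is the token being replayed from infrastructure other than the one that completed the sign-in. The check below is an added example, not code from the article, Okta, or any vendor quoted here; the log schema, ASNs, IPs and timestamps are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class SignInEvent:
    """One identity-provider log record (constructed schema, not a real product's)."""
    user: str
    session_id: str
    event: str        # "interactive_signin" (password + MFA) or "token_use"
    source_ip: str
    asn: str
    timestamp: datetime


def find_replayed_sessions(events, window=timedelta(hours=1)):
    """Return (user, session_id, signin_asn, replay_asn) for sessions whose
    token is presented from a different ASN than the interactive sign-in
    that minted it, within `window` of that sign-in.

    An MFA-satisfied sign-in followed shortly by token use from unrelated
    infrastructure is a common indicator that the session cookie was
    captured in transit (AitM) and replayed by someone other than the user.
    """
    origin = {}      # session_id -> the interactive sign-in that created it
    flagged = {}     # session_id -> finding tuple (deduplicates repeat uses)
    for ev in sorted(events, key=lambda e: e.timestamp):
        if ev.event == "interactive_signin":
            origin[ev.session_id] = ev
        elif ev.event == "token_use" and ev.session_id in origin:
            first = origin[ev.session_id]
            recent = ev.timestamp - first.timestamp <= window
            if ev.asn != first.asn and recent and ev.session_id not in flagged:
                flagged[ev.session_id] = (ev.user, ev.session_id, first.asn, ev.asn)
    return list(flagged.values())


# Constructed sample log: alice's session is reused from a second ASN 20 minutes
# after sign-in; bob's session stays on the ASN that authenticated it.
SAMPLE_EVENTS = [
    SignInEvent("alice", "s1", "interactive_signin", "203.0.113.10", "AS64500", datetime(2025, 9, 11, 9, 0)),
    SignInEvent("alice", "s1", "token_use", "203.0.113.10", "AS64500", datetime(2025, 9, 11, 9, 5)),
    SignInEvent("alice", "s1", "token_use", "198.51.100.7", "AS64501", datetime(2025, 9, 11, 9, 20)),
    SignInEvent("bob", "s2", "interactive_signin", "192.0.2.44", "AS64502", datetime(2025, 9, 11, 10, 0)),
    SignInEvent("bob", "s2", "token_use", "192.0.2.44", "AS64502", datetime(2025, 9, 11, 10, 30)),
]

if __name__ == "__main__":
    for finding in find_replayed_sessions(SAMPLE_EVENTS):
        print("possible session-token replay:", finding)
```

Legitimate ASN changes (mobile handoffs, VPN toggles) will also trip this rule, so in practice it is a triage signal to combine with sign-in history rather than a standalone verdict.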

James Maude, Field CTO at BeyondTrust, said VoidProxy is just the latest in a rising tide of PhaaS groups that use AitM tactics to target and compromise identities to exploit their privileges and access. Maude said the industry has seen many variations of tools like Evilginx and Mamba 2FA used successfully to compromise an identity and let attackers simply log in rather than hack in.

“The key thing for security teams is to reduce their identity attack surface; this means understanding all the paths to privilege that any given identity has in their environment, either intentional or accidental, and reducing that ‘blast radius’ as much as possible,” said Maude. “This reduces the risk in the event that an identity is compromised by ensuring it doesn’t have standing privileges or excessive access that could easily be exploited. It’s often complicated by modern hybrid environments where teams and governance are siloed, creating gaps that quickly become gaping holes in identity security.”

Lawrence Pingree, technical evangelist at Dispersive.io, added that proxies are being used more often because it’s much easier to grab a credential while it’s being used in context than to use the authorization the user has right away.

“In essence, proxying is a method of being able to inspect all the identity interactions, including grabbing the cryptographic bits being used and tying them to a user,” said Pingree.

BeyondTrust’s Maude also pointed out that identity-based attacks are far harder to detect and respond to than traditional exploits and malware, meaning security teams need to rethink their approach to security and take an identity-first approach.

“If you are unable to answer questions like which identities hold the highest level of true privilege across all our systems, then attackers will be more than happy to find the answer for you,” said Maude.
