“etc., and the values are hashes of a large number of signals per category. Matching colors represent matched browser characteristics. This attacker set up programmatic switching of browser properties in order to generate greater diversity in observed browsers. In all, 30 unique c…”
T1566.002 Spearphishing Link (97%)
“has observed significant smishing campaigns against F5 stakeholders for several years. Our guess as to this disparity is that F5 has already observed state-sponsored actors targeting F5 for multiple reasons, and that this apparent overrepresentation of smishing is an indicator…”
T1566.002 Spearphishing Link (94%)
“Figure 31. Advertisement for detection evasion capabilities that are effective against Google Safe Browsing. To implement Antired, customers insert the JavaScript code into the <head> element of their landing pages. Antired states that it is effective for mobile as well as web…”
T1556.006 Multi-Factor Authentication (94%)
“. SIM swaps: In this kind of attack, a threat actor obtains a SIM card for a mobile account that they want to compromise, allowing them to assume control of the device and collect MFA codes, OTPs, or confirm a push-style MFA prompt. There are several variations on this approach.…”
T1566.002 Spearphishing Link (94%)
“are phishing kits, which run on established infrastructure under the vendor’s control, and have often already been used by other clients. The line between PhaaS and phishing kits can be fuzzy, depending on the level of interaction the threat actor has with the system. Dark web…”
T1556.006 Multi-Factor Authentication (93%)
“MFA process, but as the only factor. This is why the FIDO Alliance has recommended the terms “synced passkeys” for what we’re calling passkeys and “device-bound passkeys” for the MFA tokens we were discussing earlier. Both types of passkeys require the IdP to issue random…”
T1078.004 Cloud Accounts (92%)
“position to observe attacker techniques for tactics such as lateral movement and privilege escalation. The Distributed Cloud AIP SOC has generally observed less emphasis on privilege escalation and root permissions and specifically less emphasis on administrator credentials over…”
T1566.002 Spearphishing Link (88%)
“from Bing Ads. This actor proposes a 50-50 split of profits with the eventual consumer of the stolen credentials. Finally, the attacker community has a niche for those who exclusively rent out hosting services for phishing. Figure 27 shows a dark web ad by a well-known phishi…”
T1566.002 Spearphishing Link (88%)
“…Evilginx but the author, babadookservices, “removed all headers from Evilginx which cause detection.” babadookservices is, in all likelihood, referring to Google’s reCAPTCHA v3, which evaluates requests for automation without any user input such as solving a puzzle.[11] This ad…”
“of a threat actor offering an automated phone system to harvest MFA/OTP codes. One important prerequisite is that this approach requires the attacker to have obtained and tested the individual victim’s credentials via another method. This credential testing is a good scenario…”
T1598 Phishing for Information (85%)
“as difficult to tell which organizations are being phished as it is to quantify phishing. Probably the safest bet is to assume attractiveness as a phishing target is based on two things: quick access to money, or quick access to other credentials/accounts. Organizations that s…”
T1110.004 Credential Stuffing (85%)
“engineers from F5 Distributed Cloud App Infrastructure Protection (AIP), as well as malware reverse engineers from the security research team. Credential stuffing: Credential stuffing is one of the two primary threat vectors we’ll discuss in this report; it is…”
T1556.006 Multi-Factor Authentication (84%)
“or other session tokens post-authentication, which can potentially defeat PKI-based MFA capabilities. As a result, malware-based MFA bypass techniques have some advantages over reverse proxy phishing for attackers targeting users with PKI-based MFA (which is admittedly a…”
“…S.-based mobile companies are common on dark web forums. Figure 37 shows a post from an alleged insider at an Italian telecommunications firm. Figure 37. Dark web post by an insider threat at a telecommunications company, offering SIM swaps for a 50% cut of profits. Finally, t…”
T1556.006 Multi-Factor Authentication (82%)
“approaches are largely driven by the details of what attackers are trying to accomplish and whom they are attacking, but they have also clarified significant differences between multi-factor authentication approaches, as we’ll see below. MFA bypass via phishin…”
T1556.006 Multi-Factor Authentication (80%)
“is probably the second most common approach, while various social engineering strategies are probably the least frequent, given that they require the attacker to already control the username and password, unlike the other two techniques. The added pressure on MFA is probably an i…”
“or other session tokens post-authentication, which can potentially defeat PKI-based MFA capabilities. As a result, malware-based MFA bypass techniques have some advantages over reverse proxy phishing for attackers targeting users with PKI-based MFA (which is admittedly a…”
T1598 Phishing for Information (78%)
“, the impact of a successful phishing trip can land primarily on the user (as in the case of bank fraud), solely on the organization (as in the case of compromised employee credentials), or somewhere in the middle. Figure 25 shows the top targeted organizations in phishing at…”
T1566.002 Spearphishing Link (77%)
“as difficult to tell which organizations are being phished as it is to quantify phishing. Probably the safest bet is to assume attractiveness as a phishing target is based on two things: quick access to money, or quick access to other credentials/accounts. Organizations that s…”
T1110.004 Credential Stuffing (76%)
“publicly compromised password will work on another single web property is still small. Making credential stuffing profitable is all about maximizing the number of attempts, and that means it is also all about automation. Distributed Cloud Bot Defense is, strictly speaking, an ant…”
T1078.004 Cloud Accounts (75%)
“web for the dissemination of compromised credentials (either directly or via a vendor), and while this is inefficient, it is still better than no visibility at all. The data above indicates that either greater effort or a new approach is warranted in detecting stolen credential…”
T1110.004 Credential Stuffing (72%)
“…ted attack. The orange bars represent simple credential stuffing traffic coming from a single IP address. This campaign was flagged because these requests failed to pass even the most basic of challenges, but even without an anti-bot tool, this could have been detected in log…”
T1584.005 Botnet (69%)
“early March 2022 to late April 2023, and the dataset contains a total of 320 billion transactions, of which roughly 60 billion were evaluated as malicious automation. We also need to briefly discuss some potential biases that could come along with this source: - Selection bias:…”
T1556.006 Multi-Factor Authentication (69%)
“importance of proper implementation. It is possible to implement simple MFA approaches like OTPs such that the OTP is required at the same time as the other credentials, either appended to the password or transmitted separately. The important aspect here is that the attacker does…”
T1557 Adversary-in-the-Middle (69%)
“movements and keystrokes. - Aggregators, which play a significant role in several industries such as finance, can be both a source of noise in terms of detecting malicious automation, as well as a vector in their own right for attackers. - Many organizations use authentication su…”
T1589.001 Credentials (67%)
“the most data-rich source we have for this report and will serve as the primary source for our analysis of credential stuffing. F5 Leaked Credential Check data: F5 also offers a service called Leaked Credential Check that checks credentials submitted to protected sites against s…”
T1566.002 Spearphishing Link (64%)
“today. Another example of the same approach is visible in Figure 30, which shows another phishing kit built from scratch that offers high capabilities for comparatively high costs: MFA bypass, full cookie dump, and user fingerprints are all within this kit’s capabilities. Figu…”
“approaches are largely driven by the details of what attackers are trying to accomplish and whom they are attacking, but they have also clarified significant differences between multi-factor authentication approaches, as we’ll see below. MFA bypass via phishin…”
T1584.005 Botnet (61%)
“organizations as possible, we can overcome any bias that would result from existing controls in customer environments. Prevalence: Quantifying the prevalence of credential stuffing across multiple different organizations is difficult because credential stuffing att…”
T1556.006 Multi-Factor Authentication (59%)
“…S.-based mobile companies are common on dark web forums. Figure 37 shows a post from an alleged insider at an Italian telecommunications firm. Figure 37. Dark web post by an insider threat at a telecommunications company, offering SIM swaps for a 50% cut of profits. Finally, t…”
T1556.006 Multi-Factor Authentication (58%)
“that are able to harvest post-authentication session cookies, such as the malware approach just below, can potentially defeat FIDO2-based MFA. MFA bypass via malware: In mid-2022, F5 malware researchers published an analysis of a new strain of Android malware…”
T1111 Multi-Factor Authentication Interception (57%)
“of a threat actor offering an automated phone system to harvest MFA/OTP codes. One important prerequisite is that this approach requires the attacker to have obtained and tested the individual victim’s credentials via another method. This credential testing is a good scenario…”
T1556.006 Multi-Factor Authentication (57%)
“the best known are Evilginx and Modlishka. While they are not new (Evilginx was first released in 2017 and Modlishka was introduced in early 2019), the reverse proxy approach to phishing is so effective that this approach has become the new standard for phishing technology. Thi…”
T1566.002 Spearphishing Link (55%)
“pandemic.[9] Outside of ransomware, phishing has been categorized by the Verizon 2023 Data Breach Investigation Report as one of the top three breach vectors, along with the use of stolen credentials and ransomware.[10] Furthermore, when F5’s global cyber threat intelligence and…”
T1111 Multi-Factor Authentication Interception (53%)
“the best known are Evilginx and Modlishka. While they are not new (Evilginx was first released in 2017 and Modlishka was introduced in early 2019), the reverse proxy approach to phishing is so effective that this approach has become the new standard for phishing technology. Thi…”
T1566 Phishing (53%)
“today. Another example of the same approach is visible in Figure 30, which shows another phishing kit built from scratch that offers high capabilities for comparatively high costs: MFA bypass, full cookie dump, and user fingerprints are all within this kit’s capabilities. Figu…”
T1110.004 Credential Stuffing (53%)
“accounts is something we hope to study in greater depth soon. In the meantime, suffice it to say that administrator credentials are still enormously sensitive, so they are still important to protect — it’s just that now we also have service accounts to manage. As a form of digi…”
T1586.002 Email Accounts (50%)
“types of fraud on all accounts created and authenticated using that compromised email address. In the following report we will look into three extant threats to digital identities: credential stuffing, phishing, and multi-factor authentication (MFA) bypass. This is clearly n…”
T1556.006 Multi-Factor Authentication (50%)
“signs with their private key. The randomness prevents a replay attack, the private key is not transferred through the proxy for the attacker to harvest, and the same-origin policy prevents a signed challenge generated for one site — such as the reverse proxy posing as a real si…”
T1539 Steal Web Session Cookie (50%)
“…credential stuffing. The most advanced techniques not only rotate through infrastructure, but also rotate through a library of simulated human behaviors and browser/device characteristics to avoid detection through repetition. An account validation campaign was observed in late 202…”
T1566.002 Spearphishing Link (50%)
“movements and keystrokes. - Aggregators, which play a significant role in several industries such as finance, can be both a source of noise in terms of detecting malicious automation, as well as a vector in their own right for attackers. - Many organizations use authentication su…”
“the best known are Evilginx and Modlishka. While they are not new (Evilginx was first released in 2017 and Modlishka was introduced in early 2019), the reverse proxy approach to phishing is so effective that this approach has become the new standard for phishing technology. Thi…”
T1566.002 Spearphishing Link (48%)
“, the impact of a successful phishing trip can land primarily on the user (as in the case of bank fraud), solely on the organization (as in the case of compromised employee credentials), or somewhere in the middle. Figure 25 shows the top targeted organizations in phishing at…”
T1111 Multi-Factor Authentication Interception (48%)
“approaches are largely driven by the details of what attackers are trying to accomplish and whom they are attacking, but they have also clarified significant differences between multi-factor authentication approaches, as we’ll see below. MFA bypass via phishin…”
T1555.005 Password Managers (48%)
“, password managers have been a staple in the list of recommendations from most security people for several years, so we should not be surprised by the compromise of several password managers in the recent past. These compromises include the data breach of LastPass in the second…”
T1498.001 Direct Network Flood (46%)
“not reveal strong relationships between a target’s industry and how attackers go after it. Our guess is that attackers chose targets based on more organization-centric criteria such as their individual security posture and the exact type of data available for extraction. Atta…”
T1556.006 Multi-Factor Authentication (46%)
“of a threat actor offering an automated phone system to harvest MFA/OTP codes. One important prerequisite is that this approach requires the attacker to have obtained and tested the individual victim’s credentials via another method. This credential testing is a good scenario…”
T1566 Phishing (46%)
“…phishing emails go undetected, but also result in a high rate of false positives. We recently spoke to a security operations employee responsible for managing a commercial, off-the-shelf email phishing filter who said that their tool has a 95% false positive rate for phishing…”
T1556.006 Multi-Factor Authentication (39%)
“then using MFA bypass techniques to go the final step. - For identity providers who do not implement passkeys, end users with sensitive data should adopt password managers and protect that identity with PKI-based MFA. - Identity providers in high-impact scenarios such as fina…”
T1566.002 Spearphishing Link (37%)
“only by denial of service (DoS) attacks in being fundamentally different from other kinds of attacks. It is an attack on digital identity, to be sure, but since it usually relies on a social engineering foothold, it is even more difficult to detect or prevent than credential st…”
T1584.005 Botnet (36%)
“problems, they do skew our data somewhat. Tactics, techniques, and procedures: Now let’s examine attackers’ approaches and toolsets, starting with the question of attacker sophistication. In the context of credential stuffing, we can take for granted that the tr…”
T1566 Phishing (34%)
“as difficult to tell which organizations are being phished as it is to quantify phishing. Probably the safest bet is to assume attractiveness as a phishing target is based on two things: quick access to money, or quick access to other credentials/accounts. Organizations that s…”
T1566.002 Spearphishing Link (34%)
“the best known are Evilginx and Modlishka. While they are not new (Evilginx was first released in 2017 and Modlishka was introduced in early 2019), the reverse proxy approach to phishing is so effective that this approach has become the new standard for phishing technology. Thi…”
T1078.004 Cloud Accounts (33%)
“types of fraud on all accounts created and authenticated using that compromised email address. In the following report we will look into three extant threats to digital identities: credential stuffing, phishing, and multi-factor authentication (MFA) bypass. This is clearly n…”
T1111 Multi-Factor Authentication Interception (33%)
“…S.-based mobile companies are common on dark web forums. Figure 37 shows a post from an alleged insider at an Italian telecommunications firm. Figure 37. Dark web post by an insider threat at a telecommunications company, offering SIM swaps for a 50% cut of profits. Finally, t…”
T1078.004 Cloud Accounts (32%)
“common, with successful strategies based on malware, phishing, and other social engineering vectors observed. - Multi-factor authentication technologies based on public key cryptography (such as the FIDO2 suite of protocols) are significantly more resistant to observed MFA by…”
T1498 Network Denial of Service (32%)
“not reveal strong relationships between a target’s industry and how attackers go after it. Our guess is that attackers chose targets based on more organization-centric criteria such as their individual security posture and the exact type of data available for extraction. Atta…”
“is probably the second most common approach, while various social engineering strategies are probably the least frequent, given that they require the attacker to already control the username and password, unlike the other two techniques. The added pressure on MFA is probably an i…”
Summary
We are excited to announce a new report covering threats to digital identities. This report goes into detail on credential stuffing, phishing, and multifactor authentication bypass techniques.