PoisonSeed Exploits FIDO Cross-Device Sign-In to Bypass MFA


A recent threat campaign observed by Expel’s SOC reveals a disturbing method to bypass hardware-based multifactor authentication (MFA) using FIDO keys. The attackers manipulate the cross-device sign-in feature by initiating adversary-in-the-middle (AitM) phishing attacks and tricking users into scanning QR codes. This technique significantly undermines the robust protection FIDO keys are known for.

Severity Level: High

Threat Summary

  • Threat Actor: PoisonSeed, known for large-scale phishing campaigns, primarily targeting cryptocurrency wallets. TTPs: email phishing, spoofed login pages, abuse of authentication features.
  • Technique: Downgrading FIDO authentication via AitM and QR phishing.
  • Impact: Full account compromise, including access to sensitive apps and data.
  • Vulnerability: Not a vulnerability in FIDO itself, but a creative abuse of legitimate features.

Attack Flow

1. Phishing Email Sent:

  • The attacker sends a crafted phishing email to targeted employees.
  • The email contains a malicious link to a spoofed login page resembling a legitimate identity provider (e.g., Okta).
  • The phishing domain used (okta[.]login-request[.]com) appears convincing and is hosted via Cloudflare to add trust and evade suspicion.

2. User Visits Fake Login Page:

  • The user clicks the link and is presented with a fake authentication page.
  • The page mimics the design of the organization’s legitimate SSO portal (with logos, fields, etc.).

3. Credential Harvesting:

  • The user enters their valid username and password.
  • These credentials are immediately forwarded from the phishing site to the real authentication server via an attacker-controlled back-end script.

4. Trigger Cross-Device FIDO Sign-In:

  • The attacker initiates a cross-device sign-in request to the legitimate portal using the stolen credentials.
  • The authentication system recognizes the credentials and generates a QR code for multi-device FIDO authentication (a legitimate feature).

5. QR Code Relayed to Victim:

  • The phishing site captures the QR code displayed by the real login page.
  • It then renders this QR code back on the fake login site, tricking the victim into believing it’s part of the standard MFA process.

6. Victim Scans QR Code:

  • The user scans the QR code with their MFA authenticator app on their mobile device.
  • This cross-device action completes the authentication, because the server assumes the user is approving their own sign-in from another legitimate device.

7. Session Granted to Attacker:

  • Because the QR code ties to the attacker’s active session, the legitimate authentication server grants access to the attacker.
  • The victim unwittingly authenticates the attacker.

8. Account Compromise:

  • The attacker gains full access to the user’s account, including:
    • Applications
    • Email
    • Cloud services
    • Internal tools
  • No malware is dropped; it’s a pure AitM (Adversary-in-the-Middle) session hijack using social engineering and protocol abuse.

Recommendations

  1. Limit geographic locations from which users are allowed to log in and establish a registration process for individuals traveling.
  2. Routinely check for the registration of unknown FIDO keys from unknown locations and uncommon security key brands.
  3. Organizations can consider enforcing Bluetooth-based authentication as a requirement for cross-device authentication, which significantly reduces the effectiveness of remote phishing attacks.
  4. Train users not to scan QR codes on untrusted login pages.
  5. Raise awareness of QR-based phishing and device-verification spoofing.
  6. Mandate a single FIDO key per account where possible.
  7. Create policies for secure FIDO key registration and approval workflows.
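As an added defender-side illustration of recommendations 1, 2 and 6 (not code from the advisory, Expel, or any vendor), the following Python script runs those checks over constructed sample enrollment events; the event shape, field names, AAGUID values and country allowlist are all assumptions and would need to be mapped onto the real identity provider's log format.

```python
# Added example (not from the advisory or Expel): flag FIDO key enrollments
# that match recommendations 1, 2 and 6. Event shape and field names are
# assumptions; real IdP logs (Okta system log, Entra sign-in logs) differ.
from collections import defaultdict

# Constructed sample events; AAGUIDs and IPs are placeholders, not real values.
SAMPLE_EVENTS = [
    {"ts": "2025-07-18T09:02:11Z", "user": "alice@example.com", "event": "fido2.enroll",
     "aaguid": "11111111-0000-0000-0000-000000000001", "country": "US", "ip": "203.0.113.10"},
    {"ts": "2025-07-18T09:40:53Z", "user": "bob@example.com", "event": "fido2.enroll",
     "aaguid": "99999999-0000-0000-0000-000000000009", "country": "NG", "ip": "198.51.100.77"},
    {"ts": "2025-07-18T10:15:02Z", "user": "bob@example.com", "event": "fido2.enroll",
     "aaguid": "11111111-0000-0000-0000-000000000001", "country": "US", "ip": "203.0.113.44"},
    {"ts": "2025-07-18T10:20:00Z", "user": "carol@example.com", "event": "session.start",
     "country": "US", "ip": "203.0.113.12"},
]

# Allowlist of AAGUIDs for the key models the organisation issues (constructed).
KNOWN_AAGUIDS = {"11111111-0000-0000-0000-000000000001"}
# Countries from which users are normally allowed to log in (constructed).
ALLOWED_COUNTRIES = {"US", "CA"}


def flag_enrollments(events, known_aaguids=KNOWN_AAGUIDS,
                     allowed_countries=ALLOWED_COUNTRIES, max_keys=1):
    """Return one finding per suspicious FIDO2 enrollment, in event order."""
    findings = []
    keys_per_user = defaultdict(set)  # distinct AAGUIDs seen per account
    for e in events:
        if e.get("event") != "fido2.enroll":
            continue
        reasons = []
        if e.get("aaguid") not in known_aaguids:
            reasons.append("uncommon authenticator model (AAGUID not on allowlist)")
        if e.get("country") not in allowed_countries:
            reasons.append(f"enrollment from non-allowed location {e.get('country')}")
        keys_per_user[e["user"]].add(e["aaguid"])
        if len(keys_per_user[e["user"]]) > max_keys:
            reasons.append(f"more than {max_keys} FIDO key(s) registered to account")
        if reasons:
            findings.append({"user": e["user"], "ts": e["ts"],
                             "ip": e.get("ip"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in flag_enrollments(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['user']} ({f['ip']}): " + "; ".join(f["reasons"]))
```

The AAGUID check catches keys of a brand the organisation never issued; the per-user count catches an extra key registered alongside the legitimate one after a hijacked session.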

Source:

  • https://www.bleepingcomputer.com/news/security/threat-actors-downgrade-fido2-mfa-auth-in-poisonseed-phishing-attack/
  • https://expel.com/blog/poisonseed-downgrading-fido-key-authentications-to-fetch-user-accounts/

Ampcus Cyber