A recent threat campaign observed by Expel’s SOC reveals a disturbing method to bypass hardware-based multifactor authentication (MFA) using FIDO keys. The attackers manipulate the cross-device sign-in feature by initiating adversary-in-the-middle (AitM) phishing attacks and tricking users into scanning QR codes. This technique significantly undermines the robust protection FIDO keys are known for.
Severity Level: High
Threat Summary
- Threat Actor: PoisonSeed, known for large-scale phishing campaigns, primarily targeting cryptocurrency wallets. TTPs: email phishing, spoofed login pages, abuse of legitimate authentication features.
- Technique: Downgrading FIDO authentication via AitM and QR phishing.
- Impact: Full account compromise, including access to sensitive apps and data.
- Vulnerability: Not a vulnerability in FIDO itself, but a creative abuse of legitimate features.
Attack Flow
1. Phishing Email Sent:
- The attacker sends a crafted phishing email to targeted employees.
- The email contains a malicious link to a spoofed login page resembling a legitimate identity provider (e.g., Okta).
- The phishing domain used (okta[.]login-request[.]com) appears convincing and is hosted via Cloudflare to add trust and evade suspicion.
2. User Visits Fake Login Page:
- The user clicks the link and is presented with a fake authentication page.
- The page mimics the design of the organization’s legitimate SSO portal (logos, form fields, etc.).
3. Credential Harvesting:
- The user enters their valid username and password.
- These credentials are immediately forwarded from the phishing site to the real authentication server via an attacker-controlled back-end script.
4. Trigger Cross-Device FIDO Sign-In:
- The attacker initiates a cross-device sign-in request to the legitimate portal using the stolen credentials.
- The authentication system accepts the credentials and generates a QR code for cross-device FIDO authentication (a legitimate feature).
5. QR Code Relayed to Victim:
- The phishing site captures the QR code displayed by the real login page.
- It then renders this QR code back on the fake login site, tricking the victim into believing it’s part of the standard MFA process.
6. Victim Scans QR Code:
- The user scans the QR code with their MFA authenticator app on their mobile device.
- Completing the cross-device flow authenticates the session, on the assumption that the user is signing in from another device they own.
7. Session Granted to Attacker:
- Because the QR code is tied to the attacker’s active session, the legitimate authentication server grants access to the attacker.
- The victim unwittingly authenticates the attacker.
8. Account Compromise:
- The attacker gains full access to the user’s account, including:
  - Applications
  - Cloud services
  - Internal tools
- No malware is dropped; it’s a pure AitM (Adversary-in-the-Middle) session hijack using social engineering and protocol abuse.
Recommendations
- Limit geographic locations from which users are allowed to log in and establish a registration process for individuals traveling.
- Routinely check for the registration of unknown FIDO keys from unknown locations and uncommon security key brands.
- Consider requiring Bluetooth proximity for cross-device authentication; this significantly reduces the effectiveness of remote phishing, since the attacker’s browser is not physically near the victim’s phone.
- Train users not to scan QR codes presented on untrusted login pages.
- Raise awareness of QR-based phishing and device-verification spoofing.
- Mandate a single FIDO key per account where possible.
- Create policies for secure FIDO key registration and approval workflows.
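The geographic and key-registration checks above, as an added example that is not part of the original advisory: a Python audit over constructed sign-in and FIDO-enrollment events that flags sign-ins outside the allowed countries, key registrations from unpermitted locations or of unapproved authenticator models, and a new key enrolled shortly after a cross-device sign-in from the same IP. The log schema, country allowlist, travel registrations, AAGUID allowlist and the 10-minute correlation window are all assumptions, not real IdP output or values.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events (not real IdP output); one JSON object per line.
SAMPLE_LOG = """\
{"ts":"2025-07-01T09:00:00Z","event":"signin","user":"alice","country":"US","ip":"203.0.113.5","cross_device":false}
{"ts":"2025-07-01T09:02:00Z","event":"signin","user":"alice","country":"NL","ip":"198.51.100.9","cross_device":true}
{"ts":"2025-07-01T09:03:00Z","event":"fido_register","user":"alice","country":"NL","ip":"198.51.100.9","aaguid":"00000000-0000-0000-0000-00000000beef"}
{"ts":"2025-07-01T10:00:00Z","event":"signin","user":"bob","country":"DE","ip":"192.0.2.77","cross_device":false}
{"ts":"2025-07-01T10:05:00Z","event":"fido_register","user":"bob","country":"DE","ip":"192.0.2.77","aaguid":"00000000-0000-0000-0000-00000000c0de"}
"""

# Policy inputs (placeholders): allowed sign-in countries, registered travel, org-issued key models by AAGUID.
ALLOWED_COUNTRIES = {"US", "GB"}
TRAVEL_REGISTRATIONS = {"bob": {"DE"}}
APPROVED_AAGUIDS = {"00000000-0000-0000-0000-00000000c0de"}
CORRELATION_WINDOW = timedelta(minutes=10)  # assumed window for the sequence check

def _ts(ev):
    return datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))

def _permitted(user, country):
    return country in ALLOWED_COUNTRIES or country in TRAVEL_REGISTRATIONS.get(user, set())

def audit(log_text):
    # Returns (user, finding, detail) tuples for events that violate the policy.
    events = [json.loads(line) for line in log_text.strip().splitlines()]
    findings = []
    recent_cross_device = {}  # (user, ip) -> timestamp of last cross-device sign-in
    for ev in sorted(events, key=_ts):
        user, country, ip = ev["user"], ev["country"], ev["ip"]
        if ev["event"] == "signin":
            if not _permitted(user, country):
                findings.append((user, "signin_outside_allowed_geo", country))
            if ev.get("cross_device"):
                recent_cross_device[(user, ip)] = _ts(ev)
        elif ev["event"] == "fido_register":
            if not _permitted(user, country):
                findings.append((user, "fido_register_outside_allowed_geo", country))
            if ev.get("aaguid") not in APPROVED_AAGUIDS:
                findings.append((user, "fido_register_unapproved_model", ev.get("aaguid")))
            # New key enrolled shortly after a cross-device sign-in from the same IP
            seen = recent_cross_device.get((user, ip))
            if seen is not None and _ts(ev) - seen <= CORRELATION_WINDOW:
                findings.append((user, "fido_register_after_cross_device_signin", ip))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```

Only alice's events are flagged: bob's sign-in from DE is covered by a travel registration and his key is an approved model.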
Sources:
- https://www.bleepingcomputer.com/news/security/threat-actors-downgrade-fido2-mfa-auth-in-poisonseed-phishing-attack/
- https://expel.com/blog/poisonseed-downgrading-fido-key-authentications-to-fetch-user-accounts/