New phishing technique bypasses MFA using noVNC screen-sharing

Overview

On 19 February 2022, researcher D0x published a new phishing technique that allows adversaries to bypass multi-factor authentication (MFA) using a reverse proxy and noVNC.
D0x first set up a phishing attack using the Evilginx2 framework, which acts as a reverse proxy to steal credentials and MFA codes. Then, to overcome security measures that block logins or deactivate accounts when a reverse proxy is detected, D0x used the noVNC remote access software instead.

Attackers can use noVNC remote access software and browsers running in kiosk mode to display mail login prompts to victims. The login prompts are run on the attacker’s server but shown in the victim’s browser.

Threat actors can send out targeted phishing emails containing links which automatically launch the target’s browser and log into the attacker’s remote VNC server.

Other browser remote access tools such as Apache Guacamole, TeamViewer and Chrome Remote Desktop can also be used to carry out this attack.

Impact

This technique removes the obstacle that MFA presents to attackers, allowing phishing attacks to succeed even against MFA-protected accounts.

The technique can also be used to:

  • Have JS injected into the browser
  • Have an HTTP proxy connected to the browser that logs everything
  • Close the VNC session when the user authenticates
  • Grab the session token from the browser (Right Click > Inspect > Application > Cookies) after the user disconnects
  • Have a keylogger running in the background

Affected Products

Any login platform that can be accessed from a browser.

Containment, Mitigations & Remediations

All the usual phishing advice still applies: do not click on URLs from unknown senders, inspect embedded links for unusual domains, and treat all email as suspicious – especially when it prompts you to log in to an account.

In line with best practice, it is also advised to separate highly privileged accounts, such as administrator accounts, from day-to-day activity accounts, and to ensure that privileged accounts have no access to the internet or email.

To help mitigate this attack, implement conditional access policies that only allow logins from known or Azure AD (AAD) joined devices, known IP addresses, expected locations, etc., and raise awareness with your users to ensure that they stay vigilant.
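As an added example (not from the original bulletin), the conditional access logic described above applied offline to constructed sign-in records. A sign-in that succeeds with MFA satisfied but originates from a device that is not AAD joined, or from an IP address or location outside the organisation's known set, is exactly the pattern this technique produces, because the browser that authenticates runs on the attacker's server rather than on the victim's managed device. The field names, IP ranges and sample events are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Organisation's known egress ranges and allowed countries (assumed values).
KNOWN_IP_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]
ALLOWED_LOCATIONS = {"GB"}


@dataclass
class SignIn:
    """One sign-in record; field names are an assumption, not a vendor schema."""
    user: str
    ip: str
    country: str
    aad_joined: bool      # device is Azure AD joined
    mfa_satisfied: bool   # MFA challenge was completed
    result: str           # "success" or "failure"


def evaluate(event: SignIn) -> List[str]:
    """Return the conditional access conditions this sign-in violates.
    An empty list means the policy would allow the sign-in."""
    violations = []
    if not event.aad_joined:
        violations.append("device not AAD joined")
    if not any(ipaddress.ip_address(event.ip) in net for net in KNOWN_IP_RANGES):
        violations.append("ip outside known ranges")
    if event.country not in ALLOWED_LOCATIONS:
        violations.append("location not allowed")
    return violations


def suspicious_mfa_signins(events: List[SignIn]) -> List[Tuple[str, List[str]]]:
    """Successful, MFA-satisfied sign-ins that still violate the policy: the
    signature of a phished session where the victim completed MFA but the
    authenticating browser lives on attacker infrastructure."""
    return [(e.user, evaluate(e)) for e in events
            if e.result == "success" and e.mfa_satisfied and evaluate(e)]


# Constructed sample events (not real log data).
SAMPLE = [
    SignIn("alice", "203.0.113.25", "GB", True, True, "success"),   # normal managed device
    SignIn("bob", "192.0.2.77", "NL", False, True, "success"),      # MFA passed, unknown host
    SignIn("carol", "192.0.2.78", "NL", False, False, "failure"),   # blocked before MFA
]

if __name__ == "__main__":
    for user, why in suspicious_mfa_signins(SAMPLE):
        print(f"{user}: {'; '.join(why)}")
```

With a real conditional access policy in place the second event would be blocked at sign-in; run against historical logs, the same logic surfaces sessions that were established before the policy existed.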

Indicators of Compromise

  • Emails from unknown senders
  • Emails with unusual links
  • Emails with login prompts

Threat Landscape

Phishing attacks are by far the most common form of cyber-attack because an attacker can send high volumes of emails in a short space of time. While some phishing attacks contain malware or links to maldocs (malicious documents), the most common form of phishing is to harvest account credentials. To combat this and improve security, many organisations have implemented multi-factor authentication (MFA). This technique is just another step in the evolution of attacks designed to bypass corporate and personal defences.

Mitre Methodologies

T1021.005 – Remote Services: VNC
T1566 – Phishing

Further Information

https://github.com/kgretzky/evilginx2
https://mrd0x.com/bypass-2fa-using-novnc/
https://cyber.vumetric.com/security-news/2022/02/22/devious-phishing-method-bypasses-mfa-using-remote-access-software/