Urgent and Important Notice re Cyber Exposure
We have been advised by specialist cyber insurer CFC that it has become aware of a significant new security vulnerability that can be easily exploited to bypass multi-factor authentication (MFA). MFA is commonly used to protect against phishing attacks and compromised passwords, which are two of the most common root causes of cyber claims seen by their incident response team. Even worse, they have become aware of tools available on the dark web that exploit this vulnerability and expect substantial use of the tool to compromise previously protected environments.
How it works
A new penetration testing tool has been published by a security researcher that automates phishing attacks against multi-factor authentication protected websites. This tool, dubbed Modlishka, sits between a user and a target website such as Outlook 365 or Gmail.
The victim receives authentic content from the legitimate site but all traffic and all the victim’s interactions with the legitimate site pass through and are recorded on the Modlishka server. Any passwords a user may enter are automatically logged on this server, while the reverse proxy also prompts users for 2FA tokens when users have configured their accounts to request one.
If attackers are on hand to collect these tokens in real-time, they can use them to log into victims’ accounts and establish new and legitimate sessions. We have seen a similar method used to intercept other web services such as Citrix Web Access.
You can find more information here.
Steps to take
- Disable web access to email or remote desktop environments where possible
- Use hardware tokens as a means of multi-factor authentication (FIDO 2.0 and U2F)
- Implement phishing awareness and education:
- Do not click on links in emails, and instead type the address in your browser
- Avoid suspicious email attachments or links, and if necessary, verify the sender
- Never hand over your credentials such as passwords or sensitive information such as bank account numbers
- Check that the website address looks right and is spelled correctly
If we can be of any assistance please contact your Account Director or call the office on 0330 001 0949 or email firstname.lastname@example.org