Friday, 12 August 2022

noVNC Used by Clever Pentester to get Around MFA During Spearphishing Attack


Most attacks, be they real or from a penetration test, begin with an attempt to compromise a single system or user. The compromise of a device or user account gives the attacker a small foothold in an environment that they can use to pivot to other areas and begin their complete takeover of the targeted organization. Defenders use many techniques to try to prevent this, including complex passwords, complex usernames and, of course, multi-factor authentication (MFA). MFA, when done properly, significantly reduces the risk of credential compromise from phishing and spearphishing.

However, MFA is not the be-all and end-all of protections, and there are many methods an attacker can use to get around it. One is compromising the session token, although that is not always easy to accomplish, because many cloud-based services have added features to block common methods of capture, like reverse proxies. A reverse proxy is a server that sits in front of a web server/service and forwards requests from clients to the server in question. It can help increase security when used correctly. When used as part of an attack chain it is the same thing, a server that sits in front of a web server/service, but this time it is used to intercept and capture the data submitted by the target. It is a form of man-in-the-middle attack.

So, with cloud services now detecting and blocking reverse proxies and either stopping the authentication attempt or disabling the account on successful login, what is an attacker to do? One pentester who goes by the name of mr.dox found a way. Instead of using the traditional reverse proxy, he decided to use a web-fronted version of VNC called noVNC. With noVNC there is no need for a VNC client; instead, the user is presented with a web interface for the VNC session. Because of this, an attacker can trick a user into thinking they are just being taken to the service they expect.

According to mr.dox, he was able to build a session that presents the user with a browser in kiosk mode (full screen), so the VNC session inside the target's browser looked just like the normal service authentication page (because it was). Using the VNC session, the attacker could inject JavaScript to capture user credentials and the session token for use in later activities. They could also simply keep the VNC session open after the original target exited and just use that session. It really is a rather clever way to compromise an account.

There are a few methods to protect against this, including URL inspection, cloud service monitoring (for unusual login locations) and making sure that users are educated in what to look for in a valid email. If your cloud service supports it, you can enable machine trust and/or trusted locations (IP addresses etc.). With the noVNC method the login attempt takes place on the attacker's server, so it would not show up as the trusted machine and would not come from inside the trusted IP range or address. This last item may be much more complicated if you have a distributed workforce, but that does not exclude you from setting up the other mitigation methods.
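As an added illustration of the trusted-location check described above (example code written for this page, not from the original post or from mr.dox), the following Python flags successful sign-ins whose source address lies outside hypothetical trusted ranges, and any single outside address that several users authenticated from, which is what a relay host serving multiple victims looks like to the service. The sign-in events and network ranges are constructed sample data.

```python
import ipaddress
from collections import defaultdict

# Constructed sample sign-in events (not real logs): user, source IP, result.
SAMPLE_EVENTS = [
    {"user": "alice", "ip": "10.20.1.15", "result": "success"},
    {"user": "bob", "ip": "10.20.1.42", "result": "success"},
    {"user": "carol", "ip": "203.0.113.77", "result": "success"},
    {"user": "dave", "ip": "203.0.113.77", "result": "success"},
    {"user": "erin", "ip": "198.51.100.9", "result": "failure"},
]

# Hypothetical trusted locations: office LAN and VPN egress ranges (assumed values).
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.0.2.0/24")]


def is_trusted(ip: str) -> bool:
    """True if the source address falls inside any trusted range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def find_untrusted_logins(events):
    """Successful sign-ins whose source IP is outside every trusted range.

    A noVNC-style relay authenticates from the attacker's server, so the
    service records that server's address, not the victim's workstation."""
    return [e for e in events if e["result"] == "success" and not is_trusted(e["ip"])]


def find_shared_sources(events, min_users=2):
    """Untrusted IPs from which at least min_users distinct users signed in.

    One relay host serving several victims shows up as one address
    successfully authenticating as many different accounts."""
    users_by_ip = defaultdict(set)
    for e in events:
        if e["result"] == "success" and not is_trusted(e["ip"]):
            users_by_ip[e["ip"]].add(e["user"])
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) >= min_users}


if __name__ == "__main__":
    for e in find_untrusted_logins(SAMPLE_EVENTS):
        print(f"untrusted login: {e['user']} from {e['ip']}")
    for ip, users in find_shared_sources(SAMPLE_EVENTS).items():
        print(f"shared untrusted source {ip}: {', '.join(users)}")
```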

