In the real world and online, it is the same. We don't want to end as the "free lunch" by threat actors.
Each person/organization is an open game for the "predators" (persons/entities) with malevolent intent/actions who utilize cunning and deceit to lure their prey to the bait and capture them.
BACKGROUND
Thus, I got Yubico last year in action. Everything went fine for some months until the month of June 2022 something was really off.
When I decided to get to use my licensed Microsoft Word processing and Microsoft Excel spreadsheet applications installed on my desktop PC.
I am fully aware that the attack surface for "bad actors" expanded upon installing the above-mentioned applications.
To expand further the attack surface, I also used a well-known web-based communications application.
Now, the proof of the pudding is the eating, right?
Then out of nowhere one afternoon, a MITM (Man-In-the-Middle) attack took place.
Suddenly, I noticed I cannot use the word-processing and spreadsheet applications on my desktop PC.
It suddenly became "unlicensed".
What?
Furthermore, my licensed software was asking that I change my web Auth and not giving me access to my security key-Auth.
By the way, these applications (word/spreadsheet) are legitimate out-of-the-box licensed software applications, which were tied to my email account.
SOLUTION/MITIGATION:
I logged in my Microsoft Account using an alternate route/link.
Checked for changes.
Restore my mobile phone number.
Initiate additional restoration of email ...
(Threat actors cannot really save account information changes in real-time since they do not have access to the security key Auth/biometrics.)
I then updated all my browsers to the latest versions.
When I made my initial assessments, and this was real quick whilst this abnormality was happening in real-time, I shut off the web-based communications application/software, which are all tied to my email/online account.
At first, I thought it was the web browser (which was outdated) that was the alleged gateway for the application/account compromise.
Then I checked the status of my email account by invoking a *separate link which I discovered during implementing a solution by scanning and found one.
Guess what, the bad guys/actors have changed my phone number and entered two unknown phone numbers.
So, I acted like a ninja and summoned my powers on hand.
So, I immediately deleted the unwanted phone numbers.
Placed an alternate email recovery reference.
Get that verified and validated with another paid/licensed email provider account.
My email account I use for my Microsoft account was restored to its original secure state.
Also, Voodoo Shield popped up with a warning of attempts trying to run a Powershell script in my PC,
So, I blocked this with VoodShield switch. If you are the switch master, then tick OFF and that nails it for good.
Sealed. Powershell request for good.
Next, I did fast ninja moves and downloaded the latest installer of my web browser.
And also I resurrected and activated the built-in browser of my Operating System (OS), which I only now will use for emergency purposes.
I uninstalled the old web browser and installed the latest one. This one required a PC reboot which I did.
By the way, before rebooting, make sure to have open online accounts logged off and all cookies, cache, deleted.
I then disconnected my PC/LAN cable from my router.
Check and assess (simple forensics) the situation before going back online.
Plugged back my physical security MFA key.
Plugged back my PC/LAN cable and boot up my desktop PC.
So, the result of my post-attack event assessment was that the entry/portal was through the communications software which was a web-based log-on, and I used my physical key Auth to authenticate.
Unknowingly, the group chat was connected to an unsecured server (e.g., file server) which the MITM threat actor/s can snoop on incoming/outgoing traffic through the communications application/software.
So, I re-installed and configured the latest version of this communications software and upon physically touching my MFA key, I ran the PC desktop version, and I was able to log in to my communications app for desktop without any problems.
This time I invoked an option to log in with GitHub and use its MFA Auth to seal the ultimate security deal.
Thanks to GitHub requiring log-in/membership and enforcing it to be physical key-based MFA Auth and established a Fort Knox protection against MITM.
POST-ATTACK MONITORING
Again, back to post-attack event monitoring, and herewith are the results:
- Bitdefender warnings ceased/absence of malevolent warnings.
- Seamless log on to the communications software (desktop version) with GitHub Auth MFA;
- I was able to use my word processing and spreadsheet application software without reinstallation and/or license key activation.
Test!
Whilst I was already using the latest web browsers, Bitdefender still popped-up warnings.
Thus, I came to the conclusion and realized that the MITM spoofing of my MFA auth was originating from the Skype for Web and the account which I logged on earlier.
I exited from Skype for the web application.
I downloaded the Skype for desktop and installed the same.
Now, since the MITM relies on web access via Skype for intercept on log on.
I got Skype for Desktop to authenticate, this time with a third-party MFA Auth (GitHub) which I authorized before with my physical security key as one of their account membership musts.
FURTHER FORENSICS
I discovered also that my Wi-fi router modem info might have been intercepted when I sent the phot via unencrypted email (which was my bad).
I eventually ended up having my telco/internet service provider replace my old/outdated Wifi-router to a latest and up-to-date model for FREE. Yehey! (Two thumbs up for that.)
CONCLUSION
- Implement registry and group policy settings using U.S. Dept. of Defense-grade and security
Windows 10 Security Technical Implementation Guide
- Learn the Art of War
- Password 101
- Learn the attack methods via an installed "honeypot" desktop PC
Zero trust is a must especially, in logging in (for example, Skype group chats either private/public).
For this use case, key-based MFA auth combined with legitimate third-party MFA-auth is the key to enhanced MFA security.
Be sure to have your Skype get authenticated by a reputable and reliable highly secured MFA Auth implementing website like GitHub.
This is the first time in my many years of desktop computing that I encountered MITM spoofing via MFA auth credentials.
Powershell intercept application VoodShield ... cuts off the fulfillment of
Purchase, and use legitimate and licensed software/applications.
Update your PC/laptop BIOS, et cetera. and observe safe computer habits/practices.
Do install, configure and implement the latest Systems Monitor (SYSMON) from Systems Internals.
System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network.
What's New (August 16, 2022)
This major update to Sysmon, an advanced host monitoring tool, adds a new event type, FileBlockExecutable that prevents processes from creating executable files in specified locations. It also includes several performance improvements and bug fixes.
A peaceful mind generates
