Reverse Proxies Are Killing Your MFA
If you’re old enough to remember landlines (or have seen any 1980s or 90s movie about teens looking to put one over on their parents), chances are your parents pulled a real-world man-in-the-middle attack (MITM) on you. There you were as a sneaky teenager plotting with a friend over the phone about going to a party, concert, or other places you knew your parents would not allow you to go.
Unbeknownst to you, one of your parents has picked up a different phone connected to the same landline and is eavesdropping on your call. They now know your entire plan, what lies you plan to tell, and how you believe you will get away with it. They have all the information they need to thwart your plans while you have a false sense of security.
While that parent-induced MITM attack would result in some sort of punishment for you, an online MITM attack at your company launched by a threat actor would have far more extreme consequences but would work with the same spy-like behavior. Instead of being privy to your evening plans, they gain access to your login credentials, authentication cookies, and more – giving them free rein over your company’s infrastructure.
In recent months, there has been an uptick in the number of threat actors using reverse proxies for MITM attacks, and it’s being facilitated by a new platform called EvilProxy.
How reverse proxies work for good and evil
As a force for good (a.k.a. security), reverse proxy servers act as a man in the middle, sitting at network edges and authentication endpoints to receive HTTPS connection requests before the requests are forwarded to an origin server. This added layer of infrastructure provides a handful of functionality and security benefits.
Reverse proxies improve loading times by caching web content and load balancing, filter incoming traffic to weed out malicious connection requests, and facilitate SSL encryption. The process they use masks web server IP addresses, providing DDoS attack protection and preventing hackers from discovering vulnerabilities since they can’t directly access the server.
On the evil side, threat actors exploit reverse proxy processes using phishing tactics, but in a much more dangerous way than a typical phishing attack, which uses a static clone of a popular website. With a static clone, a hacker can quickly gain credentials, but if the company requires MFA, the hacker wouldn’t be able to enter the second authentication code when prompted (although we’ve recently seen attacks where MFA can be bypassed).
With a reverse proxy server, the hacker becomes the man in the middle, situated between the employee and company server. Instead of showing an employee a lookalike phishing site, the reverse proxy server presents the user with legitimate login and MFA fields and returns responses from the company server. However, as all requests go through the hacker’s reverse proxy server before being passed to the actual web server, the attacker can monitor all traffic and steal session cookies with authentication tokens. Threat actors can log in and bypass MFA requirements as easily as cutting through room temperature butter.
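A defender-side check for the cookie replay described above, as an added example that is not part of the original article: it flags a session cookie that shows up from a different IP address or browser than the one that completed MFA. The log format, field names and sample events are constructed for illustration.

```python
import json

# Constructed sample events (not from the article): one JSON line per request
# seen by the origin server, keyed by an identifier for the session cookie.
SAMPLE_LOG = """\
{"ts": 1000, "event": "mfa_success", "session": "s-alice", "ip": "203.0.113.10", "ua": "Chrome/126 Windows"}
{"ts": 1005, "event": "request", "session": "s-alice", "ip": "203.0.113.10", "ua": "Chrome/126 Windows"}
{"ts": 1010, "event": "mfa_success", "session": "s-bob", "ip": "198.51.100.7", "ua": "Chrome/126 Windows"}
{"ts": 1020, "event": "request", "session": "s-bob", "ip": "198.51.100.7", "ua": "Chrome/126 Windows"}
{"ts": 1300, "event": "request", "session": "s-bob", "ip": "192.0.2.55", "ua": "Firefox/128 Linux"}
{"ts": 1310, "event": "request", "session": "s-bob", "ip": "192.0.2.55", "ua": "Firefox/128 Linux"}
{"ts": 1400, "event": "request", "session": "s-orphan", "ip": "192.0.2.99", "ua": "curl/8.5"}
"""

def find_session_replays(log_text):
    """Return one alert per (session, client context) that does not match the
    context in which that session passed MFA."""
    issued = {}      # session -> (ip, ua) recorded when MFA succeeded
    alerted = set()  # (session, context) pairs already reported
    alerts = []
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    for ev in sorted(events, key=lambda e: e["ts"]):
        sid, ctx = ev["session"], (ev["ip"], ev["ua"])
        if ev["event"] == "mfa_success":
            issued[sid] = ctx
            continue
        if sid not in issued:
            reason = "session never seen passing MFA"
        elif ctx != issued[sid]:
            reason = "client context changed after MFA"
        else:
            continue  # same client that authenticated: nothing to report
        if (sid, ctx) not in alerted:
            alerted.add((sid, ctx))
            alerts.append({"session": sid, "ip": ev["ip"],
                           "ts": ev["ts"], "reason": reason})
    return alerts

if __name__ == "__main__":
    for alert in find_session_replays(SAMPLE_LOG):
        print(alert)
```

A context change is a signal rather than proof, since roaming users change IP addresses legitimately; a reasonable response is to force re-authentication on the flagged session.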
Attacks using reverse proxies are on the rise
Reverse proxy phishing attacks can now be carried out even by novice hackers thanks to the threat actors who launched EvilProxy, a fully suited Phishing-as-a-Service platform. As explained by Bleeping Computer, for a few hundred bucks (the cost varies depending on the website in question and the length of the attack campaign), users gain access to an easy-to-use interface, how-to instructional videos, and a variety of pre-cloned phishing pages. With a few clicks and little to no knowledge of reverse proxies, minor-league attackers can execute campaigns and steal all the credentials and cookies they need.
What makes EvilProxy different and particularly threatening is that it uses multiple tools like anti-analysis and anti-bot protection to filter out unwanted visitors. Alongside that, it uses the same aggregated data that CTI solutions use (known TOR exit nodes, VPN services, proxies, and other sources) to prevent security software from detecting the phishing kit code.
Hacking is a profitable business
As long as the payout continues to be high and the chances of getting caught remain low, hackers have no motivation to stop their behaviors. There is a steady stream of highly skilled hackers out there, and to capitalize on their skills further, they are turning their knowledge into profitable businesses.
Over the last few years, numerous end-to-end platforms have emerged, ready to transform low-skilled threat actors into pros in minutes. These platforms whittle down the process of launching attacks and come complete with tutorials, guides, and even live support. They are set up in the same way sophisticated businesses are, relying on single-use payments, subscription fees, or a structure that turns users into affiliates by taking a commission from the ransom payments they earn.
The reality is that hackers aren’t going to stop, and even if big-time threat actors are arrested and prosecuted (like those involved in REvil), many more are there to take their place. As long as immoral people see a shortcut to getting what they want, they will take it. As more bad actors enter the scene and realize they can go from launching their own attacks to making money off a platform that enables hundreds to launch those same attacks, it will only worsen. And they will continue to come up with more inventive ways to attack.
Should organizations continue to use reverse proxies and MFA?
Absolutely. Both reverse proxies and MFA provide businesses with essential additional security layers, and the more layers you have, the better your defenses can be. That said, having an unmanageable security stack is just as dangerous as having one that doesn’t offer comprehensive protection. When choosing your security tools, do so with care and follow best practices. The key is to find the sweet spot with a stack that offers the most protection and can be handled by your team so that if something slips through, it will be caught and mitigated before real damage is done.