Introduction
A new PoisonSeed phishing campaign abuses the cross-device authentication feature in WebAuthn to get past the protection that FIDO2 security keys are meant to provide. Victims sign in at a replica corporate portal, and the attackers use that session to have the victim approve a login request that the attackers, not the victim, initiated at the real portal.
Key Details
- Who: Perpetrated by the PoisonSeed threat actor group.
- What: Abuse of legitimate cross-device authentication to circumvent FIDO2 protections.
- When: Recently observed by security analysts at Expel.
- Where: Targeting users of services like Okta and Microsoft 365.
- Why: To facilitate unauthorized access while maintaining the appearance of legitimate security measures.
- How: Victims enter credentials on a phishing site, while attackers leverage an adversary-in-the-middle (AiTM) backend to authenticate against real portals via cross-device methods.
Why It Matters
This tactic is significant for several reasons:
- Enterprise Security: Demonstrates vulnerabilities in modern authentication frameworks that rely on user actions.
- Hybrid Cloud Operations: Highlights the need for robust multi-factor authentication (MFA) protocols beyond just hardware keys.
- Compliance: Organizations must reconsider compliance standards as phishing techniques evolve.
Takeaway for IT Teams
Organizations should tighten their authentication protocols by:
- Restricting Access: Limit logins based on geographic locations and establish protocols for users traveling.
- Monitoring Registrations: Regularly inspect registrations for unknown FIDO keys.
- Enforcing Bluetooth Authentication: Consider mandating Bluetooth as a verification method for cross-device authentication, so that the phone completing the login must be physically near the device that requested it; this reduces the effectiveness of phishing that relays the login request from elsewhere.
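The two monitoring recommendations above (watch for logins from unexpected locations, inspect new FIDO key registrations) can be combined into one correlation rule: a cross-device sign-in from outside a user's usual countries that is followed shortly by the enrolment of a new FIDO key. The script below is an added example, not part of the original article or of any vendor's tooling; its event schema and sample events are constructed for illustration and do not reproduce the real log format of Okta or Microsoft 365.

```python
"""Flag FIDO key enrolments that closely follow a cross-device (QR/hybrid)
sign-in from outside the user's baseline countries.
Event schema and sample data are constructed for this example."""
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Simplified fields:
# ts, user, event, country, transport (sign-ins), key_id (enrolments).
EVENTS = [
    {"ts": "2025-07-17T09:02:11Z", "user": "alice", "event": "signin",
     "country": "US", "transport": "usb"},
    {"ts": "2025-07-17T13:40:03Z", "user": "alice", "event": "signin",
     "country": "NL", "transport": "hybrid"},   # cross-device (QR) login
    {"ts": "2025-07-17T13:44:50Z", "user": "alice",
     "event": "fido_key_enrolled", "country": "NL", "key_id": "key-7f3a"},
    {"ts": "2025-07-17T15:10:00Z", "user": "bob", "event": "signin",
     "country": "US", "transport": "hybrid"},
    {"ts": "2025-07-17T15:12:00Z", "user": "bob",
     "event": "fido_key_enrolled", "country": "US", "key_id": "key-0b1c"},
]

# Constructed baseline: countries each user normally signs in from.
BASELINE = {"alice": {"US"}, "bob": {"US"}}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def suspicious_enrolments(events, baseline, window=timedelta(minutes=30)):
    """Return (user, key_id, reason) for each FIDO key enrolment preceded,
    within `window`, by a hybrid-transport sign-in from a country outside
    the user's baseline. Enrolments after in-baseline or non-hybrid
    sign-ins (e.g. bob) are not flagged."""
    events = sorted(events, key=lambda e: parse_ts(e["ts"]))
    findings = []
    for i, e in enumerate(events):
        if e["event"] != "fido_key_enrolled":
            continue
        t_enrol = parse_ts(e["ts"])
        for prior in events[:i]:
            if prior["user"] != e["user"] or prior["event"] != "signin":
                continue
            gap = t_enrol - parse_ts(prior["ts"])
            if gap > window:
                continue
            if (prior["transport"] == "hybrid"
                    and prior["country"] not in baseline.get(e["user"], set())):
                findings.append((e["user"], e["key_id"],
                                 f"cross-device sign-in from {prior['country']} "
                                 f"{gap} before enrolment"))
                break
    return findings


if __name__ == "__main__":
    for finding in suspicious_enrolments(EVENTS, BASELINE):
        print("ALERT", *finding)
```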
Call-to-Action
Stay ahead of emerging threats by implementing the recommended security measures, and visit TrendInfra.com for ongoing updates and best practices in IT infrastructure.