Unmasking Fancy Bear's Tactics: Bypassing Two-Factor Authentication in Webmail Systems
Arms suppliers to Ukraine face digital infiltration threats: attackers target vendors of weapons for Ukraine
Get the lowdown on how the notorious Russian hacker group, Fancy Bear, pulls off their slick moves to bypass two-factor authentication (2FA) in webmail systems.
Ukraine under Siege, a Target-Rich Environment
Fancy Bear, also known as Sednit or APT28, has been waging cyber-attacks against arms companies supplying weapons to Ukraine. A study by the Slovak security firm Eset reveals that the attacks primarily target manufacturers of Soviet-era weaponry in countries such as Bulgaria, Romania, and Ukraine. However, arms factories in Africa and South America are also on their radar.
Operation RoundPress: A Sophisticated Cyberespionage Campaign
In a recent espionage campaign known as "Operation RoundPress," Fancy Bear has exploited vulnerabilities in widely used webmail software such as Roundcube, Zimbra, Horde, and MDaemon. In many cases, these vulnerabilities could have been avoided through proper software maintenance.
Spearphishing: A Social Engineering Technique
Using a stealthy spearphishing approach, Fancy Bear disguises its emails as coming from seemingly legitimate sources such as the Kyiv Post or the Bulgarian news portal News.bg. When the recipient opens the email in the browser, the hidden malicious code is triggered, having already slipped past spam filters.
Bypassing 2FA: Fancy Bear's Masterstroke
Researchers have identified malware named "SpyPress.MDAEMON" in the attacks, which is capable of reading login credentials, tracking emails, and even bypassing 2FA. In several cases the hackers managed to bypass 2FA and gain persistent access to mailboxes by creating application passwords.
Fancy Bear's Playbook for Bypassing 2FA
Here's a closer look at the three primary methods Fancy Bear uses to outsmart 2FA:
- Exploiting Webmail Client Vulnerabilities with JavaScript Payloads: Fancy Bear exploits vulnerabilities in webmail platforms and injects malicious JavaScript code for stealing credentials, email data, and even bypassing 2FA mechanisms.
- Spearphishing and Credential Harvesting: Classic phishing techniques masquerade as urgent security warnings, tricking users into revealing their login credentials and potentially one-time codes.
- Indirect 2FA Bypass via Account Recovery Weaknesses: Attackers exploit weaknesses in account recovery processes that often do not enforce the second factor. By intercepting or manipulating password reset tokens, they can gain access without needing the 2FA code.
Armed with this knowledge, it's essential to stay vigilant against Fancy Bear's cunning tactics and prioritize cybersecurity measures to safeguard your digital assets.
- Despite being based in EC countries like Bulgaria and Romania, arms manufacturers supplying weapons to Ukraine are prime targets for Fancy Bear's cyber-attacks, according to a study by Eset.
- Technology such as JavaScript payloads allows Fancy Bear to exploit vulnerabilities in webmail systems like Roundcube, Zimbra, Horde, and MDaemon for spying purposes or for bypassing two-factor authentication (2FA) mechanisms.
- In the realm of politics and general news, Fancy Bear's attacks against arms factories in Africa and South America show that its cyberespionage campaigns extend beyond active conflict zones such as Ukraine.