Tag: MFA Bypass

  • The MFA Killer: How One Programmer’s Tool Became a $100M Cybercrime Weapon

    Kuba Gretzky originally sought to make the internet a safer place — yet his creation achieved the opposite. In 2017, the Polish programmer developed Evilginx, a tool designed to help Red Team professionals study phishing techniques and understand how attackers steal credentials. The idea was simple: to demonstrate how easily even multi-factor authentication could be bypassed, encouraging companies to fortify their defenses before real adversaries exploited the same weaknesses. However, once the source code was released publicly, it quickly escaped his control.

    Evilginx works as a reverse proxy that sits between the victim and the real site. The victim sees the genuine login flow, MFA prompt included, while the proxy relays every request and response and records the credentials and, more importantly, the session cookie the site sets once authentication succeeds. That cookie is the real prize: replayed in the attacker's own browser it yields an already-authenticated session, so no further MFA challenge is ever presented. For Gretzky it was a teaching aid; for criminals it was a ready-made weapon.

    Over time, the tool became precisely that. By 2023 it had been adopted by cybercriminal groups, including Scattered Spider, the collective behind the MGM Resorts breach that disrupted casino key cards and slot machines and that MGM put at roughly $100 million in impact. Analysts have also documented Evilginx's use in attacks against non-governmental organizations and defense contractors connected to Ukraine.

    Recognizing the scale of the problem, Gretzky released a stripped-down public version of Evilginx on GitHub, removing its most dangerous features and embedding digital watermarks that allow researchers to identify its presence across the web. The full edition, now called Evilginx Pro, is sold only to vetted companies, with the developer personally reviewing each buyer. Still, the free version remains accessible — and Gretzky himself admits to feeling torn between a desire to aid the security community and the knowledge that his code is being misused by malicious actors.

    Paradoxically, Evilginx’s existence helped strengthen the cybersecurity industry. After the source code’s release, engineers from Google reached out to Gretzky to discuss improvements to authentication mechanisms. He remains convinced that the openness of such tools fosters greater awareness of real-world threats — for hidden dangers will always find a way to surface. To him, security is not the burden of a single individual but a chain of shared responsibility, stretching from developers to the everyday user who clicks a link.

    Evilginx endures as a living paradox — proof of how thin the line between research and exploitation can be, and how noble intentions may inadvertently spawn new perils. Seven years later, the project continues to balance precariously between innovation and threat, reminding us that in the digital realm, any knowledge can fall into the wrong hands.

  • Storm-2657 Hackers Steal University Salaries by Hijacking Workday HR Accounts

    According to a new report from Microsoft Threat Intelligence, the financially motivated group Storm-2657 is conducting large-scale attacks against universities and private companies, using stolen employee credentials to redirect payroll funds into accounts the attackers control. Microsoft describes the activity as "payroll pirate" attacks. During the campaign, the attackers sought access to cloud-based HR platforms such as Workday in order to modify victims' payment details.

    Microsoft's investigation revealed that the campaign has been active since the first half of 2025. The attackers used carefully crafted phishing emails that led to adversary-in-the-middle (AitM) pages, which relay the login to the real identity provider in real time and so capture the password together with the one-time MFA code or the resulting session. With a working session, they entered employee mailboxes and the corporate HR system and changed salary-payment settings. To hide the activity, Storm-2657 created inbox rules that automatically deleted Workday notifications about profile changes.

    Microsoft recorded at least 11 successful account compromises across three universities. From these accounts, thousands of phishing emails were distributed to other campuses — roughly 6,000 potential victims spanning 25 institutions. Some messages masqueraded as health or incident alerts on campus, bearing subject lines such as “COVID-like case reported — check your contact status” or “Faculty misconduct report.” Others mimicked HR communications and contained links to purported official documents on payroll or compensation. To enhance credibility, the attackers frequently leveraged Google Docs, a familiar tool in academic environments, making detection especially difficult.

    Once inside, the attackers modified victim profiles — most often replacing bank-account numbers used for payroll deposits. In certain instances, they also added their own phone numbers as MFA devices, enabling persistent control without the user’s knowledge. Such operations appeared in Workday logs under events like “Change My Account” or “Manage Payment Elections,” but the related alerts never reached users due to the mail filters the attackers had created.

    Microsoft emphasized that the attacks did not exploit vulnerabilities within Workday itself; the underlying issue was the absence or weakness of multi-factor authentication, and in particular reliance on phishable factors such as SMS or one-time codes. Microsoft therefore urges organizations to adopt phishing-resistant methods: FIDO2 security keys, Windows Hello for Business and passkeys in Microsoft Authenticator (the app's push-approval and one-time-code modes are not phishing-resistant, since an AitM page can trigger and relay them). Administrators are advised to enforce these methods in Entra ID and to move to passwordless sign-in.

    In its publication, Microsoft provided detection queries for identifying signs of compromise — from suspicious mail rules to payment-detail alterations and newly registered MFA devices. The company also confirmed that it has contacted affected institutions, supplying details of the attackers’ TTPs (tactics, techniques, and procedures) and offering guidance for restoring security posture.
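    The three signals Microsoft's write-up names (a mail rule that hides HR notifications, a payment-election change in Workday, and a newly registered MFA method) are individually noisy but together are a strong indicator. The following is an added example, not one of Microsoft's published queries: a small correlation in Python over constructed events. The event shapes, field names, action strings and sample rows are assumptions for the demo and would need to be mapped onto a real Workday audit export and Entra ID / Exchange Online audit logs.

```python
"""
Correlate the three signals from the Storm-2657 write-up into one per-user
alert: an inbox rule that deletes HR/Workday mail, a payment-election change
in Workday, and a newly registered MFA method, all within a short window.
Event shapes, field names and sample rows are constructed for this demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry).  Field names are assumptions;
# map them to your Workday audit export and Entra ID / Exchange Online audit logs.
EVENTS = [
    {"ts": "2025-09-10T08:02:00", "user": "jdoe", "source": "exchange",
     "action": "New-InboxRule",
     "rule": {"subject_contains": ["Workday", "payment election"], "delete": True}},
    {"ts": "2025-09-10T08:09:00", "user": "jdoe", "source": "entra",
     "action": "User registered security info",
     "detail": "Phone added as authentication method"},
    {"ts": "2025-09-10T08:15:00", "user": "jdoe", "source": "workday",
     "action": "Manage Payment Elections",
     "detail": "Direct deposit account changed"},
    {"ts": "2025-09-11T13:00:00", "user": "asmith", "source": "workday",
     "action": "Manage Payment Elections",
     "detail": "Direct deposit account changed"},
    {"ts": "2025-09-12T09:00:00", "user": "bwong", "source": "exchange",
     "action": "New-InboxRule",
     "rule": {"subject_contains": ["newsletter"], "delete": True}},
]

HR_TERMS = ("workday", "payroll", "payment election", "direct deposit")
WINDOW = timedelta(hours=72)


def is_hr_suppression_rule(ev):
    """Inbox rule that silently deletes mail mentioning HR or payroll terms."""
    if ev["source"] != "exchange" or ev["action"] != "New-InboxRule":
        return False
    rule = ev["rule"]
    return bool(rule.get("delete")) and any(
        term in subj.lower()
        for subj in rule.get("subject_contains", [])
        for term in HR_TERMS)


def is_payment_change(ev):
    """Workday business processes named in the write-up."""
    return ev["source"] == "workday" and ev["action"] in (
        "Manage Payment Elections", "Change My Account")


def is_new_mfa_method(ev):
    return ev["source"] == "entra" and ev["action"] == "User registered security info"


def correlate(events, window=WINDOW):
    """Anchor on each payment change and look for the other two signals within
    `window`.  Returns {user: {"severity": ..., "signals": [...]}}; users with
    no payment change produce no alert at all."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)

    alerts = {}
    for user, evs in by_user.items():
        for anchor in evs:
            if not is_payment_change(anchor):
                continue
            t0 = datetime.fromisoformat(anchor["ts"])
            signals = {"payment_change"}
            for ev in evs:
                if abs(datetime.fromisoformat(ev["ts"]) - t0) > window:
                    continue
                if is_hr_suppression_rule(ev):
                    signals.add("hr_notification_suppression_rule")
                if is_new_mfa_method(ev):
                    signals.add("new_mfa_method")
            severity = {1: "low", 2: "medium"}.get(len(signals), "high")
            alerts[user] = {"severity": severity, "signals": sorted(signals)}
    return alerts


if __name__ == "__main__":
    for user, alert in correlate(EVENTS).items():
        print(f"{user}: {alert['severity']} {alert['signals']}")
```

    A lone payment change is normal business (people do change banks), so it is scored low on its own; it is the combination with a fresh deletion rule and a new authenticator, in the same three-day window, that should page someone.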

  • FIDO2 Bypass Uncovered: Hackers Exploit Cross-Device Authentication with QR Code Phishing

    Cybercriminals affiliated with the group PoisonSeed have devised a method to circumvent FIDO2 protection—not by breaching the technology itself, but by cleverly exploiting one of its legitimate features: cross-device authentication. Through this technique, attackers trick victims into approving access themselves, under the false impression that they are logging into a corporate system.

    As revealed by the cybersecurity firm Expel, the phishing campaign involves attackers crafting counterfeit login pages that mimic corporate portals such as Microsoft 365 or Okta. When a user enters their credentials, the adversary’s system simultaneously uses them to authenticate in real time on the legitimate site. The next step in the process should be a FIDO2 key-based confirmation—but instead, the attackers pivot to the cross-device login feature.

    This functionality lets a user authorize a sign-in on one device with an authenticator on another, typically a smartphone, without inserting a key. In the standard FIDO hybrid flow the initiating device shows a QR code, the phone scans it and then proves over Bluetooth that it is physically next to that device. It is the QR code that becomes the vector of exploitation: the spoofed portal displays a legitimate code generated by the real service for the attacker's own sign-in attempt, the unsuspecting victim scans it with their phone, and the approval lands on the attacker's session.

    In effect, the protection offered by the physical key is sidestepped for that one login: the key never signs anything, the phone does, and it does so for a session the attacker controls. FIDO2 itself remains uncompromised, but when cross-device sign-in is offered without the proximity check, this legitimate feature turns a phishing-resistant factor into one that can be relayed.

    Experts recommend restricting login attempts to specific geographic regions, closely monitoring the registration of new keys, and, wherever possible, enforcing Bluetooth-based authentication for cross-device logins—measures that significantly reduce the likelihood of a successful breach. In one documented instance, an attacker even managed to register their own FIDO key following a password reset, gaining unfettered access without any further involvement from the victim.
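    The difference the Bluetooth requirement makes is easiest to see with both sides' messages written out. The following is an added toy model, not code from Expel's write-up or from any FIDO implementation: identity provider, phone and browsers all run in-process, there is no real CTAP, BLE, QR or tunnel handling, and the passkey signature is stood in for by an HMAC over the QR secret. The class and function names, the two IdP modes and the session identifiers are invented for the model. The only thing that changes between the modes is the channel on which the phone's approval travels.

```python
"""
Toy model of the cross-device (hybrid) sign-in relay.  All parties run
in-process; there is no real CTAP, BLE, QR or tunnel handling, and the
passkey signature is stood in for by an HMAC over the QR secret.  The only
difference between the two IdP modes is the channel on which the phone's
approval travels.
"""
import hashlib
import hmac
import secrets


def passkey_assertion(key, qr_secret):
    """Stand-in for the authenticator's signature over the challenge."""
    return hmac.new(key, qr_secret.encode(), hashlib.sha256).hexdigest()


class Browser:
    """The device that started the sign-in; receives BLE deliveries only if nearby."""
    def __init__(self, name):
        self.name = name
        self.received = {}          # qr_secret -> assertion

    def receive_over_ble(self, qr_secret, assertion):
        self.received[qr_secret] = assertion


class Phone:
    """The user's phone holding the registered passkey."""
    def __init__(self, key):
        self.key = key

    def scan_and_approve(self, qr_secret, idp, nearby_browsers):
        assertion = passkey_assertion(self.key, qr_secret)
        if idp.mode == "qr_only":
            # Approval goes straight to the IdP: whoever holds the pending
            # session for this QR code, anywhere in the world, gets signed in.
            idp.receive_direct(qr_secret, assertion)
        else:
            # Hybrid transport: the assertion is only handed to browsers that
            # can hear the phone's BLE advertisement, i.e. physically nearby.
            for b in nearby_browsers:
                b.receive_over_ble(qr_secret, assertion)


class IdP:
    """Identity provider.  mode is "qr_only" or "ble_proximity"."""
    def __init__(self, registered_key, mode):
        self.key = registered_key
        self.mode = mode
        self.pending = {}           # qr_secret -> session id that started the flow
        self.direct = {}            # qr_secret -> assertion (qr_only mode)

    def start_cross_device(self, session):
        qr_secret = secrets.token_hex(8)   # what the QR code encodes
        self.pending[qr_secret] = session
        return qr_secret

    def receive_direct(self, qr_secret, assertion):
        self.direct[qr_secret] = assertion

    def finish(self, session, qr_secret, assertion_from_browser=None):
        if self.pending.get(qr_secret) != session:
            return None
        assertion = (self.direct.get(qr_secret) if self.mode == "qr_only"
                     else assertion_from_browser)
        if assertion is None or not hmac.compare_digest(
                assertion, passkey_assertion(self.key, qr_secret)):
            return None
        return f"signed-in:{session}"


def relay_attack(mode):
    """Attacker starts cross-device sign-in with the phished password, shows the
    resulting QR on the phishing page, and the victim scans it from their desk."""
    key = b"victim-registered-passkey"
    idp, phone = IdP(key, mode), Phone(key)
    attacker, victim_laptop = Browser("attacker"), Browser("victim-laptop")
    qr = idp.start_cross_device("attacker-session")
    phone.scan_and_approve(qr, idp, nearby_browsers=[victim_laptop])
    return idp.finish("attacker-session", qr, attacker.received.get(qr))


def legitimate_login(mode):
    key = b"victim-registered-passkey"
    idp, phone = IdP(key, mode), Phone(key)
    laptop = Browser("user-laptop")
    qr = idp.start_cross_device("user-session")
    phone.scan_and_approve(qr, idp, nearby_browsers=[laptop])
    return idp.finish("user-session", qr, laptop.received.get(qr))


if __name__ == "__main__":
    for mode in ("qr_only", "ble_proximity"):
        print(mode, "legit:", legitimate_login(mode), "relay:", relay_attack(mode))
```

    In `qr_only` mode the relay succeeds because nothing ties the phone's approval to the machine the user is actually sitting at; in `ble_proximity` mode the victim's own laptop hears the phone, the attacker's browser never does, and the attacker's pending session is left without an assertion. The phone's behaviour is identical in both cases, which is exactly why the mitigation belongs on the IdP side.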

    This incident serves as a sobering reminder that even the most advanced security technologies can be bypassed—not through technical exploits, but via psychological manipulation and precise anticipation of user behavior. As cybersecurity professionals emphasize, multi-factor authentication is essential—but no longer sufficient—to safeguard against the sophisticated threats of today.

  • DeviceCodePhishing: A New Automated Tool Bypasses MFA & FIDO for Azure Entra Users

    DeviceCodePhishing

    This is a variation on the well-known Device Code phishing technique. The flow is started dynamically the moment the victim opens the phishing link, and the victim is immediately redirected to the legitimate authentication page. A headless browser automates the step the victim would otherwise perform, entering the freshly generated user code on the verification page behind the scenes. This removes the 10-minute code validity window as a practical obstacle and means the victim never has to type or copy anything, raising the efficiency of the attack to a new level.

    What makes Device Code phishing especially dangerous is that the victim's authentication method does not matter: the token is issued to whichever client started the flow, so not even FIDO protects against it. Additionally, the victim interacts with the genuine website they expect, which makes the attack impossible to detect from a suspicious URL.

    Description

    Device Code Phishing

    DeviceCodePhishing is an advanced phishing tool that leverages the Device Code Flow. It can be used to phish access tokens, which in turn allows bypassing two-factor authentication, including on accounts that use FIDO exclusively.

    While other tools exist to automate device code phishing attacks, they often come with limitations, such as requiring the attacker to convince the victim to open the URL and enter the code within a strict 10-minute time frame. The goal of this tool is to overcome those limitations by automating the process with a headless browser that initiates the attack as soon as the victim clicks the phishing link.

    This attack technique is even more dangerous than adversary-in-the-middle (AitM) proxies, because the user enters their credentials on the original webpage, making it nearly impossible to detect the phishing attempt from a suspicious URL. The victim might not even need to authenticate interactively if a session is still active, so they have almost no time to realize that something is wrong. And it bears repeating that the Device Code Flow undermines FIDO's phishing resistance: the FIDO assertion happens on the genuine site, and the resulting token still goes to the attacker's client.

    Currently, this tool is limited to targeting Microsoft Entra ID users, but the underlying technique is not restricted to any specific vendor. Because the defence cannot lie in the user's authentication method, it has to lie in the flow itself: in Entra ID the device code flow can be blocked for users and applications that do not need it through a Conditional Access policy using the authentication flows condition, and tokens issued through this grant should be watched for in sign-in logs.

    For more details, check out the blog post: Phishing despite FIDO, leveraging a novel technique based on the Device Code Flow

    How it works

    1. The attacker sends a URL to the victim
    2. The victim opens that URL
    3. When the URL is opened, a headless browser is started, performing the following automated steps:
      • Starts the Device Code Flow with <tenant> and <clientId>
      • Opens the device-code webpage and enters the corresponding user-code
      • The device-code webpage forwards to the URL for interactive authentication (By clicking on “Can’t access your account” and immediately navigating back by clicking the cancel button, see here)
      • Returns the URL for interactive authentication as a redirect to the victim
    4. The victim is redirected to the authentication URL
    5. The victim completes the authentication
    6. The attacker is authenticated
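    The steps above are the OAuth 2.0 device authorization grant (RFC 8628) with the attacker in the role of the "device". The following is an added in-process model of that grant, not code from the DeviceCodePhishing project: the authorization server, the attacker's client and the victim are all simulated and nothing touches the network. Endpoint semantics follow RFC 8628; the client id, scope, user name, verification URI and timings are constructed. It shows why the token is issued to whichever client started the flow regardless of how the victim authenticated, and the expiry that the tool works around by starting the flow only when the victim clicks.

```python
"""
In-process model of the OAuth 2.0 device authorization grant (RFC 8628) that
the technique abuses.  Authorization server, attacker client and victim are
all simulated; no network calls are made.  Endpoint semantics follow RFC 8628;
the client id, scope, user and timings are constructed.
"""
import secrets
import time

DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"


class AuthorizationServer:
    def __init__(self, expires_in=600, interval=5, clock=time.time):
        self.expires_in = expires_in      # AS-chosen; 600 s matches the README's "10 minutes"
        self.interval = interval
        self.clock = clock
        self.codes = {}                   # device_code -> record

    def device_authorization(self, client_id, scope):
        """POST /devicecode (RFC 8628 sections 3.1/3.2): the *client* starts here."""
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))
        self.codes[device_code] = {"client_id": client_id, "scope": scope,
                                   "user_code": user_code, "user": None,
                                   "method": None, "issued": self.clock()}
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://as.example/device",
                "expires_in": self.expires_in, "interval": self.interval}

    def user_completes(self, user_code, user, authenticated_with):
        """The victim enters the user code on the genuine verification page and
        signs in with whatever factor they have.  The factor is recorded only to
        show that it has no bearing on who receives the token."""
        for rec in self.codes.values():
            if rec["user_code"] == user_code and not self._expired(rec):
                rec["user"], rec["method"] = user, authenticated_with
                return True
        return False

    def token(self, grant_type, device_code, client_id):
        """POST /token (RFC 8628 sections 3.4/3.5), polled by the client."""
        if grant_type != DEVICE_GRANT:
            return {"error": "unsupported_grant_type"}
        rec = self.codes.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if self._expired(rec):
            return {"error": "expired_token"}
        if rec["user"] is None:
            return {"error": "authorization_pending"}
        return {"access_token": "at-" + secrets.token_hex(8), "token_type": "Bearer",
                "scope": rec["scope"], "sub": rec["user"], "amr": rec["method"]}

    def _expired(self, rec):
        return self.clock() - rec["issued"] > self.expires_in


class FakeClock:
    """Deterministic clock so the expiry path can be exercised."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def run_flow(victim_delay_seconds, victim_method="fido2"):
    """Attacker's client starts the flow, the victim acts after
    `victim_delay_seconds`, then the attacker polls once."""
    clock = FakeClock()
    srv = AuthorizationServer(clock=clock)
    resp = srv.device_authorization(client_id="attacker-client", scope="openid Mail.Read")
    clock.advance(victim_delay_seconds)
    srv.user_completes(resp["user_code"], "victim@corp.example", victim_method)
    return srv.token(DEVICE_GRANT, resp["device_code"], "attacker-client")


if __name__ == "__main__":
    print(run_flow(30))      # token for victim@corp.example issued to attacker-client
    print(run_flow(900))     # {'error': 'expired_token'}
```

    Two things are worth noticing. The `user_completes` step is where the victim does a full, genuine FIDO2 sign-in on the real site, and nothing in the token endpoint looks at it: `token` only checks that *some* user approved *this* device code for *this* client. And a victim who acts after `expires_in` gets `expired_token` back for the attacker, which is the window the tool collapses by not requesting the code until the victim is already clicking.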

    Install & Use

  • Urgent Citrix Bleed 2 (CVE-2025-5777, CVSS 9.3) Actively Exploited: MFA Bypass & Session Hijacking Threaten Enterprises

    Security researchers have unveiled functional exploits targeting a critical vulnerability in Citrix NetScaler ADC and Gateway devices. Designated CVE-2025-5777, the flaw has been informally dubbed CitrixBleed2 — a pointed reference to the similarly severe 2023 vulnerability that was widely exploited in ransomware campaigns and attacks on government entities. This latest issue allows threat actors to extract data directly from device memory, including active user session tokens.

    CitrixBleed2 is triggered during the login process via specially crafted POST requests. The attack hinges on sending the login parameter with neither the equal sign nor a value. The variable that should hold the supplied value is then left uninitialised, and NetScaler reflects a fragment of memory, up to the first null byte, back to the client inside an XML <InitialValue> element. The root cause is a misuse of snprintf with the %.*s format specifier on that uninitialised pointer, which lets each request to the vulnerable endpoint return up to 127 bytes of stale stack memory; because the same stack region served earlier requests, that memory can contain other users' session tokens.

    The team at watchTowr was the first to publish a technical breakdown of the bug, noting that during their own testing, they were unable to extract sensitive data. However, researchers at Horizon3 successfully reproduced the exploit and confirmed that session tokens could indeed be obtained. Moreover, they found the vulnerability extends to administrative configuration utilities.

    Despite the existence of working exploits and video demonstrations of successful attacks, Citrix maintains that CVE-2025-5777 is not being actively exploited in the wild. The company references its official blog, which claims there have been no confirmed incidents of compromise via this flaw.

    Contrary to Citrix's assertion, a report from ReliaQuest indicates a surge in session hijack attempts whose pattern points to active exploitation of this very vulnerability. Independent security researcher Kevin Beaumont echoes this concern, having identified telltale indicators in NetScaler logs: repeated POST requests to doAuthentication, each yielding a consistent 126-byte leak, and log entries with usernames containing the # character, which suggests leaked memory being written into the user field. Together these are strong evidence of exploitation.
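    Those two log indicators, plus the malformed request shape itself, are straightforward to hunt for. The following is an added example, not from watchTowr, Horizon3, ReliaQuest or Beaumont: a small hunt in Python over constructed NetScaler-style request records. The record layout, field names, endpoint path, threshold and sample rows are assumptions for the demo and would need to be adapted to a real access and AAA log export.

```python
"""
Hunt over constructed NetScaler-style request records for the CitrixBleed2
indicators described above: bursts of POSTs to the authentication endpoint
with a constant-size response, request bodies carrying a bare 'login'
parameter, and usernames containing '#'.  Layout, field names, path and
sample rows are assumptions for this demo.
"""
from collections import Counter, defaultdict

AUTH_ENDPOINT = "/p/u/doAuthentication.do"   # assumed login endpoint path

# Constructed sample records (not real logs):
# (src_ip, method, path, request_body, response_len, username_as_logged)
RECORDS = [
    ("198.51.100.10", "POST", AUTH_ENDPOINT, "login=alice&passwd=hunter2", 412, "alice"),
    ("198.51.100.11", "POST", AUTH_ENDPOINT, "login=bob&passwd=secret", 412, "bob"),
    ("203.0.113.7", "POST", AUTH_ENDPOINT, "login", 126, "#\x01\x02leaked"),
    ("203.0.113.7", "POST", AUTH_ENDPOINT, "login", 126, "#9fa3junk"),
    ("203.0.113.7", "POST", AUTH_ENDPOINT, "login", 126, "#"),
    ("203.0.113.7", "POST", AUTH_ENDPOINT, "login", 126, "#\x10\x10"),
    ("203.0.113.7", "POST", AUTH_ENDPOINT, "login", 126, "##q1"),
    ("203.0.113.7", "GET", "/vpn/index.html", "", 2048, ""),
]


def bare_login_param(body):
    """True when the form body carries a 'login' key with neither '=' nor a
    value, the malformed shape that triggers the over-read.  A deliberate
    manual split: urllib's parse_qs cannot tell 'login' from 'login='."""
    return any(part == "login" for part in body.split("&"))


def hunt(records, min_requests=5, leak_len=126):
    """Group POSTs to the auth endpoint by source IP and report each indicator
    that fires.  Returns {src_ip: [reason, ...]} for sources with any finding."""
    by_src = defaultdict(list)
    for src, method, path, body, resp_len, user in records:
        if method == "POST" and path == AUTH_ENDPOINT:
            by_src[src].append((body, resp_len, user))

    findings = {}
    for src, rows in by_src.items():
        reasons = []
        size, count = Counter(r[1] for r in rows).most_common(1)[0]
        if count >= min_requests and size == leak_len:
            reasons.append(f"{count} responses of exactly {leak_len} bytes")
        bare = sum(bare_login_param(r[0]) for r in rows)
        if bare:
            reasons.append(f"{bare} requests with bare 'login' parameter")
        hashed = [r[2] for r in rows if "#" in r[2]]
        if hashed:
            reasons.append(f"{len(hashed)} usernames containing '#'")
        if reasons:
            findings[src] = reasons
    return findings


if __name__ == "__main__":
    for src, reasons in hunt(RECORDS).items():
        print(src)
        for r in reasons:
            print("  -", r)
```

    The size check is deliberately exact rather than a range: a leak bounded by the first null byte tends to return the same length over and over from a scripted attacker, which is what Beaumont described. A single bare `login` request with no other signal still deserves a look, since legitimate clients never omit the equal sign.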

    Beaumont stresses that such insights would have remained hidden were it not for the disclosures by watchTowr and Horizon3. Without their research, detecting active exploitation would have been significantly more difficult, especially given Citrix’s reluctance to share indicators of compromise—a behavior reminiscent of the company’s response during the original CitrixBleed incident in 2023.

    To mitigate the threat, Citrix has issued firmware updates that patch the vulnerability. Because a token leaked before the upgrade stays valid for as long as its session lives, administrators are also advised to terminate all active ICA and PCoIP sessions once the patched build is running, ideally after reviewing them for suspicious activity. If anomalies show up in session logs or tokens, a broader reset of the authentication infrastructure, covering the credentials and sessions that passed through the appliance, may be warranted.

  • FBI Warns: Scattered Spider Unleashes Social Engineering & Ransomware on Aviation Sector

    The United States Federal Bureau of Investigation has issued an official warning regarding the escalating operations of the hacker collective known as Scattered Spider, which has now begun actively targeting the aviation sector. According to federal authorities, the group employs sophisticated social engineering techniques to infiltrate the infrastructure of airlines and their contractors.

    FBI representatives explain that the attackers skillfully impersonate employees or contractors, deceiving technical support personnel into granting them access to privileged accounts. This often results in the addition of unauthorized devices for Multi-Factor Authentication (MFA), allowing the threat actors to bypass standard security measures.

    Particularly alarming are Scattered Spider’s attacks conducted through third-party vendors and external IT firms. By exploiting trusted relationships with these organizations, the group gains a foothold in the networks of major enterprises, leading to data theft, extortion, or the deployment of ransomware.

    Cybersecurity experts at Palo Alto Networks Unit 42 have confirmed the group’s intensified focus on the aviation industry and urge companies to exercise heightened vigilance. They recommend extra scrutiny around MFA reset requests and more rigorous procedures for account recovery.

    Mandiant has also noted a surge in Scattered Spider’s activity within the aviation and transportation sectors. Their research indicates that the attackers are following familiar playbooks, combining social engineering with technical intrusions.

    Analysts stress that Scattered Spider prioritizes human manipulation over technical exploits. The group demonstrates an acute understanding of corporate workflows and deftly manipulates helpdesk personnel, particularly in high-pressure, time-sensitive scenarios.

    The group operates under numerous aliases, including Muddled Libra, Octo Tempest, Oktapus, Scatter Swine, Star Fraud, and UNC3944. Initially infamous for SIM-swapping attacks, the group has since expanded its toolkit to include phishing, helpdesk deception, and insider infiltration.

    According to Halcyon, Scattered Spider represents a significant evolution in the ransomware threat landscape. Their operations blend social engineering, technical sophistication, and rapid execution of double-extortion tactics, often moving from initial breach to data theft and encryption within mere hours.

    What distinguishes this group is its seamless fusion of meticulous planning and aggressive escalation. Adversaries invest time in collecting detailed information about their targets, leveraging social media and data leaks to impersonate employees with alarming precision.

    This strategy enables them to embed themselves within hybrid infrastructures undetected until the moment of maximum impact. Scattered Spider also maintains close ties to the broader Com cybercriminal ecosystem, which includes the notorious LAPSUS$ group among others.

    Their origins trace back to platforms such as Discord and Telegram, where members—despite varied backgrounds and motives—converged into a loosely organized network. It is precisely this decentralized structure and lack of hierarchy that render the group exceptionally elusive to law enforcement.

    A recent incident documented by ReliaQuest illustrates the group’s chilling level of preparation and technical acumen. In late June, they successfully breached the infrastructure of an unnamed organization by targeting its Chief Financial Officer (CFO).

    Armed with personal details—birth date and the last digits of the CFO’s Social Security number—the attackers convincingly impersonated the executive during a support call, navigating multi-layered authentication procedures with ease.

    Having passed identity verification, they persuaded the IT team to reset the executive's MFA and gained access to corporate systems. The group then performed a comprehensive reconnaissance of the infrastructure, including Entra ID and SharePoint, identifying vulnerable entry points.

    They breached virtual desktop environments, compromised VPN systems, and revived decommissioned virtual machines to reach VMware vCenter servers and domain controller data. During this phase, they exfiltrated sensitive content including the NTDS.dit database and unlocked the CyberArk vault, extracting over 1,400 secrets.

    Using legitimate tools such as ngrok, they established persistent remote access. Upon discovery, Scattered Spider resorted to a scorched-earth strategy, deleting critical Azure security policies and disrupting infrastructure. According to ReliaQuest, the battle over Entra ID account control escalated into a full-fledged standoff between incident responders and attackers, which only ended after Microsoft’s direct intervention.

    This incident underscores the alarming evolution of modern social engineering tactics. Today’s campaigns go far beyond phishing—they are calculated, multi-stage operations, executed with military precision to circumvent even the most robust defenses.

    Experts emphasize that reinforcing internal verification protocols and helpdesk procedures must now be a top priority. The greater the reliance on human interaction for authentication, the higher the likelihood of compromise in the face of such sophisticated adversaries.