Input Capture: Перехват данных на внешних веб-порталах
Other sub-techniques of Input Capture (4)
Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service. This variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through External Remote Services and Valid Accounts or as part of the initial compromise by exploitation of the externally facing web service.(Citation: Volexity Virtual Private Keylogging)
Примеры процедур |
|
Название | Описание |
---|---|
Winter Vivern |
Winter Vivern registered and hosted domains to allow for creation of web pages mimicking legitimate government email logon sites to collect logon information.(Citation: SentinelOne WinterVivern 2023) |
In the Triton Safety Instrumented System Attack, TEMP.Veles captured credentials as they were being changed by redirecting text-based login codes to websites they controlled.(Citation: Triton-EENews-2017) |
|
WARPWIRE |
WARPWIRE can capture credentials submitted during the web logon process in order to access layer seven applications such as RDP.(Citation: Mandiant Cutting Edge January 2024) |
IceApple |
The IceApple OWA credential logger can monitor for OWA authentication requests and log the credentials.(Citation: CrowdStrike IceApple May 2022) |
During Cutting Edge, threat actors modified the JavaScript loaded by the Ivanti Connect Secure login page to capture credentials entered.(Citation: Volexity Ivanti Zero-Day Exploitation January 2024) |
Контрмеры |
|
Контрмера | Описание |
---|---|
Privileged Account Management |
Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root. |
Обнаружение
File monitoring may be used to detect changes to files in the Web directory for organization login pages that do not match with authorized updates to the Web server's content.
Ссылки
- Adair, S. (2015, October 7). Virtual Private Keylogging: Cisco Web VPNs Leveraged for Access and Persistence. Retrieved March 20, 2017.
- Tom Hegel. (2023, March 16). Winter Vivern | Uncovering a Wave of Global Espionage. Retrieved July 29, 2024.
- Blake Sobczak. (2019, March 7). The inside story of the world’s most dangerous malware. Retrieved March 25, 2024.
- McLellan, T. et al. (2024, January 12). Cutting Edge: Suspected APT Targets Ivanti Connect Secure VPN in New Zero-Day Exploitation. Retrieved February 27, 2024.
- CrowdStrike. (2022, May). ICEAPPLE: A NOVEL INTERNET INFORMATION SERVICES (IIS) POST-EXPLOITATION FRAMEWORK. Retrieved June 27, 2022.
- Meltzer, M. et al. (2024, January 10). Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN. Retrieved February 27, 2024.
Связанные риски
Риск | Связи | |
---|---|---|
Закрепление злоумышленника в ОС
из-за
возможности установки веб-оболочки (Web Shell)
в веб-сервере
Повышение привилегий
НСД
|
|
|
Раскрытие ключей (паролей) доступа
из-за
возможности внедрения кода в текст программы на интерпретируемом языке
в веб-сайте
Конфиденциальность
Повышение привилегий
Раскрытие информации
Подмена пользователя
|
|
|
Закрепление злоумышленника в ОС
из-за
возможности внедрения кода в текст программы на интерпретируемом языке
в веб-сайте
Повышение привилегий
НСД
|
|
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.