Researcher Mr.dox discovered a way to steal credentials and bypass 2FA by giving users remote access to an attacker-controlled server through an HTML5 VNC client, with a browser running in kiosk mode. Because companies such as Google and LinkedIn now detect the reverse proxies commonly used in MitM phishing attacks, that method was no longer useful to attackers, so he came up with a clever work-around using the noVNC program. Excerpts:
Essentially, noVNC allows the web browser to act as a VNC client to remotely access a machine.
So how do we use noVNC to steal credentials & bypass 2FA? Set up a server with noVNC, run Firefox (or any other browser) in kiosk mode and head to the website you’d like the user to authenticate to (e.g. accounts.google.com). Send the link to the target user and when the user clicks the URL they’ll be accessing the VNC session without realizing. And because you’ve already set up Firefox in kiosk mode, all the user will see is a web page, as expected.
The ways that this can be abused are endless:
Have JS injected into the browser
Have an HTTP proxy connected to the browser that’s logging everything
Close the VNC session when the user authenticates
Grab the session token from the browser (Right Click > Inspect > Application > Cookies) after the user disconnects
Have a keylogger running in the background
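From the defender's side, the setup quoted above leaves a recognisable trail in web-proxy logs: the victim's browser fetches the noVNC client files and then upgrades a WebSocket to the websockify path. The following Python is an added detection example, not code from Mr.dox's write-up; the log format and entries are constructed, and the noVNC file names and the websockify path are assumed from the noVNC project layout.

```python
import re
from collections import defaultdict

# Constructed proxy-log lines (client, method, URL, status); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 GET https://accounts.google.com/ServiceLogin 200
10.0.0.5 GET https://login.example-phish.test/vnc.html?autoconnect=1&resize=remote 200
10.0.0.5 GET https://login.example-phish.test/core/rfb.js 200
10.0.0.5 GET wss://login.example-phish.test/websockify 101
10.0.0.7 GET https://intranet.corp.test/index.html 200
10.0.0.7 GET wss://intranet.corp.test/websockify 101
"""

# Assumed noVNC deployment markers, taken from the noVNC project layout: its stock
# client pages, its RFB client script and the default websockify WebSocket path.
NOVNC_ASSET_RE = re.compile(r"/(vnc\.html|vnc_lite\.html|core/rfb\.js|app/ui\.js)(\?|$)")
WEBSOCKIFY_RE = re.compile(r"/websockify(\?|$)")


def parse_line(line):
    """Split one log line into (client, method, host, url, status)."""
    client, method, url, status = line.split()
    host = re.sub(r"^[a-z]+://", "", url).split("/", 1)[0]
    return client, method, host, url, int(status)


def find_novnc_sessions(log_text):
    """Rate each (client, host) pair by how much its traffic looks like a noVNC session.

    high:   noVNC client files were fetched AND a WebSocket upgrade (101) hit the
            websockify path, i.e. a full browser-rendered VNC session as in the phish above.
    medium: noVNC client files only (the session may not have connected yet).
    low:    websockify upgrade only; may be legitimate admin use, worth an allowlist check.
    """
    evidence = defaultdict(set)
    for line in filter(str.strip, log_text.splitlines()):
        client, _method, host, url, status = parse_line(line)
        if NOVNC_ASSET_RE.search(url):
            evidence[(client, host)].add("asset")
        if WEBSOCKIFY_RE.search(url) and status == 101:
            evidence[(client, host)].add("upgrade")
    levels = {frozenset({"asset", "upgrade"}): "high",
              frozenset({"asset"}): "medium", frozenset({"upgrade"}): "low"}
    return {key: levels[frozenset(seen)] for key, seen in evidence.items()}
```

Run `find_novnc_sessions(SAMPLE_LOG)`: the phishing host is rated high while the intranet host that only saw a websockify upgrade is rated low, which is the distinction an analyst needs before paging anyone.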
The key takeaway is that 2FA is not a cure-all. There is no question that 2FA helps secure against many hacks, especially the mass credential dumps and the reuse of those stolen credentials. But for targets of APT attacks, CIs, health care, energy, and financial organizations, security admins must assume that their front walls will be breached and take a zero-trust approach to the rest of the infrastructure. Vigilant monitoring of identities, their roles, their permissions, and changes to them is required to enforce the Principle of Least Privilege (PR.AC-6).