Today Amnesty Tech’s Security Lab is publishing a new short report about targeted malware and phishing attacks against activists and journalists in Uzbekistan:

https://www.amnesty.org/en/latest/research/2020/03/targeted-surveillance-attacks-in-uzbekistan-an-old-threat-with-new-techniques/

In this report we detail some renewed tactics by a threat actor that we had been monitoring for a while. This actor appears to be based in Uzbekistan and primarily targets domestic activists and academics, as well as governmental and diplomatic figures from neighbouring countries. It is worth noting that Kaspersky already disclosed last year the existence of a threat actor labelled “SandCat”, which it attributes to Uzbekistan’s State Security Service[1].

Today we disclose some details and the accompanying technical indicators of attacks we’ve observed throughout 2019 consisting of phishing, as well as custom developed spyware for Windows and Android.

Of particular interest is the fact that this campaign represents the first time we observed the use of “reverse proxies” in targeted phishing against activists and journalists. This technique, sometimes referred to as “session riding” or “session hijacking”, relies on the deployment of a malicious server that simply relays requests between the targeted individual and the original service, such as Google. The attackers then register a credible-looking domain (in this case, for example, mail-auth[.]online, acccountsgoog1e[.]com, account-mail[.]info, among others) and lure the target into visiting the malicious server.

This reverse proxy sits in the middle of the communication and monitors everything; once the target has successfully authenticated with the Google service it is relaying, the proxy has already captured the cookies and session keys that allow the attackers to authenticate to the compromised account.

This technique has been demonstrated before, and various open source security tools have made it available to the information security community. Attackers have adopted reverse proxies because they are very effective: they do not require crafting odd-looking HTML templates that mimic the original service, and they allow attackers to bypass most forms of two-factor authentication.

Hardware security keys, such as Yubikeys or Solo keys, are the only effective mitigation users can adopt against these forms of phishing attacks. Looking back at all the campaigns our team has investigated and responded to in the last year, there hasn’t been one which wasn’t equipped with the capability to bypass at least some forms of two-factor authentication. Because of this, we need to advocate that targeted communities equip themselves with security keys, and demand that service providers which do not yet support them implement WebAuthn/U2F soon.
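To make concrete why WebAuthn/U2F keys defeat a relaying proxy, here is an added Python example (not code from the report) of the origin and RP-ID binding checks a relying party performs on a login assertion; the RP ID, the origins and the challenge value are constructed for illustration.

```python
import hashlib
import json
import struct

# Relying-party (RP) side of a WebAuthn login. The browser writes the origin it
# is really talking to into clientDataJSON, and the authenticator signs over
# authenticatorData plus the hash of that clientDataJSON. An assertion that a
# proxy collects on a look-alike domain therefore carries the wrong origin, and
# the proxy cannot rewrite it without invalidating the signature.
# Constructed example values (assumptions, not from the report):
RP_ID = "login.example.org"
ALLOWED_ORIGINS = {"https://login.example.org"}


def build_client_data(challenge_b64url: str, origin: str) -> bytes:
    """Approximates the clientDataJSON the browser builds for a 'get' ceremony."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": challenge_b64url,
                       "origin": origin}).encode()


def build_auth_data(rp_id: str, counter: int, user_present: bool = True) -> bytes:
    """Minimal authenticatorData: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    flags = 0x01 if user_present else 0x00
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", counter)


def signed_payload(auth_data: bytes, client_data: bytes) -> bytes:
    """Exact bytes the authenticator signs; the RP verifies the signature over
    these with the credential's registered public key (verification itself is
    done with a crypto library and is outside this example)."""
    return auth_data + hashlib.sha256(client_data).digest()


def check_assertion_binding(client_data: bytes, auth_data: bytes, expected_challenge: str):
    """Binding checks the RP runs before signature verification. Returns (ok, reason)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (stale or replayed assertion)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        # This is the check that fails for a session relayed through a phishing proxy.
        return False, f"origin {cd.get('origin')!r} is not this relying party"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match our RP ID"
    if not auth_data[32] & 0x01:
        return False, "user-presence flag not set"
    return True, "binding checks passed"
```

Run against an assertion produced on the legitimate origin versus one produced on a phishing domain such as mail-auth[.]online, the second is rejected on the origin check, and the bytes under signature differ, so the proxy cannot simply patch the origin and forward it.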