<ciso brief />

All news with the #adversary in the middle tag

47 articles

FlowerStorm Phishing Adopts Browser VM Obfuscation

🔒 Researchers at Sublime Security reported that the FlowerStorm phishing-as-a-service campaign has begun using KrakVM, an open-source browser-based JavaScript virtual machine, to conceal credential-stealing code inside HTML attachments. When victims open the attachments in a browser, encrypted bytecode is executed by the VM and launches a dynamic credential- and MFA-harvesting workflow. The kit supports real-time AiTM interception and adapts phishing pages to the victim’s provider and branding, complicating static analysis and many email defenses.

Siemens SENTRON PAC1261 Request Smuggling Patch Advisory

🔒 The web server in Siemens SENTRON 7KT PAC1261 Data Manager (versions before V2.1.0) contains a request smuggling vulnerability in the Go net/http package that can expose authorization tokens and permit administrative takeover. Siemens has released V2.1.0 to remediate the issue and recommends immediate updating. Mitigations include using encrypted protocols, restricting network exposure, and following vendor operational security guidance.

Hackers Use Google Ads to Phish ManageWP Logins via AitM

🔒 A phishing campaign abused Google sponsored search results to deliver a live adversary-in-the-middle (AitM) proxy that mimics ManageWP's sign-in page, placing the fake result above the legitimate one for the "managewp" query. Any credentials entered are exfiltrated to a Telegram channel and used in real time to bypass 2FA. Guardio Labs infiltrated the attackers' C2, observed an operator-driven phishing framework, and confirmed around 200 unique victims.

Multi-stage code of conduct phishing leads to AiTM tokens

🔐 Microsoft Defender Research observed a large-scale, multi-stage phishing campaign that used polished code-of-conduct lures, staged CAPTCHAs, and intermediate pages to deliver an adversary-in-the-middle (AiTM) flow that captured authentication tokens. The campaign targeted over 35,000 users across 13,000+ organizations, mainly in the United States, and employed legitimate delivery services and attacker-controlled domains. Recommended defenses include Microsoft Defender for Office 365, Safe Links, Zero-hour auto purge (ZAP), SmartScreen-enabled browsers, and phishing-resistant MFA.

Stopping AiTM Phishing: Defenses After Authentication

🛡️ AiTM phishing goes beyond credential theft: the proxy relays a legitimate login and captures the session token issued afterwards, so stronger passwords and most MFA methods are insufficient on their own. FIDO2 and passkeys reduce exposure at the authentication step, but the resulting session cookie is still a bearer token that can be replayed from any machine. The article recommends three practical controls, binding sessions to managed devices, monitoring for post-authentication anomalies, and shortening high-value session lifetimes, combined with targeted user guidance, to stop attackers from using captured sessions.

Siemens Analytics Toolkit: Certificate Validation Flaw

🔒 Multiple Siemens analytics applications are affected by improper certificate validation in the Siemens Analytics Toolkit, which could allow an unauthenticated remote attacker to conduct man-in-the-middle (MITM) attacks. Affected products include Siemens Software Center, Simcenter 3D, Simcenter Femap, Simcenter STAR-CCM+, Solid Edge, and Tecnomatix Plant Simulation. Siemens has released vendor fixes; CISA and Siemens recommend applying the updates immediately, minimizing network exposure, and following operational security guidance to isolate control system networks and secure remote access.

FBI and Indonesia Dismantle W3LL Phishing Platform

🔒 The FBI Atlanta Field Office and Indonesian authorities dismantled the W3LL phishing platform and seized infrastructure, leading to the arrest of the alleged developer. The W3LL kit, sold for $500, enabled adversary-in-the-middle attacks to capture credentials, session cookies and one-time MFA tokens, allowing attackers to bypass multifactor protections. Its marketplace, W3LLSTORE, facilitated the sale of over 25,000 compromised accounts and contributed to attempts exceeding $20 million in fraud.

AirSnitch Wi-Fi Client Isolation: Risks and Mitigation

🔓 The AirSnitch research demonstrates that Wi‑Fi client isolation (guest-network or device isolation) can be bypassed through a family of architectural flaws in access points, enabling traffic injection, redirection and even full MitM attacks. The methods exploit GTK handling, broadcast treatment and L2/L3 routing gaps, and affect many home and enterprise APs. Administrators should test equipment with the AirSnitch tooling and implement VLAN segmentation, per-client GTK, strong RADIUS/802.1X configuration, and network-layer inspection.

Forest Blizzard Hijacks Routers to Enable AiTM Attacks

🔒 Forest Blizzard, tracked as APT28, is compromising home and small-office routers to redirect traffic through attacker-controlled DNS servers and enable post-compromise adversary-in-the-middle (AiTM) attacks. Microsoft observed the actor likely using dnsmasq to answer DNS queries on port 53 and selectively spoof DNS responses to redirect users to malicious infrastructure. Targeted domains included Outlook on the web, where attackers presented invalid TLS certificates to intercept plaintext if users bypassed warnings. Microsoft reports more than 200 organizations and 5,000 consumer devices affected, with government, IT, telecom and energy sectors prioritized.

Russian GRU Used Router Flaws to Steal Office Tokens

🔒 Security researchers say hackers linked to Russia’s GRU used known vulnerabilities in end-of-life routers to mass-harvest Microsoft Office authentication tokens. The actor, tracked as Forest Blizzard (aka APT28/Fancy Bear), altered DNS settings on mostly Mikrotik and TP-Link SOHO devices to route traffic through attacker-controlled DNS servers and perform adversary-in-the-middle (AiTM) interception of OAuth tokens and TLS sessions. Microsoft identified more than 200 affected organizations and about 5,000 consumer devices, while Black Lotus Labs observed the campaign touching over 18,000 routers at its December 2025 peak.

APT28 Turns Insecure Routers into DNS Hijack Nodes

🔐 Lumen's Black Lotus Labs and Microsoft linked a campaign named FrostArmada to APT28 (aka Forest Blizzard), which compromised insecure MikroTik and TP‑Link SOHO routers to change DNS settings and route traffic to attacker-controlled resolvers. The actors used DNS hijacking to perform passive reconnaissance and attacker-in-the-middle (AitM) operations to harvest passwords, OAuth tokens, and other credentials without user interaction. The malicious infrastructure has been disrupted in a multi‑agency operation led by the U.S. Department of Justice and FBI with international partners.

Authorities Disrupt Router DNS Hijacks Targeting Microsoft

🔒 An international law enforcement operation, supported by private researchers, disrupted FrostArmada, an APT28 campaign that hijacked DNS settings on compromised MikroTik and TP-Link routers to intercept Microsoft 365 authentication. The attackers redirected DNS to attacker-controlled VPS nodes acting as AitM proxies and captured logins and OAuth tokens. Microsoft, Lumen Black Lotus Labs, the FBI, the DOJ, and Polish authorities took the malicious infrastructure offline and published indicators and mitigations.

UK NCSC: APT28 Hijacks Routers to Steal Credentials Globally

🔒 The UK’s National Cyber Security Centre (NCSC) warns that Russian-linked APT28 has been compromising vulnerable SOHO routers to redirect DNS traffic through attacker-controlled servers and harvest credentials. Since 2024 the actor has used a changing set of VPS-hosted DNS servers and has exploited models including TP-Link (notably the WR841N via CVE-2023-50224) and MikroTik. The campaigns rely on DHCP DNS tampering and adversary-in-the-middle techniques; the NCSC and Microsoft advise firmware updates, multifactor authentication and network hardening.

SOHO Router Compromise Drives DNS Hijacking and AiTM

🔒 Microsoft Threat Intelligence reports that since at least August 2025 the Russian military-linked actor Forest Blizzard (including the sub-group Storm-2754) has been exploiting insecure SOHO routers to reroute DNS queries to actor-controlled resolvers. The actor appears to run the legitimate dnsmasq service on thousands of devices to capture DNS traffic and, selectively, perform TLS adversary-in-the-middle (AiTM) attacks against Microsoft Outlook on the web and targeted government services. Microsoft identified over 200 affected organizations and more than 5,000 consumer devices and published mitigation, detection, and hunting guidance.
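The selective redirection described in the router entries above (a rogue resolver that answers most names honestly and only redirects a handful of high-value ones to an AiTM node) can be hunted for by comparing a suspect resolver's answers against a known-good one. The following Python is an added example written for this page, not tooling from Microsoft, Lumen or the NCSC; the log format, the resolver addresses and every answer are constructed sample data in RFC 5737 documentation ranges.

```python
from collections import defaultdict

# Constructed sample answers (not real telemetry). One line per A record:
# "<resolver> <qname> <answer>". 192.0.2.53 stands in for the organisation's
# known-good resolver and 203.0.113.53 for the VPS resolver a hijacked router
# was pointed at. All addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
192.0.2.53 www.example.org 198.51.100.14
192.0.2.53 cdn.example.net 198.51.100.15
192.0.2.53 mail.example.org 198.51.100.16
192.0.2.53 api.example.com 198.51.100.17
192.0.2.53 news.example.org 198.51.100.18
192.0.2.53 shop.example.com 198.51.100.19
192.0.2.53 docs.example.net 198.51.100.20
192.0.2.53 status.example.com 198.51.100.21
192.0.2.53 outlook.office.com 198.51.100.30
192.0.2.53 login.microsoftonline.com 198.51.100.31
203.0.113.53 www.example.org 198.51.100.14
203.0.113.53 cdn.example.net 198.51.100.15
203.0.113.53 mail.example.org 198.51.100.16
203.0.113.53 api.example.com 198.51.100.17
203.0.113.53 news.example.org 198.51.100.18
203.0.113.53 shop.example.com 198.51.100.19
203.0.113.53 docs.example.net 198.51.100.20
203.0.113.53 status.example.com 198.51.100.21
203.0.113.53 outlook.office.com 203.0.113.77
203.0.113.53 login.microsoftonline.com 203.0.113.77
"""


def parse_log(text):
    """Return {resolver: {qname: set(answers)}} from the constructed format."""
    answers = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        resolver, qname, ip = line.split()
        answers[resolver][qname.lower().rstrip(".")].add(ip)
    return answers


def selective_spoofing(suspect, reference, max_fraction=0.25):
    """Compare one resolver's answers ({qname: set}) with a trusted reference.

    Returns (verdict, mismatches). Disagreement on a small fraction of names,
    with agreement on the rest, matches the selective-redirection pattern;
    disagreement on most names is reported separately, because that is what
    ordinary CDN or geo-based answers look like and needs a different check.
    """
    shared = set(suspect) & set(reference)
    if not shared:
        return "no_overlap", {}
    mismatches = {q: (suspect[q], reference[q]) for q in sorted(shared)
                  if suspect[q].isdisjoint(reference[q])}
    if not mismatches:
        return "consistent", mismatches
    if len(mismatches) / len(shared) <= max_fraction:
        return "selective_spoofing_suspected", mismatches
    return "broad_disagreement", mismatches


def converging_hosts(mismatches):
    """Addresses that several unrelated names collapse onto in the suspect
    answers; distinct services resolving to one host is the AiTM proxy shape."""
    by_ip = defaultdict(set)
    for qname, (suspect_ips, _reference_ips) in mismatches.items():
        for ip in suspect_ips:
            by_ip[ip].add(qname)
    return {ip: names for ip, names in by_ip.items() if len(names) > 1}


if __name__ == "__main__":
    answers = parse_log(SAMPLE_LOG)
    verdict, mismatches = selective_spoofing(answers["203.0.113.53"],
                                             answers["192.0.2.53"])
    print(verdict)
    for qname, (suspect_ips, reference_ips) in mismatches.items():
        print(f"  {qname}: suspect={sorted(suspect_ips)} "
              f"reference={sorted(reference_ips)}")
    print("converging on:", converging_hosts(mismatches))
```

In practice the reference answers would come from a resolver reached over DoH/DoT from a host that does not trust the router's DHCP-supplied DNS, and the comparison should be repeated over time, since a single disjoint answer for a CDN-hosted name is not proof of tampering; the converging-host check is the stronger signal.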

Residential proxies bypass IP reputation in 78% of attacks

🕵️ GreyNoise analyzed 4 billion malicious sessions over three months and found residential proxies accounted for roughly 39% of traffic yet evaded IP reputation feeds in 78% of cases. Researchers say the short-lived, systematically rotated, or low-activity nature of these addresses prevents timely cataloging by reputation systems. They recommend moving from IP-based blocking to behavior-focused detection, such as spotting sequential probing and tracking device fingerprints that persist through IP rotation.
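The behaviour-focused detection GreyNoise recommends above, keying on a client fingerprint that persists while the source IP rotates, can be shown on a few log lines. This Python is an added example for this page, not GreyNoise's code; the access-log format, the `fp=` field (a stand-in for a JA3/JA4-style hash) and the requests are constructed, with IPs from documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access log (not real traffic): time, client IP, client
# fingerprint, request. The scanner with fp=a1b2 rotates residential-style
# exit IPs on every request; fp=c3d4 is an ordinary visitor on one address.
SAMPLE_LOG = """\
2026-03-24T10:00:01Z 198.51.100.12 fp=a1b2 "GET /.env"
2026-03-24T10:00:03Z 203.0.113.7   fp=a1b2 "GET /wp-login.php"
2026-03-24T10:00:05Z 192.0.2.44    fp=a1b2 "GET /admin/"
2026-03-24T10:00:07Z 198.51.100.99 fp=a1b2 "GET /.git/config"
2026-03-24T10:00:09Z 203.0.113.21  fp=a1b2 "GET /phpmyadmin/"
2026-03-24T10:00:11Z 192.0.2.8     fp=a1b2 "GET /backup.zip"
2026-03-24T10:00:02Z 198.51.100.50 fp=c3d4 "GET /"
2026-03-24T10:00:20Z 198.51.100.50 fp=c3d4 "GET /about"
2026-03-24T10:00:45Z 198.51.100.50 fp=c3d4 "GET /contact"
"""

LINE = re.compile(r'^(\S+)\s+(\S+)\s+fp=(\S+)\s+"(\S+)\s+(\S+)"$')


def parse_log(text):
    """Parse the constructed format into time-ordered event dicts."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, ip, fp, method, path = m.groups()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "ip": ip, "fp": fp, "method": method, "path": path})
    return sorted(events, key=lambda e: e["ts"])


def per_ip_counts(events):
    """What an IP-keyed view sees: the rotating scanner is one hit per address."""
    counts = defaultdict(int)
    for e in events:
        counts[e["ip"]] += 1
    return dict(counts)


def rotating_probers(events, window=timedelta(minutes=5), min_ips=3, min_paths=5):
    """Key on the fingerprint instead of the IP and flag clients that request
    many distinct paths from many distinct addresses inside one time window.
    Returns {fingerprint: summary} for clients that cross both thresholds."""
    by_fp = defaultdict(list)
    for e in events:
        by_fp[e["fp"]].append(e)
    flagged = {}
    for fp, evs in by_fp.items():
        for i, start in enumerate(evs):          # sliding window per fingerprint
            win = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            ips = {e["ip"] for e in win}
            paths = {e["path"] for e in win}
            if len(ips) >= min_ips and len(paths) >= min_paths:
                rotations = sum(1 for a, b in zip(win, win[1:]) if a["ip"] != b["ip"])
                flagged[fp] = {"ips": len(ips), "paths": sorted(paths),
                               "rotations": rotations}
                break
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-IP hits:", per_ip_counts(evs))
    for fp, summary in rotating_probers(evs).items():
        print(f"fingerprint {fp}: {summary['ips']} IPs, "
              f"{summary['rotations']} rotations, paths={summary['paths']}")
```

The per-IP view never sees more than one request from any of the scanner's addresses, which is why IP blocking and reputation lookups miss it; the fingerprint view sees six probe paths across six addresses in ten seconds. Thresholds are illustrative and would be tuned to the site's own traffic.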

New AiTM Phishing Campaign Targets TikTok for Business

🔒 Push Security has observed a coordinated wave of Adversary-in-the-Middle (AiTM) phishing pages specifically targeting TikTok for Business accounts. The malicious domains were registered on March 24 in a rapid, nine-second window and are hosted behind Cloudflare using Nicenic International Group as registrar. Victims are redirected through legitimate Google Cloud Storage links, presented with TikTok- or Google-themed content, and ultimately confronted with a reverse-proxy AiTM login flow after completing an initial information form.

AitM Phishing Campaign Targets TikTok for Business

🔒 Push Security warns of an adversary-in-the-middle (AitM) phishing campaign that seizes control of TikTok for Business accounts by presenting victims with malicious credential-capture pages after a Cloudflare Turnstile check. Lures include lookalike TikTok for Business and fake Google Careers pages, sometimes offering scheduled calls to gain trust. The attackers host pages on multiple domains and use the Turnstile challenge to evade automated scanners. Separately, WatchGuard reported SVG attachments used to deliver a Go-based malware artifact linked to BianLian-style activity.

Automated Logic WebCTRL BACnet Vulnerabilities — Mar 2026

🔒 CISA warns of multiple high‑severity vulnerabilities in Automated Logic WebCTRL servers that could allow attackers to read, intercept, or modify BACnet communications. Known affected releases include versions earlier than v8.5, and WebCTRL 7 is end‑of‑life and unsupported. The advisory describes three CVEs — CVE-2026-25086 (port binding impersonation), CVE-2026-32666 (BACnet packet spoofing), and CVE-2026-24060 (cleartext transmission, CVSS 9.1) — and urges operators to upgrade to supported releases with BACnet/SC, implement TLS/mutual authentication where available, and apply network segmentation, access controls, and vendor secure configuration best practices to reduce exposure.

Adversary-in-the-Middle Phishing Is Defeating MFA Now

🔐 Modern phishing now uses adversary-in-the-middle proxies that capture entire authentication flows, including MFA prompts and session cookies. Employees can complete legitimate logins and still be compromised because attackers replay session tokens from a different machine. Organizations must move beyond traditional MFA and outdated awareness training and instead deploy phishing-resistant authentication, bind sessions to managed devices, and monitor post-authentication behavior.
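Both AiTM-defence entries above (this one and "Stopping AiTM Phishing: Defenses After Authentication") recommend the same three post-authentication controls: bind the session to the managed device that logged in, watch for context changes after login, and cap the lifetime of high-value sessions. The Python below is an added example for this page, not code from either article; the event stream, the session and device identifiers and the 60-minute lifetime are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in and request telemetry (not real logs). Each line:
# <time> <event> sid=<session> dev=<managed device id, or - if none> ip=<ip> ua=<ua hash>
# S1: legitimate login from managed device DEV-A, then the same session cookie
#     replayed from an unmanaged machine at another address (the AiTM case).
# S2: legitimate throughout, but still in use 80 minutes after login.
SAMPLE_EVENTS = """\
2026-03-24T09:00:00Z login   sid=S1 dev=DEV-A ip=198.51.100.10 ua=u1
2026-03-24T09:00:30Z request sid=S1 dev=DEV-A ip=198.51.100.10 ua=u1
2026-03-24T09:02:10Z request sid=S1 dev=-     ip=203.0.113.9   ua=u9
2026-03-24T09:03:00Z request sid=S1 dev=-     ip=203.0.113.9   ua=u9
2026-03-24T09:10:00Z login   sid=S2 dev=DEV-B ip=192.0.2.5     ua=u2
2026-03-24T09:11:00Z request sid=S2 dev=DEV-B ip=192.0.2.5     ua=u2
2026-03-24T10:30:00Z request sid=S2 dev=DEV-B ip=192.0.2.5     ua=u2
"""


def parse_events(text):
    """Parse the constructed format into time-ordered event dicts."""
    events = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        ts, event, *kvs = raw.split()
        fields = dict(kv.split("=", 1) for kv in kvs)
        fields.update(ts=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event=event)
        events.append(fields)
    return sorted(events, key=lambda e: e["ts"])


def evaluate_sessions(events, max_lifetime=timedelta(minutes=60)):
    """Bind each session to the device/IP/UA seen at login and check every
    later request against that binding and against the lifetime cap.
    Returns {sid: [(finding, time), ...]} for sessions with findings."""
    bound = {}
    findings = defaultdict(list)
    for e in events:
        sid = e["sid"]
        if e["event"] == "login":
            bound[sid] = {"dev": e["dev"], "ip": e["ip"], "ua": e["ua"], "ts": e["ts"]}
            continue
        b = bound.get(sid)
        if b is None:                      # token we never issued in this window
            findings[sid].append(("unknown_session", e["ts"]))
            continue
        if e["dev"] != b["dev"]:           # strongest signal: device binding broken
            findings[sid].append(("device_binding_mismatch", e["ts"]))
        if e["ip"] != b["ip"] or e["ua"] != b["ua"]:
            findings[sid].append(("context_change", e["ts"]))
        if e["ts"] - b["ts"] > max_lifetime:
            findings[sid].append(("lifetime_exceeded", e["ts"]))
    return dict(findings)


def decisions(findings):
    """Map findings to an action: revoke on a broken device binding or unknown
    token, force re-authentication on an expired or context-changed session."""
    actions = {}
    for sid, items in findings.items():
        kinds = {kind for kind, _ in items}
        if kinds & {"device_binding_mismatch", "unknown_session"}:
            actions[sid] = "revoke"
        elif kinds & {"lifetime_exceeded", "context_change"}:
            actions[sid] = "reauthenticate"
    return actions


if __name__ == "__main__":
    found = evaluate_sessions(parse_events(SAMPLE_EVENTS))
    for sid, items in found.items():
        print(sid, [(kind, ts.strftime("%H:%M:%S")) for kind, ts in items])
    print(decisions(found))
```

The device binding is what makes the replay visible even when the attacker copies the user agent: a session presented without the managed-device identifier it was issued to is revoked outright, while a legitimate session that merely outlives the cap is sent back through authentication rather than killed.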

AirSnitch: Cross-Layer Wi-Fi Identity Desynchronization

⚠️ AirSnitch exploits cross-layer identity desynchronization between the Wi‑Fi link layer and the IP layer to mount full, bidirectional machine-in-the-middle attacks. An attacker on the same SSID, a different SSID, or another segment tied to the same AP can intercept and modify link-layer traffic. The technique affects home, office, and enterprise Wi‑Fi and enables DNS poisoning, credential theft, and exploitation of unpatched flaws.