多因素身份验证拦截是攻击者通过技术手段窃取或绕过二次认证凭证的攻击技术,主要针对智能卡、软硬件令牌、短信验证码等MFA机制。传统防御手段依赖检测异常认证请求、分析键盘记录行为或监控短信网关异常,但难以应对新型隐蔽攻击。建议通过硬件令牌行为指纹分析、输入路径完整性验证、电信信令审计等多维度检测机制进行防护。
为规避传统检测机制,攻击者发展出硬件接口劫持、上下文感知窃密、通信协议滥用等高阶匿迹技术,通过将攻击链分解至协议栈底层、融合正常业务流程、利用基础设施漏洞等手段,实现认证凭证的隐蔽窃取与冒用。
现有MFA拦截匿迹技术的核心逻辑在于攻击行为的协议合规化重构与上下文环境深度适配。硬件令牌代理劫持通过劫持系统级驱动接口,将恶意操作封装为标准认证协议交互,规避进程行为异常检测;键盘记录隐蔽传输采用上下文触发机制与白进程信道复用,实现精准数据捕获与隐蔽外传;SIM卡服务劫持中继利用电信网络协议缺陷,将攻击链嵌入运营商基础设施,实现无终端痕迹的验证码拦截;中间人动态伪装则通过实时页面生成与双向协议隧道,构建完美仿真的交互环境。这些技术的共性在于突破传统应用层对抗模式,通过协议栈底层渗透、基础设施寄生、动态环境适配等手法,使攻击行为获得合法业务流程的"数字伪装"。
匿迹技术的演进导致传统基于行为特征规则或单点日志分析的防御体系逐步失效,需构建覆盖协议栈多层、通信全链路、多实体关联的持续认证监测体系,结合硬件级可信执行环境与电信网络异常信令检测,实现针对隐蔽MFA拦截攻击的纵深防御。
| 效应类型 | 是否存在 |
|---|---|
| 特征伪装 | ✅ |
| 行为透明 | ✅ |
| 数据遮蔽 | ✅ |
| 时空释痕 | ❌ |
攻击者通过协议模拟与界面克隆,将恶意交互伪装成合法认证流程。例如伪造MFA认证页面模仿目标组织的视觉风格与交互逻辑,或劫持硬件令牌的标准通信协议,使攻击流量在协议特征层面与正常认证行为完全一致,规避基于界面元素检测或协议合规性分析的防御机制。
在SIM卡服务劫持等场景中,攻击者利用电信网络协议漏洞实施无终端入侵的凭证窃取,其攻击链完全运行于运营商基础设施层面,传统基于终端行为监控或恶意软件检测的防御体系无法感知攻击过程,形成"透明化"攻击效果。
采用多层加密与隐蔽信道技术对窃取的认证数据进行处理,如将验证码信息分割加密后嵌入DNS查询负载,或通过HTTPS隧道混合传输恶意数据与合法业务流量,使得传统基于内容检测或流量特征分析的防御手段难以有效识别。
| ID | Name | Description |
|---|---|---|
| G0114 | Chimera |
Chimera has registered alternate phone numbers for compromised users to intercept 2FA codes sent via SMS.[1] |
| G0094 | Kimsuky |
Kimsuky has used a proprietary tool to intercept one time passwords required for two-factor authentication.[2] |
| G1004 | LAPSUS$ |
LAPSUS$ has replayed stolen session token and passwords to trigger simple-approval MFA prompts in hope of the legitimate user will grant necessary approval.[3] |
| C0014 | Operation Wocao |
During Operation Wocao, threat actors used a custom collection method to intercept two-factor authentication soft tokens.[4] |
| S1104 | SLOWPULSE |
SLOWPULSE can log credentials on compromised Pulse Secure VPNs during the |
| S0018 | Sykipot |
Sykipot is known to contain functionality that enables targeting of smart card technologies to proxy authentication for connections to restricted network resources using detected hardware tokens.[6] |
| ID | Mitigation | Description |
|---|---|---|
| M1017 | User Training |
Remove smart cards when not in use. |
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0027 | Driver | Driver Load |
Monitor for use of proxied smart card connections by an adversary may be difficult because it requires the token to be inserted into a system; thus it is more likely to be in use by a legitimate user and blend in with other network behavior. Similar to Input Capture, keylogging activity can take various forms but can may be detected via installation of a driver. Analytic 1 - Unexpected kernel driver installations.
|
| DS0009 | Process | OS API Execution |
Monitor for API calls associated with polling to intercept keystrokes. |
| DS0024 | Windows Registry | Windows Registry Key Modification |
Monitor for changes to windows registry keys or values that may target multi-factor authentication mechanisms, such as smart cards, to gain access to credentials that can be used to access systems, services, and network resources. Analytic 1 - Unauthorized registry changes related to MFA settings.
|