Hackers are finding ways around multi-factor authentication. Here's what to watch for

Hackers are finding ways around multi-factor authentication. Here's what to watch for
MFA provides a significant barrier against cyber attacks - but isn't infallible.

Apple told staff to return to the office. Its timing couldn't be worse

It's often said that the most important things you can do protect your accounts and wider network from hackers is to use multi-factor authentication (MFA). 

That's because one of the most common ways cyber criminals breach networks is by using phishing attacks to steal passwords or simply by guessing weak ones. Either way, so long as they are using a real password many systems will assume it's safe to give them Access.

MFA creates and additional barrier to attackers because it requires the user to additionally verify that the login attempt was really made by them. This verification can be via an SMS message, an authenticator app or even a physical security key. If the attacker has the password, but not the verification message or physical device, then the system won't let them in and they can't get any further.

Using MFA protects against the vast majority of attempted account takeovers, but recently there's been a surge in cyber attacks which aim to dodge past multi-factor authentication security. According to Microsoft, in just one campaign 10,000 organisations have been targeted in this way during the last year

One option to for hackers who want to get around MFA is to use so-called adversary-in-the-middle (AiTM) attack which combined a phishing attack with a proxy server between the victim and the website they're trying to login to. This allows the attackers to steal the password and session cookie which provides the additional level of authentication they can exploit - in this case to steal email. The user simply thinks they have logged into their account as usual.

"Note that this is not a vulnerability in MFA; since AiTM phishing steals the session cookie, the attacker gets authenticated to a session on the user's behalf, regardless of the sign-in method the latter uses," as Microsoft notes of that particular campaign.

That's because the attackers haven't broken the MFA themselves, they've managed to bypass it by stealing the cookies, and are now able to use the account as if they were the user, even if they go away and come back later. That means despite the presence of multi-factor authentication, it's unfortunately being made redundant in this situation – and that's bad for everyone. 

So while multi-factor authentication is a deterrent most of the time, these attacks show that it isn't infallible. 
"Even though security features such as multi-factor authentication (MFA) add an extra layer of security, they should not be considered as a silver bullet to protect against phishing attacks. With the use of advanced phishing kits (AiTM) and clever evasion techniques, threat actors can bypass both traditional as well as advanced security solutions," said security company ZScaler in its analysis of a similar attack.

And there are other scenarios which can be exploited to bypass multi-factor authentication too, because in many instances, a code is required, and a person needs to enter that code. And people can be tricked or manipulated even while the technology tries to protect us.

"At the end of the day, whether it's a number or it's a piece of information, as soon as the user sees it, it becomes something they know and if it's something that they know it's something the attacker can steal," says Etay Maor, senior director of security strategy at Cato Networks. 

It takes a little more effort from the attacker, but it's possible to grab these codes. For example, SMS verification is still a common method of MFA for many, particularly for things like bank accounts and phone contracts. In some cases, the user is required to read out a code over the phone or input it into a service. 

It's a potentially complex process, but it's possible for cyber criminals to spoof helplines and other services which ask for codes to devices – especially if people think they're talking to someone who is trying to help them. It's why many services will preface an SMS code with a warning that they'll never call you to ask for it. 

"It's not that surprising attackers prey on the human aspect, the people components of the system. People being busy, people being stressed, all sorts of things influence decisions we make," says Oz Alashe, CEO & Founder of CybSafe.

Another method cyber criminals can exploit to bypass MFA is by using malware which actively steals codes. For example, the hackers could gain access to an account by using trojan malware to watch a user gain access to their account, then use the access they have from the infected device to go about their business.  

There's also the potential for them to take control of devices without the victim knowing, using the authenticator app and using the code that's provided to remotely access the account they're after from another machine. 
As far as the network or account is concerned, because the authentication has been used correctly, it's the legitimate user using the service. But there are signs which networks and information security teams could be set up to watch for, signs something might not be right, even if the correct details are used. 

"The system itself should consider whether this person doesn't normally log in from here or at this time and, therefore, do we need to do another level, another layer of verification before we provide them access?" says Alashe.  

While it isn't totally infallible, using multi-factor authentication is still a must as it stops a significant amount of attempted account takeover attempts. But as cyber criminals get smarter they're increasingly going to go after it – and that requires extra levels of defence, particularly from those responsible for securing networks. 

"It's good it's recommended because you won't be the lower hanging fruit. But you definitely need to augment it with an additional layers of security because, just like just like any other siloed security solution, it can be circumvented and you can't think everything is secure, just because of one security layer," says Maor.  
And technology can only do so much, especially when attackers are explicitly attempting to manipulate people into making bad decisions. That needs to be taken into account too, especially as more of what we do shifts towards cloud and other online services. 

"This is a really important challenge for society right now as we increasingly digitize we've got an incredible opportunity to continue to put technology really good use. But we've also got to address these challenges when it comes to resilience and the human aspect," says Alashe. 

"People are wonderful, they want to be helpful, so they'll get tricked sometimes," he adds. 

Hackers are using this sneaky exploit to bypass Microsoft's multi-factor authentication
Attackers guessed the password of a dormant account and were able to apply their own MFA to it - providing access to the victim's network.

a-cyber-criminal-computer-hacker-using-a-laptop-and-a-smartphone
Cyber criminals are exploiting dormant Microsoft accounts to bypass multi-factor authentication (MFA) and gain access to cloud services and networks, researchers have warned.

The technique has been detailed by cybersecurity researchers at Mandiant, who says the exploit is being used in hacking campaigns by APT29 – also known as Cozy Bear – a hacking and espionage operation widely believed to be linked to Russia's Foreign Intelligence Service (SVR). Other offensive cyber-threat groups are thought to be using the same tactics.

Multi-factor authentication is a useful tool for organisations looking to prevent account takeovers and cyberattacks against cloud services and other parts of the network. However, while it's extremely effective at defending against intrusions, it's not infallible and cyber attackers are finding ways around it. security

According to Mandiant, cyber criminals are exploiting the self-enrollment process for applying MFA to Microsoft Azure Active Directory and other platforms to take control of Microsoft 365 and other accounts. 

When organisations first roll out MFA to users, many platforms allow users to enrol their MFA device – usually their smartphone – the next time they log in. This process is often followed because it's the most efficient way to provide as many users as possible with MFA to help secure their accounts. 

But as researchers point out, if there's no additional verification around the MFA enrollment process, anyone who knows the username and password of an account can apply multi-factor authentication to it, so long as they are the first person to do so – and hackers are using this to gain access to accounts. 

In one instance detailed by Mandiant, attackers attributed to APT29 gained access to a list of undisclosed mailboxes they obtained through unknown means and successfully managed to guess the password of an account that had been set up, but never used. 

The attacker prompted by Azure Active Directory to set up multi-factor authentication not only had control of the account, but was also able to tie MFA to a device they owned, exploiting MFA to provide them with access to the account rather than keeping them out. 

From here, the attackers were able to use the account to access the victim organisation's VPN infrastructure. The researchers don't disclose the victim or what the aim of this attack was – although APT29 is known to target US interests and those of NATO and partner countries. 

The incident shows that, even with MFA in place, it's possible for cyber criminals to bypass protection features to access and exploit dormant accounts – something that might go undetected for some time. 
To counter this, it's recommended that organisations ensure additional protections are put in place to verify that the user registering the account is legitimate.

"Organisations can restrict the registration of MFA devices to only trusted locations, such as the internal network, or trusted devices. Organizations can also choose to require MFA to enroll MFA," said Douglas Bienstock, incident response manager at Mandiant.  

"To avoid the chicken-and-egg situation this creates, help desk employees can issue Temporary Access Passes to employees when they first join or if they lose their MFA device. The pass can be used for a limited time to login, bypass MFA, and register a new MFA device," he added. 

Microsoft recently rolled out a feature that allows organisations to enforce controls around MFA device enrollment, which can help to prevent cyber criminals gaining access to accounts. ZDNET has contacted Microsoft for comment.

With dormant accounts the key targets of this particular campaign, it could also be useful for information security teams to be aware of which accounts have never been used, potentially even retiring them if they serve no useful purpose. 

It's also worth ensuring that these accounts aren't secured with default passwords, which can easily be beached by cyber attackers. 

Source - Danny Palmer – ZDNet – August 16 2022