Cyberattackers Double Down on Bypassing MFA

Published: 23/11/2024   Category: security


As companies increasingly adopt MFA, cybercriminals are developing a variety of strategies to steal credentials and gain access to high-value accounts anyway.



As companies increasingly require stronger forms of authentication for their employees and customers, attackers are getting better at bypassing multifactor authentication (MFA), resulting in a steady stream of compromises, such as this week's announcement of a data leak at cybersecurity firm LastPass and the breach announced by social media service Reddit earlier in February.
While multiple ways exist to bypass the flawed security of two-factor authentication (2FA) that relies on one-time passwords (OTPs) delivered by SMS text message, systems protected by push notifications or hardware tokens are considered much harder to compromise. Yet attackers have landed on a trio of techniques to get around the additional security: MFA flooding, proxy attacks, and session hijacking, targeting the user, the network, and the browser, respectively.
"Most of the time, attackers are getting around weaker forms of MFA, especially those that use SMS, [but] there are plenty of techniques attackers use to circumvent MFA, including MFA flooding, SIM-swapping, and attacker-in-the-middle attacks," says Matt Caulfield, CEO of Oort, an identity-security provider.
The first target for attackers is often the human behind the keyboard. Overall, 82% of breaches involved the human element, and more than 80% of Web application breaches are attributed to the use of stolen credentials, according to Verizon's 2022 Data Breach Investigations Report (DBIR).

MFA flooding, in which an attacker repeatedly attempts to log in with stolen credentials to trigger a deluge of push notifications, takes advantage of users' fatigue with security warnings. The attacker does not need to defeat the second factor; they need the legitimate user to approve one of the prompts they did not initiate. "Push notifications are a step up from SMS, but are susceptible to MFA flooding and MFA fatigue attacks, bombarding the victim with notifications in the hope they will click Allow on one of them," Caulfield says. Push schemes that require the user to enter a number displayed on the login screen into the app (number matching) blunt this, because a user who did not start the login never sees that number.
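A detection rule for the flooding pattern described above, as an added example that is not from the article or from any vendor's product: it scans constructed push-challenge log lines for a burst of denied or unanswered prompts per user inside a short window, and escalates when an approval follows such a burst, since that is the case where the victim may have tapped Allow. The log format, field names, window and threshold are assumptions.

```python
"""Detect MFA push flooding (prompt bombing) from authentication logs.

Added example, not code from the article or any identity provider. The
log format below is an assumption: one line per push challenge with
timestamp, user, source IP and outcome.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data).
SAMPLE_LOG = """\
2023-02-20T08:01:02Z alice 203.0.113.7 push_denied
2023-02-20T08:01:31Z alice 203.0.113.7 push_timeout
2023-02-20T08:02:05Z alice 203.0.113.7 push_denied
2023-02-20T08:02:44Z alice 203.0.113.7 push_timeout
2023-02-20T08:03:10Z alice 203.0.113.7 push_denied
2023-02-20T08:03:52Z alice 203.0.113.7 push_approved
2023-02-20T08:05:00Z bob 198.51.100.4 push_approved
2023-02-20T09:10:00Z carol 192.0.2.9 push_denied
2023-02-20T12:15:00Z carol 192.0.2.9 push_approved
"""

WINDOW = timedelta(minutes=10)   # assumed sliding window
THRESHOLD = 3                    # assumed count of unanswered/denied pushes
UNANSWERED = ("push_denied", "push_timeout")


def parse(log_text):
    """Parse the constructed format into (timestamp, user, ip, result) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    return events


def detect_push_flood(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {user: alert} for users who received >= threshold denied or
    timed-out pushes within `window`. An approval arriving while such a
    burst is still inside the window is reported as high severity."""
    alerts = {}
    per_user = defaultdict(list)
    for ev in sorted(parse(log_text)):
        per_user[ev[1]].append(ev)

    for user, events in per_user.items():
        recent = []  # timestamps of unanswered pushes still inside the window
        for ts, _, ip, result in events:
            recent = [t for t in recent if ts - t <= window]
            if result in UNANSWERED:
                recent.append(ts)
                if len(recent) >= threshold:
                    alert = alerts.setdefault(
                        user, {"severity": "medium", "count": 0, "ip": ip})
                    alert["count"] = max(alert["count"], len(recent))
            elif result == "push_approved" and len(recent) >= threshold:
                # Approval right after a burst: the user may have given in.
                alerts[user] = {"severity": "high", "count": len(recent), "ip": ip}
    return alerts


if __name__ == "__main__":
    for user, alert in detect_push_flood(SAMPLE_LOG).items():
        print(f"{user}: {alert['severity']} ({alert['count']} unanswered pushes from {alert['ip']})")
```

Only alice trips the rule: five unanswered prompts in three minutes followed by an approval. Carol's single denial hours before an approval stays quiet, which is the kind of benign noise a threshold without a window would flag. In production the "high" case should also revoke the session the approval created, not just alert.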
Another popular tactic, the account reset attack, aims to fool tech support into giving attackers control of a targeted account, an approach that led to the successful compromise of the developer Slack channel for Take-Two Interactive's Rockstar Games, the maker of the Grand Theft Auto franchise.
"An attacker will compromise a user's credentials, and then pose as a vendor or IT employee and ask the user for a verification code or to approve an MFA prompt on their phone," says Jordan LaRose, practice director for infrastructure security at NCC Group. "Attackers will often use the information they've already compromised as part of the social engineering attack to lull users into a false sense of security."
After a worker logs in to an online account or cloud service, the browser is typically issued a session cookie that identifies the authenticated session and stays valid until the user logs out or the server expires it. A common post-compromise tactic is for the attacker to harvest every cookie in the browser's cookie store for potential use in a session hijack or pass-the-cookie attack, replaying the cookie from another machine so the server treats the attacker's requests as the already-authenticated user. Malware such as Emotet has this functionality as a regular feature.
"Other variants of this attack use cross-site scripting or malicious browser extensions to take control of a user's session after they pass the MFA barrier," says NCC Group's LaRose.
"The ultimate goal of this technique is to attack the user's session indirectly, and therefore not interact with the stronger security controls in the login flow," he says.
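A server-side control against the cookie replay described above, as an added example not drawn from the article, NCC Group or any product: the session is bound at login to the client properties the server can observe (source IP and User-Agent are the assumed choice), given idle and absolute lifetimes, and revoked outright the moment the same cookie arrives from a different client, so a harvested cookie is burned rather than quietly reused. Names, timeout values and the fingerprint inputs are assumptions.

```python
"""Server-side session hardening against pass-the-cookie replay.

Added example, not the article's or any product's code. Policy values
and the fingerprint inputs (source IP, User-Agent) are assumptions.
"""
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

IDLE_TIMEOUT = timedelta(minutes=30)   # assumed policy
ABSOLUTE_LIFETIME = timedelta(hours=8)  # assumed policy: re-authenticate after this


@dataclass
class Session:
    user: str
    fingerprint: str
    created: datetime
    last_seen: datetime
    revoked: bool = False


def fingerprint(ip, user_agent):
    """Hash of the client properties the session is bound to."""
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()


class SessionStore:
    def __init__(self, bind_ip=True):
        self._sessions = {}
        self.bind_ip = bind_ip  # IP binding breaks roaming clients; make it a knob

    def create(self, user, ip, user_agent, now):
        """Issue a session cookie value after a successful login + MFA."""
        token = secrets.token_urlsafe(32)
        fp = fingerprint(ip if self.bind_ip else "", user_agent)
        self._sessions[token] = Session(user, fp, now, now)
        return token

    def validate(self, token, ip, user_agent, now):
        """Return (user, reason); user is None when the cookie is rejected."""
        s = self._sessions.get(token)
        if s is None:
            return None, "unknown_token"
        if s.revoked:
            return None, "revoked"
        if now - s.created > ABSOLUTE_LIFETIME:
            s.revoked = True
            return None, "absolute_lifetime_exceeded"
        if now - s.last_seen > IDLE_TIMEOUT:
            s.revoked = True
            return None, "idle_timeout"
        if fingerprint(ip if self.bind_ip else "", user_agent) != s.fingerprint:
            s.revoked = True  # replay from another client: kill the session for everyone
            return None, "client_mismatch"
        s.last_seen = now
        return s.user, "ok"


def demo():
    """Constructed scenario: victim logs in, attacker replays the cookie."""
    t0 = datetime(2023, 2, 20, 9, 0, 0)
    ua = "Mozilla/5.0 (X11; Linux x86_64)"
    store = SessionStore()
    cookie = store.create("alice", "203.0.113.7", ua, t0)
    results = {}
    results["legit"] = store.validate(cookie, "203.0.113.7", ua, t0 + timedelta(minutes=5))
    # Attacker replays the harvested cookie from their own machine.
    results["stolen"] = store.validate(cookie, "198.51.100.4", "python-requests/2.28",
                                       t0 + timedelta(minutes=6))
    # The victim's next request now fails too: the session was revoked, which is
    # the signal that makes the theft visible.
    results["victim_after"] = store.validate(cookie, "203.0.113.7", ua, t0 + timedelta(minutes=7))
    # A second, untouched session still dies at the absolute lifetime.
    bob = store.create("bob", "198.51.100.9", ua, t0)
    results["stale"] = store.validate(bob, "198.51.100.9", ua, t0 + timedelta(hours=9))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

User-Agent alone is a weak binding, since an attacker who exfiltrates the cookie can copy the UA string with it, and IP binding is a trade-off for mobile users behind changing NAT, so the durable gains here are the short lifetimes, the forced re-authentication, and the revoke-on-mismatch that turns a silent replay into a visible logout for the victim.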
Finally, attackers can try to compromise the path between the user's device and a cloud service or online site. In a proxy attack, also known as an adversary-in-the-middle (AitM) attack, a compromised or malicious server sits between the user and the destination server, relaying requests and responses in both directions, which lets cyberattackers harvest the username, password, MFA response and the resulting session cookie in real time as the victim enters them.
"This allows the attackers to bypass most available methods of MFA, since the user is providing the site, and the hacker, with both the username and password and additional authentication," Drew Trumbull, incident response team lead with the Information Security Office at the University of North Carolina, said in a review of the technique.
The technique may have contributed to the breach at LastPass, where the threat actor was able to capture the employee's master password as it was entered, after the employee authenticated with MFA, according to the company's statement.
To defend against the latest attacks, companies should deploy phishing-resistant MFA, typically a hardware security key using FIDO2/WebAuthn. Such keys resist proxy attacks not because they add another factor but because the authenticator signs a challenge together with the web origin the browser is actually connected to, so an assertion produced while the victim is talking to a look-alike proxy domain is rejected by the real site; the key itself (something you have) is unlocked by a PIN or a biometric (something you are). "Common hardware key solutions, such as Yubikey, have made phishing-resistant MFA easier to deploy," says NCC Group's LaRose.
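To make concrete why the proxy described in the preceding paragraphs relays a one-time code but not a hardware-key assertion, the following added example (not the article's, NCC Group's or any vendor's code) simulates both flows in one relying party. The proxy forwards whatever the victim submits; the TOTP verifies, while the WebAuthn-style assertion fails because the victim's browser wrote the proxy's origin into the signed client data. The domain names, secrets and challenge are constructed, an HMAC stands in for the authenticator's private-key signature, and the relying-party ID check is simplified to the origin's hostname.

```python
"""Why an AitM proxy relays a TOTP but not a FIDO2/WebAuthn assertion.

Added example, not code from the article or any vendor. Domains, keys and
the challenge are constructed; HMAC replaces the authenticator's asymmetric
signature so the example runs with the standard library only.
"""
import hashlib
import hmac
import json
import struct

RP_ID = "accounts.example.com"                           # assumed real site
RP_ORIGIN = "https://accounts.example.com"
PHISH_ORIGIN = "https://accounts-example.com.evil.test"  # assumed proxy domain

TOTP_SECRET = b"constructed-demo-secret"
CRED_KEY = b"constructed-authenticator-key"  # stands in for the credential private key


def totp(secret, t, step=30, digits=6):
    """RFC 6238 time-based code (HMAC-SHA1, dynamic truncation)."""
    counter = struct.pack(">Q", int(t) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def verify_totp(submitted, t):
    """A TOTP carries no information about where it was typed."""
    return hmac.compare_digest(submitted, totp(TOTP_SECRET, t))


def browser_make_assertion(origin_seen_by_browser, challenge):
    """What the victim's browser and authenticator produce. The browser, not
    the page, fills in the origin it is actually connected to."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": challenge,
                              "origin": origin_seen_by_browser}).encode()
    host = origin_seen_by_browser.split("://")[1]
    # Simplification: real WebAuthn lets the page pick an RP ID, but only a
    # registrable suffix of the origin's host, so a phish domain still cannot
    # claim accounts.example.com.
    auth_data = hashlib.sha256(host.encode()).digest() + b"\x05"  # rpIdHash + UP|UV flags
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(CRED_KEY, signed, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


def rp_verify_assertion(a, expected_challenge):
    """Relying-party checks in the order a real verifier applies them."""
    cd = json.loads(a["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return "bad_challenge"
    if cd.get("origin") != RP_ORIGIN:
        return "origin_mismatch"
    if a["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rp_id_hash_mismatch"
    signed = a["authenticatorData"] + hashlib.sha256(a["clientDataJSON"]).digest()
    expected = hmac.new(CRED_KEY, signed, hashlib.sha256).digest()
    return "ok" if hmac.compare_digest(expected, a["signature"]) else "bad_signature"


def aitm_relay(now):
    """The proxy forwards the victim's responses to the real site unchanged.
    Returns (totp_accepted, relayed_fido_result, direct_fido_result)."""
    challenge = "constructed-challenge-from-real-site"
    code_typed_into_phish_page = totp(TOTP_SECRET, now)
    totp_result = verify_totp(code_typed_into_phish_page, now)
    # The victim's browser was connected to the proxy, so that is the origin it signs.
    relayed = rp_verify_assertion(browser_make_assertion(PHISH_ORIGIN, challenge), challenge)
    direct = rp_verify_assertion(browser_make_assertion(RP_ORIGIN, challenge), challenge)
    return totp_result, relayed, direct


if __name__ == "__main__":
    print(aitm_relay(1676886000))  # (True, 'origin_mismatch', 'ok')
```

The proxy can change nothing to fix this: rewriting the origin field in clientDataJSON breaks the signature over its hash, and the rpIdHash in the authenticator data would still be the phishing host's. That origin binding, not the presence of a biometric, is what makes the key phishing-resistant; the same relay happily passes the TOTP through.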
Unfortunately, there are still hurdles for companies in adopting hardware keys, making it difficult to attain complete coverage, says Oort's Caulfield.
"Just the logistics of shipping hardware-based security keys to every employee and managing the process when they lose them can be a nightmare," he says. "Shipping laptops and security keys to contractors is even harder."
And with the increased overhead of managing the devices comes another in-road for attackers: resetting an account following a lost or stolen device. By pretending to be the victim, an attacker can claim to have lost a device, allowing them to enroll a new factor upon sign-in or to act during a reset grace period, says Oort's Caulfield.
"MFA resets are a massive challenge," he says. "It's likely we'll see attackers shifting from the factor as a weakness to the registration and reset process."
And indeed, rather than use a hardware token, workers and consumers are far more likely to fall back on a security question or a one-time code delivered by email or SMS. Nearly 80% of users polled at identity provider Okta, for example, use email as a second factor, and nearly 40% use a time-based OTP (TOTP) through an authenticator application, while only about 5% use a hardware token such as a Yubikey, according to Oort's 2023 State of Identity Security report. Users of Azure AD and Duo Security show similar preferences, the report noted, with security questions and SMS passcodes dominating enrollment numbers.
