For years, cyber defenders have touted multifactor authentication (MFA) as a so-called ‘silver bullet’ against account takeover. As cyber-criminals continually ramped up their social engineering efforts, MFA quickly became the barrier of choice between a tricked user and a successful credential phishing attack. However, as security professionals are all too aware, nothing stops opportunistic threat actors in their tracks for long.
We are now seeing the beginnings of a shift in the threat landscape driven by the wide adoption of MFA. Cyber-criminals are pivoting to exploit weaknesses in how MFA is deployed, from simply inundating users with authentication requests until one is approved to more sophisticated phishing kits that capture the session token a service issues after a successful login.
Threat actors now realize it’s more effective (and cheaper) to steal credentials and log in than trying to hack through technical controls. Once they have siphoned access details from just one employee, they move laterally, stealing even more credentials, compromising servers and endpoints, and downloading sensitive organizational data – it’s now far too easy for an attacker to turn one compromised identity into an organization-wide ransomware incident or data breach.
While MFA remains an important preventative control for account takeover, organizations must realize that simply implementing this additional layer of authentication is no longer enough. Security teams need to consider the detective controls they have in place to spot compromised users before too much damage is done.
Authentic Delivery
MFA can help reduce organizations’ attack surfaces by adding another layer of account security. It supplements the username and password with a factor only the user possesses, such as their mobile phone. Yet, as the bypass techniques described below show, MFA does not provide enough security on its own. Two aspects matter most: how the second factor reaches the user, and how easily an attacker can capture or relay it.
Email is one option for delivering the authentication code to the user, but it is arguably the least secure. A user whose password has been phished may well have had their mailbox compromised with the same or a reused password, in which case the attacker simply reads the code out of the inbox.
One-time codes sent by SMS are another option. While this is better than no second factor at all, it is relatively unreliable, and SMS was never designed as a secure channel: messages can be intercepted in transit or by malware on the handset, and sender identities can be spoofed. Malicious actors also use SIM swapping (sometimes called ‘SIM hijacking’), in which they impersonate the victim to the mobile carrier and have the phone number moved to a SIM they control. With the victim’s phone number, the attacker receives any two-factor codes sent by text message.
Using an authenticator app installed on the user’s device is a better option. The app generates short-lived, time-based one-time codes (TOTP) that the user types into the login page as the second step. The short lifetime is little protection against an attacker who relays the code in real time, however, and this can still be done through social engineering: attackers targeting specific individuals may phone them after stealing the password, pose as IT support, and ask the user to read out the code currently shown. Any factor the user can read out or type into a form can be phished this way; only factors cryptographically bound to the site they were registered with, such as FIDO2/WebAuthn security keys, resist relay.
Social Engineering Overload
As with the majority of cyber-attacks, social engineering is at the center of the successful siphoning of users’ MFA tokens. Cyber-criminals are exploiting not just technology but also human weaknesses. Below, we take a look at the tactics threat actors are using to bypass MFA:
MFA Alert Fatigue
You may wonder how a cyber-criminal can obtain a user’s MFA token if it lives on a mobile device or within an app. With push-based MFA they do not need to: many providers let users approve a login by accepting a push notification in a phone app, or by answering a phone call and pressing a key. The attacker, already holding the password, only needs the user to approve once.
We are now seeing attackers target users with a wave of ‘MFA fatigue attacks’, in which they repeatedly attempt to log in with the stolen password so that the victim is bombarded with push notifications. The tactic is simple: spam the user in quick succession, often at inconvenient hours, until they approve a prompt to make the alerts stop or assume the prompts are a glitch. Push prompts that require the user to enter a number displayed on the login screen (number matching) and rate limits on pushes per account blunt the tactic, and a burst of denied or unanswered prompts followed by an approval is a detection signal worth alerting on.
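The detection just described, written out as an added example rather than code from the article: it walks authentication log lines, keeps a sliding window per user, and raises a medium alert when pushes reach a threshold and a high alert when an approval follows such a burst. The log format, event names, ten-minute window and threshold of five are assumptions for the example; real identity providers use their own field names, so `parse()` is the part to adapt.

```python
"""Flag MFA push bombing from authentication logs. Added example, not code
from the original article or from any vendor product.

Assumptions (not from the article): a line-oriented log with the fields
"timestamp user event source_ip", the event names used below, a 10-minute
window and a threshold of 5 pushes.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
PUSH_THRESHOLD = 5          # pushes to one user within WINDOW that count as a burst
REJECTIONS = {"mfa_push_denied", "mfa_push_timeout"}

# Constructed sample log (not real telemetry). "alice" is push-bombed from one
# attacker IP and finally approves; "bob" is an ordinary retry after a timeout.
SAMPLE_LOG = """\
2023-03-01T08:01:02Z alice mfa_push_sent 203.0.113.7
2023-03-01T08:01:40Z alice mfa_push_denied 203.0.113.7
2023-03-01T08:02:05Z alice mfa_push_sent 203.0.113.7
2023-03-01T08:03:05Z alice mfa_push_timeout 203.0.113.7
2023-03-01T08:03:10Z alice mfa_push_sent 203.0.113.7
2023-03-01T08:03:30Z alice mfa_push_denied 203.0.113.7
2023-03-01T08:03:55Z bob mfa_push_sent 198.51.100.4
2023-03-01T08:04:00Z alice mfa_push_sent 203.0.113.7
2023-03-01T08:04:55Z bob mfa_push_timeout 198.51.100.4
2023-03-01T08:05:00Z alice mfa_push_timeout 203.0.113.7
2023-03-01T08:05:10Z alice mfa_push_sent 203.0.113.7
2023-03-01T08:05:15Z bob mfa_push_sent 198.51.100.4
2023-03-01T08:05:30Z bob mfa_push_approved 198.51.100.4
2023-03-01T08:05:35Z alice mfa_push_denied 203.0.113.7
2023-03-01T08:06:00Z alice mfa_push_sent 203.0.113.7
2023-03-01T08:06:20Z alice mfa_push_approved 203.0.113.7
"""


def parse(log: str):
    """Yield (timestamp, user, event, source_ip) tuples, skipping blank lines."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip


def detect_push_bombing(log: str, window=WINDOW, threshold=PUSH_THRESHOLD):
    """Return alerts: 'medium' when a user's push count reaches the threshold
    inside the window, 'high' if an approval then follows within the same
    window, i.e. the user very likely gave in to the prompts."""
    recent = defaultdict(deque)     # user -> (ts, event, ip) inside the window
    alerts = []
    for ts, user, event, ip in parse(log):
        q = recent[user]
        q.append((ts, event, ip))
        while ts - q[0][0] > window:        # drop events older than the window
            q.popleft()
        pushes = sum(1 for _, e, _ in q if e == "mfa_push_sent")
        rejections = sum(1 for _, e, _ in q if e in REJECTIONS)
        sources = sorted({i for _, _, i in q})
        if event == "mfa_push_sent" and pushes == threshold:
            alerts.append({"ts": ts, "user": user, "severity": "medium",
                           "pushes": pushes, "rejections": rejections,
                           "sources": sources, "reason": "push burst"})
        elif event == "mfa_push_approved" and pushes >= threshold:
            alerts.append({"ts": ts, "user": user, "severity": "high",
                           "pushes": pushes, "rejections": rejections,
                           "sources": sources, "reason": "approval after push burst"})
    return alerts


if __name__ == "__main__":
    for alert in detect_push_bombing(SAMPLE_LOG):
        print(alert)
```

The `sources` field is there for triage: a burst of prompts all originating from one IP the user has never signed in from, followed by an approval, is the pattern to respond to by revoking the resulting session and resetting the password, not just the MFA device.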
MFA Phishing Kits
It’s important to note that while many users are unaware of this threat, it is nothing new. Proofpoint’s threat researchers verified MFA bypass techniques two years ago, but threat actors are now demonstrating more sophisticated approaches.
We now see purpose-built tools used by cyber-criminals to execute MFA bypass attacks. For example, our security researchers have found that phishing kits designed to circumvent MFA by stealing session cookies are increasingly popular on the cybercrime underground. These kits work as a transparent reverse proxy: the victim lands on a lookalike domain that forwards every request to the genuine login page, so the password and the one-time code the victim enters are relayed to the real service in real time, and the session cookie the service sets once MFA succeeds is captured on the way back. Loaded into the attacker’s browser, that cookie gives a logged-in session with no further challenge until it expires or is revoked. MFA phishing kits have been around for several years; what is concerning today is their rapid adoption and spread.
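A stolen cookie has to be used from somewhere, and that is where it can be caught. The following is an added example, not code from the article or from any product: it records the client a session was issued to at MFA time and flags later requests that present the same cookie from a different browser or network. The event format, session identifiers and the /24 and /48 tolerance are assumptions chosen for the example.

```python
"""Detect reuse of a post-MFA session cookie from a client that does not match
the one the cookie was issued to. Added example, not from the original article.

The log fields, session identifiers and network granularity below are
constructed for the example; real identity providers name these differently.
"""
import ipaddress

UA_WIN = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/110.0"
UA_IOS = "Mozilla/5.0 (iPhone; CPU iPhone OS 16_3) Safari/604.1"
UA_LINUX = "Mozilla/5.0 (X11; Linux x86_64) Firefox/109.0"

# Constructed events (not real telemetry):
# (kind, timestamp, session_id, user_or_None, client_ip, user_agent)
# "login" is the post-MFA session issuance; "request" is a later use of it.
EVENTS = [
    ("login",   "2023-03-01T09:00:00Z", "sess-a1", "alice", "203.0.113.7",   UA_WIN),
    ("request", "2023-03-01T09:00:05Z", "sess-a1", None,    "203.0.113.7",   UA_WIN),
    ("login",   "2023-03-01T09:01:00Z", "sess-b2", "bob",   "192.0.2.10",    UA_IOS),
    # bob's carrier hands him a new address in the same /24: tolerated.
    ("request", "2023-03-01T09:02:30Z", "sess-b2", None,    "192.0.2.44",    UA_IOS),
    # alice's cookie (issued to the phishing proxy at 203.0.113.7) appears in a
    # different browser on a different network: the attacker replaying it.
    ("request", "2023-03-01T09:03:00Z", "sess-a1", None,    "198.51.100.23", UA_LINUX),
    # A cookie the IdP never issued in this window.
    ("request", "2023-03-01T09:04:00Z", "sess-zz", None,    "198.51.100.23", UA_LINUX),
]


def network_of(ip: str):
    """Coarse network key (/24 for IPv4, /48 for IPv6) so that ordinary address
    churn inside one carrier or office range does not trigger alerts."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def detect_session_replay(events):
    """Bind each session id to the (ip, user_agent) it was issued to and alert
    when a later request presents it from a different client."""
    issued = {}   # session_id -> issuance record
    alerts = []
    for kind, ts, sid, user, ip, ua in events:
        if kind == "login":
            issued[sid] = {"user": user, "ip": ip, "ua": ua, "issued_at": ts}
            continue
        origin = issued.get(sid)
        if origin is None:
            alerts.append({"ts": ts, "session": sid, "user": None,
                           "severity": "high", "reasons": ["unknown_session"]})
            continue
        reasons = []
        if ua != origin["ua"]:
            reasons.append("user_agent_changed")
        if network_of(ip) != network_of(origin["ip"]):
            reasons.append("network_changed")
        if reasons:
            alerts.append({"ts": ts, "session": sid, "user": origin["user"],
                           "severity": "high" if len(reasons) == 2 else "medium",
                           "reasons": reasons, "issued_to": origin["ip"], "seen_from": ip})
    return alerts


if __name__ == "__main__":
    for alert in detect_session_replay(EVENTS):
        print(alert)
```

Two caveats a practitioner should keep in mind: a careful attacker copies the victim’s User-Agent string, so that signal alone is weak and the network comparison (ideally by ASN rather than prefix) carries most of the weight; and detection only limits the damage, whereas binding the token to the device that completed MFA prevents the replay in the first place.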
Blocking the Bypass
Even though cyber-criminals are increasing their attempts to bypass it, MFA will remain an important preventative control for account takeover. Most leading organizations have implemented MFA, and for several years it has blunted the bulk of credential phishing.
To continue reaping the rewards of MFA, organizations must assess their ability to detect account compromise, not just prevent it. While MFA bypass feels like a relatively new security challenge, the attack chain we are seeing is tried and tested. Cyber-criminals are targeting people, with most of these attacks starting with an email, aiming to trick a user into handing over credentials and granting organizational access.
Organizations must recognize the need for strong email security, since most of these attacks start with an email. A critical first step in making MFA controls effective is to stop the lure from reaching users at all, with modern email security that can detect malicious URLs.
Next, organizations need technology to identify and respond to compromised users and to remove what attackers need to complete their crime: privileged account access. Identity threat detection and response (ITDR) tooling helps organizations find and remediate privileged identity risks and understand the potential ramifications of a compromise, such as access to critical data and intellectual property.
Finally, organizations must protect data with next-generation data loss prevention (DLP) solutions that prevent data from getting into the wrong hands.
Robust technical controls take much of the guesswork away from employees: several layers would have to fail before one user’s mistake becomes a breach. However, as with all threats, a combination of people, process and technology is crucial, so security teams should make their workforce aware of MFA bypass tactics and teach users to deny and report any authentication prompt they did not initiate.