Multi-factor authentication (MFA) is becoming a crucial component of cybersecurity for organizations and individual users. The weaknesses of password-only authentication are increasingly recognized, with compromised login credentials the most common method used by cyber-criminals to breach organizations.
Verizon’s 2022 Data Breach Investigations Report found that over half of cyber-attacks in 2021 resulted from stolen credentials.
MFA methods, ranging from codes delivered by SMS message to fingerprint scans, offer an invaluable layer of security in the event a user’s credentials are compromised. Experts believe that widespread use of MFA will prevent a significant proportion of cyber-attacks.
However, in light of the growing use of MFA, cyber-criminals are finding new and innovative ways of bypassing these methods, aiming to turn this security strength into a weakness. In one example, in July 2022, Microsoft detailed a large scale phishing campaign that was able to bypass MFA.
Kevin Dunn, senior vice president, head of professional services at NCC Group, told Infosecurity: “As with many things, as defenses increase, attackers adapt to overcome. MFA bypass is becoming a common theme in attack chains to overcome initial authentication barriers and compromise a system or identity perimeter.”
Common MFA Bypass Techniques
It is clear that cyber-threat actors have developed multiple techniques for bypassing MFA systems. Matt Cooke, director, cybersecurity strategy, EMEA at Proofpoint, noted that MFA phishing kits are being observed for sale on cybercrime websites, with many of these able to be purchased “for less than a cup of coffee.”
These tools often adapt approaches found in “traditional kits” that steal only usernames and passwords. They are typically installed on a dedicated server owned by the threat actor, or covertly installed on a compromised server owned by an unlucky third party.
These kits typically target human weaknesses to steal tokens. “Attackers often rely on notification fatigue, bombarding an employee with approval requests until they finally relent,” said Cooke.
In a June 18 report, Cisco Talos observed that the majority of fraudulent MFA pushes were sent between 10:00 and 16:00 UTC, which is slightly ahead of US working hours.
"This indicates that attackers are sending push notifications as people are logging on in the morning, or during actual work hours – presumably hoping that the notifications are in context of their usual working day, and therefore less likely to be flagged," Cisco's Hazel Burton wrote.
The use of social engineering tactics to steal MFA codes is also commonly observed by Dunn. This includes push notification attacks, whereby an attacker attempts to convince a user to hit ‘yes’ on a push notification access request through social engineering, or what he terms ‘push notification fatigue.’
“This is where a user is so overwhelmed by either the frequency of requests or the hectic nature of their day-to-day lives that they simply hit yes without thinking. While this might seem unlikely, it happens a lot,” he explained.
In addition, Cooke said he had observed an increase in tools that use a transparent reverse proxy to present the actual website to the victim. This enables so-called man-in-the-middle (MitM) attacks – essentially the deployment of a proxy server between a target user and an impersonated website, allowing threat actors to capture usernames, passwords and session cookies in real time.
The growth of SIM swapping attacks is another technique observed in this space, which specifically compromises MFA codes sent via SMS. This normally involves a fraudster socially engineering a mobile carrier operative to switch the victim’s mobile number to a SIM card in their possession, leading to the victim’s calls, texts and other data being diverted to the criminal’s device.
Jason Steer, CISO at Recorded Future, also highlighted the growing prevalence of infostealer malware to bypass MFA.
“These malware families, once installed on a victim's computer, look for credentials in browsers and for hard coded authentication tokens that store the zero trust information inside a file. Essentially the ownership of the file allows the new 'owner' to log into Slack, Teams and other business critical systems without any additional authentication requirement,” he explained.
A less common and particularly sophisticated technique sometimes used is the targeting of the cryptographic components behind the MFA process itself, allowing attackers to create a backdoor or mint their own authentication tokens.
“This is a rather sophisticated attack and requires a previous method of compromise, but it did rear its head during the SolarWinds incident,” commented Dunn.
Case Study: Discovering MFA Vulnerabilities
Sometimes, cyber-criminals find MFA bypass opportunities presented to them, by exploiting flaws and mistakes within organizations’ systems. Therefore, it is increasingly important that security teams are consistently checking for vulnerabilities in their MFA systems that can potentially lead to a bypass.
In a recent example, a vulnerability was discovered on the member login portal of the website of cybersecurity certification body (ISC)2 by security researcher Jacob Hill, CEO at GRC Academy. The vulnerability was found by accident when he tried logging into his member account.
After entering his username and password, Hill was prompted to provide an MFA code, for which (ISC)2 offers several options. As he wasn’t able to access his chosen Google Authenticator code, he clicked the option to ‘try another method.’
One of these methods was an SMS code, and this allowed Hill to register any phone number to enable the SMS authentication method during the login flow. The code was sent to his phone and allowed him to access his account.
Therefore, he essentially bypassed his own MFA – although this could only occur if the user’s password and username were already compromised and SMS wasn’t already set up as their MFA method. Hill revealed that he reported the issue to (ISC)2 on October 25, 2022, and three days later the certification body confirmed it had understood the report.
On December 13, 2022 (ISC)2 informed Hill that the problem had been resolved, but the exact date of the fix has not been confirmed.
Speaking to Infosecurity, (ISC)2’s CEO Clar Rosso said that the organization’s security team had shut the issue down by the end of October. Thankfully, “in the work we’ve done since there’s no evidence of any kind of compromise that happened as a result.”
In his blog detailing his findings, Hill suggested the flaw may have been caused by an SSO upgrade that (ISC)2 made on its website on 27 July 2022. Rosso confirmed to Infosecurity that the issue arose from a human implementation error, which provided learning opportunities for the body. “That allowed us to look at our security processes to see how we can avoid these kinds of problems on the front end in the first place,” she said.
Rosso added that this analysis needs to continue on an ongoing basis and that (ISC)2 welcomes input from external security researchers.
In terms of advice for other organizations based on this recent experience, Rosso said security teams should always be aware of the wider impact and collateral damage a mistake can have on their IT system. “You need to test and retest your business processes to ensure they’re working in the way they’re supposed to,” she noted.
Securing MFA
There are a number of steps that organizations should be taking to reduce the risk of MFA bypass. One of these is constantly testing their systems, as Rosso mentioned.
NCC Group’s Dunn also emphasized that some forms of MFA are more secure than others. He argued that SMS, email, push notifications and even one-time codes are particularly susceptible to compromise and should not be used by employees with high levels of privilege and access. Instead, for these staff, he urged the use of FIDO-compliant MFA methods, which are far harder to compromise. For example, FIDO U2F security keys bind the user login to the origin, meaning only the genuine site can authenticate with the key.
Dunn advised: “For the riskiest users (but ideally for everyone), FIDO U2F is the gold standard. Several sites and applications now support it, such as Okta, Duo, Google Workspace, AWS and Microsoft 365. Despite this, I see very few companies making the switch.”
Recorded Future’s Steer concurred, stating: “Look for alternate stronger MFA options such as Yubikey and other FIDO compliant tools to strengthen secondary MFA channels.”
Finally, close monitoring and auditing of authentication events remain crucial to enable a rapid response when malicious actors have compromised a user’s password and MFA, which can never be completely infallible.
“By understanding how the attacks work and how they manifest in terms of indicators of activity or indicators of compromise, an organization can setup a monitoring strategy that has a good chance of spotting suspicious activities before they become problems,” said Dunn.
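A defender-side illustration of Dunn's monitoring point, covering the push-fatigue pattern Cooke and Dunn describe and the enrol-a-factor-mid-login flaw from the (ISC)2 case. This is an added example, not code from the article or from any vendor quoted in it; the event names, fields and sample log lines are constructed assumptions, not any real identity provider's log format.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample IdP events (JSON lines), not real logs: alice is push-bombed and relents; carol enrols SMS mid-login.
SAMPLE_LOG = """
{"ts":"2024-06-18T09:58:01Z","user":"alice","event":"push_sent"}
{"ts":"2024-06-18T09:58:40Z","user":"alice","event":"push_denied"}
{"ts":"2024-06-18T09:59:10Z","user":"alice","event":"push_sent"}
{"ts":"2024-06-18T09:59:55Z","user":"alice","event":"push_denied"}
{"ts":"2024-06-18T10:00:30Z","user":"alice","event":"push_sent"}
{"ts":"2024-06-18T10:01:12Z","user":"alice","event":"push_approved"}
{"ts":"2024-06-18T10:05:00Z","user":"carol","event":"password_ok"}
{"ts":"2024-06-18T10:05:30Z","user":"carol","event":"factor_enrolled","factor":"sms"}
{"ts":"2024-06-18T10:06:00Z","user":"carol","event":"mfa_ok","factor":"sms"}
"""
PUSH_WINDOW, PUSH_THRESHOLD = timedelta(minutes=5), 3  # pushes to one user inside the window before flagging

def parse_events(log):
    events = [json.loads(line) for line in log.strip().splitlines()]
    for e in events:  # timestamps are UTC, as in the Cisco Talos timing observation
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])

def detect_push_fatigue(events):
    """Flag users hit by PUSH_THRESHOLD pushes inside PUSH_WINDOW; note if they approved after earlier denials."""
    by_user = defaultdict(list)
    for e in (e for e in events if e["event"].startswith("push_")):
        by_user[e["user"]].append(e)
    alerts = {}
    for user, evs in by_user.items():
        sent = [e["ts"] for e in evs if e["event"] == "push_sent"]
        if any(sent[i + PUSH_THRESHOLD - 1] - sent[i] <= PUSH_WINDOW
               for i in range(len(sent) - PUSH_THRESHOLD + 1)):
            outcomes = [e["event"] for e in evs if e["event"] != "push_sent"]
            relented = "push_denied" in outcomes and outcomes[-1] == "push_approved"
            alerts[user] = "relented_after_denials" if relented else "push_burst"
    return alerts

def detect_enroll_before_mfa(events):
    """Flag a factor enrolled after password success but before MFA completed (the half-authenticated state)."""
    pending, alerts = set(), {}
    for e in events:
        if e["event"] == "password_ok":
            pending.add(e["user"])
        elif e["event"] == "mfa_ok":
            pending.discard(e["user"])
        elif e["event"] == "factor_enrolled" and e["user"] in pending:
            alerts[e["user"]] = e["factor"]
    return alerts
```

Run both detectors over `parse_events(SAMPLE_LOG)`: alice is flagged as having relented after denials and carol as having enrolled an SMS factor before completing MFA.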
Continued Use of MFA
The experts Infosecurity spoke to emphasized that MFA remains vital in spite of the growing risk and should be employed in every possible circumstance.
“We as an organization take the posture that MFA is good practice – the same as government agencies across the world. If MFA is available to you, you should employ it,” commented Rosso.
However, it is not infallible, and should be considered one aspect of a more rounded security strategy.
Proofpoint’s Cooke said: “The days of the MFA ‘silver bullet’ for credential phishing are gone. A majority of leading organizations implemented MFA and have largely been able to discount credential phishing for several years. Those organizations need to now assess their ability to detect account compromise, not just prevent it.”
Strong MFA should therefore be developed in conjunction with effective detection technologies and processes.
This article was updated on June 19, 2024 to add findings from a Cisco Talos report.