Multi-factor authentication (MFA) is one of the most useful measures that companies can use to defend against the increase in credential attacks, but attackers are adapting, as evidenced by the various bypasses that allow them to penetrate the network—even those affected by MFA Protected network.
In an analysis of recent attacks, identity and access management company CyberArk found that attackers (including its red team) can bypass MFA in at least four ways or at least greatly reduce their revenue. In a recent example, the attackers behind the SolarWinds Orion attack stole the private keys of many companies’ single sign-on (SSO) infrastructures and then used these keys to bypass MFA checks.
Shay Nahari, vice president of CyberArk Red Team Services, said that companies must model these threats and ensure that their MFA infrastructure does not have the same weaknesses.
“In the past year, we have seen a surge in the number of companies that use MFA as part of their security controls-which is always good-but we have also seen some MFA-based activities in the post-invasion activities of our customers. Attack,” he said. “They all use it during initial access, and we see attackers gain access in other ways, and then turn to more sensitive access.”
Businesses and consumers worried about the increase in account leaks have adopted MFA. In 2019, a semi-annual report tracking the adoption of two-factor authentication found that 53% of respondents used it to protect important accounts, up from 28% in 2017. Another study funded by Microsoft found that 85% of executives expect MFA to be implemented by the end of 2020.
The benefits are obvious: Microsoft insists that accounts using MFA are 99.9% less likely to be compromised.
“The point is-your password is not important if it is compromised-unless it is more than 12 characters and has never been used before-which means it was generated by a password manager,” Security Director Alex Kswenat is at Microsoft, and he wrote in his 2019 analysis of MFA. “This is useful for some people, but forbidden for others…or you can just enable MFA.”
With the increasing popularity of MFA, especially to help protect remote workers during a pandemic, attackers are looking for ways to bypass the technology. Sometimes they found it.
Companies that use MFA with SSO portals may have architectural design flaws. CyberArk analysis pointed out that in one case, once users are authenticated at the infrastructure level, they will not use MFA for verification when accessing key assets. This weakness may result in a single low-level machine or worker being threatened and then trusted throughout the network. An attacker who compromised the machine and possessed more privileged user credentials could gain access to more sensitive assets.
“The structure of the MFA is incorrect,” Nahari said. “The weakness is that it is not based on identity. There is no zero trust.”
Another company created a weakness in attracting new users. They sent an email with a link that users must open on their phone so that the corporate MFA system can pair with their software token application. Unfortunately, the link containing the encrypted seed used to generate the token was only protected with a four-digit PIN, which the red team quickly used forcibly. Nahari said that any attacker who can access a user’s email can copy an employee’s MFA token.
“The onboarding was done in an unsafe way,” he said. “Your idea of crossing channels is a basic taboo. You need to decouple channels, so the distribution of seeds should be done on different channels.”
Other companies need MFA to access the server remotely, but do not need other ports or applications on the server, making the machine vulnerable to credential leaks on other channels. This can give the attacker access to the entire machine.
Organizations should review their MFA infrastructure to determine how it might be bypassed. In addition, they should design threat models to understand how attackers might try to bypass their access security, Nahari said.
“MFA should not be the only thing, it should be part of a larger approach,” he said. “Every attack we show is not an attack on MFA, but a way to circumvent it.”
A senior technical reporter for more than 20 years. Former research engineer. Contributed to more than two dozen publications, including CNET News.com, Dark Reading, MIT Technology Review, Popular Science, and Wired News.Five journalism awards, including the best deadline… View full bio