MULTI-FACTOR AUTHENTICATION IS NOT IN VAIN!
As cybercriminals find ways to bypass MFA, you may find yourself asking “Why did we go to the trouble of setting up two-factor authentication if the bad guys blast through it?”
Note that they certainly don’t “blast” through anything: their insidious work takes time and multiple attempts, keeping the attack less noticeable as they roll out the latest malware or phishing scheme. And you were right to implement MFA, which makes it harder for bad actors to pull off a heist in an organization of any size.
DART (Microsoft’s Detection and Response Team) recently posted about the rise in token theft, and that post explains the latest MFA-bypass tactic: “By compromising and replaying a token issued to an identity that has already completed multifactor authentication, the threat actor satisfies the validation of MFA and access is granted to organizational resources, accordingly.”
Here’s the way this phishing-based bypass works:
- An attacker sends a phishing email to a targeted group of users.
- When a user accesses the application through it, a cloned interface placed between the user and the legitimate application they are trying to reach captures both the user’s credentials and the session token.
- The attacker replays the stolen credentials and session cookies, satisfying the MFA check.
- The connection between the AiTM (adversary-in-the-middle) phishing site and the legitimate website is proxied, so authentication and MFA pass through it.
- The MFA check passes.
- The attacker gains access to the legitimate application and compromises both the users and the company’s infrastructure and information assets.
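The replay step above leaves a trace a defender can look for: a session token that was issued after an interactive MFA prompt later turns up from a different network location with MFA “satisfied” but never prompted. The following detector is an added example written for this article, not code from the post or from DART; the sign-in record layout, the field names, the 60-minute default lifetime and the sample sign-ins are all constructed assumptions, standing in for the session identifier your identity provider records with each sign-in.

```python
"""Added example (not code from the DataGuard365 post): flag session-token
replay in sign-in records. The record layout, field names, thresholds and
the sample sign-ins below are constructed assumptions for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class SignIn:
    time: datetime
    user: str
    session_id: str     # identifier of the session/refresh token that was issued
    ip: str
    country: str
    mfa_prompted: bool  # True only if the user interactively completed MFA here


# Constructed sample. Alice completes MFA from the office; 40 minutes later the
# same session id appears from another country with MFA "satisfied" but never
# prompted, which is the replay pattern described above. Bob's second sign-in
# reuses a token from the same place, the normal silent single sign-on case.
SAMPLE_SIGNINS: List[SignIn] = [
    SignIn(datetime(2022, 11, 16, 9, 0), "alice@example.com", "sess-A1", "203.0.113.10", "US", True),
    SignIn(datetime(2022, 11, 16, 9, 40), "alice@example.com", "sess-A1", "198.51.100.77", "NL", False),
    SignIn(datetime(2022, 11, 16, 10, 5), "bob@example.com", "sess-B7", "203.0.113.11", "US", True),
    SignIn(datetime(2022, 11, 16, 11, 0), "bob@example.com", "sess-B7", "203.0.113.11", "US", False),
]


def find_token_replays(signins: List[SignIn], max_session_minutes: int = 60) -> List[dict]:
    """Alert on a session id reused from a different IP or country without a
    fresh MFA prompt. `within_lifetime` says whether the original token would
    still have been valid under a policy of `max_session_minutes`."""
    first_seen: Dict[str, SignIn] = {}
    alerts = []
    for s in sorted(signins, key=lambda x: x.time):
        origin = first_seen.setdefault(s.session_id, s)
        if origin is s:
            continue  # first use of this session: nothing to compare against yet
        moved = s.ip != origin.ip or s.country != origin.country
        if moved and not s.mfa_prompted:
            age = s.time - origin.time
            alerts.append({
                "user": s.user,
                "session_id": s.session_id,
                "origin": f"{origin.ip} ({origin.country})",
                "replay": f"{s.ip} ({s.country})",
                "minutes_after_issue": int(age.total_seconds() // 60),
                "within_lifetime": age <= timedelta(minutes=max_session_minutes),
            })
    return alerts


def replays_blocked_by_lifetime(signins: List[SignIn], lifetime_minutes: int) -> int:
    """Count the detected replays that would have failed outright because the
    token had already expired under a session lifetime of `lifetime_minutes`."""
    return sum(1 for a in find_token_replays(signins, lifetime_minutes) if not a["within_lifetime"])


if __name__ == "__main__":
    for alert in find_token_replays(SAMPLE_SIGNINS):
        print(alert)
    print("replays blocked by a 30-minute lifetime:", replays_blocked_by_lifetime(SAMPLE_SIGNINS, 30))
```

Bob’s quiet token reuse from the same address is deliberately not flagged: legitimate single sign-on reuses tokens all day, so the signal is the combination of a location change and the absence of an MFA prompt, not token reuse by itself. `replays_blocked_by_lifetime` shows the trade-off behind the “reduce session lifetime” advice: the sample replay 40 minutes after issue survives a 60-minute policy but fails under a 30-minute one.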
Attackers keep uncovering new ways to bypass MFA and other well-placed safeguards, so it is critical that IT teams learn what to watch for. Together with a cybersecurity partner who mentors them and grows the team’s cyber-capacities, they’ll be able to frustrate attackers so IT’s safeguards work as intended.
Here is a DART-inspired shortlist of “preventive measures” for cybersecurity partners and the IT teams they support:
- Maintain full visibility into how and where all users are authenticating.
- “Allowing only known devices that adhere to Microsoft’s recommended security baselines helps mitigate the risk of commodity credential theft malware being able to compromise end user devices,” warns DART.
- Reduce session lifetime to shorten the window in which a given token is viable.
- For privileged users, implement phishing-resistant MFA solutions.
- Check any compromised user’s account for signs of persistence, such as added mailbox rules to forward or hide email, additional authentication methods added to MFA, additional device enrollment, and data exfiltration.
- Gain a full understanding of where security controls are enforced and treat identity providers that generate access tokens and their associated privileged identities as critical assets.
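The persistence indicators in the list above (forwarding or hiding mailbox rules, newly added MFA methods, new device enrollments) can be checked mechanically once the account’s rules, authentication methods and devices are exported. The review routine below is an added example for this article, not code from the post or from DART; the record layout, the organization domain `example.com`, the set of folders treated as “hiding” places and the sample account are constructed assumptions.

```python
"""Added example (not code from the DataGuard365 post): review a compromised
account for the persistence indicators named above. The record layout, field
names, ORG_DOMAIN, HIDING_FOLDERS and the sample account are constructed
assumptions for illustration."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import List

ORG_DOMAIN = "example.com"  # assumed tenant domain for the constructed data
# Folders users rarely open; a rule that moves mail there hides it in practice.
HIDING_FOLDERS = {"RSS Subscriptions", "Conversation History", "Deleted Items", "Junk Email"}


@dataclass
class InboxRule:
    name: str
    created: datetime
    forward_to: List[str] = field(default_factory=list)
    delete_message: bool = False
    move_to_folder: str = ""


@dataclass
class AuthMethod:
    kind: str        # e.g. "phone", "authenticator-app"
    added: datetime


@dataclass
class Device:
    name: str
    registered: datetime


@dataclass
class Account:
    user: str
    inbox_rules: List[InboxRule]
    auth_methods: List[AuthMethod]
    devices: List[Device]


def is_external(address: str) -> bool:
    """True if the address is outside the organization's own domain."""
    return not address.lower().endswith("@" + ORG_DOMAIN)


def persistence_indicators(account: Account, compromise_time: datetime) -> List[dict]:
    """Return findings for rules that forward or hide mail, MFA methods added,
    and devices enrolled at or after the estimated time of compromise."""
    findings = []
    for rule in account.inbox_rules:
        reasons = []
        if any(is_external(a) for a in rule.forward_to):
            reasons.append("forwards outside the organization")
        if rule.delete_message:
            reasons.append("deletes messages")
        if rule.move_to_folder in HIDING_FOLDERS:
            reasons.append(f"hides mail in '{rule.move_to_folder}'")
        if reasons and rule.created >= compromise_time:
            findings.append({"category": "mailbox_rule", "item": rule.name, "reason": "; ".join(reasons)})
    for method in account.auth_methods:
        if method.added >= compromise_time:
            findings.append({"category": "mfa_method", "item": method.kind, "reason": "added after compromise"})
    for device in account.devices:
        if device.registered >= compromise_time:
            findings.append({"category": "device", "item": device.name, "reason": "enrolled after compromise"})
    return findings


# Constructed sample: an old, harmless newsletter rule and, after the estimated
# compromise time, a forward-and-delete rule, a new authenticator app and a new device.
COMPROMISE_TIME = datetime(2022, 11, 16, 9, 40)
SAMPLE_ACCOUNT = Account(
    user="alice@example.com",
    inbox_rules=[
        InboxRule("Newsletters", datetime(2021, 5, 3, 8, 0), move_to_folder="Newsletters"),
        InboxRule("Invoice filter", datetime(2022, 11, 16, 9, 52),
                  forward_to=["mailbox@external-example.net"], delete_message=True),
    ],
    auth_methods=[
        AuthMethod("phone", datetime(2022, 3, 1, 12, 0)),
        AuthMethod("authenticator-app", datetime(2022, 11, 16, 9, 55)),
    ],
    devices=[
        Device("ALICE-LAPTOP", datetime(2021, 5, 3, 9, 0)),
        Device("DESKTOP-NEW", datetime(2022, 11, 16, 10, 2)),
    ],
)

if __name__ == "__main__":
    for finding in persistence_indicators(SAMPLE_ACCOUNT, COMPROMISE_TIME):
        print(finding)
```

The compromise time is an estimate, so in a real review it is worth widening it by a margin and confirming each hit against the audit trail rather than treating a single timestamp as proof; the point of the routine is to make sure none of the three persistence channels the list names is overlooked.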
The surge in token theft since July of this year is a trend we’ll see continue in future cybercriminal techniques for bypassing MFA and other safeguards. Trust your cybersecurity partner to keep you informed and collaborating, so together you’ll ensure the company’s information assets remain impenetrable!
DataGuard365 is an MSSP firm headquartered in Chicago, Illinois with offices in Indianapolis, Atlanta, and other strategic locations across the globe. The company is a one-of-a-kind business partner whose people, processes, and technology provide hardened cybersecurity at a price point that pays for itself.
Data-Guard365.com / (317) 967-6767 / info@data-guard365.com