Skip links

When MFA fails, defense in depth is key

Paid feature There are no silver bullets in cyber security. Vendors would like to create hacker-proof defenses, but attackers always find a sneaky way through.

Multi-factor authentication (MFA), also known as 2FA, is a case in point. In some forms, it is excellent at preventing attacks, but it isn’t foolproof. Just ask the 6,000 customers who lost cryptocurrency when their accounts were hacked thanks to a flaw in Coinbase’s MFA system last year.

This is why companies can’t rely on a single form of defense to protect themselves. Instead, they need layered measures.

Cybersecurity company Darktrace uses AI to look for attacks across an organization. It warns companies to layer those defenses thickly, giving them ample opportunity to spot and mitigate an attack. If one doesn’t stop an attack, another will.

From phishing to MFA bypass

As in the Coinbase incident, many MFA bypass attacks begin with a phishing attack. Attackers need the basic authentication factor – the user’s email address and password – to even attempt an account hijack.

Phishing those details through fake emails and websites is a growing attack vector. It was a component in 36 percent of breaches during the last year according to Verizon’s Data Breach Investigations Report (DBIR), up from 25 percent the year before.

Organizations use MFA to protect users against these attacks. With MFA in place, stealing a password isn’t enough. It requires another factor – something you own (like a smartphone or hardware token) or something you are (biometrics) to confirm your identity before letting you in. In theory, an attacker would have to get at that asset before hijacking your account.

In practice, attackers have found many ways around MFA. One of them is to gather the MFA details during the phishing process. If a phishing site is convincing enough to dupe a victim into entering their details, then they’ll probably approve any MFA messages that it sends too.

This is a manipulator-in-the-middle (MITM) attack. The malicious site impersonates a legitimate one and lures the victim to submit their credentials, which it then uses to access the real site. The legitimate site sends an MFA request in return, which the phishing site passes to the victim. When the victim approves it using their second factor, the attacker then steals the user’s session cookie using a tool like Evilgenix before passing the 2FA code onto the legitimate site.

Evilgenix is just one tool used to automate phishing and MFA bypass attacks. Mariana is a transparent reverse proxy that captures credentials and session cookies. It then delivers these to Necroses, which uses them to impersonate victims using container-based Chrome browsers that keeps the stolen sessions active.

Attacks on SMS MFA

While MITM attacks place themselves in front of the user, another approach is to replace the victim altogether. This is how SIM swapping works. It relies on a flaw in the out-of-band SMS channel used to send a secret key to your smartphone.

A SIM is like a digital key that you use to access a cellular network. SIM swappers will switch a key from the victim’s SIM to their own. At this point, their phone replaces the victim’s phone on the network, telephone number and all.

SIM swapping criminals make this change using social engineering calls to the carrier or through insiders working for the telco that want to earn a quick profit.

Increasingly, organized groups will send teens to raid carriers’ stores, snatching a manager’s tablet and then giving it to an accomplice who will use it to switch as many SIMs as possible before the carrier freezes the manager’s access. They’ll take orders for these SIM swaps in live forums. Darknet Diaries has an excellent breakdown of the process.

The attack surface on text messaging is difficult to manage. In the past, researchers have also found ways to co-opt SMS-based MFA using flaws in the SS7 cellular routing protocol. Yet even though NIST warned against using SMS for authentication over five years ago, people keep doing it.

The FBI warned about this problem in September 2019 via a private industry notification. It warned that it had seen MFA circumvention in the wild. It reported several SIM swapping cases, including one in 2016 where US banking customers were hit.

The perpetrator stole victims’ numbers and then used them to call the bank and ask for a wire transfer. The bank, recognising the number as the customer’s, skipped the security questions and sent a one-time pass code – via SMS. The attacker also changed the customers’ PIN and passwords, and attached their credit card numbers to a mobile payment application.

Vulnerable infrastructure

That private notice also highlighted another common problem for MFA: vulnerabilities in websites. It described a 2019 incident where an attacker logged into a US bank with stolen customer credentials. When the website asked for a PIN, the perpetrator changed the website URL parameters to identify their computer as one recognized on the account. The website waved them through without forcing them to enter the PIN.

Other vulnerabilities lie in the protocols and tools used to authenticate users. In 2020, researchers found hackers abusing Microsoft 365 accounts using WS-Trust, an OASIS standard protocol for managing security tokens. Attackers could use this protocol to circumvent MFA entirely by manipulating the request header to spoof their IP address. They could also change the user-agent header to convince the identity provider that they were using Microsoft’s Modern Authentication, a protocol that uses MFA and digital tokens for authentication. Microsoft removed support for WS-Trust in February 2020.

Occasionally, other software flaws render components of an MFA solution vulnerable. We saw this with enterprise single sign-on and ID management company Okta in December, which warned that the Log4j vulnerability affected its RADIUS Server Agent and On-Prem MFA Agent.

Relying on admin error and malicious users

Sometimes, there doesn’t need to be a code vulnerability at all; simple misconfiguration will do the trick. That’s what happened in 2021, when state-sponsored Russian hackers gained access to an MFA-protected NGO.

They got in by brute-forcing a victim’s password, which turned out to be predictable, making it vulnerable to a dictionary attack. The account should have been protected by the NGO’s MFA system but the user hadn’t accessed it for a long time.

The NGO un-enrolled the unused account, even though it was still active. The MFA system’s default configuration allowed the attackers to enroll their own device for the MFA service, giving them access to the NGO’s network. The whole event was significant enough to prompt another government warning.

Other techniques include simply paying someone with trusted access to help the attacker log in with their MFA account. That was one technique that the Lapsu$ group used to access MFA-protected systems, according to Microsoft’s analysis.

Lapsu$ also used stolen passwords to spam individual targets with continued requests for MFA approval. Some MFA services simply ping an individual’s device asking them to approve a login. Do it often enough, and a distracted user might just approve the request, not suspecting an attack, to make the annoying messages go away.

Deeper defense

What happens when someone pierces a trusted line of defense like MFA? Hopefully, other protective layers kick in. Darktrace says that early detection is important so that the security team can respond quickly.

Attackers co-opting or bypassing MFA do their best to fly under the radar, looking normal so that admins won’t spot any red flags.

This is where rules-based systems fall down, the company suggests. If you’re looking for specific, known signs of intrusion then an attacker that has successfully used MFA and keeps their head down will be difficult to spot.

Rather than searching for specific indicators of compromise, Darktrace assumes that an impostor will eventually do something unusual. They must, because their goal is to use the account for illicit activity.

The company adopts a different approach to spot deviation from normal behavior. Instead of looking for known signs of malice, it takes a broad view, surveying thousands of everyday data points.

Its technology uses machine learning to create a statistical model of this telemetry. It then compares new activity against this model to find pattern deviations.

In this sense, the AI isn’t just one layer of extra protection, but an intricate blend of sensors that watches for suspect activity across multiple domains.

This helped save one of Darktrace’s clients from a phishing attack last year that bypassed its MFA. The attacker, targeting a financial client’s Microsoft 365 account, used phished credentials but somehow changed the victim’s registered phone number. That enabled the attacker to receive Microsoft’s MFA text authentication message.

After gaining access to the account, the attacker changed its email rules and shared several inboxes. They also accessed multiple mails from the user’s email history and deleted several to cover their tracks.

Darktrace offers a product called Cyber AI Analyst, which spots anomalous behavior and automatically analyzes the threat. The product, which also scans SaaS accounts like Microsoft 365, built a natural language summary of the incident and sent it to a human analyst. That enabled the customer to take action.

As attackers grow more wily, defenders will need more protective layers in place to spot and neutralize intrusions. MFA will help, but it isn’t 100 percent hacker-proof – and with barely one in five enterprises using it anyway, the more integrated protection we have, the better off we’ll be.

Sponsored by Darktrace.