Any reader of any cyber security blog or article will have come across the recommendation to implement some form of multi-factor authentication (MFA) to help prevent attacks. For the uninitiated in the world of cyber security and all the acronyms that come with it, MFA will mean very little. In this regard, it is wise to start at the beginning with what MFA is, and importantly what it isn’t.
Amazon defines MFA as, “Multi-factor authentication (MFA) is a multi-step account login process that requires users to enter more information than just a password. For example, along with the password, users might be asked to enter a code sent to their email, answer a secret question, or scan a fingerprint. A second form of authentication can help prevent unauthorized account access if a system password has been compromised.”
MFA as a concept was developed in response to weaknesses that had become apparent from relying on passwords alone to secure critical data and infrastructure. Weak passwords can be brute forced, and even the strongest password can be stolen by relatively low-tech phishing scams. MFA acts as an additional layer of security to prevent unauthorized users from accessing these accounts when the password has been stolen or brute forced, the term given to using software to guess the password by trying commonly used passwords. Businesses and government institutions are using MFA to validate user identities and provide quick and convenient access to authorized users. This helps keep the assignment of high privileges to a minimum, effectively reducing the attack surface.
What MFA isn’t is a magic bullet that will immediately secure your digital assets. In recent years we have seen threat actors actively hack multi-factor authentication methods. Before we go any further, it is important to state that this article is not intended to debunk MFA, but rather to show that it can be bypassed. In the next part of this series, we’ll look at best practices regarding MFA, to make sure that this vital component of any security policy is not vulnerable to attack.
Hacking MFA
As mentioned above, the last couple of years have revealed several interesting case studies of how hackers have been able to hack or even bypass MFA technology. The first to rise to significant prominence was the SMS-based man-in-the-middle attack.
SMS-Based Man-in-the-Middle Attacks
At the most basic level, this is when a threat actor gains access to the one-time PIN (OTP) code sent via SMS to the victim’s phone. Very low down the tech tree, scammers can phone potential victims and ask them to give up their PIN on some pretext, such as claiming to be from an institution helping to prevent banking fraud. In these cases the person’s bank card has often already been compromised, but the use of OTP verification for purchases is preventing fraudulent transactions from going through, and the scammer needs to overcome this hurdle.
Higher up the tech tree, malware developers have created info-stealing malware that is capable of intercepting and stealing the codes. Between malware and scam artists, some simply bribe cellphone store employees to perform a SIM swap, assigning the victim’s number to a new SIM card and temporarily giving the hacker access to any messages coming in on the victim’s number. In another instance, a report showed that a hacker could access all of a victim’s texts for the low sum of $16. Whether low-tech or high-tech, this method has proven successful too many times to count.
Supply Chain Attacks
This is dreaded for good reason. The most well-known attack in recent memory is the SolarWinds attack where Russia’s Cozy Bear advanced persistent threat (APT) group gained access to the US government IT infrastructure and other systems through a compromised update to SolarWinds’ Orion software. Sadly, most organizations aren’t prepared for this sort of software supply chain attack.
The attack involved the threat actors compromising SolarWinds’ own infrastructure and then using that access to produce and distribute trojanized updates to the software’s users. As these trojans were pushed from a legitimate source, they would have bypassed MFA policies in many cases. In 2021 Kasey Panetta wrote, alluding to MFA being used as an attack vector in the compromise of SolarWinds’ infrastructure,
“Keep in mind that the SolarWinds attack was discovered by an alert security operator wondering why an employee wanted a second phone registered for multifactor authentication. This would imply that the attacker was aiming to leverage identity, and specifically MFA as an attack vector.”
Compromised MFA Authenticators
Alongside SMS, the use of dedicated software authenticators rose to fill the gaps institutions were experiencing when looking to implement MFA. Unfortunately, as is the rule with software created by humans, it may have flaws that hackers look to exploit. This happened with a vulnerability discovered in the MFA module of Liferay DXP v7.3. The flaw allows any registered user to authenticate by modifying other users’ one-time passwords, which results in locking the targeted user out. Not only was the MFA software bypassed, but the attack would also result in a denial of service for the victim.
Server-Side Forgeries
This type of attack is often not categorised as one directly impacting MFA, but it can be used to completely bypass any type of extra authentication that may be in place. The Hafnium attacks on Microsoft Exchange Server vulnerabilities are a great example of this. Microsoft summarised the incident as follows,
“Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.”
The result of the attack was that the threat actors managed to nullify any authentication measures in place via a combination of a server-side request forgery (SSRF) and an arbitrary file write vulnerability.
Concluding Remarks
Again, this article is not intended to convince readers that MFA is useful at best and a liability at worst. Rather, it is important to know the types of attacks out in the wild so that better defenses can be put in place, be they policy changes or beefing up existing security software. In the next part, we will take a look at why MFA is an asset, and at the best practices associated with its adoption.