When discussing access security, one recommendation stands out: multi-factor authentication (MFA). With passwords alone being easy work for hackers, MFA provides an essential layer of protection against breaches. It is important to remember that MFA is still not foolproof. It can be bypassed. If a password is compromised, several options are available to hackers looking to circumvent the added protection of MFA. The following are four social engineering tactics hackers successfully use to breach MFA; they emphasize the importance of having a solid password as part of a layered defense.[1]
- Adversary-in-the-middle (AITM) attacks
AITM attacks involve deceiving users into believing they are logging into a genuine network, application, or website. But really, they are giving up their information to a fraudulent lookalike. This allows hackers to intercept passwords and manipulate security measures, including MFA prompts. A spear-phishing email may arrive in an employee's inbox, posing as a trusted source. Clicking on the embedded link directs them to a counterfeit website where hackers collect their login credentials.
While MFA should ideally prevent these attacks by requiring an additional authentication factor, hackers can use a technique known as '2FA pass-on.' Once the victim enters their credentials on the fake site, the attacker promptly enters the exact details on the legitimate site. This triggers a legitimate MFA request, which the victim anticipates and readily approves, unwittingly granting the attacker complete access.
This is a common tactic for threat groups such as Storm-1167, known for crafting fake Microsoft authentication pages to harvest credentials. They also create a second phishing page mimicking the MFA step of the Microsoft login process, prompting the victim to enter their MFA code and thereby grant the attacker access. From there, they gain access to a legitimate email account and can use it as a platform for a multi-stage phishing attack.
- MFA prompt bombing
This tactic takes advantage of the push notification feature in modern authentication apps. After compromising a password, attackers attempt to log in, which sends an MFA prompt to the legitimate user's device. They rely on the user mistaking it for a genuine prompt, accepting it or becoming frustrated with continuous prompts, and accepting one to stop the notifications. This technique, known as MFA prompt bombing, poses a significant threat.
In a notable incident, hackers from the 0ktapus group compromised an Uber contractor's login credentials through SMS phishing, then continued with the authentication process from a machine they controlled and immediately requested a multi-factor authentication (MFA) code. They then impersonated an Uber security team member on Slack, convincing the contractor to accept the MFA push notification on their phone.
- Service desk attacks
Attackers deceive helpdesks into bypassing MFA by phoning in, claiming to have forgotten their password, and talking their way into access. Service desk agents may unknowingly grant hackers an initial entry point into their organization's environment if they fail to enforce proper verification procedures. A recent example was the MGM Resorts attack, where the Scattered Spider hacker group fraudulently contacted the service desk for a password reset, giving them a foothold to log in and launch a ransomware attack.
Hackers also try to exploit recovery settings and backup procedures by manipulating service desks to circumvent MFA. 0ktapus has been known to target an organization's service desk if its MFA prompt bombing proves unsuccessful. They will contact service desks claiming their phone is inoperable or lost, then request to enroll a new, attacker-controlled MFA authentication device. They can then exploit the organization's recovery or backup process by getting a password reset link sent to the compromised device.
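The prompt-bombing and service-desk patterns above both leave a trail in identity-provider logs: a burst of push prompts that are denied or time out before one is finally approved, and a new MFA device enrolled shortly before a password reset. The following Python is an added detection example, not code from the original article or from Red Sky Alliance; the log format, the field names, and the sample lines are constructed assumptions, not the output of any particular identity provider.

```python
"""
Two detection heuristics for the MFA-bypass patterns discussed above:
  1. MFA prompt bombing: several push prompts for one user inside a short
     window, most denied or timed out, with the last one approved.
  2. Service-desk / recovery abuse: a new MFA device enrolled for a user
     shortly before a successful password reset.
The line format "<ISO timestamp> <user> <event> <outcome>" is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; not from any real system.
SAMPLE_LOG = """\
2024-03-01T08:00:05Z alice mfa_push denied
2024-03-01T08:00:40Z alice mfa_push timeout
2024-03-01T08:01:10Z alice mfa_push denied
2024-03-01T08:01:45Z alice mfa_push denied
2024-03-01T08:02:20Z alice mfa_push approved
2024-03-01T09:15:00Z bob mfa_push approved
2024-03-01T10:00:00Z carol mfa_device_enrolled success
2024-03-01T10:04:00Z carol password_reset success
2024-03-01T14:00:00Z dave mfa_device_enrolled success
2024-03-02T14:00:00Z dave password_reset success
"""


def parse_log(text):
    """Parse the assumed log format into sorted (timestamp, user, event, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, outcome))
    events.sort()
    return events


def detect_prompt_bombing(events, window=timedelta(minutes=5), min_prompts=4):
    """Return {user: prompt_count} for users who received at least `min_prompts`
    push prompts inside `window`, where at least one was not approved and the
    last one was (the 'approve it to make the notifications stop' pattern)."""
    by_user = defaultdict(list)
    for ts, user, event, outcome in events:
        if event == "mfa_push":
            by_user[user].append((ts, outcome))
    flagged = {}
    for user, prompts in by_user.items():
        for i, (start, _) in enumerate(prompts):
            burst = [p for p in prompts[i:] if p[0] - start <= window]
            if (len(burst) >= min_prompts
                    and burst[-1][1] == "approved"
                    and any(o != "approved" for _, o in burst)):
                flagged[user] = len(burst)
                break
    return flagged


def detect_enroll_then_reset(events, window=timedelta(hours=1)):
    """Return {user: gap} for users whose successful password reset followed a
    successful MFA device enrollment within `window`."""
    last_enroll = {}
    flagged = {}
    for ts, user, event, outcome in events:
        if event == "mfa_device_enrolled" and outcome == "success":
            last_enroll[user] = ts
        elif event == "password_reset" and outcome == "success":
            enrolled_at = last_enroll.get(user)
            if enrolled_at is not None and ts - enrolled_at <= window:
                flagged[user] = ts - enrolled_at
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("prompt bombing:", detect_prompt_bombing(evs))          # {'alice': 5}
    print("enroll-then-reset:", detect_enroll_then_reset(evs))    # {'carol': 0:04:00}
```

On the constructed sample, alice is flagged for prompt bombing (five prompts in under three minutes, only the last approved) and carol for an enrollment followed four minutes later by a reset; dave's reset arrives a day after enrollment and is ignored. The window and threshold values are starting points to tune against an organization's own baseline of legitimate prompt retries and device re-enrollments.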
- SIM swapping
Cybercriminals understand MFA often relies on cell phones as a means of authentication. They can exploit this with a technique called a 'SIM swap', where hackers deceive service providers into transferring a target's services to a SIM card under their control. They can then effectively take over the target's cell service and phone number, letting them intercept MFA prompts and gain unauthorized access to accounts.
After an incident in 2022, Microsoft published a report detailing the tactics the threat group LAPSUS$ employed. The report explained how LAPSUS$ dedicates extensive social engineering campaigns to gaining initial footholds in target organizations. One of their favored techniques is targeting users with SIM-swapping attacks, along with MFA prompt bombing and resetting a target's credentials through help desk social engineering.
The above list is not an exhaustive list of ways to bypass MFA. Several other ways include compromising endpoints, exporting generated tokens, exploiting SSO, and finding unpatched technical deficiencies. It's clear that setting up MFA does not mean organizations can forget about securing passwords altogether.
Account compromise still often starts with weak or compromised passwords. Once an attacker obtains a valid password, they can shift their focus towards bypassing the MFA mechanism. Even a strong password cannot protect users if it's been compromised through a breach or password reuse. And for most organizations, going fully passwordless will not be a practical option.
This article is presented at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. Call for assistance. For questions, comments, a demo, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com
Reporting: https://www.redskyalliance.org/
Website: https://www.redskyalliance.com/
LinkedIn: https://www.linkedin.com/company/64265941
[1] https://thehackernews.com/2024/02/4-ways-hackers-use-social-engineering.html