
How MFA Can Be Compromised and How to Safeguard Against It


Multifactor authentication (MFA) is widely recognized for its security advantages, yet its application remains inconsistent, leading to frustration among business security managers and users alike. The added workflow burden often deters users, complicating the adoption of this essential security measure.

Recent incidents have highlighted vulnerabilities in MFA systems, such as a spear-phishing campaign by a North Korean state-sponsored group targeting Microsoft 365 accounts of small businesses. In 2022, Okta experienced severe breaches, including the theft of source code and user credentials through multiple attacks that compromised their support portal. These occurrences serve as a reminder of the challenges organizations face in implementing effective MFA solutions, often exacerbated by a lack of transparency from authentication vendors.

Nevertheless, the landscape for MFA is shifting positively. The rise of passwordless authentication methods offers a user-friendly alternative, spurred by the remote work transition post-pandemic, President Biden’s 2021 Executive Order on Improving the Nation’s Cybersecurity, and Google’s commitment to MFA for all staff. Microsoft has also made MFA mandatory for Azure sign-ins, reflecting a broader trend towards enhanced security measures. Reports indicate that approximately two-thirds of users employ MFA regularly, while 90% of administrators protect their logins with these methods.

A recent study conducted by KnowBe4 of 2,600 IT professionals reveals stark contrasts in MFA adoption rates, with only 38% of large organizations lacking MFA compared to 62% of small to mid-sized firms.

Notable MFA Threat Modalities

Before delving into specific hacking techniques, it is essential to recognize some notable recent failures of MFA, which generally fall into three primary threat categories:

MFA fatigue or push bombing refers to a tactic where attackers send a barrage of authorization requests via SMS until a user, overwhelmed, approves one. This technique was notably used against Uber in 2022. Strikingly, the more robust an organization’s MFA protocols, the higher the likelihood of falling victim to such fatigue attacks, as observed by Jennifer Golden of Cisco’s Duo in her 2022 blog post.

Attackers also combine social engineering and phishing attacks to disrupt the MFA process and trick users into divulging their tokens. Behavioral changes among users, particularly following remote transitions or during significant events like the Olympics, are often exploited, as noted by Arctic Wolf in their recent blog which warns about creating a false sense of security through misinformation.

Targeting users without MFA and applications protected only by weak passwords remains another frequent strategy. Even as MFA adoption improves, gaps still exist, which attackers exploit. An example includes past incidents where Akira ransomware groups targeted organizations using Cisco VPNs lacking MFA, using brute-force techniques to access credentials. The 2021 Colonial Pipeline attack is a case in point, where the breach stemmed from a single compromised password for a legacy VPN without MFA protections. Ongoing vulnerabilities in Cisco network switches continue to be exploited despite longstanding warnings about their security issues dating back to 2017.

Common MFA Attack Methods

Understanding MFA weaknesses necessitates examining three general categories of attack methods:

Poor mobile security remains a critical issue since mobile devices serve as gateways to corporate networks. Attackers may utilize methods such as SIM swapping, where they impersonate a legitimate user to gain access to authentication messages sent through SMS. Other risks include vulnerabilities within cellular provider networks themselves.

Compromised MFA workflows illustrate the complexity of modern authentication processes, which can involve multiple entry points, including web portals, apps, and APIs. This variability introduces potential supply chain vulnerabilities and increases the risk of man-in-the-middle or man-in-the-browser attacks that can capture MFA codes.

Compromised cookie attacks, such as pass-the-cookie and stolen session cookies, present another vulnerability. Many websites lack proper session inactivity limits, allowing attackers to exploit stolen cookies to bypass MFA measures. KnowBe4 has provided an extensive resource detailing various methods for exploiting these weaknesses.
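To make the session-limit point concrete, the sketch below shows server-side session validation that enforces an inactivity limit and an absolute lifetime, so a stolen cookie stops working once either expires. It is an added example, not code from the original article; the limits, the `SessionStore` class and the client-context check that asks for MFA again are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

IDLE_LIMIT = 15 * 60          # assumed policy: 15 minutes of inactivity
ABSOLUTE_LIMIT = 8 * 60 * 60  # assumed policy: 8 hours maximum lifetime


class SessionStore:
    """Hypothetical in-memory store; a real service would persist this."""

    def __init__(self):
        self._sessions = {}

    @staticmethod
    def _fingerprint(client_ctx):
        return hashlib.sha256(client_ctx.encode()).hexdigest()

    def create(self, user, client_ctx, now=None):
        """Issue a session ID after a successful MFA login."""
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {
            "user": user,
            "created": now,
            "last_seen": now,
            "ctx": self._fingerprint(client_ctx),
        }
        return sid

    def validate(self, sid, client_ctx, now=None):
        """Return 'ok', 'step_up' (ask for MFA again), 'expired' or 'reject'."""
        now = time.time() if now is None else now
        session = self._sessions.get(sid)
        if session is None:
            return "reject"
        idle = now - session["last_seen"]
        age = now - session["created"]
        if idle > IDLE_LIMIT or age > ABSOLUTE_LIMIT:
            del self._sessions[sid]  # expired cookies cannot be replayed later
            return "expired"
        # A cookie presented from a different client context is treated as
        # suspicious and does not refresh the inactivity timer.
        if not hmac.compare_digest(session["ctx"], self._fingerprint(client_ctx)):
            return "step_up"
        session["last_seen"] = now
        return "ok"
```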

Strategies to Stop MFA Attacks

Addressing these vulnerabilities requires meticulous attention to MFA implementation to ensure that it meets security objectives without sacrificing user experience. Here are some strategies to enhance your MFA approach:

Firstly, identify the key resources that need protection against compromise. “For instance, many cyber threat actors target systems like email, file servers, and remote accesses, aiming to compromise identity servers like Active Directory to create or hijack accounts,” warns a CISA fact sheet.

CISA suggests prioritizing systems that support FIDO protocols for early MFA implementation, advocating for the use of hardware keys for particularly sensitive applications. The FIDO Alliance has published papers to guide organizations on this topic, which RSA also explores in detail.

Next, enforce risk-based authentication that dynamically adjusts security requirements based on user activity. The outdated approach of applying a single access control method at login should be replaced with adaptive authentication linked to real-time behavior.

Regular assessments of access rights are essential. IT security teams must “limit data access to only what is necessary for each user’s role,” notes a blog post from Abnormal Security. Often, users are granted excessive access without appropriate auditing or adjustments thereafter.

A comprehensive analysis of overall MFA workflows is vital. As pointed out by Gerhard Giese from Akamai, MFA does not always thwart credential stuffing attacks. IT managers are encouraged to re-evaluate authentication workflows and login screens to prevent attackers from exploiting valid credentials and to implement robust bot management solutions.

Another critical yet commonly overlooked component is the password reset process, which is often a prime target for attacks. Many websites still lack an additional verification layer during the 2FA reset process or do not enforce MFA effectively, as noted in an April blog post by Mitnick Security.

Finally, organizations should identify users considered high-value targets. “Every organization has accounts with heightened privileges, making them especially appealing to cyber threat actors,” according to CISA. Targeting these users during the initial MFA rollout can enhance security measures from the start.

MFA technology must be integral to corporate security strategies. Recent hacking incidents and guidance from cybersecurity experts should invigorate organizations to implement more sophisticated and effective MFA solutions.

Source
www.csoonline.com
