Increased adoption of multi-factor authentication (MFA) is helping companies and individuals to secure their data more effectively; however, threat actors have been quick to adapt in the constantly evolving security arms race. Steve Russell CISSP CITP MBCS explores the rising trend in MFA bypass techniques, and how to mitigate against them.

The shortcoming of traditional user ID and password (single factor) logins is that passwords can be easily compromised. Threat actors can use automated password cracking tools to guess various combinations of usernames and passwords until they find the right sequence.

Multi-factor authentication (MFA), alternately referred to as two-factor authentication (2FA), is an electronic authentication method which protects user data from being accessed by an unauthorised third party. If one factor is compromised or broken, the attacker still has at least one or more barriers to breach before successfully breaking into the target.

A user is only granted access to a website or application after successfully presenting two or more of the following factors to an authentication mechanism:

  • Something the user has: a physical object in the possession of the user, such as a USB security token, swipe card, a key or smartphone.
  • Something the user knows: information known to the user, such as a username, password, PIN or answer to a security question (‘mother’s maiden name’ or ‘name of first pet’ are common).
  • Something the user is: a physical characteristic of the user, such as a fingerprint, eye iris, voice, typing speed, pattern in key press intervals or other biometric.
  • Somewhere the user is: connection to a specific computing network or using a GPS signal to identify the location.

Older, weaker forms of MFA include one-time passwords (OTPs) sent via SMS, or push prompts sent to a mobile device application. When someone is logging in with a valid password, they must also enter the OTP into a field on the sign-in screen, or push a button displayed on the screen of their phone. Both of these methods can be easily exploited if not paired with further mitigations.

The strongest forms of MFA are based on a framework called Fast IDentity Online (FIDO)2, which was developed by a consortium of companies to balance security and simplicity of use. FIDO2 forms of MFA are relatively new, so have yet to be widely adopted by consumers and large organisations.

Some enterprises provide single sign-on (SSO) access to corporate portals via employee personal devices. This allows access to services and applications such as email accounts, training portals and numerous administrative tools that contain personal identifiable information (PII) on wage slips, expense claims and travel requests.

Users accessing corporate portals from personal devices are often required to use a second factor for authentication. During enrolment to such platforms, the user will usually have the choice of three MFA options:

  • SMS: a six-digit OTP is sent to the user’s chosen mobile device via text message.
  • Email: an email token is sent to the user’s chosen email address.
  • Authentication app: a code is obtained from an app downloaded from the appropriate app store. Such apps include Google Authenticator, Open OTP, Authy and Microsoft Authenticator.

Upon authenticating with their chosen MFA method, the user may have the option to tick a box to ‘remember me on this device for X number of days’, usually between 14 and 90, with the current Microsoft 365 default setting being 90 days. This provides convenience, allowing the user to skip MFA during subsequent logins. When they successfully authenticate and select this option, two ‘tokens’ are stored in their browser for secure, persistent access to corporate services:

  • Access token: effectively a session cookie which expires after a short period of time, sometimes as quickly as 30 seconds, but often up to one hour.
  • Refresh token: this is used during subsequent logins to obtain a new access token if the initial authentication via username and password is still valid. The refresh token is initially valid for anything between 24 hours and 14 days, but if the corporate portal is continually accessed during this period it can last between 14 and 90 days. This period will likely be defined by the enterprise risk appetite.

If the account password is reset, a new device is used to access the account or the user clears existing cookies from their browser, then both tokens will immediately expire and the user will be required to reauthenticate with MFA at the next login.

Methods of compromise

Browser pivoting is an attack that can be achieved via legitimate security tools such as Cobalt Strike and Metasploit, though most modern browsers have sufficient mitigation mechanisms in place, such as running individual tabs and sessions in separate processes. The attack involves hijacking authenticated web sessions via a proxy server, which injects additional processes. An attacker browsing through this proxy server can inherit cookies, authenticated HTTP sessions, and client SSL/TLS certificates, using these to bypass weak MFA mechanisms.

Stolen cookies and stealer malware are also used by criminals to compromise networks. Session cookies allow users to be recognised within a website so any page changes or item or data selection you do is remembered from page to page. The most common example of this functionality is the shopping cart feature of any ecommerce site. Credentials offering access to corporate portals have subsequently been seen for sale on popular dark web marketplaces such as Genesis and Russian Market. Credentials for sale can include session cookies, besides usernames and passwords.

IT teams can configure browsers and apps to shorten the allowable timeframe that cookies, access tokens and refresh tokens remain valid; however, this requires users to re-authenticate more often. IT teams need to strike a balance between security and convenience.

Session cookies can be stolen via deployment of info-stealer malware such as Erbium, Redline or Raccoon Stealer in victim browsers. Modern info-stealers are usually parts of botnets, and sometimes the target of attack and related events are configured remotely from a command and control (C2) server.

Next, we have social engineering, which can come in two forms, sometimes used together:

  • Voice phishing (vishing): calling the user, pretending to be from a support organisation that they know and trust. The user is convinced to accept an MFA request under a deceptive premise, such as resetting a password following a breach.
  • MFA fatigue (aka MFA bombing): an attacker in possession of a username and password sends a high volume of push requests to the user’s mobile device. The user accepts, either accidentally or simply to silence the repeated push notifications they are receiving.

Security practitioners also need to be aware of legacy authentication hijacking. In instances where enterprises have recently mandated MFA, it has been possible for threat actors to gain unauthorised access to dormant accounts via legacy authentication methods. After accessing via stolen or guessed credentials, the attackers are able to self-enrol on MFA and take control of these accounts.

Finally, it is relatively easy for an attacker to intercept an OTP sent via unencrypted communications such as SMS. The attacker can then use this OTP to authenticate to a service, in many cases before the legitimate user is even aware that an MFA request has been sent.

Recent attacks

Lapsus$ Group (also tracked as DEV-0537, UNC3661 or SLIPPY SPIDER) have been active since December 2021, initially targeting South American companies. They branched out in February and March 2022 to demand ransoms from higher profile companies such as Vodafone, Nvidia, Okta, Samsung, Electronic Arts (EA) and Microsoft. Attacks on Uber and Rockstar Games in September 2022 were also attributed to the group in media reporting.

Lapsus$ are assessed by several threat intelligence vendors to be a low level threat group who are financially motivated. They do not employ ransomware to achieve their aims, instead relying on social engineering tactics and threatening to leak data.

In the specific case of EA, it was reported that initial access was gained following the purchase of a stolen session cookie from the Genesis marketplace, giving the attacker access to EAs Slack instance. This allowed them to spoof the existing login of an EA employee and deceive a member of EA’s IT support team into providing network access.

Large scale phishing campaigns are also a common attack vector deployed by criminals. On 12 July 2022, the Microsoft Threat Intelligence Center (MSTIC) reported details of a phishing campaign which had targeted more than 10,000 organisations since September 2021. In most cases, attackers lured victims to a phishing site masquerading as Outlook Online, allowing them to intercept the victim password and session cookie.

After a compromised account signed into the phishing site for the first time, the attacker used the stolen session cookie to authenticate to the genuine Outlook portal. In multiple cases, the cookies had an MFA claim, which means that even if the organisation had an MFA policy in place, the attacker used the session cookie to gain access on behalf of the compromised account.

In the days following the cookie theft, the threat actors accessed employee email accounts and looked for messages to use in business email compromise scams, which tricked targets into wiring large sums of money to accounts they believed belonged to co-workers or business partners.

APT29 take over dormant Microsoft accounts to set up MFA

On 18 August 2022, Mandiant published a report sharing details of a new tactic by APT29 (aka Cozy Bear, aka Nobelium) and other threat actors that involves taking advantage of the self-enrolment process for MFA in Azure Active Directory and other platforms. APT29 have previously been implicated in the attack on the US Democrat Party ahead of the 2016 presidential election, and the far-reaching SUNBURST campaign of 2020 that saw updates of Solarwinds security software Trojanised with remote access tools.

In this instance, APT29 conducted a password guessing attack against a list of mailboxes they had obtained through unknown means. The threat actor successfully guessed the password to an account that had been set up, but never used. Because the account was dormant, Azure AD prompted APT29 to enrol in MFA. Once enrolled, APT29 was able to use the account to access the organisation’s VPN infrastructure that was using Azure AD for authentication and MFA.

Cisco Systems breach

On 10 August 2022, Cisco Systems confirmed they had been breached, with initial access achieved with the compromise of an employee’s personal Google account. While a compromised personal account is generally not an issue, in this case, the employee was signed into Chrome and used the password syncing feature to store his Cisco credentials.

For you

Be part of something bigger, join the Chartered Institute for IT.

Even though the attacker had valid access credentials, they still needed to authenticate to the Cisco VPN. They conducted a series of voice phishing (‘vishing’) attacks attempting to social engineer the victim into accepting MFA push notifications initiated by the attacker. Upon successfully gaining MFA approval and authentication, the attacker enrolled new devices under their control to ensure future MFA use.

Once connected to Cisco’s internal network via their VPN, the threat actor used stolen credentials to connect to internal systems and were able to install several tools to maintain remote access and persistence. On 11 September 2022, proprietary Cisco data obtained during this breach was published on the dark web.

Uber breach

On 15 September 2022, Uber discovered a significant data breach that reportedly stemmed from compromise of hardcoded administrative credentials, and sparse MFA enforcement. An employee with a compromised password was spammed with MFA authentication requests, one of which was finally approved after the hacker posed as an Uber IT person and contacted the employee over WhatsApp. Uber stated that it is likely that the hacker obtained the contractor’s Uber corporate password by purchasing it on a dark web marketplace.

The attacker subsequently gained access to the corporate network, using highly privileged credentials found on network file shares to access production systems, the corporate endpoint detection and response (EDR) console, and Uber’s Slack management interface. The hacker also reconfigured Uber’s OpenDNS to display a graphic image to employees on internal sites.

Mitigation techniques

MFA remains an important integral part of zero trust architectures; however, enterprises should avoid simple MFA methods such as push notifications, or OTPs sent via unencrypted means such as SMS.

Where possible, number matching and additional context in notifications should be employed together for push notifications via authenticator apps:

  • Number matching: when a user responds to an MFA push notification via an authenticator app, they are presented with a number which they need to type into the authenticator app to complete the approval.
  • Additional context: when a user receives a push notification in the authenticator app, they are informed of the identity, sign-in location and application requesting access. This should prompt them to either confirm or deny access based on the validity of the information they are presented with.

When an authenticator application is not available, a secure communication channel such as encrypted email or a bespoke encrypted messaging application should be used to send OTPs. For access to particularly sensitive data, an approved physical token such as an FIDO2 security key should be used for authentication.

Enterprises have no agency over how often a user clears cookies and other authentication information from browsers on personal devices. There are, however, factors which can be controlled. Session cookies should be set to expire in as short a time as possible, as should the validity period of access tokens and refresh tokens. Additionally, limiting repeated login and authentication attempts can diminish the potential impact of MFA fatigue and bombing attacks.

It is likely that financially motivated threat actors will continue to develop novel techniques to bypass MFA methods to profit from selling initial access. Additionally, there is a risk that PII gleaned from unauthorised access to corporate web portals could be used for further opportunist attacks.