Multifactor Authentication Bypass: Attackers Refine Tactics
Push Fatigue Attacks Succeed 5% of the Time, Surge in the Morning, Researchers Find

Using multifactor authentication wherever possible remains a must-have security defense, not least because it makes network penetration more time-consuming and difficult for attackers to achieve.
Even so, MFA isn't foolproof, and attackers have been refining their tactics for bypassing or defeating the security control to gain remote access to a victim's network.
Cisco Talos in a Tuesday blog post said that during the first quarter of this year, nearly half of all security incidents it helped investigate involved MFA. Specifically, 21% of the attacks it probed involved improperly implemented MFA, and 25% involved push-based attacks, in which attackers attempt to trick users into accepting a push notification sent to their MFA-enabled device.
Attackers resort to such tactics in part because of what MFA now blocks outright. This includes credential stuffing, in which attackers reuse legitimate username and password pairs, oftentimes obtained via public data breach leaks, to log into other sites and services. Experts say the success of password spraying, in which attackers use huge dictionaries of usernames and passwords to see if any work, has also declined thanks to more widespread use of MFA.
Many other attempts to bypass MFA, such as push fatigue, also still seem to fail. Reviewing 15,000 push-based attacks over the past 12 months cataloged by Duo, which is Cisco's two-factor authentication product, the Cisco Talos researchers found that 5% of push attacks succeeded. While some attackers bombarded targets with 20 or even 50 requests, the researchers found that the average attack involved between one and five push requests and that if those didn't succeed, attackers tended to move to their next target.
These push fatigue attacks appear to peak between 8:00 a.m. and 9:00 a.m. on any given workday, likely because attackers are attempting to hide the attacks during a time when most users will legitimately be attempting to first log in and hoping they accidentally accept the request, Cisco Talos said.
As a defense, "consider implementing number-matching in MFA applications," the researchers said. Number matching requires the user to enter, in their authenticator app, the number displayed by the organization's legitimate two-factor authentication software at the login screen before any request is authorized.
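To make the number-matching defense concrete, here is an added example (not Duo's or any vendor's code) modeling a push request whose approval must carry the number shown on the login screen. The flow, TTL and lockout threshold are assumptions; the point is that a user who did not start the login never sees the number, so reflexively tapping "approve" cannot complete an attacker-initiated request.

```python
import secrets
from datetime import datetime, timedelta

# Hypothetical parameters for this example.
PUSH_TTL = timedelta(seconds=60)   # pending request expires after this
MAX_MISMATCHES = 3                 # wrong numbers before the request locks


class PendingPush:
    """One pending push request with the number shown at the login screen."""

    def __init__(self, user, now):
        self.user = user
        self.created = now
        # Two-digit number rendered on the login page that started this request.
        self.displayed_number = secrets.randbelow(100)
        self.mismatches = 0
        self.state = "pending"


def start_login(user, now):
    """The login page creates a pending push and displays its number."""
    return PendingPush(user, now)


def approve(push, typed_number, now):
    """Approve only when the number typed into the app matches the login screen.

    Returns the resulting state: 'approved', 'pending' (wrong number, retry
    allowed), 'locked' (too many wrong numbers) or 'expired'.
    """
    if push.state != "pending":
        return push.state
    if now - push.created > PUSH_TTL:
        push.state = "expired"
        return push.state
    # A bare tap (no number) or a guessed number fails: the user cannot see
    # the number on a screen the attacker controls.
    if typed_number is None or typed_number != push.displayed_number:
        push.mismatches += 1
        if push.mismatches >= MAX_MISMATCHES:
            push.state = "locked"
        return push.state
    push.state = "approved"
    return push.state
```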
Whatever controls might be in place, social engineering still remains a widely used tactic for bypassing MFA. The Scattered Spider cybercrime group took down MGM Resorts, Caesars Entertainment and Clorox by first socially engineering the target's help desk (see: Spanish Police Bust Alleged Leader of Scattered Spider).
The Cisco Talos researchers said some social engineering cases involve attackers getting one of their own devices added to a target's account, after which the attacker can accept the push request themselves. In other cases, attackers gain remote access to a victim's PC, find a way to escalate privileges and then deactivate MFA.
As a defense, the firm recommends setting alerts that will warn the security operations center whenever MFA is deactivated on an endpoint.
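The push-request pattern described above (a burst of one to five unapproved prompts, sometimes followed by an accidental accept) and the MFA-deactivation alert the firm recommends can both be expressed as simple detection logic. This is an added example, not Cisco Talos or Duo code; the log format, field names, window and threshold are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not real Duo output), one event per line.
SAMPLE_LOG = """\
2024-05-14T08:02:10Z user=alice event=push result=denied src=203.0.113.7
2024-05-14T08:02:41Z user=alice event=push result=timeout src=203.0.113.7
2024-05-14T08:03:05Z user=alice event=push result=denied src=203.0.113.7
2024-05-14T08:03:40Z user=alice event=push result=approved src=203.0.113.7
2024-05-14T08:05:00Z user=bob event=push result=approved src=198.51.100.4
2024-05-14T09:12:33Z user=carol event=mfa_disabled result=success src=10.0.0.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) "
    r"result=(?P<result>\S+) src=(?P<src>\S+)$"
)


def parse(log):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ev


def detect(log, window=timedelta(minutes=10), threshold=3):
    """Return (alert_type, user, timestamp) tuples for push fatigue and MFA removal."""
    alerts = []
    recent = defaultdict(deque)  # user -> timestamps of unapproved pushes in window
    for ev in parse(log):
        if ev["event"] == "mfa_disabled":
            alerts.append(("mfa_disabled", ev["user"], ev["ts"]))  # alert the SOC
            continue
        if ev["event"] != "push":
            continue
        q = recent[ev["user"]]
        while q and ev["ts"] - q[0] > window:  # drop prompts outside the window
            q.popleft()
        if ev["result"] in ("denied", "timeout"):
            q.append(ev["ts"])
            if len(q) == threshold:  # burst of unapproved prompts
                alerts.append(("push_fatigue", ev["user"], ev["ts"]))
        elif ev["result"] == "approved" and len(q) >= threshold:
            # An approval right after a burst is the success case worth triage.
            alerts.append(("push_fatigue_approved", ev["user"], ev["ts"]))
            q.clear()
    return alerts
```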
Sometimes, attackers phone a victim, posing as the help desk, and tell them to accept a push notification they're about to receive. The researchers said that's how Cisco itself fell victim to an MFA bypass attack in 2022, when an attacker "conducted a series of sophisticated voice phishing attacks under the guise of various trusted organizations, attempting to convince the victim to accept multifactor authentication push notifications initiated by the attacker" (see: Cisco Hacked: Firm Traces Intrusion to Initial Access Broker).
Another tactic attackers use is SIM swapping, when they have a victim's mobile telephone number reassigned to themselves so they can use it to intercept legitimate one-time codes.
Attackers also use phishing to steal not just a target's username and password but also a one-time code. In April, cyber insurer Coalition said the most prevalent type of MFA bypass attack targeting its policyholders was one-time-password interception. Typically, attackers trick a victim into visiting a look-alike login page that steals their username and password and then asks them to enter the one-time code generated by their authenticator app or sent via email or SMS. With those details, attackers can gain access to the victim's account.
Attackers continue to refine this concept to steal not just an OTP but a session token or cookie, which they can then replay to log into a site or service. Inexpensive tools can also offer this capability as a service.
Cisco Talos said the Tycoon 2FA phishing-as-a-platform tool "has now incorporated the prompt of an MFA request" and that if a user accepts that prompt, the tool steals their session cookies. "Stolen cookies then allow attackers to replay a session and therefore bypass the MFA, even if credentials have been changed in between," the researchers said.
As that shows, no organization is immune to MFA bypass attacks.
"MFA is really good and important, and everyone should be using it," Joe Toomey, head of security engineering at Coalition, recently told me (see: Multifactor Authentication Bypass Attacks: Top Defenses).
At the same time, don't expect attackers to sit still. "If we put a prevention in place, if we put a protection in place, they will adapt to try and get around that, and we have seen them doing that in a number of different ways - things that are novel and newsworthy," he said.
Experts recommend layering different types of defenses. Beyond the defenses listed above, user education remains key for helping employees learn to recognize MFA trickery, new and old.
Hardware security keys can also help. Distributed denial-of-service mitigation firm Cloudflare stopped an MFA bypass attack that snared other organizations - even after Cloudflare employees fell for phishing messages that led to their username and password being stolen - thanks to its use of physical security keys it issued to every employee. After attackers entered legitimate usernames and passwords but their logins failed the hardware security key check - because they didn't physically possess the required key - alarms started going off inside Cloudflare's security operations center, the company said in an attack postmortem. Its security operations team was then able to investigate, change the stolen credentials and wipe the endpoints that the hackers accessed.
As is so often the case in cybersecurity, good logging and monitoring remain essential, Coalition's Toomey said, not least to assist incident responders if attackers still manage to bypass MFA, despite whatever defenses might be in place.