Threat actors are circumventing MFA. Here's how
It’s not surprising that more and more organizations each year choose to implement multi-factor authentication (MFA). It protects against a large number of threats (like data breaches and password-based attacks) and it’s relatively affordable to implement organization-wide. However, threat actors have adapted their attack strategies to circumvent controls (like MFA) that are meant to protect an organization.
The cyber team at Kroll found that in 90% of their business email compromise investigations, MFA had been in place at the time of the attack. Corvus has also begun to see an increase in MFA bypass techniques used in attacks against our policyholders.
This highlights an important truth to security — there is no silver bullet to reduce all risk. Attackers are constantly revisiting their playbooks and adapting to changing defense techniques. It’s on us to keep up.
What is MFA Bypass?
MFA bypass is a method that attackers use to circumvent multiple authentication methods to access an account. While attack methods vary, they all have the same goal: gain unauthorized access to a target account. At a high level, there are two key tactics used by attackers to get around the second authentication layer provided by MFA (SMS, email, app based) on top of the standard username and password.
The first tactic relies on social engineering, which aims to trick an unsuspecting user into granting them access. The second tactic is a bit more comprehensive, which involves a more “technical” bypass to circumvent weak links within the operational MFA flow.
Methods of MFA Bypass
Session cookies are stored in your browser and save information as you use the web. They act as a ‘badge’ that a user's browser presents to a web server to prove their identity. This allows users to stay signed in to an application, instead of constantly having to re-login. While they do simplify the user experience, they have an obvious flaw. If somebody were to extract the session cookie (aka badge), they could authenticate as the user in a separate web browser session on another system. Through infostealer malware or a proxy server mirroring a real website (which sits between the victim and website), attackers can steal a user’s session cookie. With the session cookie in hand, the threat actor can now access the account from a device or browser they control, and take over the user's session.
Social engineering at the helpdesk
Cybercriminals appear to have endless creativity when it comes to creating new social engineering tactics to access credentials and circumvent MFA. This can range from fake websites crafted to save your login credentials (normally linked through phishing emails) to “vishing” (voice phishing) attempts to IT helpdesks where threat actors will pose as a user within their target organization. The threat actor will provide basic information about the user (typically information that can be found on public sources like LinkedIn) and pretend to be locked out of their account. The unsuspecting helpdesk operator believes this is a legitimate user needing to reset their credentials or MFA method, and compl, ies with the request. If all goes according to plan, the threat actor now has access to the account, and all it took was tricking the helpdesk operator.
MFA fatigue/prompt bombing
If attackers possess stolen credentials but are blocked by a request for an authentication code they may turn to a tried-and-true bypass method: MFA fatigue (or prompt bombing). This calls for harassing users with repeated authentication requests. Attackers rely on the onslaught of push notifications to be overwhelming enough that the end user will eventually confirm the request, believing it to be a glitch.
SIM swapping is when an attacker convinces a mobile carrier to transfer a victim’s phone number to a SIM card they control. This allows them to intercept calls and messages, including those used for MFA. The attacker gathers personal information about a victim, contacts their mobile carrier pretending to have lost their phone, and requests to transfer the victim’s number to a new SIM card.
How Your Organization Can Prevent Attacks
Despite these new attack techniques, MFA is still an important and effective security control. But like all security measures, there are weaknesses being exploited by attackers.
To decrease the chances of MFA bypass at your organization, consider taking these additional measures:
- Train employees: Regularly provide updates and training on the latest social engineering tactics, how to identify red flags, and how to exercise caution when clicking links on emails or receiving MFA prompts.
- Implement passkeys: Passkeys are a FIDO2 (Fast Identity Online) digital credential that uses biometric authentication. They are a passwordless way to log in, typically using a fingerprint, face scan, or screen lock PIN — and they’re phishing resistant!
- Help your IT helpdesk: As social engineering attacks continue to leverage help desks to access user credentials, organizations should implement multi-step verification processes and log and track reset requests.
- Apply the principle of least privilege: Threat actors are after user credentials that offer them the most access with the least work. Ensure that users can only access what they need to perform necessary tasks for their job.
- Monitor suspicious activity: Have systems in place (like endpoint detection response) to catch unusual logins (unfamiliar locations or strange times) or failed login attempts.
- Multi-factor Authentication
- Endpoint Detection and Response
- Three Tactics to Combat Next-Gen Social Engineering
- Rise in MFA Bypass Leads to Account Compromise (Kroll)