SpearTip | September 27th, 2022

A simple username and password are not enough to secure sensitive information such as personal and financial records. Studies indicate that the average individual has roughly 100 passwords in use across personal and work accounts. With that many distinct accounts per user, and with personal and professional internet use routinely overlapping, there is an equally abundant opportunity for the average person, and therefore the average business, to suffer a data breach. One defense adopted by digitally savvy users is multi-factor authentication (MFA).

What is MFA and How Does It Work?

Threat actors have multiple ways to obtain legitimate credentials, often including administrative usernames and passwords: phishing emails, social engineering, bulk purchases from dark web markets, or reuse of previously leaked data. MFA is an authentication control that adds a step beyond the username and password by requiring proof of something a threat actor does not possess or cannot easily acquire. Typically that proof is a code or approval delivered through an authenticator app on a smartphone, a text message, or a physical token. Of these, app-based and hardware-token factors are considerably harder to intercept than SMS, which is exposed to SIM-swapping and message-forwarding attacks.

Why is MFA Generally Seen as Reliable or Important?

Threat actors increasingly target user credentials to log into networks, steal data, and deploy ransomware. MFA mitigates attacks that rely only on a stolen password: credential phishing, voice-based social engineering, and reuse of breached credentials. Put simply, if a threat actor obtains your username and password, MFA will frequently still block their access to the account. Because MFA can be required on many accounts and services, both initial access and lateral movement become much harder.

When configured correctly, MFA is not a significant inconvenience to users, particularly those aware of threat actor tactics. Most solutions remember trusted devices and known network locations and only prompt for the second factor when a login is unusual. That memory, held in a browser cookie or session token, is exactly what several of the bypass techniques below target.

Current Threat Landscape

The evolution of threat tactics has created an environment in which MFA is now routinely bypassed by malicious actors. Several techniques are in common use.

Stealing Cookies: Like usernames and passwords, session cookies can be harvested. After a user completes MFA, the web application issues a session cookie or token so the browser is not challenged again on every request; that cookie is stored on the endpoint and can be extracted by infostealer malware, a malicious browser extension, or anyone with access to the browser profile. Until it expires or is revoked, presenting it from another machine grants access as the user without any MFA prompt. Stolen cookies enable not only initial access but also lateral movement into other services that accept the same session, which is why short session lifetimes, revocation on risk signals, and binding sessions to the originating device matter.

MFA Fatigue (MFA push spam): Armed with a valid password, threat actors repeatedly trigger sign-in attempts so the user's phone displays approval prompts over and over, sometimes for days, occasionally accompanied by an email or call posing as IT and urging the user to accept. Eventually many users approve a prompt just to make it stop, even though the request is fraudulent. The defense is to stop relying on a simple approve/deny push: enable number matching, so the user must type into the authenticator a number displayed on the login screen (which the attacker never sees), or move to phishing-resistant factors such as FIDO2 security keys. Independently, alert on any user who denies or times out an unusual number of prompts in a short window; that burst is visible in the sign-in logs before the user gives in.

Manipulating Security Architecture: In some intrusions, threat actors install their own infrastructure on a compromised host, such as VirtualBox, to evade deployed security tools. Installing VirtualBox requires administrative rights, so the attacker must first obtain an administrator account or escalate privileges. Administrative access lets them bypass controls because admin accounts are often subject to fewer safeguards (which is not a best practice) and can disable most security tools. Inside the virtual machine the attacker's tooling is largely invisible to endpoint agents on the host, yet the VM can reach every other internal machine, making it an ideal staging point for spreading ransomware. Strictly speaking this is a post-compromise evasion technique rather than an MFA bypass; its relevance here is that MFA on the administrative accounts involved, and alerting on hypervisor installs by those accounts, raises the bar for the privilege escalation it depends on.

Adversary in the Middle (AiTM): Threat actors stand up a reverse proxy between the victim and the legitimate service, commonly an email provider, and lure the victim to it with a phishing link. The proxy relays the real login page, so the victim sees the genuine MFA prompt; when the victim enters the one-time password (OTP) into the phishing page, the proxy forwards it to the real service and the login completes. Because the proxy sits in the middle of the whole transaction, it also captures the session cookie the service issues afterward, and the threat actor replays that cookie to access the account without ever being challenged for MFA. Every factor that is merely relayed through the page (app codes, SMS codes, push approvals) is defeated this way; only phishing-resistant factors cryptographically bound to the site's real origin, such as FIDO2/WebAuthn, are not, because the key will not sign a challenge for the proxy's domain.
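The cookie-theft, push-spam and AiTM techniques above each leave a footprint in identity-provider sign-in logs: a burst of push prompts ending in an approval, and a session identifier that was minted on one client and then presented from another. The following detection logic is an added example written for this page, not SpearTip's code or any product's detection; the log lines, field names (`ts`, `user`, `ip`, `ua`, `event`, `session`) and event names are constructed for the example and would be mapped onto your provider's real schema.

```python
"""Added example: two detections over constructed sign-in log lines.
(1) MFA push fatigue: many push prompts to one user in a short window,
    especially when the burst ends in an approval.
(2) Session replay: one session identifier presented from a second
    client (IP / User-Agent), the footprint of a stolen or AiTM-captured cookie.
Field names and event names are invented for this example; map them to
your identity provider's sign-in log schema."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): one JSON record per line.
# jdoe is push-bombed for eight minutes, finally approves, and the resulting
# session is then presented from a different IP and user agent.
# asmith is a normal login whose session is only ever used from its origin.
SAMPLE_LOG = """\
{"ts": "2022-09-26T02:10:40Z", "user": "jdoe", "ip": "203.0.113.7", "ua": "Chrome/105", "event": "mfa_push_denied", "session": null}
{"ts": "2022-09-26T02:12:05Z", "user": "jdoe", "ip": "203.0.113.7", "ua": "Chrome/105", "event": "mfa_push_denied", "session": null}
{"ts": "2022-09-26T02:13:30Z", "user": "jdoe", "ip": "203.0.113.7", "ua": "Chrome/105", "event": "mfa_push_timeout", "session": null}
{"ts": "2022-09-26T02:15:10Z", "user": "jdoe", "ip": "203.0.113.7", "ua": "Chrome/105", "event": "mfa_push_denied", "session": null}
{"ts": "2022-09-26T02:17:00Z", "user": "jdoe", "ip": "203.0.113.7", "ua": "Chrome/105", "event": "mfa_push_denied", "session": null}
{"ts": "2022-09-26T02:18:20Z", "user": "jdoe", "ip": "203.0.113.7", "ua": "Chrome/105", "event": "mfa_push_approved", "session": null}
{"ts": "2022-09-26T02:18:25Z", "user": "jdoe", "ip": "203.0.113.7", "ua": "Chrome/105", "event": "signin_success", "session": "sess-7f3a"}
{"ts": "2022-09-26T02:25:02Z", "user": "jdoe", "ip": "198.51.100.9", "ua": "python-requests/2.28", "event": "app_access", "session": "sess-7f3a"}
{"ts": "2022-09-26T08:00:10Z", "user": "asmith", "ip": "192.0.2.44", "ua": "Chrome/105", "event": "mfa_push_approved", "session": null}
{"ts": "2022-09-26T08:00:14Z", "user": "asmith", "ip": "192.0.2.44", "ua": "Chrome/105", "event": "signin_success", "session": "sess-a1b2"}
{"ts": "2022-09-26T08:31:00Z", "user": "asmith", "ip": "192.0.2.44", "ua": "Chrome/105", "event": "app_access", "session": "sess-a1b2"}
"""

# Every outcome of a push prompt counts as one prompt delivered to the phone.
PUSH_OUTCOMES = {"mfa_push_denied", "mfa_push_timeout", "mfa_push_approved"}


def parse_log(text):
    """Parse newline-delimited JSON records and return them sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def detect_push_fatigue(events, window=timedelta(minutes=10), threshold=5):
    """Flag users who received at least `threshold` push prompts inside any
    span of length `window`. Result: {user: {"prompts": max seen in one window,
    "approved_after_spam": True if a flagged window ended in an approval}}."""
    prompts_by_user = defaultdict(list)
    for e in events:
        if e["event"] in PUSH_OUTCOMES:
            prompts_by_user[e["user"]].append(e)
    findings = {}
    for user, prompts in prompts_by_user.items():
        start = 0
        for end, e in enumerate(prompts):
            # Slide the window start forward until the span fits in `window`.
            while e["ts"] - prompts[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                f = findings.setdefault(user, {"prompts": 0, "approved_after_spam": False})
                f["prompts"] = max(f["prompts"], count)
                if e["event"] == "mfa_push_approved":
                    f["approved_after_spam"] = True
    return findings


def detect_session_replay(events):
    """Flag session identifiers presented from more than one (ip, user agent)
    client. Result: {session: {"user", "origin": first client seen,
    "replayed_from": later clients in first-seen order}}."""
    sessions = {}
    for e in events:
        sid = e.get("session")
        if not sid:
            continue
        s = sessions.setdefault(sid, {"user": e["user"], "clients": {}})
        s["clients"].setdefault((e["ip"], e["ua"]), e["ts"])  # keep first sighting
    findings = {}
    for sid, s in sessions.items():
        if len(s["clients"]) > 1:
            ordered = sorted(s["clients"], key=s["clients"].get)
            findings[sid] = {"user": s["user"], "origin": ordered[0],
                             "replayed_from": ordered[1:]}
    return findings


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("push fatigue:", detect_push_fatigue(evts))
    print("session replay:", detect_session_replay(evts))
```

On the sample data the first detector flags jdoe (six prompts in eight minutes, the last one approved) and the second flags `sess-7f3a`, issued to a Chrome client at 203.0.113.7 and then presented from 198.51.100.9 with a scripted user agent. In production the replay check should compare on coarser keys than a raw IP (ASN, country, or device identifier) to avoid noise from mobile clients, and an approval that follows a flagged burst is a reason to revoke the session immediately rather than merely alert.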

How Should Businesses React?

These tactics present major problems for individuals and businesses because a control commonly credited with preventing 99% of account-compromise attacks is still vulnerable to sophisticated threat actors. Properly configured and consistently used MFA remains a solid defense in most cases, but no single security tool is a panacea against evolving threat tactics.

SpearTip’s proactive remediation team can quickly identify the systems that require MFA and assist in implementing the security measures tailored to your environment and needs. These may include email, Active Directory and Azure Active Directory, VPN or other remote access solutions, and enterprise resource planning systems. Furthermore, we can help train your users on the new MFA solutions for a uniform rollout and ensure your IT team knows how to administer the new systems and configurations.

In addition to these MFA implementation services, SpearTip’s certified engineers continuously monitor partner networks from our SOC 24x7x365 for potential threats, including the MFA bypass techniques described above. Tools generate the necessary alerts, but if no one is there to receive them no action can be taken. Weekends and holidays are by far the most common time for attacks; a 24x7 SOC sees those immediately, whereas a typical in-house team may not see them until the following week.

By then it’s too late.

In the event of a breach, call our Security Operations Center at 833.997.7327 to speak directly with an engineer.