X-Force Incident Response and Intelligence Services (IRIS) has responded to multiple security incidents where multifactor authentication (MFA) was not implemented—but where implementing MFA might have significantly reduced the impact of the incident. Such incidents have even included destructive malware attacks, resulting in millions of dollars in losses and the irreversible destruction of thousands of machines on the network. In fact, unauthorized use of credentials accounted for 29% of all attacks observed by X-Force IRIS in 2019. Employing MFA on all remote access points can significantly decrease the likelihood of an attacker successfully using stolen credentials to compromise a network.
Even so, threat actors are continually searching for ways to circumvent security controls, and MFA is no exception. We are in many ways seeing MFA as the next battleground of the threat actor-network defender conflict, and malicious actors are occasionally gaining the upper hand and succeeding in circumventing MFA controls. In other cases, configuration or implementation errors open the door for attackers who would otherwise be stopped by MFA.
This blog will explore some of the methods we have observed attackers using to sidestep MFA controls or take advantage of MFA misconfiguration. In addition, we will consider some actions organizations can take to more effectively implement MFA and up their game against this malicious activity.
Social Engineering to Circumvent MFA
Attackers lean heavily on social engineering to trick targets into clicking on links and attachments in phishing emails, revealing passwords online or over the phone, or even to gain physical access to victim facilities. Thus, it would stand to reason that attackers would seek to use social engineering tactics to circumvent MFA as well. In particular, X-Force IRIS has observed Business Email Compromise (BEC) attackers—some of the kings of social engineering—leverage this technique to even circumvent MFA.
Business Email Compromise
On many occasions, X-Force IRIS has observed BEC attackers successfully take over a company email account when MFA is not employed, which creates an easy avenue for these attackers to use stolen credentials. Once discovering such a compromise, organizations are usually quick to implement MFA, although by then it often is too late. For those who do not implement, another compromise becomes a higher probability.
In one interesting case where MFA was employed, however, the victim received an email with a link pointing to what appeared to be a sign-in page for Microsoft OneDrive. The page was a spoofed webpage from a phishing kit tailored to Microsoft Office 365 users in an attempt to harvest their credentials. Since MFA was enabled, the victim also received a prompt on their phone, to which they responded affirming they were logging in. In this case, the attacker stole the victim’s credentials in real time and entered them into a true login portal, which generated a MFA prompt from the victim’s phone. Thus, when the user received and approved the MFA prompt, this action was actually allowing the attacker into the account. Once inside the account, the attacker set up mail forwarding rules, sending all email to a separate account to evade detection.
A similar technique for circumventing MFA is a compromise of the actual device used for MFA, which in many cases is a cell phone used to receive a one-time code. This compromise can also be accomplished through social engineering to execute a SIM swap, a technique covered thoroughly in a blog we published last October. Throughout 2018 and 2019, the FBI has observed SIM swapping as a common tactic used to circumvent MFA, warning companies and individuals of social engineering tactics used to switch SIM card activity to a new phone—including MFA prompts and codes.
SIM swapping mostly occurs when an attacker collects a sufficient amount of personally identifying information (PII) on a victim to impersonate that person when calling the victim’s cellular provider. Pretending to be a victim who has lost a phone and acquired a new one, the attacker can then convince the provider to switch phone activity over to a new device under the attacker’s control. This means that the attacker has access to all phone activity—including MFA push notifications. In some cases, this can be accomplished with all activity remaining on the victim’s cellular device as well.
Misconfigurations, Failures and Flaws Give Attackers the Upper Hand
Opportunities open up for attackers when MFA fails due to improper configuration, failure of the infrastructure behind it or even man-in-the-middle attacks. X-Force IRIS has observed an insider attack causing a server governing MFA to go down, potentially leading to a scenario in which MFA is no longer required to gain access to a system. Similarly, penetration testers have noted that certain configurations, such as allowing users to unilaterally add a new device for MFA, can assist attackers in circumventing MFA controls. In February 2019, one researcher at the RSA cybersecurity conference in San Francisco revealed several session hijacking and man-in-the-middle techniques attackers can employ to sidestep MFA. All these situations would give an attacker the upper hand and allow the attacker to use stolen credentials to gain or expand access to a network.
In addition to misconfigurations, failure to implement MFA across all remote access points into an enterprise leaves an opportunity for attackers. X-Force IRIS has responded to numerous incidents where attackers have used valid credentials to access environments that had only partial implementation of MFA. Additionally, in the latter half of 2019, numerous reports of ransomware activity support the suggestion it is not enough to limit MFA to enterprise webmail and VPN solutions without considering third-party access to a network. For instance, Sodinokibi ransomware actors used compromised IT providers then delivered ransomware to their clients through suspected single-factor remote monitoring tools. This consideration also applies to remote access protocols that can connect into an enterprise, such as Secure Shell (SSH) and Remote Desktop Protocol (RDP). Single-factor implementations of these protocols have allowed threat actors to gain access to networks and deploy ransomware as observed in the 2015-2016 SamSam activity that cost organizations approximately $30 million in losses.
MFA is Vital to a Strong Organizational Security Posture
Incidents X-Force IRIS has responded to on the front lines suggest that overall, attackers’ ability to circumvent MFA is still rare. Most of our observations regarding MFA involve a lack of implementation across the enterprise and subsequent compromise by attackers. It is relatively easy for an attacker to gain valid credentials to an enterprise environment, but we can make it more difficult for attackers to use those credentials to achieve their objectives in several ways:
Identify ways to overcome hurdles to implementing MFA. As a rule, we recommend implementing MFA whenever possible. However, we recognize there are several reasons a company may choose not to: frustration from customers, incompatibility with MFA for some applications, and additional steps for everyday business, among others. In many incidents where we have observed that a lack of MFA led to malware deployment, we found that another solution to the MFA problem could have been sought and implemented. For example, IBM identity access management (IAM) architects have identified several ways to implement frictionless MFA for an enhanced customer experience. X-Force IRIS has also recommended migrating legacy applications and protocols that can be incompatible with MFA—such as those that use IMAP—off of O365 or other platforms with remote access to a network.
Implement MFA on every remote access point into your enterprise. Expand the traditional mindset that webmail and VPN are the only ways to remotely access your organization and include remote access protocols such as SSH and RDP in your MFA plans. Third-party access to your enterprise also leaves a door open for attackers to walk in. Don’t forget about third-party applications that support your employees, such as payroll and incentive programs. Many of these offerings come with the option to enable MFA at the organization’s discretion.
Leverage subject matter experts. Every enterprise network is unique, so the optimal MFA implementation will vary slightly from company to company. X-Force IRIS can use an Incident Response Program Assessment or Strategic Threat Assessment to assess your organization’s MFA strategy, or help you understand the overall risks for your organization. In addition, IBM IAM experts have in-depth knowledge on the wide range of MFA options available for IBM architectures.
Take advantage of MFA solutions that rely on biometrics or behavioral analytics. MFA that uses fingerprints, facial recognition, retina scans, or keystroke analysis tend to be more difficult for threat actors to circumvent than MFA that relies on a code sent to a separate device that can be hijacked—such as a cellphone. In some cases, these forms of MFA can be easier for users to provide as well and can create an enhanced user experience.
Train your employees to be cautious about oversharing online. The results of social engineering are not limited to phishing attacks against an enterprise. For most SIM swapping attacks to work, attackers must collect a sufficient amount of information about a victim to convince a mobile phone company that they are the victim when they make a call. If the attacker is unable to collect this information, he or she will be less likely to succeed in a SIM swapping operation. Be sure your enterprise information security program includes employee training regarding the limitation of personal information openly available on the Internet, such as phone numbers, home addresses, or birthdays.
Use MFA to track use of higher-risk devices. MFA can be used not only to provide a separate form of authentication for users, but also to track when a user logs in from a new or potentially risky device. For example, a user employing this option would receive a MFA prompt, along with a separate notification of a login from a new device not usually used to access that network.