Cybersecurity: multi-factor authentication is not a miracle cure


To protect any account, one of the most important safeguards is multi-factor authentication (MFA). This method adds a barrier on top of the password, because at each login the user must prove that it is really them. This verification can be done through an SMS, an authenticator application or even a physical security key.

To compromise accounts, cybercriminals tend to favor phishing attacks to steal passwords, or techniques to guess weak ones, hoping to use those passwords to gain access to the targeted account. If the attacker manages to steal the password of an account where multi-factor authentication is enabled, but not the verification code or the physical device, the system will not let him in and he will not be able to go any further.

While multi-factor authentication has proven itself and protects against the majority of attempts to compromise accounts, there has recently been an upsurge in attacks aimed at circumventing this security measure. According to Microsoft, in a single campaign, 10,000 organizations were targeted in this way over the past year.

Bypassing MFA

To circumvent multi-factor authentication, some cybercriminals use a technique called adversary-in-the-middle, or AiTM, which combines a phishing attack with a proxy server placed between the victim and the website they are trying to log into. It lets attackers capture both the password and the session cookie, the token that represents a completed authentication, which they can then exploit – in this case, to steal emails. The user thinks they have logged into their account as usual.

“Note that this is not an MFA vulnerability; since AiTM phishing steals the session cookie, the attacker authenticates to a session on behalf of the user, regardless of the login method used by the user,” Microsoft explains about this particular campaign.

With this technique, attackers do not attack multi-factor authentication itself; they circumvent it by stealing cookies. But this allows them to use the account as if they were its owner, including later on. In this situation, the presence of MFA becomes useless – and the targeted account and its user are threatened.

Exploiting Human Weaknesses

To circumvent multi-factor authentication, other cybercriminals focus on the human aspect. Indeed, when this security measure is activated, a code is required for each login. And it is a human who has to enter it. But any human being can be deceived or manipulated.

“At the end of the day, whether it’s a number or information, as long as the user knows the code, the attacker can steal it,” warns Etay Maor, senior director of security strategy at Cato Networks.

The attacker will have to put in more advanced effort, but he will still be able to obtain the requested code. For example, if the MFA requires a code sent by SMS – SMS is still commonly used today, especially by banks and operators – the attacker can contact the user while pretending to be from a help desk, for example, and ask him to read out the code in question.

Although the process can be complex, the attacker could contact the user by impersonating a help desk agent or another employee. The victim will be more inclined to hand over the confidential code if they think they are talking to someone who is there to help them. This is why many services precede the codes sent by SMS with a warning that they will never call you to ask for it.

“It is not surprising that attackers attack the human aspect, the human components of the system. People are busy, people are stressed, all kinds of things influence the decisions we make”, analyzes Oz Alashe, CEO and founder of CybSafe.

Using malware

A third method can be used to circumvent multi-factor authentication: it consists of using information-stealing malware. For example, an attacker can use a Trojan to watch a user as they access their account and then reach the account through the infected device. He can also take control of the device without the victim’s knowledge, using the authenticator application and the code it provides to access the account remotely from another machine.

From the network’s or the account’s point of view, the access is legitimate, since the correct credentials were used. Still, there are some signs that may indicate suspicious activity, and security teams and systems can be trained to look for them.

“The system itself must then ask itself if it is normal for the user to connect from this place or at this time. And, as a result, it decides whether to perform another level of verification before granting access,” says Oz Alashe.
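As an added illustration (not code from the article, ZDNet or any vendor quoted in it), the small Python check below implements the question Alashe describes: does this session arrive from the place, time and device it was issued to? The sign-in events and the per-user baseline are constructed sample data, and the third event shows the server-side trace of the AiTM cookie replay discussed above: a valid session cookie reappearing from a different network and browser.

```python
from datetime import datetime

# Constructed sample sign-in events (not real telemetry). The session cookie
# "sess-1" is issued to alice's usual browser in the morning; the same cookie
# then reappears from another network and browser, which is how AiTM cookie
# replay looks from the server side even though the credentials were valid.
SAMPLE_EVENTS = [
    {"ts": "2022-09-01T08:02:10", "user": "alice", "session": "sess-1",
     "ip": "203.0.113.10", "ua": "Firefox/104", "country": "FR"},
    {"ts": "2022-09-01T08:40:00", "user": "alice", "session": "sess-1",
     "ip": "203.0.113.10", "ua": "Firefox/104", "country": "FR"},
    {"ts": "2022-09-01T08:55:30", "user": "alice", "session": "sess-1",
     "ip": "198.51.100.7", "ua": "Chrome/105", "country": "NL"},
    {"ts": "2022-09-01T23:10:00", "user": "alice", "session": "sess-2",
     "ip": "203.0.113.10", "ua": "Firefox/104", "country": "FR"},
]

# Per-user baseline that a real system would learn from history; assumed here.
BASELINE = {"alice": {"countries": {"FR"}, "hours": range(7, 20)}}


def review_signins(events, baseline):
    """Return {session_id: [reasons]} for sessions that should be re-verified
    (step-up MFA or revocation) before further access is granted."""
    issued_to = {}   # session id -> (ip, user agent) seen at its first use
    findings = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        profile = baseline.get(e["user"], {})
        reasons = []
        origin = issued_to.setdefault(e["session"], (e["ip"], e["ua"]))
        # A cookie presented from a different network and browser than the one
        # it was issued to is the main server-side signal of cookie theft.
        if origin != (e["ip"], e["ua"]):
            reasons.append("session cookie reused from new ip/user agent")
        if e["country"] not in profile.get("countries", {e["country"]}):
            reasons.append(f"sign-in from unusual country {e['country']}")
        if ts.hour not in profile.get("hours", range(24)):
            reasons.append(f"sign-in at unusual hour {ts.hour:02d}:00")
        if reasons:
            findings.setdefault(e["session"], []).extend(reasons)
    return findings


if __name__ == "__main__":
    for session, reasons in review_signins(SAMPLE_EVENTS, BASELINE).items():
        print(session, "-> step-up verification:", "; ".join(reasons))
```

The unusual-country and unusual-hour checks are the "place" and "time" questions from the quote; the cookie-reuse check is what catches the AiTM case, where place and time alone may look ordinary.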

A proven method, but not infallible

Multi-factor authentication isn’t foolproof: “While security processes like multi-factor authentication add an extra layer of security, they shouldn’t be seen as silver bullets to protect against phishing attacks. With the use of advanced phishing kits and clever techniques, attackers can bypass both traditional and advanced security solutions,” ZScaler said last month when analyzing an AiTM-type attack.

However, this security measure remains essential, because it protects against many cyberattacks and in particular against account takeover. But the more time passes, the more cybercriminals learn, and the more they target MFA, the more often they will succeed.

That’s why network security managers should consider additional layers of security now. “It is a good thing [that MFA] is recommended. […] But it absolutely must be accompanied by additional layers of security, because, like any other siloed security solution, it can be circumvented. And don’t think everything is secure just because you have a layer of security in place,” warns Etay Maor.

Taking the human factor into account

Technology can’t do everything. Especially when attackers target the humanity of their victims by trying to manipulate them into making bad decisions. “People are wonderful, they want to be useful, so they sometimes get tricked,” says Oz Alashe.

“This is a significant challenge for society as digitization is on the way and we have an incredible opportunity to continue to use technology wisely. But we also have to meet these challenges in terms of resilience and the human aspect,” he sums up.

As an illustration of this threat, the cybersecurity company Mitiga detailed a few weeks ago attacks targeting Microsoft 365 accounts that bypassed MFA, stemming from a campaign that combined phishing and business email compromise (BEC).

Source: ZDNet.com