259451736 | Olivier Le Moal | Dreamstime

Maximum security? How multifactor authentication is being defeated

April 4, 2024
Understanding the vulnerabilities of one of the hottest current security strategies against cyber intrusion.

Whenever you hear security advice, topping the list of suggestions usually is multifactor authentication. Whether it's securing an application, protecting a device, or logging into an account, MFA is highly recommended. Its rise in prominence comes from industry best practices or security requirements that demand its use to reduce the risk of potential breaches.

MFA provides a critical layer of defense within security, and boosts protection against the risk of unauthorized access, especially if passwords alone are the only defense layer in place. Given how quick and simple it can take to crack and breakthrough passwords, this is insufficient as a single source of security.

Podcast: Cybersecurity landscape and SEC rules for 2024

While MFA is still a robust safeguard, its efficacy can be undermined if accompanied by a weak or compromised password, which makes it highly vulnerable to being hacked and causing breaches. Manufacturing IT and OT operators must be wary of the fact that MFA isn’t a silver bullet for bad passwords—just like there isn't the holy grail security solution on the market.

Unfortunately, MFA security can be bypassed, and this occurs in a number of ways—and often. As we explore these techniques, businesses need to be vigilant on the key element that multifactor authentication is designed to add protection for: passwords.

MFA notification bombardment

A common feature within authentication applications is they initiate a push notification that requires the user to authorize or reject the login request. The convenience this offers the end user can also be exploited by bad cyber actors.

See also: Inside the Rockwell, Church & Dwight OT cybersecurity team-up

For example, should a hacker already compromise a password, they can then attempt to log in and trigger the MFA process to gain access to the user's device or application. This tactic relies on either the end user believing this to be a genuine MFA prompt and accepts it or the user has become careless and disinterested in notifications, leading them to grant the prompt in a bid to get rid of the disruption.

Research shows that this technique, commonly known as “MFA prompt bombing,” is leveraged effectively by several hacking groups, including 0ktapus, which has reportedly targeted multiple industries both in the U.S. and Canada.

Tricking service desks with social engineering

Cybercriminals have been seen duping service desks with social engineering tricks to skip past MFA by calling IT helpdesks as a worker from the company and forgetting their password. If the IT support agent doesn't go through a verification process with the caller, they could provide the cybercriminal with the login details and can access the organization’s network.

If you believe this to be far-fetched, this technique was used by hackers to gain initial access to high profiled Las Vegas casinos, including MGM Resorts. The hacking group known as Scattered Spider was then able to launch a ransomware attack on the systems after the hackers found an employee’s information on LinkedIn and impersonated them in a call to MGM’s IT help desk to obtain credentials to access and infect the systems.

Webinar replay: New U.S. reporting requirements and your cyber defenses

This scenario highlights the importance for businesses to enforce end user verification steps in place for all callers to the IT service desk. Such security defenses exist to remove the risk of social engineering techniques like vishing or user impersonation which rely on human error.

Adversary-in-the-middle attacks

Duping is a common method for defeating MFA protection, but adversary-in-the-middle, or AITM, attacks are another way this is achieved. AITM attacks will aim to deceive and manipulate a user into believing they’re accessing authentic networks, applications, or websites, only to unknowingly input sensitive details onto fraudulent replicas.

During this process, threat actors can intercept passwords and prevent security measures like the MFA prompts from being initiated. For example, should an employee interact with a spear phishing email that appears to be from a legitimate source, the user will be taken to a fake site and input their credentials, believing the site to be real. Hackers harvest the necessary login information.

Session hijacking

Session hijacking is very similar to AITM attacks as it involves a cybercriminal placing themselves within a legitimate process to try and exploit. Typically, when users complete the authentication process using their password and MFA, it is common for applications to employ a cookie or session token that will retain the user’s authenticated status.

See also: Cybersecurity in the spotlight: What recent attacks show about industry vulnerabilities, defenses

This enables continued access to secured resources without the need for repeated authentication. Yet, cybercriminals have developed tools like Evilginx to steal the session token or cookie session, giving them the ability to impersonate the user. From here, MFA can be bypassed and so can any other security checks.

Swapping sims

Mobile devices and MFA are very much entwined, and cybercriminals are aware of this fact. Often, it's through a mobile device where MFA authentication is granted. SIM swap attacks are therefore lucrative for cybercriminals.

This involves tricking service providers into transferring services from a victim's SIM card to a SIM card controlled by an attacker. In doing so, the cybercriminals will have seized the individual's phone number and all elements associated with it. From here, they can intercept any MFA prompt to begin the hijacking service and thus gain access to the victim's accounts.

The importance of strong passwords

We are not at a stage where being passwordless is a viable option because too many organizations still depend on this element of security. We also can't ignore password security given the many methods MFA can be breached. In fact, most account compromises stem from the victim using a weak, compromised, or breached password.

See also: Why IoT device manufacturers need to prioritize cyber resilience

Research has shown the common base term found in passwords used to attack networks across multiple ports is still “password.” It's these failings in password security that increase the risk of password compromise.

Therefore, organizations must ensure they have a robust password policy in place that is complemented by strict password criteria and prevents the use of weak, compromised, or breached passwords.

Remember, once an attacker has a password, they can turn their attention to defeating MFA and, ultimately, gain access to a business's network.

About the Author

Darren James

Darren James is a senior product manager at Specops Software. He’s a seasoned cybersecurity professional with more than 20 years of experience in IT and has worked as a consultant across various organizations and sectors, including central and local governments, retail, and energy.