How to Prevent Multi-factor Authentication Bypass
Hackers exploit common weaknesses to bypass Multi-Factor Authentication. With simple solutions, you can shore up security risks.
By: Ben Jacob, Tech-lead EMEA – Adversary Group
Organizations understand that relying on a single-factor authentication mechanism (username and password) on external portals poses a security risk. Without a strong password policy, users may choose weak passwords or re-use old ones, leaving their accounts vulnerable. Rolling out Multi-factor Authentication (MFA) adds a layer of defense against account takeover: users must present a username/password and a second factor to authenticate. But what are the common pitfalls that hackers use to bypass MFA?
How Hackers Guess Passwords
Secureworks® Adversary Group (SwAG) is a team of 90+ elite ethical hackers performing 1,400+ engagements annually. During their penetration testing engagements, SwAG is often able to guess account passwords. How? The technique is simple: the adversary searches LinkedIn for the victim organization, collects the first and last names of its employees, and builds a user list.
Then, using Microsoft 365 sign-in behavior that responds differently to valid and invalid usernames, they try various combinations of an employee's first and last name (john.doe, jdoe, johndoe, etc.) to establish the username format the organization uses to authenticate.
Knowing the username format lets the adversary turn the LinkedIn employee list into a username list for the whole organization. With that list they perform a password spray: one or two common passwords, such as Welcome2022!, Password2022! or Spring2022!, tried against every account. Because each account sees only a single attempt per password, the spray stays under lockout thresholds while still finding the employees with weak passwords.
Unfortunately, it is still common for employees, or for a helpdesk setting initial passwords, to pick simple dictionary words, letting adversaries guess credentials outright.
How Hackers Bypass MFA
Once the simulated adversary has compromised credentials via password spraying or phishing, SwAG typically encounters an MFA mechanism.
The simplest, yet most common, MFA bypass is finding an account that has not yet enrolled in MFA, such as a new hire or a contractor who has not yet signed in. With a valid username/password, the attacker simply enrolls their own mobile phone and gains authenticated access. Enrollment itself therefore needs protecting: an account that can self-enroll its second factor from anywhere is, until that moment, only as strong as its password.
Another common scenario is finding external systems that are not protected by MFA. For example, an organization's external perimeter may enforce MFA on Microsoft 365 and on its SSL VPN, while an old Citrix portal that employees no longer use was forgotten when MFA was rolled out. Such a system is a target of choice for an attacker holding compromised credentials to land a foothold on the internal network.
MFA varies: sometimes users must accept a push notification, other times a one-time token is required. Adversaries bypass push notifications by relying on user fatigue. In the prompt-bombing technique, the adversary sends push notification after push notification until the user, fed up, accepts one to stop the interruptions. A related technique is to identify the victim's local time and wait for 9:00 AM to send a single push notification: the victim is far more likely to accept it as part of their morning sign-in routine than a notification received in the middle of the night. While simplistic, these techniques are actively used by threat groups such as Lapsus$, which breached Microsoft, Okta, and Nvidia in recent months.
Of the two, one-time tokens are the more robust, since the employee must type the token into the web portal rather than tap a button. They are not phishing-proof, however, because employees rarely treat a token as sensitive information. During Red Team engagements, the Secureworks Adversary Group is often successful at calling victims, pretending to be the IT helpdesk, and getting them to read out their one-time token, which the attacker then enters in their own sign-in while it is still valid.
Organizations should integrate this non-exhaustive list of measures into their practices to prevent account takeover:
- Enforce a strong password policy (at least 15 characters, mixed case and special characters).
- Ban dictionary words and predictable patterns (season or company name plus year) to blunt password guessing.
- Monitor authentication attempts for password-spray patterns (many distinct usernames failing from one source in a short window, each with only one or two attempts) and for bursts of MFA push prompts against a single user.
- Thoroughly review the business need for every external asset and decommission those no longer used.
- Where authentication is required, enforce MFA through Single Sign-On so that no portal is left behind.
- Engage an adversary testing organization with expert skills to identify your weaknesses and help bolster overall security posture.
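Detection logic for two of the patterns described above, the password spray from the reconnaissance section and the prompt bombing from the MFA section, as an added example that is not part of the original article or of any Secureworks tooling. The sign-in lines are constructed for illustration; the `timestamp key=value` layout, the result names (`password_failed`, `mfa_push_denied`, `mfa_push_approved`) and the thresholds are assumptions to be mapped onto your identity provider's sign-in export:

```python
"""Detect password spraying and MFA push fatigue in sign-in logs.

Added example for this article, not Secureworks code. The log lines are
constructed for illustration and the key=value field layout is an assumption;
map your identity provider's sign-in export onto the same fields before use.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Three stories are mixed together:
#   - john.doe mistypes his password once from his usual IP (benign),
#   - 203.0.113.7 sprays a single guess against twelve accounts in two minutes,
#   - alice.smith gets six push prompts in under two minutes, denies five,
#     then approves the sixth (prompt bombing that worked).
SAMPLE_LOG = [
    "2022-06-01T09:00:01Z user=john.doe ip=198.51.100.20 result=password_failed",
    "2022-06-01T09:00:09Z user=john.doe ip=198.51.100.20 result=success",
] + [
    f"2022-06-01T09:0{i // 10}:{i % 10 * 5:02d}Z user=user{i:02d} "
    "ip=203.0.113.7 result=password_failed"
    for i in range(12)
] + [
    f"2022-06-01T08:5{8 + i // 3}:{i % 3 * 20:02d}Z user=alice.smith "
    f"ip=198.51.100.9 result={'mfa_push_denied' if i < 5 else 'mfa_push_approved'}"
    for i in range(6)
]


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime."""
    timestamp, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["time"] = datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ")
    return event


def densest_window(events, window):
    """Largest run of events whose first and last timestamps are within `window`."""
    events = sorted(events, key=lambda e: e["time"])
    best, start = [], 0
    for end, event in enumerate(events):
        while event["time"] - events[start]["time"] > window:
            start += 1
        if end - start + 1 > len(best):
            best = events[start:end + 1]
    return best


def detect_password_spray(events, window=timedelta(minutes=30), min_users=10):
    """Flag source IPs that fail passwords for many distinct users in a window.

    A spray tries one or two common passwords against every account, so each
    account sees too few failures to lock out; the signal is the number of
    distinct usernames failing from one source, not the failures per user.
    """
    failures_by_ip = defaultdict(list)
    for event in events:
        if event["result"] == "password_failed":
            failures_by_ip[event["ip"]].append(event)
    alerts = []
    for ip, failures in failures_by_ip.items():
        burst = densest_window(failures, window)
        users = sorted({e["user"] for e in burst})
        if len(users) >= min_users:
            alerts.append({"ip": ip, "distinct_users": len(users),
                           "first": burst[0]["time"], "last": burst[-1]["time"]})
    return alerts


def detect_push_fatigue(events, window=timedelta(minutes=10), min_prompts=5):
    """Flag users receiving a burst of MFA push prompts (prompt bombing).

    Repeated prompts within minutes mean someone holding the password keeps
    retrying; denials followed by an approval mean the user eventually gave in.
    """
    pushes_by_user = defaultdict(list)
    for event in events:
        if event["result"].startswith("mfa_push_"):
            pushes_by_user[event["user"]].append(event)
    alerts = []
    for user, pushes in pushes_by_user.items():
        burst = densest_window(pushes, window)
        if len(burst) >= min_prompts:
            alerts.append({
                "user": user,
                "prompts": len(burst),
                "denied": sum(e["result"] == "mfa_push_denied" for e in burst),
                "approved": any(e["result"] == "mfa_push_approved" for e in burst),
                "source_ips": sorted({e["ip"] for e in burst}),
            })
    return alerts


def run(lines=SAMPLE_LOG):
    """Parse the log and return (spray_alerts, push_fatigue_alerts)."""
    events = [parse_line(line) for line in lines]
    return detect_password_spray(events), detect_push_fatigue(events)


if __name__ == "__main__":
    sprays, fatigue = run()
    for alert in sprays + fatigue:
        print(alert)
```

Both detectors key on what the attacker cannot avoid: a spray must touch many usernames, so aggregating failures by source and counting distinct users catches it even though every per-user lockout counter stays at one; prompt bombing must send many pushes to the same user, so a burst of push events per user, especially denials followed by an approval, is the alert worth paging on. Real adversaries rotate source IPs to dilute the first signal, so in production the same logic should also be run per user agent or ASN rather than per IP alone.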
Learn more about our proactive security consulting here: https://www.secureworks.com/services#proactive