As our customers continue to adopt and implement remote work practices in response to global quarantine strategies, our team of 100+ ethical hackers known as the Secureworks Adversary Group has been hard at work responding to requests for vulnerability assessments. The demand for engagements to pressure test rapidly deployed remote systems was anticipated. The results, on the other hand, have sometimes been a surprise.
During a Remote Access Vulnerability Assessment (RAVA), our team was able to breach a customer’s environment through an internet-facing application protected by multi-factor authentication (MFA). My team and I share this takeaway not as a low vote of confidence for MFA, a critical and non-negotiable part of a layered defense strategy, but to reinforce that there is no silver bullet in cybersecurity. Technology, people, and process must work together to keep administrative credentials, data, and IP safe, and that’s why customers engage us: to identify possible gaps and close them.
Here’s one example of how a breach can occur even when MFA is in place, using one of our RAVA test scenarios. As we mentioned in our previous blog, RAVA engagements have two main components: performing a vulnerability assessment on the infrastructure, and manual password-spraying of applications. The vulnerability assessment part of the engagement may highlight no flaws; everything is patched up and configured correctly. Our team then switches gears and starts testing passwords. With a full list of the organization’s users, we start testing against an internet-facing application. In short order, our team easily guesses the password to a forgotten system account. Compromising this user in the application allows our team to gain the initial entry point and start compromising other systems and applications within the customer’s network.
So how did we compromise the environment even with MFA deployed? After our first login to Citrix, we got a prompt to enroll the forgotten account in the multi-factor authentication solution. Since this wasn’t an actual user’s account, it had never been enrolled in MFA. The Adversary Group enrolled the account in the customer’s MFA solution and now had access to both the customer’s Citrix environment and several other services and applications. One key takeaway is that adversaries can still be successful password spraying an MFA portal if it is configured to validate the username and password before the MFA step: the portal confirms which guesses were correct, and any account that was never enrolled can then be claimed by whoever guessed its password.
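One defender-side check suggested by this scenario, added here as an example and not taken from the original post or from any Secureworks tooling: correlate the password-spray signature (many distinct users failing from one source in a short window) with a first-time MFA enrollment from that same source. The log format, event names, and sample lines below are constructed assumptions, not the portal's real schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (format and event names are assumptions, not a
# real portal's log schema): timestamp, user, source IP, event.
SAMPLE_LOGS = """\
2020-04-01T09:00:01 alice 203.0.113.7 LOGIN_FAIL
2020-04-01T09:00:02 bob 203.0.113.7 LOGIN_FAIL
2020-04-01T09:00:03 carol 203.0.113.7 LOGIN_FAIL
2020-04-01T09:00:04 dave 203.0.113.7 LOGIN_FAIL
2020-04-01T09:00:05 erin 203.0.113.7 LOGIN_FAIL
2020-04-01T09:00:06 svc-legacy 203.0.113.7 LOGIN_OK
2020-04-01T09:00:40 svc-legacy 203.0.113.7 MFA_ENROLL
2020-04-01T09:05:00 alice 198.51.100.9 LOGIN_OK
2020-04-01T09:05:10 alice 198.51.100.9 MFA_ENROLL
"""


def parse_log(text):
    """Turn the space-separated sample lines into event dicts."""
    events = []
    for line in text.splitlines():
        ts, user, src, event = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "event": event})
    return events


def spray_sources(events, min_users=5, window=timedelta(minutes=10)):
    """Sources whose failed logins touched >= min_users distinct accounts
    inside one sliding window: the password-spray signature."""
    fails = defaultdict(list)
    for e in events:
        if e["event"] == "LOGIN_FAIL":
            fails[e["src"]].append((e["ts"], e["user"]))
    sprayers = set()
    for src, items in fails.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            users = {u for t, u in items[i:] if t - start <= window}
            if len(users) >= min_users:
                sprayers.add(src)
                break
    return sprayers


def suspicious_enrollments(events):
    """MFA_ENROLL events from a source that was spraying, i.e. a never-enrolled
    account being claimed by whoever guessed its password."""
    sprayers = spray_sources(events)
    return [(e["user"], e["src"]) for e in events
            if e["event"] == "MFA_ENROLL" and e["src"] in sprayers]
```

Alice's enrollment from a source with no failed logins is not flagged; the service account enrolled from the spraying source is.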
This is a great example of how attackers can compromise an organization even if it has an MFA solution deployed. It also demonstrates the value of receiving feedback on vulnerabilities from our team during these engagements in near real time. As part of our commitment to help secure remote work during the coronavirus pandemic, we’ve introduced a process to schedule remote vulnerability assessments quickly and deliver the final report within a week. If you’d like to see what we can do for you, we’re here to help.