Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

Required MFA Is Not Sufficient for Strong Security: Report

Attackers and red teams find multiple ways to bypass poorly deployed MFA in enterprise environments, underscoring how redundancy and good design are still required.

Multi-factor authentication (MFA) is among the most useful measures companies can use against the rise in credential attacks, but attackers are adapting, as demonstrated in a variety of bypasses that allowed them to infiltrate networks — even those protected by MFA.

In an analysis of recent attacks, identity and access management firm CyberArk found at least four ways that attackers, including its own red teams, could circumvent MFA or at least greatly diminish its benefits. Attackers behind the SolarWinds Orion compromise, in a recent example, stole the private keys for single sign-on (SSO) infrastructure at many companies and then used those keys to bypass MFA checks.

Related Content:

MFA-Minded Attackers Continue to Figure Out Workarounds

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: How Can I Test the Security of My Home-Office Employees' Routers?

Companies must model these threats and ensure their MFA infrastructure does not have the same weaknesses, says Shay Nahari, vice president of red team services at CyberArk.

"Over the last year, we have seen a spike in companies who have MFA as part of their security control — which is always good — but we have also seen some MFA-based attacks during post-breach activities on our clients," he says. "They used it both for the initial access, and we saw attackers who got access in some other way, and then pivot to gain more sensitive access."

Both businesses and consumers worried about the increase in account compromise have adopted MFA. In 2019, a bi-annual report tracking the adoption of two-factor authentication found 53% of respondents used it to secure important accounts, up from 28% in 2017. Another study, funded by Microsoft, found 85% of executives expected to have MFA implemented by the end of 2020. 

The benefits are clear: Microsoft maintains that accounts with MFA are 99.9% less likely to be compromised. 

"The point is — your password, in the case of breach, just doesn't matter — unless it's longer than 12 characters and has never been used before — which means it was generated by a password manager," Alex Weinert, director of security at Microsoft, wrote in an analysis of MFA in 2019. "That works for some, but is prohibitive for others ... Or you could just enable MFA."

With the increasing adoption of MFA, especially to help secure remote workers during the pandemic, attackers are hunting for ways around the technology. Sometimes, they find it. 

Companies that use MFA in conjunction with SSO portals may have architectural design flaws. In one case, once the user was authenticated at the infrastructure level, they were not verified using MFA when accessing critical assets, the CyberArk analysis stated. This weakness could allow a single low-level machine or worker to be compromised and then trusted throughout the network. An attacker who compromised a machine and had credentials for higher-privileged users could access more sensitive assets.

"The MFA was not architected correctly," says Nahari. "The weakness is that it was not based on identity. There was no zero trust."

Another company created a weakness when onboarding new users. They sent an email with a link that users had to open on their phone so the corporate MFA system could pair with their software token application. Unfortunately, the link containing the cryptographic seed used to generate the token was only protected with a four digit PIN, which the red team quickly brute forced. Any attacker with access to a user's email could replicate an employee's MFA token, Nahari says.

"The onboarding was done in an insecure manner," he says. "The idea that you are crossing channels is a fundamental no-no. You need to decouple the channels, so the distribution of the seed should have been done on a different channel."

Other companies required MFA for remote desktop access to a server, but not for other ports or applications on that server, opening the machine up to credential compromises on other channels. This could give an attacker access to the entire machine.

Organizations should audit their MFA infrastructure to identify the ways it could potentially be bypassed. In addition, they should design threat models to understand the ways attackers might try to circumvent their access security, Nahari says.

"MFA should not be the only thing, it should be part of a bigger approach," he says. "Every attack we've shown is not attacking the MFA, but finding ways to circumvent the way it was implemented."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-20027
PUBLISHED: 2021-06-14
A buffer overflow vulnerability in SonicOS allows a remote attacker to cause a Denial of Service (DoS) by sending a specially crafted request. This vulnerability affects SonicOS Gen5, Gen6, Gen7 platforms, and SonicOSv virtual firewalls.
CVE-2021-32684
PUBLISHED: 2021-06-14
magento-scripts contains scripts and configuration used by Create Magento App, a zero-configuration tool-chain which allows one to deploy Magento 2. In versions 1.5.1 and 1.5.2, after changing the function from synchronous to asynchronous there wasn't implemented handler in the start, stop, exec, an...
CVE-2021-34693
PUBLISHED: 2021-06-14
net/can/bcm.c in the Linux kernel through 5.12.10 allows local users to obtain sensitive information from kernel stack memory because parts of a data structure are uninitialized.
CVE-2021-27887
PUBLISHED: 2021-06-14
Cross-site Scripting (XSS) vulnerability in the main dashboard of Ellipse APM versions allows an authenticated user or integrated application to inject malicious data into the application that can then be executed in a victim’s browser. This issue affects: Hitachi ABB Power Grids ...
CVE-2021-27196
PUBLISHED: 2021-06-14
Improper Input Validation vulnerability in Hitachi ABB Power Grids Relion 670 Series, Relion 670/650 Series, Relion 670/650/SAM600-IO, Relion 650, REB500, RTU500 Series, FOX615 (TEGO1), MSM, GMS600, PWC600 allows an attacker with access to the IEC 61850 network with knowledge of how to reproduce the...