Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

End of Bibblio RCM includes -->

Required MFA Is Not Sufficient for Strong Security: Report

Attackers and red teams find multiple ways to bypass poorly deployed MFA in enterprise environments, underscoring how redundancy and good design are still required.

Multi-factor authentication (MFA) is among the most useful measures companies can use against the rise in credential attacks, but attackers are adapting, as demonstrated in a variety of bypasses that allowed them to infiltrate networks — even those protected by MFA.

In an analysis of recent attacks, identity and access management firm CyberArk found at least four ways that attackers, including its own red teams, could circumvent MFA or at least greatly diminish its benefits. Attackers behind the SolarWinds Orion compromise, in a recent example, stole the private keys for single sign-on (SSO) infrastructure at many companies and then used those keys to bypass MFA checks.

Related Content:

MFA-Minded Attackers Continue to Figure Out Workarounds

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: How Can I Test the Security of My Home-Office Employees' Routers?

Companies must model these threats and ensure their MFA infrastructure does not have the same weaknesses, says Shay Nahari, vice president of red team services at CyberArk.

"Over the last year, we have seen a spike in companies who have MFA as part of their security control — which is always good — but we have also seen some MFA-based attacks during post-breach activities on our clients," he says. "They used it both for the initial access, and we saw attackers who got access in some other way, and then pivot to gain more sensitive access."

Both businesses and consumers worried about the increase in account compromise have adopted MFA. In 2019, a bi-annual report tracking the adoption of two-factor authentication found 53% of respondents used it to secure important accounts, up from 28% in 2017. Another study, funded by Microsoft, found 85% of executives expected to have MFA implemented by the end of 2020. 

The benefits are clear: Microsoft maintains that accounts with MFA are 99.9% less likely to be compromised. 

"The point is — your password, in the case of breach, just doesn't matter — unless it's longer than 12 characters and has never been used before — which means it was generated by a password manager," Alex Weinert, director of security at Microsoft, wrote in an analysis of MFA in 2019. "That works for some, but is prohibitive for others ... Or you could just enable MFA."

With the increasing adoption of MFA, especially to help secure remote workers during the pandemic, attackers are hunting for ways around the technology. Sometimes, they find it. 

Companies that use MFA in conjunction with SSO portals may have architectural design flaws. In one case, once the user was authenticated at the infrastructure level, they were not verified using MFA when accessing critical assets, the CyberArk analysis stated. This weakness could allow a single low-level machine or worker to be compromised and then trusted throughout the network. An attacker who compromised a machine and had credentials for higher-privileged users could access more sensitive assets.

"The MFA was not architected correctly," says Nahari. "The weakness is that it was not based on identity. There was no zero trust."

Another company created a weakness when onboarding new users. They sent an email with a link that users had to open on their phone so the corporate MFA system could pair with their software token application. Unfortunately, the link containing the cryptographic seed used to generate the token was only protected with a four digit PIN, which the red team quickly brute forced. Any attacker with access to a user's email could replicate an employee's MFA token, Nahari says.

"The onboarding was done in an insecure manner," he says. "The idea that you are crossing channels is a fundamental no-no. You need to decouple the channels, so the distribution of the seed should have been done on a different channel."

Other companies required MFA for remote desktop access to a server, but not for other ports or applications on that server, opening the machine up to credential compromises on other channels. This could give an attacker access to the entire machine.

Organizations should audit their MFA infrastructure to identify the ways it could potentially be bypassed. In addition, they should design threat models to understand the ways attackers might try to circumvent their access security, Nahari says.

"MFA should not be the only thing, it should be part of a bigger approach," he says. "Every attack we've shown is not attacking the MFA, but finding ways to circumvent the way it was implemented."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
//Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Incorporating a Prevention Mindset into Threat Detection and Response
Threat detection and response systems, by definition, are reactive because they have to wait for damage to be done before finding the attack. With a prevention-mindset, security teams can proactively anticipate the attacker's next move, rather than reacting to specific threats or trying to detect the latest techniques in real-time. The report covers areas enterprises should focus on: What positive response looks like. Improving security hygiene. Combining preventive actions with red team efforts.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-26067
PUBLISHED: 2022-05-25
An information disclosure vulnerability exists in the OAS Engine SecureTransferFiles functionality of Open Automation Software OAS Platform V16.00.0112. A specially-crafted series of network requests can lead to arbitrary file read. An attacker can send a sequence of requests to trigger this vulnera...
CVE-2022-26077
PUBLISHED: 2022-05-25
A cleartext transmission of sensitive information vulnerability exists in the OAS Engine configuration communications functionality of Open Automation Software OAS Platform V16.00.0112. A targeted network sniffing attack can lead to a disclosure of sensitive information. An attacker can sniff networ...
CVE-2022-26082
PUBLISHED: 2022-05-25
A file write vulnerability exists in the OAS Engine SecureTransferFiles functionality of Open Automation Software OAS Platform V16.00.0112. A specially-crafted series of network requests can lead to remote code execution. An attacker can send a sequence of requests to trigger this vulnerability.
CVE-2022-26303
PUBLISHED: 2022-05-25
An external config control vulnerability exists in the OAS Engine SecureAddUser functionality of Open Automation Software OAS Platform V16.00.0112. A specially-crafted series of network requests can lead to the creation of an OAS user account. An attacker can send a sequence of requests to trigger t...
CVE-2022-26833
PUBLISHED: 2022-05-25
An improper authentication vulnerability exists in the REST API functionality of Open Automation Software OAS Platform V16.00.0121. A specially-crafted series of HTTP requests can lead to unauthenticated use of the REST API. An attacker can send a series of HTTP requests to trigger this vulnerabilit...