Cyberattackers Double Down on Bypassing MFA

As companies increasingly require stronger versions of security for their employees and customers, attackers are getting better at bypassing multifactor authentication (MFA), resulting in a steady stream of compromises, such as this week's announcement of a data leak at cybersecurity firm LastPass and the announced breach at social media service Reddit earlier in February. 

While multiple ways exist to bypass the flawed security of two-factor authentication (2FA) that uses one-time passwords (OTPs) sent through short message service (SMS) texts, systems protected by push notifications or using hardware tokens are considered much harder to compromise. Yet attackers have landed on a trio of techniques to get around the additional security: MFA flooding, proxy attacks, and session hijacking — focused on the user, the network, and the browser, respectively. 

"Most of the time, attackers are getting around weaker forms of MFA, especially those that use SMS, [but] there are plenty of techniques attackers use to circumvent MFA, including MFA flooding, SIM-swapping, and attacker-in-the-middle attacks," says Matt Caulfield, CEO of Oort, an identity-security provider.

MFA bypass attacks increased in 2020 (green) compared with previous years. Source: Okta

MFA Flooding & Fatigue

The first target for attackers is often the human behind the keyboard. Overall, 82% of breaches involved the "human element," and more than 80% of Web application breaches are attributed to the use of stolen credentials, according to Verizon's "2022 Data Breach Investigations Report (DBIR)." 

MFA flooding, where an attacker will repeatedly attempt to log in using stolen credentials to create a deluge of push notifications, aims at taking advantage of users' fatigue for security warnings. "Push notifications are a step up from SMS, but are susceptible to MFA flooding and MFA fatigue attacks, bombarding the victim with notifications in the hope they will click 'Allow' on one of them," Caulfield says. 

Another popular tactic — the account reset attack — aims to fool tech support into giving attackers control of a targeted account, an approach that led to the successful compromise of the developer Slack channel for Take-Two Interactive's Rockstar Games, the maker of the Grand Theft Auto franchise.

"An attacker will compromise a user’s credentials, and then pose as a vendor or IT employee and ask the user for a verification code or to approve an MFA prompt on their phone," says Jordan LaRose, practice director for infrastructure security at NCC Group. "Attackers will often use the information they’ve already compromised as part of the social engineering attack to lull users into a false sense of security."

Session Hijacking & Pass-the-Cookie Attacks

After a worker logs in to an online account or cloud service, a session cookie containing the user’s authentication credentials is typically set and remains active until the user ends the session by logging out. A common post-compromise tactic is for the attacker to harvest every cookie in the browser cache for potential use as a session hijack or pass-the-cookie attack. Malware such as Emotet has this functionality as a regular feature.

Other variants of this attack use cross-site scripting or malicious browser extensions to take control of a user's session after they pass the MFA barrier, says NCC Group's LaRose.

"The ultimate goal of this technique is to attack the user’s session indirectly, and therefore not interact with the stronger security controls in the login flow," he says.

Proxy Attacks & AitM

Finally, attackers can try to compromise infrastructure between the users device and a cloud service or online site. Using a compromised or malicious server to intercept requests from the user and destination server, a proxy attack — or adversary-in-the-middle (AitM) attack — allows cyberattackers to harvest the authentication mechanism in real time.

"This allows the attackers to bypass most available methods of MFA, since the user is providing the site, and the hacker, with both the username and password and additional authentication," Drew Trumbull, incident response team lead with the Information Security Office at the University of North Carolina, said in a review of the technique.

The technique may have contributed to the breach at LastPass, where "the threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA," according to the company's statement.

Resetting the Matrix

To defend against the latest attacks, companies should deploy phishing-resistant MFA, which consists of something you own, such as a hardware key, and something you are, such as a biometric. Common hardware key solutions, such as Yubikey, have made phishing-resistant MFA more easy to deploy, says NCC Group's LaRose.

Unfortunately, there are still hurdles for companies in adopting hardware keys, making it difficult to attain complete coverage, says Oort's Caulfield.

"Just the logistics of shipping hardware-based security keys to every employee and managing the process when they lose them can be a nightmare," he says. "Shipping laptops and security keys to contractors is even harder."

And with the increased overhead to manage the devices comes another in-road for attackers — resetting an account following a lost or stolen device. By pretending to be the victim, an attacker can claim to have lost a device, allowing them to enroll a new factor upon sign-in or act during a reset grace period, says Oort's Caulfield. 

"MFA resets are a massive challenge," he says. "It’s likely we’ll see attackers shifting from the factor as a weakness to the registration and reset process."

And indeed, rather than use a hardware token, workers and consumers are far more likely to subscribe to a security question or use a time-based OTP (TOTP) received through email or SMS. Nearly 80% of users polled at identity-provider Okta, for example, use email as a second factor — and nearly 40% have a TOTP pushed to them through an application — while only about 5% use a token or Yubikey, according to Oort's "2023 State of Identity Security" report. Users of Azure AD and Duo Security show similar preferences, the report noted, with security questions and SMS passcodes dominating enrollment numbers.