
11/10/2020
10:00 AM
Alan Bavosa
Commentary

How Hackers Blend Attack Methods to Bypass MFA

Protecting mobile apps requires a multilayered approach with a mix of cybersecurity measures to counter various attacks at different layers.

Many security experts recommend multifactor authentication (MFA) to prevent unauthorized access to protected accounts. It's a key security measure for mobile apps, but it's not a silver bullet. Hackers are getting better at defeating second- and third-layer security protections like MFA.

For example, the Iranian hacker group Rampant Kitten targeted Iranian dissidents using malware deposited in the victim's Telegram messaging app, whose MFA was bypassed using previously intercepted SMS codes.

Then there's Cerberus, a Trojan that abuses Android accessibility features like "developer options" and "enable unknown sources" to escalate privileges, enable remote access, and update malware on target systems. Hackers reverse-engineered Google's authentication flow and extracted two-factor authentication credentials from mobile apps to mimic and bypass Google Authenticator.

Plus, earlier this year we saw the emergence of the Eventbot malware, which targets mobile banking apps and often masquerades as a well-known app (like Microsoft or Adobe). It can intercept SMS messages to obtain MFA codes for account takeovers and data theft. Newer and more sophisticated variants continue to pop up thanks to auto-update capabilities.

And these are just a few well-known cases. Hackers bypass MFA all the time, often using the following common techniques to attack mobile apps.

Reverse Engineering & Tampering
Hackers use static and dynamic analysis to understand how apps work and to alter apps in many ways. They use debuggers and emulators to observe how apps function in simulated environments. They use disassemblers and decompilers to obtain source code and understand how it executes. For everything a hacker wants to do, there are five or 10 tools to do it, all freely available.

With the information these tools provide, hackers figure out where apps' weaknesses are and then craft attacks to exploit those weaknesses. For example, using tools like Ghidra, IDA, and others, hackers can execute a class dump and show all third-party libraries in any app. Then they search public data sources (such as MITRE) to find all the bugs and vulnerabilities in those libraries so they can craft an attack that exploits them. And they enhance their attacks by blending attack techniques. The more they know about the app, the more damage they can do.

Transport Layer Attacks and Social Engineering
Hackers alter digital certificates and use them in phishing and man-in-the-middle (MitM) attacks. For example, let's say an attacker intercepts a mobile banking session using an altered certificate to establish connections on both sides (that is, the hacker sits "in the middle" of the user and the bank). Both the bank's server and the mobile user think they are talking to a trusted entity because the certificate appears real, as it's the digital equivalent of a "fake ID."

To appear even more legitimate, hackers often insert a screen overlay, which is a fake copy of the website to which the user thinks he or she is connecting. Then they record the user's keystrokes to intercept the data or trick the user into revealing info to them. That's one of the methods used in the Rampant Kitten example above to get victims to install the malware.
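The MitM scenario above works because the client accepts any certificate the system trust store will validate. Certificate pinning closes that gap by also requiring the server's public key to match a hash the app ships with. The following Android client, written for this article as an added example and not code from the author or Appdome, shows that check with the OkHttp library; the host name `api.example-bank.invalid` and both pin values are placeholders that must be replaced with the SHA-256 of your server's SubjectPublicKeyInfo and of a backup key you control.

```java
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

import java.io.IOException;
import javax.net.ssl.SSLPeerUnverifiedException;

/** Example (not part of the original article): an HTTPS client that pins the API's public key. */
public final class PinnedApiClient {
    // Hypothetical host and placeholder pins (constructed for this example).
    private static final String API_HOST = "api.example-bank.invalid";
    private static final String PRIMARY_PIN = "sha256/PLACEHOLDER_PRIMARY_SPKI_HASH_BASE64=";
    private static final String BACKUP_PIN  = "sha256/PLACEHOLDER_BACKUP_SPKI_HASH_BASE64=";

    /** Builds a client that rejects any chain whose SPKI hashes match none of the pins. */
    static OkHttpClient build() {
        CertificatePinner pinner = new CertificatePinner.Builder()
            .add(API_HOST, PRIMARY_PIN)
            // A backup pin for a key you keep offline lets you rotate the live key
            // without shipping an app update first.
            .add(API_HOST, BACKUP_PIN)
            .build();
        return new OkHttpClient.Builder()
            .certificatePinner(pinner)
            .build();
    }

    /** Performs a pinned request; a pin mismatch surfaces as SSLPeerUnverifiedException. */
    static String fetchBalance(OkHttpClient client) throws IOException {
        Request request = new Request.Builder()
            .url("https://" + API_HOST + "/v1/balance")
            .build();
        try (Response response = client.newCall(request).execute()) {
            return response.body() != null ? response.body().string() : "";
        } catch (SSLPeerUnverifiedException e) {
            // The chain passed normal trust-store validation but no certificate in it
            // carried a pinned key: treat it as a possible interception and fail closed.
            // Never fall back to an unpinned client here.
            throw e;
        }
    }
}
```

Pinning is effective against the altered-certificate MitM described above only if the app also refuses to proceed when the pin check fails, which is why the catch block rethrows instead of retrying. OkHttp's exception message lists the hashes of the chain it actually saw, which is a convenient way to confirm your pin values from a network you trust before release.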

Data Extraction & Credential Theft
Hackers search for unencrypted data stored in many different locations in a mobile app, such as the app sandbox, clipboard, preferences, resources, and strings. Mobile apps also store authentication tokens, cookies, and user credentials in shared storage areas. Hackers can extract this data easily, especially if it's not encrypted or obfuscated.
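The preferences file is the most common place a session token ends up in the clear. As an added illustration that is not code from the article or from Appdome, the Android class below puts the weak pattern next to the hardened one: the first method writes a token to a plain `SharedPreferences` XML file, the second keeps the same value in `EncryptedSharedPreferences` from the androidx.security.crypto library, with the wrapping key held in the Android Keystore. The file and key names are hypothetical.

```java
import android.content.Context;
import android.content.SharedPreferences;
import androidx.security.crypto.EncryptedSharedPreferences;
import androidx.security.crypto.MasterKey;

import java.io.IOException;
import java.security.GeneralSecurityException;

/** Example (not part of the original article): storing a session token at rest. */
public final class TokenStore {
    // Hypothetical names used for this example.
    private static final String PREFS_FILE = "session_prefs";
    private static final String KEY_ACCESS_TOKEN = "access_token";

    /**
     * The pattern the article warns about: the token lands in plaintext XML under the
     * app's private directory, where a root, a backup, or a debugger can read it.
     */
    static void saveTokenInsecure(Context ctx, String token) {
        ctx.getSharedPreferences(PREFS_FILE, Context.MODE_PRIVATE)
           .edit()
           .putString(KEY_ACCESS_TOKEN, token)
           .apply();
    }

    /**
     * Hardened form: keys and values are encrypted before they touch disk. The master key
     * lives in the Android Keystore, so copying the preferences file yields ciphertext only.
     */
    static SharedPreferences openEncrypted(Context ctx)
            throws GeneralSecurityException, IOException {
        MasterKey masterKey = new MasterKey.Builder(ctx)
            .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
            .build();
        return EncryptedSharedPreferences.create(
            ctx,
            PREFS_FILE + "_enc",
            masterKey,
            EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
            EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM);
    }

    static void saveToken(Context ctx, String token)
            throws GeneralSecurityException, IOException {
        openEncrypted(ctx).edit().putString(KEY_ACCESS_TOKEN, token).apply();
    }

    /** Returns the stored token, or null if none has been saved. */
    static String loadToken(Context ctx) throws GeneralSecurityException, IOException {
        return openEncrypted(ctx).getString(KEY_ACCESS_TOKEN, null);
    }
}
```

A quick check during a security review is to pull the app's `shared_prefs` directory from a test device after logging in: with the first method the token is readable with any text editor; with the second, only the file name and Base64 ciphertext are visible.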

Recommendations for Mobile App Developers
Protecting mobile apps requires a multilayered approach with a mix of cybersecurity measures to counter various attacks at different layers.

● Harden apps with anti-tampering, anti-reversing, checksum validation, and jailbreak/root prevention. Build in protection against the common tools that hackers use to study, simulate, and learn about your app and all its components.

● Obfuscate your code for both native and non-native apps, including third-party libraries and your code's logic. This prevents reverse engineering.

● Encrypt sensitive data in all places that it exists. The sandbox is not the only place where data lives. Encrypt strings, data in app preferences, resources, API keys, and secrets. And never leave sensitive data or artifacts in the clear.

● Protect data in transit: Implement certificate pinning and certificate or certificate authority validation to protect against MitM attacks, phishing, and altered certificates.

● Consider "in-app" MFA: Developers can strengthen MFA with biometric security by leveraging in-app Face ID/Touch ID on a per-app basis. That way, even if the device PIN code or the MFA solution is compromised, the app is still safe.
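What makes "in-app" biometric MFA stronger than a lock-screen check is binding the biometric to a cryptographic key the app itself owns: the key only operates after a successful biometric, and a stolen device PIN or an intercepted SMS code never touches it. The Android class below, added here as an example and not code from the author or Appdome, generates such a key in the Android Keystore and uses `BiometricPrompt` with a `CryptoObject` so the session secret can only be wrapped after a strong biometric. It assumes the androidx.biometric library and API level 24 or later; the key alias, the `Callback` interface and the `unlock` method are hypothetical names for this example.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import androidx.biometric.BiometricManager;
import androidx.biometric.BiometricPrompt;
import androidx.core.content.ContextCompat;
import androidx.fragment.app.FragmentActivity;

import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/** Example (not part of the original article): a key that only works after a strong biometric. */
public final class InAppBiometricGate {
    private static final String KEY_ALIAS = "app_session_key"; // hypothetical alias
    private static final String KEYSTORE = "AndroidKeyStore";

    /** Hypothetical result interface for this example. */
    interface Callback {
        void onUnlocked(byte[] wrappedSecret, byte[] iv);
        void onFailed();
    }

    /** Run once at enrollment. The key never leaves the Keystore. */
    static SecretKey createKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE);
        kg.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                    KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
            .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
            // Every use of the key requires a fresh user authentication.
            .setUserAuthenticationRequired(true)
            // Adding a new fingerprint/face on the device invalidates the key,
            // so an attacker who enrolls their own biometric cannot use it.
            .setInvalidatedByBiometricEnrollment(true)
            .build());
        return kg.generateKey();
    }

    /** A cipher bound to the key; init() succeeds here but doFinal() needs the biometric. */
    static Cipher cipherForKey() throws Exception {
        KeyStore ks = KeyStore.getInstance(KEYSTORE);
        ks.load(null);
        SecretKey key = (SecretKey) ks.getKey(KEY_ALIAS, null);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key);
        return cipher;
    }

    /** Shows the prompt; only BIOMETRIC_STRONG is allowed, so the device PIN is not a fallback. */
    static void unlock(FragmentActivity activity, byte[] sessionSecret, Callback cb)
            throws Exception {
        BiometricPrompt.PromptInfo info = new BiometricPrompt.PromptInfo.Builder()
            .setTitle("Confirm it's you")
            .setAllowedAuthenticators(BiometricManager.Authenticators.BIOMETRIC_STRONG)
            .setNegativeButtonText("Cancel")
            .build();

        BiometricPrompt prompt = new BiometricPrompt(activity,
            ContextCompat.getMainExecutor(activity),
            new BiometricPrompt.AuthenticationCallback() {
                @Override
                public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult r) {
                    try {
                        // The framework has authorized this exact cipher instance.
                        Cipher cipher = r.getCryptoObject().getCipher();
                        byte[] wrapped = cipher.doFinal(sessionSecret);
                        cb.onUnlocked(wrapped, cipher.getIV());
                    } catch (Exception e) {
                        cb.onFailed();
                    }
                }

                @Override
                public void onAuthenticationError(int code, CharSequence msg) {
                    cb.onFailed();
                }
            });

        prompt.authenticate(info, new BiometricPrompt.CryptoObject(cipherForKey()));
    }
}
```

The design point is that the app never checks a boolean "biometric passed" flag, which a tampered build could skip; it needs the Keystore to actually perform the operation, and the Keystore refuses unless the hardware reported a matching biometric for this prompt.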

Solid security requires a layered defense. MFA is far stronger than a traditional username/password model for authentication, and I encourage its use. But it's insufficient by itself, and lack of app/data protection can actually lead to MFA compromise.

Alan is VP Security Products at Appdome. A longtime product exec and serial entrepreneur, Alan has previously served as chief of product for Palerra (acquired by Oracle) and ArcSight (acquired by HP).
Comments

boholuxe (User Rank: Strategist), 11/10/2020 | 11:17:21 AM
I don't trust apps
I do not trust mobile apps. They are created mostly by unknown developers. And I do not know what they will do with my data.

markoer (User Rank: Strategist), 11/12/2020 | 12:27:30 AM
Re: I don't trust apps
Because of course you know who develops web applications - you know them all, one by one.