A sinister way to bypass multi-factor authentication is gaining momentum

Multi-factor authentication (MFA) is a core defense and one of the most effective at preventing account takeover. In addition to requiring a username and password, MFA ensures that users must also present an additional factor, be it a fingerprint, a physical security key, or a one-time password, before they can access an account. Nothing in this article should be construed as a statement that MFA is anything but necessary.

However, some forms of MFA are stronger than others, and recent events show that the weaker forms are no deterrent to some hackers. Over the past few months, both suspected script kiddies in the Lapsus$ data extortion gang and elite Russian state threat actors (such as Cozy Bear, the group behind the SolarWinds hack) have successfully defeated the defense.

Enter MFA prompt bombing

The strongest forms of MFA are based on a framework called FIDO2, which was developed by a consortium of companies to balance security and ease of use. It gives users the option of using the fingerprint readers or cameras built into their devices, or dedicated security keys, to confirm that they are authorized to access an account. FIDO2 forms of MFA are relatively new, so many services for both consumers and large organizations have yet to adopt them.

This is where the older, weaker forms of MFA come in. These include one-time passwords sent via SMS or generated by mobile apps such as Google Authenticator, and push prompts sent to a mobile device. When someone logs in with a valid password, they must also either enter the one-time password into a box on the login screen or press a button displayed on their phone screen.

According to recent reports, it is this last form of authentication that is being bypassed. One group using the technique, according to security firm Mandiant, is Cozy Bear, a group of elite hackers working for Russia's Foreign Intelligence Service. The group is also known as Nobelium, APT29 and the Dukes.

“Many MFA providers allow users to accept a phone app push notification or to receive a phone call and press a key as a second factor,” the Mandiant researchers write. “[Nobelium] took advantage of this and issued multiple MFA requests to the end user’s legitimate device until the user accepted the authentication, allowing the attacker to eventually gain access to the account.”

The Lapsus$ hacking gang, which breached Microsoft, Okta, and Nvidia in recent months, has also used this technique.

“The number of calls that can be made is not limited,” a Lapsus$ member wrote on the group’s official Telegram channel. “Call an employee 100 times at 1 am while he is trying to sleep, and he will most likely accept it. Once the employee accepts the initial call, you can access the MFA enrollment portal and enroll another device.”

The Lapsus$ member said the MFA prompt-bombing method was effective against Microsoft, which said earlier this week that the hacking group was able to gain access to the laptop of one of its employees.

“Even Microsoft!” the member wrote. “Able to sign in to Microsoft VPN for an employee from Germany and the US at the same time, and they didn’t even seem to notice. I was also able to re-enroll MFA twice.”

Mike Grover, who sells red-team hacking tools to security professionals and works as a red-team consultant under the Twitter handle _MG_, told Ars that the method “is essentially a single method that takes many forms: tricking the user into acknowledging an MFA request. ‘MFA bombing’ has quickly become a descriptor, but it overlooks the more stealthy methods.”

Methods include:

  • Sending many MFA requests in the hope that the target will finally accept one of them to make the noise stop.
  • Sending one or two prompts per day. This method often attracts less attention, but “there is still a good chance the target will accept the MFA request.”
  • Calling the target, pretending to be part of the company, and telling the target they need to send an MFA request as part of a company process.

“These are just a few examples,” Grover said, “but it’s important to know that mass bombing is NOT the only form this takes.”
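As an added example that is not part of the original article, the following Python sketch shows how a defender could flag both variants Grover describes in MFA push logs: a burst of unapproved prompts within minutes, and a few unsolicited prompts spread over several days followed by an approval. The log format, field names, thresholds and user names are assumptions.

```python
"""Detect MFA prompt-bombing patterns in push-authentication logs.

Added example, not from the article. The log format (timestamp, user,
event, result), thresholds and sample data are all assumed/constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: alice is hit with a burst at 1 am, carol gets
# one prompt per day for three days, bob is a normal login.
SAMPLE_LOG = """\
2022-03-29T01:02:10Z alice mfa_push denied
2022-03-29T01:02:40Z alice mfa_push denied
2022-03-29T01:03:05Z alice mfa_push timeout
2022-03-29T01:03:30Z alice mfa_push denied
2022-03-29T01:04:01Z alice mfa_push approved
2022-03-29T09:15:00Z bob mfa_push approved
2022-03-27T08:00:00Z carol mfa_push denied
2022-03-28T08:05:00Z carol mfa_push denied
2022-03-29T08:10:00Z carol mfa_push approved
"""

def parse_log(text):
    """Group (timestamp, result) pairs per user, sorted by time."""
    events = defaultdict(list)
    for line in text.splitlines():
        ts, user, _event, result = line.split()
        events[user].append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result))
    return {u: sorted(evs) for u, evs in events.items()}

def detect_burst(events, window=timedelta(minutes=10), threshold=3):
    """Burst form: >= threshold unapproved pushes inside one sliding window."""
    flagged = {}
    for user, evs in events.items():
        bad = [t for t, r in evs if r != "approved"]   # denied or timed out
        for i in range(len(bad)):
            j = i
            while j < len(bad) and bad[j] - bad[i] <= window:
                j += 1
            if j - i >= threshold:
                flagged[user] = j - i
                break
    return flagged

def detect_slow(events, days=7, threshold=2):
    """Low-and-slow form: denials on >= threshold distinct days in the
    `days` before an approval, which is the moment the attacker wins."""
    flagged = {}
    for user, evs in events.items():
        for t, r in evs:
            if r != "approved":
                continue
            deny_days = {u.date() for u, res in evs
                         if res != "approved" and t - timedelta(days=days) <= u < t}
            if len(deny_days) >= threshold:
                flagged[user] = len(deny_days)
                break
    return flagged
```

Both detectors return a user-to-count map, so they can be run over real push logs once `parse_log` is adapted to the provider's export format.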

In a Twitter thread, he wrote, “Red teams have been playing variations of this for years. It helped companies that were lucky enough to have a red team. But real-world attackers are moving in this direction faster than the collective posture of most companies is improving.”

Other researchers were quick to point out that the MFA prompt technique is not new.

“Lapsus$ didn’t invent MFA prompt bombing,” Greg Linares, a red-team professional, tweeted. “Please stop crediting them with… creating this. This attack vector was used in real-world attacks 2 years before Lapsus$ was known.”

Good boy, FIDO

As noted earlier, FIDO2 forms of MFA are not susceptible to this technique because they are tied to the physical machine someone uses when logging into a site. In other words, the authentication must be performed on the device that is logging in. It cannot happen on one device to grant access to another device.

But that doesn’t mean organizations using FIDO2-compliant MFA can’t be prompt-bombed. Inevitably, a certain percentage of people enrolled in these forms of MFA will lose their key, drop their iPhone in the toilet, or break their laptop’s fingerprint reader.

Organizations must have contingencies in place to deal with these inevitable events. Many will fall back to more vulnerable forms of MFA when an employee loses the key or device needed to provide the additional factor. In other cases, a hacker can trick an IT administrator into resetting the MFA and enrolling a new device. In still other cases, FIDO2-compliant MFA is just one option, and less secure forms are still allowed.

“Reset/backup mechanisms are always very attractive to attackers,” Grover said.

In other cases, companies using FIDO2-compliant MFA rely on third parties to manage their network or perform other essential functions. If third-party employees can access a company’s network with weaker forms of MFA, that largely negates the benefit of the stronger forms.

Even when companies use FIDO2-based MFA everywhere, Nobelium has been able to defeat the defense. However, that bypass was only possible after the hackers had completely compromised the target’s Active Directory, the highly sensitive database tool that network administrators use to create, delete, or modify user accounts and grant them privileges to access authorized resources. That workaround is out of the scope of this post, because once AD is hacked, the game is pretty much over.

Once more, any form of MFA is better than no MFA at all. If SMS-delivered one-time passwords are all that’s available, however flawed and obnoxious they may be, the system is still infinitely better than no MFA. Nothing in this post is meant to suggest that MFA is not worth the hassle.

But it is clear that MFA is not sufficient on its own, and it is not a box that organizations can check and be done with. When Cozy Bear found these loopholes, no one was particularly surprised, given the group’s endless resources and top-notch tradecraft. Now that teenagers are using the same methods to hack powerful companies like Nvidia, Okta and Microsoft, people are starting to realize the importance of using MFA correctly.

“Although it might be tempting to dismiss LAPSUS$ as an immature and fame-seeking group,” reporter Brian Krebs of KrebsOnSecurity wrote last week, “their tactics should make everyone in charge of corporate security sit up and take notice.”

MFA prompt bombing may not be new, but companies can no longer afford to ignore it.

This story originally appeared on Ars Technica.

Credit: www.wired.com /