Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

Required MFA Is Not Sufficient for Strong Security: Report

Attackers and red teams find multiple ways to bypass poorly deployed MFA in enterprise environments, underscoring how redundancy and good design are still required.

Multi-factor authentication (MFA) is among the most useful measures companies can use against the rise in credential attacks, but attackers are adapting, as demonstrated in a variety of bypasses that allowed them to infiltrate networks — even those protected by MFA.

In an analysis of recent attacks, identity and access management firm CyberArk found at least four ways that attackers, including its own red teams, could circumvent MFA or at least greatly diminish its benefits. Attackers behind the SolarWinds Orion compromise, in a recent example, stole the private keys for single sign-on (SSO) infrastructure at many companies and then used those keys to bypass MFA checks.

Related Content:

MFA-Minded Attackers Continue to Figure Out Workarounds

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: How Can I Test the Security of My Home-Office Employees' Routers?

Companies must model these threats and ensure their MFA infrastructure does not have the same weaknesses, says Shay Nahari, vice president of red team services at CyberArk.

"Over the last year, we have seen a spike in companies who have MFA as part of their security control — which is always good — but we have also seen some MFA-based attacks during post-breach activities on our clients," he says. "They used it both for the initial access, and we saw attackers who got access in some other way, and then pivot to gain more sensitive access."

Both businesses and consumers worried about the increase in account compromise have adopted MFA. In 2019, a bi-annual report tracking the adoption of two-factor authentication found 53% of respondents used it to secure important accounts, up from 28% in 2017. Another study, funded by Microsoft, found 85% of executives expected to have MFA implemented by the end of 2020. 

The benefits are clear: Microsoft maintains that accounts with MFA are 99.9% less likely to be compromised. 

"The point is — your password, in the case of breach, just doesn't matter — unless it's longer than 12 characters and has never been used before — which means it was generated by a password manager," Alex Weinert, director of security at Microsoft, wrote in an analysis of MFA in 2019. "That works for some, but is prohibitive for others ... Or you could just enable MFA."

With the increasing adoption of MFA, especially to help secure remote workers during the pandemic, attackers are hunting for ways around the technology. Sometimes, they find it. 

Companies that use MFA in conjunction with SSO portals may have architectural design flaws. In one case, once the user was authenticated at the infrastructure level, they were not verified using MFA when accessing critical assets, the CyberArk analysis stated. This weakness could allow a single low-level machine or worker to be compromised and then trusted throughout the network. An attacker who compromised a machine and had credentials for higher-privileged users could access more sensitive assets.

"The MFA was not architected correctly," says Nahari. "The weakness is that it was not based on identity. There was no zero trust."

Another company created a weakness when onboarding new users. They sent an email with a link that users had to open on their phone so the corporate MFA system could pair with their software token application. Unfortunately, the link containing the cryptographic seed used to generate the token was only protected with a four digit PIN, which the red team quickly brute forced. Any attacker with access to a user's email could replicate an employee's MFA token, Nahari says.

"The onboarding was done in an insecure manner," he says. "The idea that you are crossing channels is a fundamental no-no. You need to decouple the channels, so the distribution of the seed should have been done on a different channel."

Other companies required MFA for remote desktop access to a server, but not for other ports or applications on that server, opening the machine up to credential compromises on other channels. This could give an attacker access to the entire machine.

Organizations should audit their MFA infrastructure to identify the ways it could potentially be bypassed. In addition, they should design threat models to understand the ways attackers might try to circumvent their access security, Nahari says.

"MFA should not be the only thing, it should be part of a bigger approach," he says. "Every attack we've shown is not attacking the MFA, but finding ways to circumvent the way it was implemented."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
What the FedEx Logo Taught Me About Cybersecurity
Matt Shea, Head of Federal @ MixMode,  6/4/2021
Edge-DRsplash-10-edge-articles
A View From Inside a Deception
Sara Peters, Senior Editor at Dark Reading,  6/2/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-23394
PUBLISHED: 2021-06-13
The package studio-42/elfinder before 2.1.58 are vulnerable to Remote Code Execution (RCE) via execution of PHP code in a .phar file. NOTE: This only applies if the server parses .phar files as PHP.
CVE-2021-34682
PUBLISHED: 2021-06-12
Receita Federal IRPF 2021 1.7 allows a man-in-the-middle attack against the update feature.
CVE-2021-31811
PUBLISHED: 2021-06-12
In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
CVE-2021-31812
PUBLISHED: 2021-06-12
In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
CVE-2021-32552
PUBLISHED: 2021-06-12
It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the openjdk-16 package apport hooks, it could expose private data to other local users.