
Should we take comfort in knowing that threat actors are finding ways to bypass MFA?

Threat actors attacking multi-factor authentication might be a sign that MFA is widespread enough to disrupt criminals, said one expert. (Photo by Leon Neal/Getty Images)

Threat actors are starting to find ways to bypass multi-factor authentication, a sign that some security researchers say may demonstrate that MFA has become more mainstream, according to a report released Tuesday by Secureworks.

“The fact that multi-factor itself is now a target is a good thing — it shows that it’s widespread enough to be disrupting the criminal access, so much so that the technology itself is under attack,” said Andrew Barratt, vice president at Coalfire.

Mike Parkin, senior technical engineer at Vulcan Cyber, said the challenge with MFA is that not all implementations are created equal, and not everyone deploys them in the most secure way possible.

“Some forms of MFA are inherently more robust than others, and more resistant to attack,” Parkin said. “Though almost any MFA implementation is a step in the right direction, they’re not a silver bullet and need to find the right balance between convenience and effectiveness.”

Patrick Harr, chief executive officer at SlashNext, said users should always stay observant when using MFA. Harr said it’s still an effective mitigation against phishing because it increases the difficulty of leveraging compromised credentials to breach an organization.

“However, it’s not infallible,” Harr said. “If the link leads the user to a fake replica of a legitimate site, then the user can fall victim. In fact, CISA has warned about an increase in cybercriminals using tactics to bypass MFA as an effective tactic for financial and data theft.”

Jerrod Piker, competitive intelligence analyst at Deep Instinct, said while MFA has been effective, attackers have recently been bypassing these tools to gain access.

One example of how they’re getting past MFA is referred to as “prompt bombing,” explained Piker. This entails an attacker who has successfully gained access to one factor of authentication sending authentication requests over and over again in the hopes they will wear the end user out and get them to either accidentally or purposefully approve a request. Piker said there have been several public reports of this method’s success.

“The important thing is to remind users that if they see a lot of unusual activity like this, they should report it to their security team as quickly as possible and change their passwords,” Piker said.
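The pattern Piker describes has a recognizable shape in authentication logs: a burst of push prompts to one user, a run of denials, and then an approval. The following detector is an added example written for this article, not code from Secureworks or any vendor quoted here; the log format, field names and threshold values are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push events (assumed format, not from the article):
# "<ISO timestamp> <user> <outcome>" where outcome is sent, denied or approved.
SAMPLE_LOG = """\
2022-09-20T02:13:05Z alice sent
2022-09-20T02:13:12Z alice denied
2022-09-20T02:13:40Z alice sent
2022-09-20T02:13:48Z alice denied
2022-09-20T02:14:10Z alice sent
2022-09-20T02:14:19Z alice denied
2022-09-20T02:14:50Z alice sent
2022-09-20T02:15:02Z alice approved
2022-09-20T09:00:01Z bob sent
2022-09-20T09:00:09Z bob approved
"""

WINDOW = timedelta(minutes=10)   # assumed: look at prompts inside a 10-minute window
MAX_PROMPTS = 3                  # assumed: more than this many prompts in WINDOW is a burst

def parse(log_text):
    """Parse log lines into sorted (timestamp, user, outcome) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, outcome))
    return sorted(events)

def find_prompt_bombing(log_text):
    """Return {user: (prompts, denials, approved_in_window)} for each user whose
    push history shows a burst of prompts; a True third element means a prompt was
    approved inside the same window, i.e. the fatigue attack may have succeeded."""
    by_user = defaultdict(list)
    for ts, user, outcome in parse(log_text):
        by_user[user].append((ts, outcome))
    findings = {}
    for user, evs in by_user.items():
        sent = [ts for ts, o in evs if o == "sent"]
        for i, start in enumerate(sent):          # slide a window over each prompt
            end = start + WINDOW
            prompts = sum(1 for t in sent[i:] if t <= end)
            if prompts > MAX_PROMPTS:
                denials = sum(1 for ts, o in evs if o == "denied" and start <= ts <= end)
                approved = any(o == "approved" and start <= ts <= end for ts, o in evs)
                findings[user] = (prompts, denials, approved)
                break                              # one finding per user is enough
    return findings
```

A finding with denials followed by an approval is the case to escalate first, since it matches the "wear the user down until they approve" outcome described above.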

Another method attackers are seeing success with is session hijacking, said Piker. In this technique, an attacker sends a phishing email with a link to a legitimate log-in site, but with a transparent proxy in between so that the attacker can steal credentials and session keys and continue to work with an authenticated session. Piker said to avoid this type of attack, security teams should train users never to log in from a link found in an email. Instead, they should go directly to the URL of the MFA resource to initiate a log-in session.

Ransomware still the primary threat

Overall, the Secureworks report found that ransomware still remains the primary threat facing private and public organizations.

The researchers found that the median detection window for ransomware attacks in 2022 stands at 4.5 days. Loaders also remain an important component of the ransomware ecosystem, although use fluctuates between new and long-established options.

“Ransomware has proven a consistent payload that can be dropped into a target using any number of attack vectors that [attackers] can monetize,” said Coalfire’s Barratt. “With initial access brokers having ‘wholesale’ access to some environments, there’s a crime-as-a-service business model to this. Buy the initial access en masse from a broker — drop in your ransomware/malware toolkit and then exploit the victim for high payouts. This gives the criminals a very easy-to-determine ROI and means the initial access broker gets a quick payout and moves on.”
