Threat actors, however, are keeping up with the growing enterprise usage of MFA and are consistently developing ways to evade the added security it provides.
For many years, Microsoft has pushed for the adoption of multi-factor authentication (MFA) to thwart intruders.
Researchers from Mandiant and Mitiga have more recently described various methods through which attackers might (mis)use Microsoft MFA to their advantage.
Attacks including SIM swapping, vulnerability exploitation, rogue apps, antiquated authentication protocols, MFA prompt bombing (also known as MFA weariness), stolen session cookies, and (custom) phishing kits with MFA-bypassing functionality have already been observed.
Most businesses and platforms that use MFA let customers enrol their first MFA device during the subsequent login. Because only the proper username and password are required for that, an attacker who knows these can enter the account and disable MFA.
APT29 (also known as Cozy Bear or Nobelium) and other threat actors have developed a new strategy that involves taking advantage of the MFA self-enrollment process in Azure Active Directory and other systems, according to Douglas Bienstock, an IR manager at Mandiant, who released it last week.
“In one instance, APT29 conducted a password guessing attack against a list of mailboxes they had obtained through unknown means. The threat actor successfully guessed the password to an account that had been setup, but never used. Because the account was dormant, Azure AD prompted APT29 to enroll in MFA. Once enrolled, APT29 was able to use the account to access the organization’s’ VPN infrastructure that was using Azure AD for authentication and MFA,” Bienstock explained.
Mandiant advises businesses to check that every active account has at least one MFA device registered, and to collaborate with their platform provider to add more verification steps to the MFA registration procedure.
Organizations can choose to require MFA for enrollment and issue Temporary Access Passes to employees when they first join or if they lose their MFA device using Conditional Access on Microsoft Azure AD, he continued. Organizations can also use Conditional Access to limit the registration of MFA devices to only trusted locations or trusted devices. Organizations are advised by Mandiant to make sure that every active account has at least one MFA device enrolled and to engage with their platform vendor to add more verifications to the MFA enrollment process.
Organizations can use Conditional Access on Microsoft Azure AD to limit the registration of MFA devices to only trusted locations or trusted devices, he continued, and they can decide to require MFA to enrol MFA and issue Temporary Access Passes to workers upon hire or in the event that they misplace their MFA device. “It is only obvious if one specifically looks for it. If one goes to the M365 security portal, they will see it; but most users never go to that place. It is where you can change your password without being prompted for it, or change an authenticator app. In day-to-day use, people only change passwords when mandated through the prompt, or when they change their phone and want to move their authenticator app,” Mitiga CTO Ofer Maor told Help Net Security.
Also, an isolated, random prompt for the second authentication factor triggered by the attacker can easily not be seen or ignored by the legitimate account owner. “They get prompted, but once the attacker authenticates on the other authenticator, that prompt disappears. There is no popup or anything that says ‘this request has been approved by another device’ (or something of that sort) to alert the user of the risk. Of course, the notification of the prompt on their phone may remain in the notification history, but if done when the user is not paying attention to their phone, it is likely to go away,” Maor noted.
He continued that the issue here was that Microsoft did not demand a new MFA challenge for accessing and switching user authentication methods. “This means that once an account has been compromised, even for an extremely short period of time, it is possible to create persistency using this technique, so an attacker can then reauthenticate with MFA when the session expires or is revoked. It is important to note that even if an organization puts a strict MFA expiration time of one day, it will still not prevent creating for the attacker with this technique.”
Additionally, he made note of how most users do not fully comprehend the MFA process or have the knowledge to pay attention to it, especially given how many things computers “don’t grasp.” “When we investigated it, the user eventually remembered that there was one time they were prompted, but then got into the app and there was nothing there (because by that time the attacker had already approved on their phone). They didn’t pay much attention to it though.”