Webinar:
First Line of Defense: Menlo Secure Enterprise Browser
Icon Rounded Closed - BRIX Templates

The art of MFA Bypass: How attackers regularly beat two-factor authentication

Neko Papez
|
April 23, 2023
linkedin logotwitter/x logofacebook logoSocial share icon via eMail

Whether it’s cloud-based productivity suites, powerful analytics platforms, the largest of enterprise ERP systems, and every application in between — to get work done, the web browser is the modern go-to application interface. Unfortunately, it also means that the web browser is the go-to target for modern attackers. This profoundly impacts the nature of current attack techniques and the effectiveness of traditional security defenses — or the lack thereof.

In fact, threat actors are increasingly leveraging evasive attack techniques that enable them to successfully bypass the typical security defenses enterprises have in place, such as inspections performed by Secure Web Gateways (SWG), malicious link analysis, anti-malware analysis, sandboxing, network traffic analysis, as well as defenses based on domain categorization, among many other so-called “solutions.” These attacks move too quickly for traditional security tools to keep up with contemporary, highly-evasive attack techniques that target the web browser. And, because attackers are effectively targeting the web browser, security defenses that don’t directly defend the web browser are very likely to fail.

One such highly evasive attack technique involves multi-factor authentication (MFA) bypass attacks. Because the use of MFA has increased in recent years for both consumer and enterprise authentication, attackers have shown considerable interest, and success, in learning how to bypass MFA.

What are MFA bypass attacks?

MFA bypass attacks refer to techniques cybercriminals use to circumvent the additional layers of security provided by MFA, such as one-time passwords, digital tokens, or biometric authentication, and gain unauthorized access to sensitive data and systems. Also known as single sign-on (SSO) impersonation, these attacks allow threat actors to exploit the trust in SSO systems such as Okta, LastPass, and OneLogin, to gain unauthorized access to multiple related services. Attackers use various methods in MFA bypass attacks, including social engineering, phishing, and exploiting vulnerabilities in the authentication process.

When attackers target MFA systems, they are trying to exploit one or more specific MFA components — such as the password (something the user knows), the token (something the user has), or the biometric (something the user is). Organizations must remain diligent and employ the proper security defenses to stop these attacks.

Next, we look at some of the more common MFA bypass techniques that have been successfully used against businesses.

How MFA bypass attacks work

There are three common types of MFA bypass attacks that we see target organizations. They are MFA fatigue, man-in-the-middle, and token theft.

MFA fatigue

This is an attack in which, after having obtained stolen username and password credentials, attackers attempt repeated logins to the targeted users’ accounts. For those organizations where users have push or SMS notifications enabled as part of their MFA protection, the targeted users are bombarded with login verification requests. Often, through sheer frustration or by accident, users will eventually click on the link or confirmation request. That action then gives the threat actor a way in.

Man-in-the-middle

This attack is sometimes called session hijacking or real-time phishing. When threat actors only needed to target username and password combinations, they’d typically establish a fake authentication webpage and attempt to trick users into entering their credentials. With MFA so widely used today, attackers need both the username/password combination and the digital token or one-time password used as the second form of authentication. Unfortunately, this is proving easier to do than many had previously hoped.

In these attacks, threat actors insert themselves between the targeted end user and the legitimate login page. Often, victims will receive an out of band request to access their MFA provider–through an SMS text or email–that users are enticed to click on, which then directs them through a malicious proxy server to the legitimate login page. With the proxy sitting in line, the attackers can capture the credentials and then modify the session cookie and immediately access the targeted company’s systems. We expect to see many more variations of these types of attacks.

Token theft

So that users don’t have to re-authenticate during their sessions, “session cookies” are stored on endpoint devices. Threat actors steal these session cookies. The session cookies are then placed within the attacker’s session, which tricks the browser into believing the actual trusted user is being authenticated. Once in, the attacker can do everything the trusted user was enabled to do with that same cookie.

Recent examples of MFA bypass attacks

MFA fatigue attack evidence

MFA bypass attacks have indeed been grabbing headlines of late. One example was the recent breach of Uber’s IT systems last fall. In that “MFA fatigue” attack, the threat actor convinced Uber employees they were from Uber’s IT department. After continuous attempts to get the users to approve a login request, Uber employees were eventually either worn down or tricked into approving.

Man-in-the-middle attack evidence

Reddit reported earlier this year that threat actors successfully captured employee usernames, passwords, and two-factor authentication tokens. Reddit CTO Christopher Slowe detailed the incident on their site. “On late (PST) February 5, 2023, we became aware of a sophisticated phishing campaign that targeted Reddit employees. As in most phishing campaigns, the attacker sent out plausible-sounding prompts pointing employees to a website that cloned the behavior of our intranet gateway in an attempt to steal credentials and second-factor tokens,” Slowe wrote.

Similar attacks targeted Twilio and Cloudflare. And researchers at Stony Brook University have shown how man-in-the-middle phishing attacks, thanks to widespread kits such as Evilginx, Modlishka, and Muraena, are increasing.

Token theft attack evidence

The ransomware group known as Lapsus$ recently employed a token theft attack. The group claimed to have purchased a stolen session cookie from an Electronic Arts employee on the recently-shuttered criminal bazaar known as Genesis Marketplace. The stolen cookies enabled cybercriminals to access EA’s Slack instance. This eventually led to Lapsus$ grabbing 780GB of EA’s data, including game and graphics engine source code. The group then subsequently used that data to attempt to extort Electronic Arts.

The insidious nature of evasive attack techniques

These evasive attacks are significant because they show how vulnerable enterprise systems and data fall prey to skillful attackers. They also take advantage of the proliferation of network and endpoint security tools that have not evolved to protect web browsers and their increased use. These existing solutions were designed to protect the network layer — not the web browser, which these modern attacks target.

MFA bypass attacks that targeted organizations such as EA, Reddit, Twilio, Uber, and others were successful because they evaded existing security tools, including content categorization engines, URL filtering, secure email gateways, and enterprise anomaly detection capabilities, in addition to bypassing MFA. Many endpoints targeted were personal devices that the enterprise security team did not manage or secure. These devices are sitting targets for attackers, with little to no security.

Because of their evasive nature, we categorize these threats as Highly Evasive Adaptive Threats (HEAT). HEAT attacks arose during the increase in remote work and the hybrid workforce, cloud migration, and the accelerated adoption of software-as-a-service (SaaS) applications. HEAT attacks utilize techniques that successfully avoid the detection-based security tools in place today, and target the productivity software used by all knowledge workers today: the web browser.

HEAT attacks, such as MFA bypass attacks, are particularly dangerous because they happen in real time. This allows malicious actors to take advantage of an organization's vulnerabilities before conventional security measures like web filters can be updated. The effectiveness of these HEAT attacks also stems from their use of social engineering techniques, such as impersonating tech support staff or overwhelming users with repeated authentication requests, which deceive individuals into compromising their security.

Since a certain proportion of end users will inevitably succumb to social engineering tactics, and these attacks are too rapid for signature-based defenses, organizations must take measures to halt them while in progress. To effectively counteract such attacks, it is essential to stop them within the user's web browser.

MFA bypass prevention

To successfully defend against MFA bypass and other HEAT techniques, enterprises must focus their security efforts on preventative solutions that provide visibility into the browser. They need to be able to detect and respond to these evasive attacks as they occur in real-time. And security teams need to put their efforts where the attackers put theirs: inside the web browser. Just as threat actors adjust their tactics in real-time, enterprises need to be able to apply adaptive security controls that can enforce security defenses directly within the web browser. This is how to stop attacks before they impact devices or systems and expose data.

Blog Category
Tagged