Apr 27 2023
Security

How Cybercriminals Foil Multifactor Authentication, and What to Do About It

Hackers successfully breached three organizations with MFA in place last year. Here’s how they did it, and how you can avoid being the next victim.

Cybercriminals depend on compromised or stolen credentials to breach networks and have spent a great deal of energy in recent years trying to overcome multifactor authentication systems, which provide an additional defense layer should someone’s username and password become successfully compromised.

In 2022, they had some high-profile successes, said Dave Taku, senior director of product management and user experience design at RSA Security, a maker of identity management products including MFA. He spoke at RSA 2023, the large cybersecurity conference taking place through March 27 in San Francisco.

Taku, whose company started the event decades ago but is no longer involved in running it, addressed some difficult questions about whether MFA was beginning to falter as a defense tactic against ever-savvier threat actors.

He argued that the technology is sound. The problem — as usual in cybersecurity — is people. He detailed what happened in three attacks that succeeded despite the fact that the organizations had deployed MFA solutions.

“The reality is that none of these attacks were against the authentication technology,” he said. “They bypassed the authentication technology with some very old-school means.”


Why More Organizations Are Adopting MFA

Multifactor authentication is rapidly becoming regarded as basic security hygiene in a zero-trust network architecture world. The pandemic that jump-started the ongoing digital work revolution also prompted organizations to deploy MFA to secure those digital workspaces.

By 2021, about 62 percent of large organizations were using it, by one estimate. “At the same time, in 2022, we saw some of the most significant attacks ever on MFA systems,” Taku said. “So, why are these attacks on the rise?”

On some level, Taku said, MFA is a victim of the very trend it is meant to enable. He argued that the attack surface has widened considerably as people work remotely full- or part-time, often using their own devices.

“We’re protecting people everywhere,” he said. “Mobile has really changed the game, where it’s become imperative that we not only protect the assets of the company but to propel the business forward and make information readily available to our constituents. All these things are massively disrupting the way we used to do things before, and it’s creating all these ways for attackers to exploit chinks in the armor.”


The Russian-sponsored hackers who attacked an unnamed U.S. nongovernmental organization last year certainly found some vulnerabilities.

The episode began as a brute-force attack targeting the weak password of a former NGO employee. With no limits in place on the number of unsuccessful log-in attempts that would trigger an automatic lockdown of the account, and no one monitoring the “orphan account” of a former employee, the attackers eventually guessed correctly.

The hackers used the orphan account to enroll in the MFA system itself, with only a username and password required. This was another mistake, Taku said: Stronger authentication should have been required of those enrolling in the MFA program.

“Here we have a problem where you can have a strong credential but a weak process for issuing that credential,” he said. “That compromised password was the only thing required to enroll in MFA. From there, the hacker had access to everything.”


Lessons Learned From Successful MFA Hacks

One lesson is an old one: Require strong passwords or eliminate them entirely. Another is to ensure that you’re not relying on the default settings of the tools you use, including MFA tools. In addition to failing to set an account lockout policy, the NGO failed to securely configure its MFA enrollment process.

“Your MFA credential is only as strong as the enrollment process that gets you there,” Taku said.

The second breach occurred when a company’s subcontractor, which was providing customer support services, was breached through a “VPN compromise,” the details of which have never been made clear, Taku said. Once it was in the network, the attacker found a file whose filename made clear that it contained domain information on the company’s MFA deployment.

The third successful breach involved a growing tactic referred to as “prompt bombing,” in which a hacker, having compromised an end user’s username and password, simply begins attempting to log in, prompting repeated authentication messages to be sent to the end user. Often, the end user will eventually approve the request, perhaps misunderstanding what’s happening.


Not this time, though. “The employee kept getting these push messages and kept hitting ‘deny, deny, deny.’ So, the attacker calls him up and says, ‘Hey, I’m with the company help desk; we’re running a test, can you please press “approve” this time?’ And the guy says, ‘OK!’”

Human error was the cause of all three breaches, Taku noted. In some cases, mistakes were made by end users who fell victim to social engineering; in others, the errors were made by IT professionals in configuration and policy setting. Most of the time, there were mistakes on both sides. For example, in the third case, the employee had been granted access to key PowerShell assets for which he had no use, making life much easier for the hacker.
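As an added example (not code from the article or from RSA), the small Python detector below runs over a constructed authentication log and flags the two patterns behind the first and third breaches: a burst of failed logins that a lockout policy should have stopped but which ended in a successful sign-in, and a run of denied MFA push prompts followed by an approval. The log format, account names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the article): "ISO-timestamp account event outcome".
SAMPLE_LOG = """\
2023-04-20T01:00:05 former_employee login fail
2023-04-20T01:00:09 former_employee login fail
2023-04-20T01:00:14 former_employee login fail
2023-04-20T01:00:21 former_employee login fail
2023-04-20T01:00:33 former_employee login success
2023-04-20T09:15:00 asmith mfa_push deny
2023-04-20T09:15:20 asmith mfa_push deny
2023-04-20T09:15:45 asmith mfa_push deny
2023-04-20T09:18:10 asmith mfa_push approve
2023-04-20T10:00:00 bjones login success
"""

def parse_log(text):
    """Parse the flat log into sorted (timestamp, account, event, outcome) tuples."""
    rows = [line.split() for line in text.splitlines() if line.strip()]
    return sorted((datetime.fromisoformat(ts), a, e, o) for ts, a, e, o in rows)

def burst_alerts(events, event_type, outcome, threshold, window):
    """Sliding-window rule: per account, fire once `threshold` events of `event_type` with
    `outcome` fall inside `window`; map the account to the outcome of its next such event."""
    per_account = defaultdict(list)
    for ev in events:
        per_account[ev[1]].append(ev)
    alerts = {}
    for account, evs in per_account.items():
        recent = []  # timestamps of matching events still inside the window
        for i, (ts, _, etype, out) in enumerate(evs):
            if etype != event_type or out != outcome:
                continue
            recent = [t for t in recent if ts - t <= window] + [ts]
            if len(recent) >= threshold:
                later = [o for _, _, e, o in evs[i + 1:] if e == event_type]
                alerts[account] = later[0] if later else None  # None: nothing followed
                break
    return alerts

def missing_lockout(events, threshold=4, window=timedelta(minutes=10)):
    """Accounts that absorbed `threshold` failed logins and still logged in (no lockout)."""
    hits = burst_alerts(events, "login", "fail", threshold, window)
    return {a: o for a, o in hits.items() if o == "success"}

def push_fatigue(events, threshold=3, window=timedelta(minutes=5)):
    """Accounts hit with repeated denied push prompts; an 'approve' afterwards is the
    prompt-bombing-then-help-desk-call pattern from the third breach."""
    return burst_alerts(events, "mfa_push", "deny", threshold, window)
```

Run against the sample, the first rule reports the dormant account that was guessed through and the second reports the user who eventually tapped approve; a benign account with a single successful login produces no alert.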

“Criminals may start with a stolen credential but quickly benefit from the fact that the user whose credential they stole has access to things he shouldn’t,” Taku said.

Multifactor authentication continues to be a critical defense tool in the age of remote work, Taku said, but it’s no substitute for well-implemented policies and attention to basic security hygiene. “We’ve got to solve, fundamentally, the human problem,” he said. “We have to understand better how people think.”


Photo Courtesy of RSA Conference 2023