Hackers have found multiple ways to bypass multifactor authentication (MFA), while nine out of ten security professionals still believe that MFA provides complete protection against account takeover, a cybersecurity firm warns.
Multi-factor authentication is often touted as a silver bullet guarding users against account takeover when their passwords get compromised. However, hackers already anticipate this hurdle and have prepared counterattacks. Cybercriminals are launching millions of attacks aimed at bypassing MFA.
Proofpoint's 2024 State of the Phish report reveals that over 1 million attacks were launched every month using just a single MFA-bypass framework, EvilProxy, a phishing-as-a-service toolkit.
“Yet 89% of security professionals consider MFA a complete protection against account takeover. Clearly, there’s a disconnect,” the firm said.
Threat actors are using at least six ways to bypass MFA, and many of the tactics are highly sophisticated:
- Phishing attacks: Cybercrooks trick users into entering MFA codes or their login credentials into websites that are controlled by attackers.
- MFA fatigue attacks: Once threat actors have obtained a user’s password, they initiate a barrage of MFA push notifications. They attempt to confuse users. Victims often approve the access request just to make the notifications stop.
- Session hijacking: Attackers use infostealer malware and other means to steal session cookies post-authentication. This makes the preceding MFA-based authentication irrelevant.
- SIM-swapping: If users rely on SMS-delivered codes for MFA, attackers might attempt to have the target's phone number transferred to a SIM they control. To accomplish this, the threat actor needs to socially engineer the mobile carrier or have an insider at the carrier.
- Social engineering: Another way hackers can obtain sensitive credentials is just by asking. Companies often provide a way for remote workers to reset their passwords and MFA configurations without having to show up in person. Without proper online identity verification, attackers can trick the IT helpdesk into handing over the credentials of the employee they are impersonating.
- Adversary-in-the-middle attacks: Attackers intercept session tokens using tools such as the specialized phishing kit Evilginx. Those tokens are then relayed to legitimate services, which grant attackers access.
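Two of the patterns above, MFA fatigue and post-authentication session hijacking, leave traces in authentication logs. The following is an added example (not Proofpoint's code or anything from the report) that runs simple detection heuristics over a constructed log; the record format, event names and thresholds are assumptions.

```python
"""Detection heuristics for MFA fatigue and session-cookie reuse.

Added example, not Proofpoint's code. The log format is an assumption:
each record is a dict with keys ts (epoch seconds), user, event, ip,
and sid for session-use events.
"""
from collections import defaultdict

# Constructed sample authentication log (not real data).
SAMPLE_LOG = [
    {"ts": 1000, "user": "alice", "event": "mfa_push_sent", "ip": "203.0.113.5"},
    {"ts": 1010, "user": "alice", "event": "mfa_push_sent", "ip": "203.0.113.5"},
    {"ts": 1020, "user": "alice", "event": "mfa_push_sent", "ip": "203.0.113.5"},
    {"ts": 1030, "user": "alice", "event": "mfa_push_sent", "ip": "203.0.113.5"},
    {"ts": 1040, "user": "alice", "event": "mfa_push_sent", "ip": "203.0.113.5"},
    {"ts": 1045, "user": "alice", "event": "mfa_push_approved", "ip": "203.0.113.5"},
    {"ts": 2000, "user": "bob", "event": "mfa_push_sent", "ip": "198.51.100.7"},
    {"ts": 2005, "user": "bob", "event": "mfa_push_approved", "ip": "198.51.100.7"},
    {"ts": 2010, "user": "bob", "event": "session_use", "ip": "198.51.100.7", "sid": "s1"},
    {"ts": 2100, "user": "bob", "event": "session_use", "ip": "192.0.2.99", "sid": "s1"},
]


def mfa_fatigue(log, window=300, threshold=4):
    """Return users who received at least `threshold` push prompts within
    `window` seconds: the barrage-of-prompts pattern described in the text."""
    prompts = defaultdict(list)
    for rec in log:
        if rec["event"] == "mfa_push_sent":
            prompts[rec["user"]].append(rec["ts"])
    flagged = set()
    for user, times in prompts.items():
        times.sort()
        for i in range(len(times)):
            # Sliding window: count prompts within `window` seconds of times[i].
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                flagged.add(user)
                break
    return flagged


def session_reuse(log):
    """Return (user, sid) pairs whose session was presented from more than one
    IP after authentication, the footprint of a stolen session cookie."""
    ips = defaultdict(set)
    for rec in log:
        if rec["event"] == "session_use":
            ips[(rec["user"], rec["sid"])].add(rec["ip"])
    return {key for key, seen in ips.items() if len(seen) > 1}
```

Both checks are deliberately simple; in production the session check would also compare user agent and geolocation, and the fatigue check would weight prompts that were denied before one was approved.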
Previously, researchers even managed to bypass Microsoft’s MFA implementation simply by guessing 6-digit codes. Microsoft claims that MFA can prevent 99% of account compromise attacks.
Proofpoint argues that MFA alone is not enough.
“No doubt, MFA adds a valuable layer of user authentication security. And this makes it harder for threat actors to break in. But the bypass techniques that are described above show why it’s so risky to rely on any single security defense mechanism,” the firm said.
“Attackers can adapt to overcome broadly deployed protections.”
What can you do?
Proofpoint suggests that MFA should be part of a larger defense-in-depth strategy, in which additional layers of security reduce the likelihood of a successful attack even if one layer is breached.
MFA tools are not all equal, so it is recommended to adopt phishing-resistant MFA. More secure MFA methods include hardware security keys (FIDO2) and biometrics.
Strengthening endpoint protection by deploying EDR (endpoint detection and response) tools is one layer to identify and mitigate unauthorized access at the host level.
“Invest in defenses against credential phishing. Most threat actors prefer to use highly targeted, socially engineered phishing attacks to target your users’ credentials,” Proofpoint said.
Other measures include installing specialized account takeover security systems capable of detecting, investigating, and automatically responding to cloud account takeovers, educating users to recognize phishing attempts, and planning for incident response and recovery.
“Prepare for worst-case scenarios. Make sure to have a well-defined incident response plan that includes a way to quickly revoke access tokens and investigate suspicious logins.”