Why Are We Still Attacked by Hackers Even Though We Have MFA?

2024.09.19

In 2023 , a survey of 2,600 IT professionals by the well-known cybersecurity company KnowBe4 showed that there is still a significant difference in security practices between large organizations and small and medium-sized organizations. Although only 38 % of large organizations have not yet protected their user accounts by enabling multifactor authentication ( MFA ) , as many as 62% of small and medium-sized organizations have not implemented any MFA at all.

However, the good news is that with the popularity of password-free methods and the growth of application complexity, MFA methods are being used more and more. In the post-epidemic era, the Biden administration of the United States issued an executive order on improving national cybersecurity in 2021. As a follow-up, Google also made MFA requirements for all its employees that year. After that, all types of logins for Microsoft for Azure strengthened their authentication practices, aiming to enhance IT operations and encourage comprehensive and continuous authentication in all applications. Surveys show that two-thirds of ordinary users currently use MFA to log in frequently, and the number of enterprise administrators who use MFA for login protection is as high as 90% .

Is MFA foolproof?

At present, most people have already appreciated the advantages of MFA in enhancing security. However, there are problems with the specific implementation of MFA, which is inconsistent and even uneven. This often confuses business security managers and their users. Of course, sometimes MFA users will also bear additional workloads due to the addition of more authentication factors. This inherent inconvenience also increases the barriers of MFA.

If you pay attention, you will find that various attacks that bypass MFA have been reported repeatedly in the news . For example, there have been recent reports that a group launched a spear-phishing attack against small businesses that have installed Microsoft 365. In addition, Okta also suffered a series of cyber attacks in 2022. These attacks stole the source code stored in GitHub by infecting the supply chain . Moreover , two of the separate attacks stole a large number of user credentials and destroyed the portal pages supported by them. As an identity authentication service provider, Okta did not provide very transparent information about the incident. This has raised questions about whether MFA has been implemented correctly.

Notable MFA threat patterns

Before we start discussing the most common hacking techniques, let’s first look at some typical MFA failure cases . In general, they can be summarized into the following three threat modes:

  1. MFA fatigue, or push bombing , works by sending a large number of authorization requests ( usually in the form of dense SMS messages) until the user becomes overwhelmed and approves the request , granting access to the attacker . For example , the security incident that occurred at Uber in 2022 belongs to this category . Ironically , the more widely MFA is enabled , the more successful MFA fatigue attacks will be. "The level of MFA adoption we have achieved has incentivized adversaries to bypass this control , " Jennifer Golden of Cisco Duo wrote in a 2022 blog post .
  2. Attackers also use a combination of social engineering and phishing attacks to disrupt the overall authentication process of the system and trick users into giving up their MFA tokens. Changes in user behavior ( such as the intensive use of remote work during the epidemic and the Olympics ) are often exploited by attackers . Arctic Wolf wrote in a recent blog : "Combining social engineering with MFA fatigue attacks will greatly increase the success rate of attackers . After all , it is easy to create a false sense of trust.
  3. Targeting non-MFA users and applications with weak passwords is the third As mentioned earlier, while MFA adoption has increased significantly, it is far universal , and attackers can still find unprotected systems and users to carry out corresponding attacks . For example, a few years ago , Akira ransomware attackers used Cisco networks without MFA configured to infiltrate target organizations and use brute force to obtain user credentials. Everyone must still remember the Colonial Pipeline attack in 2021. At that time, analysts found that it was caused by the leakage of a single password on a traditional network that did not run any MFA . Such weak passwords have been used in Cisco network switches connected to a very "long-lived" application . Despite the company's warning in a 2017 blog post, this feature continues to be exploited.

Common MFA attack methods

Among the various threats mentioned above, the following three types of MFA attacks are usually used .

  1. Poor mobile security. Mobile smartphones are an important point of entry into corporate networks , and attackers will use various methods , such as replacing SIM cards , to achieve their goals . For example, attackers can try to convince the customer service staff of the telecommunications service provider that they are the legitimate SIM card owner, so that they can obtain SMS authentication messages. Of course, other methods also include directly attacking the cellular service provider 's network itself.
  2. Incomplete MFA authentication workflow. Typically, the authentication workflow of an enterprise is complex , and users can choose to access and call applications directly through web portals, smartphone applications , and application program interfaces (APIs) . At the same time, they can connect through various ports , local networks, or private networks using different operating systems . All of this means that when we test MFA , we must consider various situations and try to block MFA code- level attacks launched by middlemen in the supply chain or man-in-the-browser in the browser .
  3. Attacks against cookies , such as pass-the-cookie and stolen session cookies. These often occur because the website does not enforce session inactivity limits , allowing attackers to use these imperfect cookies to bypass MFA . You can find more details at the link provided by KnowBe4 .

Strategies to prevent MFA attacks

Given the above vulnerabilities, we need to build a more complete MFA without sacrificing user experience . Here are some suggestions to ensure the success of your MFA strategy .

  • First, understand what you are trying to protect. “Cyberthreat attackers often target email systems, file servers, and remote access systems to gain access to an organization’s data, while also attempting to compromise identity servers such as Active Directory so they can create new accounts or take control of existing user accounts,” CISA (the U.S. Cybersecurity and Infrastructure Security Agency) said in its 2022 fact sheet .CISA recommends that you consider using FIDO -enabled systems for the most important components protected by MFA , such as hardware keys used by the most sensitive applications. The FIDO Alliance has published a series of white papers on how enterprises can better implement such methods . RSA has provided an in-depth discussion through the link , which is worth your careful reading .
  • Second , all authentication should be risk-based and automatically and dynamically adjust security protection based on the user's behavior at any given moment . In other words, old methods that only use single access control need to be replaced or integrated in a timely manner . Currently , many authentication products are able to couple MFA into their adaptive authentication process .This should be coupled with a careful assessment of access rights. Given that, most of the time, once users are provisioned with access rights, there is no subsequent review or adjustment of permissions, IT security personnel should "ensure that employees can only access and complete the limited data required for their job responsibilities," Abnormal Security wrote in a blog post .
  • In addition, please do not ignore the password reset process , which is often a common point of attack for attackers . Mitnick Security mentioned in a blog post in April this year : "Surprisingly, there are many websites that do not provide two-factor verification for their 2FA reset password process , or they simply provide a mechanism that does not force users to use MFA ."
  • Thirdly , we should conduct assessments to identify users who are most likely to be targeted . CISA wrote in its report : "Every organization has a small number of user accounts with additional access rights . They tend to be high -value targets coveted by cyber attackers . " Therefore, in the initial implementation of the MFA project , we should focus on the control of groups including IT operations, system administrators, lawyers , and HR managers .
  • In fact, each of the above points should be part of the analysis of the overall MFA workflow . Of course, this is nothing new. As early as 2021 , Gerhard Giese, who works at Akamai , pointed out in a blog post that MFA is not always an effective defense against credential stuffing attacks . He said that IT managers need to "re-examine existing authentication workflows and login interfaces to ensure that attackers cannot discover valid credentials by querying the response of the web server , as well as implement effective management against botnet attacks ."

In summary, through comprehensive planning, implementation, and testing, MFA technology should become part of the enterprise's critical security infrastructure internally and become the driving force for implementation in response to government and regulatory requirements externally .