Multi-factor authentication (MFA) bypass techniques, and the tooling built to counter them, are evolving rapidly. Some threat actors aim to defeat MFA for financial gain, while other groups seek to control the flow of information. Many organizations that Kroll works with each month say that they implemented MFA almost as a checkbox against a security requirement and then "set it and forget it." In this article, Kroll experts share some of the latest tactics used to bypass or neutralize MFA, as well as what organizations can do to strengthen their MFA-related protections as criminal groups work to defeat those "set and forget" deployments.
Lapsus$ and MFA Prompt Bombing
The threat actor group Lapsus$ has openly discussed techniques it has employed to defeat MFA, which aligns with what Kroll has observed in its research on the group and in the incident response engagements Kroll has been retained to investigate. One tried-and-true tactic that Lapsus$ has used with great success, MFA prompt bombing (also called MFA fatigue), aims to wear down recipients or capitalize on an accidental acceptance:
“No limit is placed on the amount of calls that can be made,” a member of Lapsus$ wrote on the group’s official Telegram channel. “Call the employee 100 times at 1 am while he is trying to sleep, and he will more than likely accept it. Once the employee accepts the initial call, you can access the MFA enrollment portal and enroll another device.”
Nation State Actors Reported Intercepting SMS Codes
Some threat actor groups were recently observed taking a more physical approach to bypassing MFA. The Computer Emergency Response Team of Ukraine (CERT-UA) published alert CERT-UA#4360 on April 5, 2022, stating that a nation-state actor attempted to intercept one-time SMS codes. As of this writing, it is unclear whether the actors used physical equipment on the ground to capture the codes in real time or to deny the target device access to the cellular network. Kroll continues to monitor this situation as details emerge.
Transparent Reverse Proxy Kits on the Rise
In reviewing CERT-UA#4360, Kroll assessed that the threat actors could also have used a transparent reverse proxy to capture the SMS codes: a victim who types a one-time code into a proxied login page hands it to whoever runs the proxy. For context, and in simple terms: when a user connects to a website, the organization hosting that site uses one or more web servers to answer the user's requests. The organization may choose to place a "reverse proxy" in front of those web servers, so that user requests and server replies are routed through it. A transparent reverse proxy relays the user's requests and the target web server's replies rather than serving a forged copy of the site, which is exactly what makes it useful to an attacker: the victim sees and interacts with the genuine site. Actors can either compromise a web server to stand up their reverse proxy or lure victims to the proxied copy of the site via links embedded in phishing email messages.
Transparent reverse proxy phishing has gained momentum as MFA adoption continues to rise. Duo Security reports that 79% of UK and U.S. users had deployed MFA in 2021, versus 53% in 2019. As a direct result, new kits to bypass MFA are emerging as threat actors and organized crime groups look for ways past this security layer.
These kits use a transparent reverse proxy to present the genuine website to the victim rather than a static clone. Because every request and response flows through the actor's machine, this is a man-in-the-middle attack that negates MFA: the proxy captures the username, password and one-time code as the victim types them, relays them to the legitimate site in real time so the login succeeds, and then captures the session cookie the site issues once MFA is satisfied. With that cookie the actor is already authenticated and never has to answer another MFA prompt, while the victim is passed through to the intended site and sees nothing unusual.
Notable kits used to perpetrate these attacks are Modlishka, Muraena/Necrobrowser and Evilginx2. They are free and easy to deploy, meaning that attackers with little technical ability can make use of them. Kroll assesses with high confidence that as the share of organizations using MFA grows, so will the use of these kits.
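The relay described above, reduced to a runnable model. This is an added example and is not code from the article or from any of the kits it names: the "legitimate site", its session handling and the proxy are simplified stand-ins, the victim account and password are constructed, and only the one-time-code arithmetic follows RFC 6238. It shows the two things that matter to a defender: the relayed TOTP code is accepted because it arrives within its validity window, and the session cookie captured afterwards keeps working long after that code has expired.

```python
"""Toy model of a transparent reverse-proxy phishing kit relaying TOTP MFA.

Added example, not code from the Kroll article or from Evilginx2, Modlishka
or Muraena. Server, sessions and proxy are simplified stand-ins; the TOTP
computation is RFC 6238 (HMAC-SHA1, 30 s step).
"""
import hashlib
import hmac
import secrets
import struct
import time

TOTP_STEP = 30


def totp(secret: bytes, for_time: float, digits: int = 6) -> str:
    """RFC 6238 TOTP, as an authenticator app computes it."""
    counter = int(for_time // TOTP_STEP)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class LegitimateSite:
    """The real login server: checks password + TOTP, then issues a session cookie."""

    def __init__(self):
        self.users = {}      # username -> (password, totp_secret)
        self.sessions = {}   # cookie -> username

    def enroll(self, username: str, password: str) -> bytes:
        secret = secrets.token_bytes(20)
        self.users[username] = (password, secret)
        return secret        # handed to the user's authenticator app

    def login(self, username, password, code, now):
        stored_pw, secret = self.users.get(username, (None, None))
        if stored_pw is None or not hmac.compare_digest(stored_pw, password):
            return None
        # accept the current step and one step either side, as many servers do
        valid = {totp(secret, now + d * TOTP_STEP) for d in (-1, 0, 1)}
        if code not in valid:
            return None
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = username
        return cookie

    def get_mailbox(self, cookie):
        """Protected resource: only the cookie matters, not who presents it."""
        user = self.sessions.get(cookie)
        return f"mailbox of {user}" if user else None


class ProxyKit:
    """Attacker's reverse proxy: forwards every field to the real site
    unchanged and records what passes through, including the cookie."""

    def __init__(self, upstream: LegitimateSite):
        self.upstream = upstream
        self.captured = []   # (username, password, code, cookie)

    def login(self, username, password, code, now):
        cookie = self.upstream.login(username, password, code, now)
        self.captured.append((username, password, code, cookie))
        return cookie        # the victim gets a working session and notices nothing


def run_scenario(now=None) -> dict:
    now = time.time() if now is None else now
    site = LegitimateSite()
    app_secret = site.enroll("alice", "correct horse")   # constructed victim account
    kit = ProxyKit(site)

    # Victim follows the phishing link and logs in "normally" through the proxy,
    # typing the code her authenticator app shows right now.
    victim_cookie = kit.login("alice", "correct horse", totp(app_secret, now), now)

    # Attacker uses what the proxy captured, well after the TOTP window closed.
    _, _, code, stolen_cookie = kit.captured[-1]
    later = now + 10 * TOTP_STEP
    return {
        "victim_logged_in": site.get_mailbox(victim_cookie) is not None,
        "stolen_cookie_works": site.get_mailbox(stolen_cookie) == "mailbox of alice",
        "replayed_code_works": site.login("alice", "correct horse", code, later) is not None,
    }


if __name__ == "__main__":
    print(run_scenario())
```

The short life of a TOTP code limits replay (the last result is false) but does nothing against real-time relay (the first two are true); that asymmetry is why the kits work against TOTP and SMS alike.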
Ultimately, adopting MFA is a step in the right direction for protecting access to your network. However, as attackers continue to evolve their techniques, Kroll suggests that organizations revisit and tighten their configurations. Unless properly implemented, MFA can give organizations a false sense of security that only becomes apparent when it is too late.
Seven Tips for Closing Multi-factor Authentication Gaps Before Actors Exploit Them
If your organization has adopted MFA, that’s great news. Adopting MFA means you understand the limitations of passwords and are taking positive steps to control who gets access to your data.
As this article shows, and Kroll's analysis of incident response (IR) engagements confirms, threat actors are increasingly undeterred when they encounter MFA at the edge of or within a victim environment. From experience, actors know that organizations often unwittingly leave gaps in MFA coverage, and they need only one opening to get in.
We often see in our IR work how MFA implementations can fall short and ultimately lead to crimes such as wire fraud, data exfiltration and ransomware. Worse yet, actors today move quickly once they gain access. Kroll has witnessed incidents where actors steal data or launch ransomware within two hours or less of gaining access.
In environments with enhanced security, Kroll has observed actors "living off the land," using tools already present on the system, to install malware or carry out attacks while staying one step ahead of defenders' other security measures. This is especially true once they have compromised, or even created, user accounts with elevated privileges.
Based on known threat actor activity and evolving tactics, Kroll recommends that organizations examine their MFA configurations and confirm or implement the following seven best practices as soon as possible.
- Adopt MFA for All Remote Access Accounts
Actors know that in many cases, organizations adopt MFA only for email access, and in some cases only for webmail access. This leaves other remote access paths, such as virtual private networks (VPN), virtual desktop infrastructure (VDI) and special-purpose portals, unprotected and open to unauthorized access. For example, hundreds of thousands of VPN credentials are available for sale on the dark web as a result of historical vulnerabilities in widely used VPN appliances, such as Fortinet FortiOS SSL VPN (CVE-2018-13379) and Citrix ADC/NetScaler Gateway (CVE-2019-19781). A stolen VPN password is a complete credential only where the VPN login has no second factor.
- Be Careful With Conditional Access Rules That Weaken MFA Policies
Allowing exceptions for certain domains or locations, even for traffic from approved office networks, creates another gap in MFA coverage that actors are quick to seize on. For example, Kroll has seen actors use wireless guest networks to gain access to a victim's environment with ease. As our colleagues observed in the linked article, when administrators allow users with valid credentials to log in without MFA from a "named location," such as within corporate offices, this "means a threat actor in the vicinity of the targeted company and in possession of valid credentials may be able to connect to the wireless guest network, which often uses the same IP address range as the corporate network, and sign into a M365 [Microsoft 365] account without satisfying MFA requirements."
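A quick way to find this class of gap is to pull the conditional access policies (for Microsoft 365, the Graph `conditionalAccessPolicy` resource) and walk them for exclusions. The check below is an added example, not code from the article or from Microsoft; the two policies are constructed in the shape of that resource, and the display names and object IDs in them are made up. The weak policy is the named-location exemption the quoted passage describes, plus a group exemption of the kind discussed in the next tip; the hardened policy keeps only the break-glass account exclusion.

```python
"""Audit conditional access policies for exclusions that let a valid
password in without MFA. Added example, not from the article; policies
are constructed in the Microsoft Graph conditionalAccessPolicy shape with
made-up names and IDs."""

# constructed object ID of the emergency-access account that may stay excluded
BREAK_GLASS = {"00000000-0000-0000-0000-00000000b61a"}

WEAK_POLICY = {
    "displayName": "Require MFA - all users",
    "state": "enabled",
    "conditions": {
        "users": {
            "includeUsers": ["All"],
            "excludeUsers": sorted(BREAK_GLASS),
            # constructed: a group of senior staff exempted "for convenience"
            "excludeGroups": ["00000000-0000-0000-0000-0000000000e1"],
        },
        "applications": {"includeApplications": ["All"]},
        "locations": {
            "includeLocations": ["All"],
            # every named location marked trusted, typically the office egress
            # IPs, which the guest wireless network often shares
            "excludeLocations": ["AllTrusted"],
        },
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

HARDENED_POLICY = {
    "displayName": "Require MFA - all users",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": sorted(BREAK_GLASS), "excludeGroups": []},
        "applications": {"includeApplications": ["All"]},
        "locations": {"includeLocations": ["All"], "excludeLocations": []},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}


def mfa_gaps(policy: dict, break_glass=BREAK_GLASS) -> list:
    """Return human-readable findings for one policy; empty means no gap found."""
    findings = []
    name = policy.get("displayName", "<unnamed>")
    conds = policy.get("conditions", {})
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls", [])

    if "mfa" not in controls:
        return [f"{name}: does not grant on MFA, not an MFA policy"]
    if policy.get("state") != "enabled":
        findings.append(f"{name}: state is {policy.get('state')!r}, so it enforces nothing")
    if len(controls) > 1 and grant.get("operator") == "OR":
        others = [c for c in controls if c != "mfa"]
        findings.append(f"{name}: OR with {others} lets a sign-in skip MFA when any other control is met")

    loc = conds.get("locations", {})
    if loc.get("excludeLocations"):
        findings.append(f"{name}: excludes locations {loc['excludeLocations']} from MFA")

    users = conds.get("users", {})
    if users.get("excludeGroups"):
        findings.append(f"{name}: excludes groups {users['excludeGroups']} from MFA")
    extra = set(users.get("excludeUsers", [])) - set(break_glass)
    if extra:
        findings.append(f"{name}: excludes users {sorted(extra)} beyond the break-glass accounts")

    apps = conds.get("applications", {})
    if apps.get("includeApplications") != ["All"]:
        findings.append(f"{name}: covers only applications {apps.get('includeApplications')}")
    if apps.get("excludeApplications"):
        findings.append(f"{name}: excludes applications {apps['excludeApplications']}")
    return findings


if __name__ == "__main__":
    for policy in (WEAK_POLICY, HARDENED_POLICY):
        print(policy["displayName"], mfa_gaps(policy) or "no gaps found")
```

Run it over every policy in the tenant, not just the one named "MFA": a second, report-only or narrowly scoped policy is a common way the intended coverage quietly shrinks.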
- Require MFA for Everyone Who Can Remotely Access Your Network
Savvy actors know that organizations often create MFA exceptions for certain individuals. Common reasons include a person's seniority, trusted vendor status, operational limitations (e.g., facilities where mobile telephones are not permitted or lack reception) or privacy-related issues (e.g., persons protected by collective bargaining agreements whose personal telephones cannot be used for mandated business purposes). Actors actively target these individuals and groups in a number of ways, from phishing attacks to purchasing compromised credentials from dark web sources. Further, Kroll suggests that remote access be restricted to the smallest group of users who require it; at a minimum, administrative and service accounts should not be able to gain remote access.
- Avoid Push-style MFA Solutions. Opt for Time-based One-time Password (TOTP) Tools
In Kroll’s IR experience, users frequently approve MFA application pushes (as well as telephone-call-based MFA) with the rationale, “I want to make sure my computer doesn’t stop working” or “I was getting so many alerts, I just wanted my phone to stop buzzing,” even when they have done nothing that would have triggered an MFA prompt. As with phishing attacks, actors know that by simply playing the odds, sooner or later someone at the organization will accept the push that opens the door to unauthorized access. In Kroll’s experience, individuals are far more likely to accept a fraudulent MFA app push on a Friday evening.
On the other hand, TOTP-based MFA puts prompt bombing out of reach: there is no push to approve, so an actor holding only the password cannot get in by wearing the user down. It does not, however, stop the reverse proxy kits described earlier, which relay a TOTP code to the real site within its 30-second validity window; the code's short life limits replay, not real-time relay. Only an authenticator bound to the site's origin, such as a FIDO2/WebAuthn security key, resists that class of attack. While Kroll has seen cases where actors directed MFA prompts to telephone numbers they added to a user’s account, these remain relatively rare and usually reflect a strategic rather than opportunistic attack on a target. Kroll suggests that organizations disallow MFA via app-based push, telephone call or SMS text and allow only the TOTP code-generation function of an MFA app or a physical token code generator.
- Act on Every Impossible Travel Style Alert
It is important to regularly review Azure AD sign-in logs for logins that are not consistent with authorized use of a user account. Impossible travel alerts, where two sign-ins by the same account are separated by a distance no one could cover in the time between them, can be an excellent early indicator that actors capitalized on a gap in MFA coverage or bypassed MFA in some way, e.g., by exploiting a software vulnerability such as CVE-2019-11510 (Pulse Secure). Adopt the posture that a successful MFA approval does not necessarily mean the user is the user you are expecting.
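The check itself is simple enough to run over an exported sign-in log when the built-in alert is not available or you want to tune the threshold. The code below is an added example, not from the article or from Microsoft. The records are constructed in a cut-down version of the Graph `signIn` resource shape (`userPrincipalName`, `createdDateTime`, `ipAddress`, `status.errorCode`, `authenticationRequirement`, `location.geoCoordinates`); the coordinates are approximate city centres and the 900 km/h ceiling is an assumption you can tune. Each finding records whether the second sign-in satisfied MFA, which is the case the tip above is about.

```python
"""Impossible-travel check over sign-in log entries. Added example, not from
the article. Records are constructed in a reduced Microsoft Graph signIn
shape; 900 km/h (faster than any airliner) is the assumed ceiling."""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900
SAME_AREA_KM = 50        # below this, a change of egress IP is routine, not travel

def _signin(user, when, ip, city, country, lat, lon, error=0, auth="multiFactorAuthentication"):
    return {"userPrincipalName": user, "createdDateTime": when, "ipAddress": ip,
            "status": {"errorCode": error}, "authenticationRequirement": auth,
            "location": {"city": city, "countryOrRegion": country,
                         "geoCoordinates": {"latitude": lat, "longitude": lon}}}

SIGNINS = [  # constructed sample log
    _signin("alice@example.com", "2022-04-08T09:02:00+00:00", "203.0.113.10", "Chicago", "US", 41.88, -87.63),
    _signin("alice@example.com", "2022-04-08T10:01:00+00:00", "198.51.100.77", "Lagos", "NG", 6.52, 3.38),
    _signin("bob@example.com", "2022-04-08T09:00:00+00:00", "203.0.113.12", "Chicago", "US", 41.88, -87.63),
    _signin("bob@example.com", "2022-04-08T11:00:00+00:00", "198.51.100.9", "Milwaukee", "US", 43.04, -87.91),
    # a failed password guess from abroad says nothing about where carol is
    _signin("carol@example.com", "2022-04-08T09:05:00+00:00", "203.0.113.14", "Chicago", "US", 41.88, -87.63),
    _signin("carol@example.com", "2022-04-08T09:06:00+00:00", "198.51.100.77", "Lagos", "NG", 6.52, 3.38, error=50126),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(signins, max_kmh=MAX_PLAUSIBLE_KMH, same_area_km=SAME_AREA_KM):
    """One finding per pair of consecutive successful sign-ins by the same
    user whose implied speed exceeds max_kmh."""
    by_user = {}
    for s in signins:
        if s["status"]["errorCode"] != 0:
            continue
        by_user.setdefault(s["userPrincipalName"], []).append(s)

    findings = []
    for user, events in by_user.items():
        events.sort(key=lambda e: datetime.fromisoformat(e["createdDateTime"]))
        for prev, cur in zip(events, events[1:]):
            t0 = datetime.fromisoformat(prev["createdDateTime"])
            t1 = datetime.fromisoformat(cur["createdDateTime"])
            hours = (t1 - t0).total_seconds() / 3600
            g0 = prev["location"]["geoCoordinates"]
            g1 = cur["location"]["geoCoordinates"]
            km = haversine_km(g0["latitude"], g0["longitude"], g1["latitude"], g1["longitude"])
            if km < same_area_km:
                continue
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                findings.append({
                    "user": user,
                    "from": f'{prev["location"]["city"]} ({prev["ipAddress"]})',
                    "to": f'{cur["location"]["city"]} ({cur["ipAddress"]})',
                    "km": round(km), "hours": round(hours, 2), "kmh": round(speed),
                    "mfa_satisfied": cur["authenticationRequirement"] == "multiFactorAuthentication",
                })
    return findings


if __name__ == "__main__":
    for f in impossible_travel(SIGNINS):
        print(f)
```

On the sample data only alice is flagged: Chicago to Lagos in under an hour with MFA satisfied on the second sign-in, which is exactly the "approved, but not by the user" case to treat as an incident. Bob's Chicago-to-Milwaukee pair and carol's failed attempt from abroad are not.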
- Configure MFA Services to Fail “Closed”
Many MFA services require an application running on the organization’s local network to connect to the directory service. That component can fail or be interrupted for several reasons, such as a distributed denial of service (DDoS) attack from the internet, an attacker who has already gained access to the environment cutting it off, or ordinary connectivity problems. In these cases, organizations can choose for the service to fail “open,” i.e., allow access without MFA, or fail “closed,” i.e., prevent all access until MFA can be restored. Kroll highly recommends the fail “closed” setting; check the vendor’s terminology, because a mode labelled “safe” or “bypass” usually means fail open. Organizations may not be comfortable with the thought of users losing access to network resources and the resulting operational disruption. However, an actor gaining unauthorized access can cause far greater and longer-lasting harm to an organization’s operations, assets and reputation.
- Audit New and Unknown Devices Registered to Your MFA Service
With user-level access, threat actors can quietly add devices to a user’s MFA profile, allowing them to gain and maintain access as they approve MFA pushes or generate codes on their own actor-controlled devices. Keep an inventory of all devices registered to your MFA service, review every new or unknown device routinely, and treat a registration that closely follows a sign-in from an unfamiliar location as an incident to investigate rather than a routine change.
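Reviewing registrations by hand does not scale, so the check below scores each new registration against the inventory and the user's own sign-in history; it is an added example, not from the article or from any vendor. Event shapes are simplified and all sample data is constructed (real Entra ID audit-log and sign-in exports carry more fields, so map the names when wiring it up), and the seven-day history window and 60-minute proximity window are assumptions to tune. The Lapsus$ pattern quoted at the top of the article, enrolling a new device immediately after a fraudulent approval, is the case it is built to catch.

```python
"""Flag MFA security-info registrations that deserve a second look. Added
example, not from the article; event shapes are simplified and all data
below is constructed. Window sizes are assumptions."""
from datetime import datetime, timedelta

HISTORY = timedelta(days=7)      # a country first seen inside this window counts as new
RECENT = timedelta(minutes=60)   # registration this soon after a new-country sign-in is suspect
PHONE_METHODS = ("Phone", "SMS", "Voice")   # methods the article says not to allow

# devices known to belong to each user (constructed inventory)
BASELINE = {
    "alice@example.com": {"Microsoft Authenticator: iPhone 13"},
    "bob@example.com": {"Microsoft Authenticator: Pixel 6"},
}

# successful sign-ins (constructed)
SIGNINS = [
    {"user": "alice@example.com", "time": "2022-03-28T08:50:00+00:00", "ip": "203.0.113.10", "country": "US"},
    {"user": "alice@example.com", "time": "2022-04-08T08:55:00+00:00", "ip": "203.0.113.10", "country": "US"},
    {"user": "alice@example.com", "time": "2022-04-08T23:12:00+00:00", "ip": "198.51.100.77", "country": "NG"},
    {"user": "bob@example.com", "time": "2022-03-29T09:00:00+00:00", "ip": "203.0.113.12", "country": "US"},
    {"user": "bob@example.com", "time": "2022-04-08T09:10:00+00:00", "ip": "203.0.113.12", "country": "US"},
]

# security-info registration events (constructed)
REGISTRATIONS = [
    {"user": "alice@example.com", "time": "2022-04-08T23:15:00+00:00", "ip": "198.51.100.77",
     "country": "NG", "method": "Phone (SMS)", "device": "Phone: +1 555 0100"},
    {"user": "bob@example.com", "time": "2022-04-08T09:30:00+00:00", "ip": "203.0.113.12",
     "country": "US", "method": "Microsoft Authenticator", "device": "Microsoft Authenticator: Pixel 6"},
]


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


def audit_registrations(registrations, signins, baseline, history=HISTORY, recent=RECENT):
    """Return one finding per registration with at least one reason to review it."""
    findings = []
    for reg in registrations:
        user, when = reg["user"], _t(reg["time"])
        reasons = []

        if reg["device"] not in baseline.get(user, set()):
            reasons.append("device not in inventory")

        earlier = [s for s in signins if s["user"] == user and _t(s["time"]) < when]
        # countries this user was already signing in from before the history window
        established = {s["country"] for s in earlier if _t(s["time"]) < when - history}
        if reg["country"] not in established:
            reasons.append(f"registered from {reg['country']}, not seen before the last {history.days} days")

        fresh = [s for s in earlier
                 if when - _t(s["time"]) <= recent and s["country"] not in established]
        if fresh:
            mins = int((when - _t(fresh[-1]["time"])).total_seconds() // 60)
            reasons.append(f"follows a sign-in from new country via {fresh[-1]['ip']} {mins} min earlier")

        if reg["method"].startswith(PHONE_METHODS):
            reasons.append("phone-based method (SMS/voice) added")

        if reasons:
            findings.append({"user": user, "device": reg["device"], "time": reg["time"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_registrations(REGISTRATIONS, SIGNINS, BASELINE):
        print(f["user"], f["device"], *f["reasons"], sep="\n  ")
```

Bob re-registering a device already in the inventory from his usual country produces nothing; alice's new phone number, registered three minutes after a first-ever sign-in from another country, is flagged on every count.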
Strengthening MFA policies and implementations is imperative, especially given the speed and evasive tactics being employed by actors today. Kroll’s systems assessment and testing team can provide guidance, as well as hands-on help, with the most effective use of MFA in your network environment.