Mon, May 23, 2022
Multi-factor authentication (MFA) exploits and countermeasure tooling are evolving in real time and at a rapid pace. Some threat actors aim to bypass this security feature for financial gain, while other groups seek to control the flow of information. Many organizations that Kroll works with every month convey to Kroll that they implemented MFA, almost as a checkbox for a security requirement, and then “set it and forget it.” In this article, Kroll experts share some of the latest tactics used to bypass or neutralize MFA, as well as what organizations can do to enhance their MFA-related protections as criminal groups look to meet and overcome the “set and forget” MFA systems protecting networks.
The threat actor group Lapsus$ has openly discussed techniques it has employed to defeat MFA, which aligns with what Kroll has observed both in its research of the group and in the investigations Kroll has been retained to conduct. One tried-and-true tactic that Lapsus$ has used with great success—MFA prompt bombing—aims to wear down recipients or capitalize on an accidental acceptance:
“No limit is placed on the amount of calls that can be made,” a member of Lapsus$ wrote on the group’s official Telegram channel. “Call the employee 100 times at 1 am while he is trying to sleep, and he will more than likely accept it. Once the employee accepts the initial call, you can access the MFA enrollment portal and enroll another device.”
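The pattern described above (a burst of push prompts to one user, most rejected or timed out, followed by an approval) is something a defender can look for in MFA provider logs. The following detection logic is an added example written for this article; it is not Kroll's tooling, and the log format, field names and threshold values are assumptions. The sample lines are constructed to mirror the 1 a.m. scenario in the quote.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA push log (not from any real provider). The
# "timestamp user=... method=... result=..." layout is an assumption.
SAMPLE_LOG = """\
2022-05-23T01:00:05Z user=alice method=push result=denied
2022-05-23T01:00:40Z user=alice method=push result=timeout
2022-05-23T01:01:10Z user=alice method=push result=denied
2022-05-23T01:01:45Z user=alice method=push result=timeout
2022-05-23T01:02:20Z user=alice method=push result=denied
2022-05-23T01:03:05Z user=alice method=push result=approved
2022-05-23T01:03:30Z user=bob method=push result=approved
2022-05-23T09:15:00Z user=bob method=push result=denied
""".splitlines()


def parse_line(line: str):
    """Split one log line into a datetime and a dict of key=value fields."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, fields


def detect_prompt_bombing(lines, window_minutes: int = 10, threshold: int = 5):
    """Flag users who receive `threshold` or more push prompts inside a
    sliding window of `window_minutes`. Each alert records how many of the
    prompts in the window were rejected/timed out and whether the current
    prompt is an approval that follows a run of rejections, which is the
    "wear them down until they accept" outcome the quote describes."""
    recent = defaultdict(deque)  # user -> deque of (timestamp, result)
    alerts = []
    for line in lines:
        ts, f = parse_line(line)
        if f.get("method") != "push":
            continue  # only push prompts can be "bombed"
        q = recent[f["user"]]
        q.append((ts, f["result"]))
        # Drop prompts that fell out of the window.
        while q and ts - q[0][0] > timedelta(minutes=window_minutes):
            q.popleft()
        if len(q) >= threshold:
            rejected = sum(1 for _, r in q if r in ("denied", "timeout"))
            alerts.append({
                "user": f["user"],
                "at": ts,
                "prompts_in_window": len(q),
                "rejected_in_window": rejected,
                # Approval arriving after (threshold - 1) or more rejections
                # is the highest-priority signal: investigate and revoke.
                "approved_after_bombing": f["result"] == "approved"
                                          and rejected >= threshold - 1,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_prompt_bombing(SAMPLE_LOG):
        print(alert)
```

In the sample, alice trips the threshold on her fifth prompt and the sixth prompt is an approval following five rejections, so the last alert carries `approved_after_bombing=True`; bob's two prompts are hours apart and never alert. Tune the window and threshold to the provider's normal retry behaviour before putting this in production.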
Some threat actor groups were recently observed taking a more physical approach to bypass MFA. The Computer Emergency Response Team of Ukraine (CERT-UA) published CERT-UA#4360 on April 5, 2022, in which they stated that a nation-state attempted to intercept one-time SMS codes. As of this writing, it is unclear if actors were using physical systems on the ground designed to capture this information in real time or deny access to the cellular network from the target device. Kroll continues to monitor this situation as details emerge.
In reviewing CERT-UA#4360, Kroll assessed that threat actors could potentially also have used a transparent reverse proxy to intercept the SMS codes. For context and in simple terms, when a user seeks to connect to a website on the internet, the organization hosting that target website employs one or more web servers to communicate with users. The organization may choose to employ a “reverse proxy,” one or more servers that sit in front of the web servers. User requests are routed to and from this reverse proxy server. Transparent reverse proxies do not change or otherwise modify the user’s requests or the target web server’s replies. Actors can either compromise a web server to set up their reverse proxy or lure victims to the mirrored website via embedded links in phishing email messages.
Transparent reverse proxy has seen recent momentum and usage as MFA adoption continues to rise. Duo Security reports that 79% of UK and U.S. users deployed MFA in 2021 versus 53% in 2019. As a direct result, new kits to bypass MFA are emerging as threat actors and organized crime groups seek ways to overcome this security layer.
These kits utilize a transparent reverse proxy to present the actual website that the actors want the victim to log into. The attack relies on presenting the actual website to the victim and invoking a man-in-the-middle attack, which completely negates the use of MFA, as all of the user’s information flows through the actor’s machine. At this point, the actors intercept the user’s information and credentials before relaying the user on to the legitimate, intended website.
Notable kits on the market to perpetrate these attacks are Modlishka, Muraena/Necrobrowser and Evilginx2. These kits are easy to deploy and available for free, meaning that attackers with low technical ability could easily make use of them. Kroll assesses with high confidence that as the portion of the market using MFA grows, so will the use of kits.
Ultimately, adopting MFA is a step in the right direction for better protecting your network access. However, as attackers continue to evolve their techniques, Kroll suggests organizations enhance their configurations. Unless properly implemented, MFA can give organizations a false sense of security that only becomes apparent when it’s too late.
If your organization has adopted MFA, that’s great news. Adopting MFA means you understand the limitations of passwords and are taking positive steps to control who gets access to your data.
As this article shows, and Kroll’s analysis of incident response (IR) events confirms, threat actors are increasingly not deterred when they encounter MFA at the edge of or within a victim environment. From experience, actors know organizations often unwittingly create gaps in MFA coverage—and they just need one opening to get in.
We often see in our IR work how MFA implementations can fall short and ultimately lead to crimes such as wire fraud, data exfiltration and ransomware. Worse yet, actors today move quickly once they gain access. Kroll has witnessed incidents where actors steal data or launch ransomware within two hours or less of gaining access.
In environments with enhanced security, Kroll has observed actors using techniques to “live off the land” and ultimately install malware or carry out attacks by staying one step ahead of defenders’ other security measures. This is especially true if they have been able to compromise, or even create, user accounts with elevated privileges.
Based on known threat actor activity and evolving tactics, Kroll recommends that organizations examine their MFA configurations and confirm or implement the following seven best practices as soon as possible.
On the other hand, TOTP-based MFA will put access out of reach for most actors. While Kroll has seen cases where actors directed MFA prompts to telephone numbers they added to a user’s account, these are still relatively rare and usually reflect a more strategic, rather than opportunistic, attack on a target. Kroll suggests that organizations do not allow MFA via app-based push, telephone call or SMS text and only allow MFA via the TOTP code generation function of an MFA app or a physical token code generator.
Strengthening MFA policies and implementations is imperative, especially given the speed and evasive tactics being employed by actors today. Kroll’s systems assessment and testing team can provide guidance, as well as hands-on help, with the most effective use of MFA in your network environment.