Bypassing MFA
Rajeev Kumar
Director | Cyber Security Trainer | SME | Security Architect | Public Speaker | NGO | Founder
Independent of which authentication technology you use, implementation flaws and misconfigurations can lead to successful MFA bypass attacks
1. Disabling/Weakening Multifactor Authentication
This occurs when an attacker with administrative access modifies a configuration to disable or weaken the organization's ability to enforce MFA policies, for example by adding their own address range to the trusted-IP (named location) list that is exempt from MFA. The attacker can then connect from their own infrastructure without ever being prompted for the second factor. Because the change is made through a legitimate admin interface, it survives password resets and is easy to miss unless the policy configuration is baselined and changes to it are alerted on.
2. Directly Bypassing MFA
This is when an attacker uses techniques that grant persistent access without ever completing MFA. There are two common variants: the user is lured into installing a malicious application (or consenting to a malicious OAuth app) that obtains its own tokens while remaining under the attacker's control, or the attacker exploits a weakness in the second factor itself, such as intercepting the SMS one-time code (for example via SIM swapping or a real-time phishing proxy that relays the code).
Example: a red-teaming engagement performed by Synopsys on the o9 environment.
3. Exploiting Authorized MFA Exceptions
This is seen most often in organizations that use public cloud environments. The attacker identifies accounts that are deliberately exempt from MFA, such as service accounts, break-glass accounts or accounts allow-listed by location, and attacks them directly with password spraying or credential stuffing. Alternatively, the attacker targets legacy authentication protocols that cannot carry an MFA challenge, such as POP3, IMAP or authenticated SMTP on a mail server: a single valid password is enough to read a mailbox over these protocols even when the same user is "protected" by MFA in the browser.
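As an added example (not from the original article), the audit below puts sections 1 and 3 into code: it diffs a policy's trusted-IP exemptions against an approved baseline, then classifies every successful sign-in that completed without MFA. The policy shape, the field names in the sign-in records and the records themselves are constructed for illustration and do not correspond to any vendor's export format.

```python
"""Audit MFA enforcement gaps: trusted-IP exemptions that drifted from the
approved baseline, and successful sign-ins that never completed MFA.
Added example; policy/log shapes are hypothetical, not a vendor format."""
import ipaddress

# Constructed baseline: the exemption ranges the organisation intends to have.
BASELINE_TRUSTED = ["203.0.113.0/24"]

# Constructed live policy export; the second range was added by an attacker.
CURRENT_POLICY = {
    "mfa_required": True,
    "trusted_ip_ranges": ["203.0.113.0/24", "198.51.100.0/24"],
}

# Password-only protocols that cannot carry an MFA challenge.
LEGACY_PROTOCOLS = {"POP3", "IMAP4", "SMTP"}

# Constructed sign-in records (not real logs).
SIGNINS = [
    {"user": "alice@example.com", "ip": "203.0.113.10", "protocol": "Browser", "mfa": False, "result": "success"},
    {"user": "svc-backup@example.com", "ip": "192.0.2.7", "protocol": "Browser", "mfa": False, "result": "success"},
    {"user": "bob@example.com", "ip": "192.0.2.8", "protocol": "Browser", "mfa": True, "result": "success"},
    {"user": "carol@example.com", "ip": "198.51.100.5", "protocol": "Browser", "mfa": False, "result": "success"},
    {"user": "dave@example.com", "ip": "192.0.2.9", "protocol": "IMAP4", "mfa": False, "result": "success"},
    {"user": "erin@example.com", "ip": "192.0.2.10", "protocol": "Browser", "mfa": False, "result": "failure"},
]


def policy_drift(policy, baseline):
    """Trusted-IP ranges present in the live policy but absent from the baseline."""
    approved = {ipaddress.ip_network(r) for r in baseline}
    live = [ipaddress.ip_network(r) for r in policy["trusted_ip_ranges"]]
    return sorted(str(n) for n in live if n not in approved)


def in_ranges(ip, ranges):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r) for r in ranges)


def find_mfa_gaps(signins, policy, baseline):
    """Classify every successful sign-in that did not complete MFA.

    Returns (user, category, detail) tuples. Categories, most to least severe:
      legacy_protocol      password-only protocol; MFA could not apply (section 3)
      drifted_trusted_ip   exempted by a range that is not in the baseline (section 1)
      account_exception    MFA is required and the IP is not exempt, so the
                           account itself must be excluded (section 3)
      baseline_trusted_ip  exempt by design; review, but expected
    """
    findings = []
    for s in signins:
        if s["result"] != "success" or s["mfa"]:
            continue
        if s["protocol"] in LEGACY_PROTOCOLS:
            findings.append((s["user"], "legacy_protocol", s["protocol"]))
        elif in_ranges(s["ip"], baseline):
            findings.append((s["user"], "baseline_trusted_ip", s["ip"]))
        elif in_ranges(s["ip"], policy["trusted_ip_ranges"]):
            findings.append((s["user"], "drifted_trusted_ip", s["ip"]))
        elif policy["mfa_required"]:
            findings.append((s["user"], "account_exception", s["ip"]))
        else:
            findings.append((s["user"], "mfa_not_required", s["ip"]))
    return findings


if __name__ == "__main__":
    print("policy drift:", policy_drift(CURRENT_POLICY, BASELINE_TRUSTED))
    for finding in find_mfa_gaps(SIGNINS, CURRENT_POLICY, BASELINE_TRUSTED):
        print(finding)
```

Running it reports the drifted 198.51.100.0/24 range and four sign-ins to look at: Carol's success from the drifted range, Dave's IMAP4 session that MFA could never have covered, the svc-backup account that is excluded from the policy outright, and Alice's sign-in from the approved range as an expected but reviewable exemption. Bob, who completed MFA, and Erin, who failed, are not reported.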
4. Stolen SAML Signing Certificate
This technique has been known for a while; however, it gained notoriety when it was used in the SolarWinds campaign (aka Solorigate). It occurs when an attacker steals the private key of the identity provider's SAML token-signing certificate (typically from an AD FS server) and uses it to mint assertions, which lets the attacker control every field of the SAMLResponse (username, group memberships and permission set, validity period, and more). By analogy with a Kerberos golden ticket, this is called a Golden SAML attack. It is incredibly difficult to detect because the forged assertion is cryptographically valid and looks legitimate to the service provider, which underscores the need for continuous monitoring and threat detection as users go beyond the perimeter.
The Golden SAML attack seen in the SolarWinds breach is an example of a complex MFA bypass tactic. SAML lets employees use single sign-on (SSO) across multiple applications by establishing a trust relationship between each application (the service provider) and the identity provider: the application accepts any assertion signed by the identity provider's token-signing certificate. This is very useful, especially when MFA is enforced at the identity provider, because every application inherits it. However, if an attacker gains admin access to the identity provider server and extracts the private key, it is game over. The attacker can sign their own SAML responses for any user, with any claims and any validity period, and present them directly to the applications; the identity provider is never contacted, so no password check, MFA prompt or sign-in event occurs there. If you implement SAML, protect the signing key and the server holding it as tier-0 assets (ideally keeping the key in an HSM), rotate the certificate as soon as compromise is suspected, and correlate application sign-ins with identity-provider issuance logs so that an assertion the identity provider never issued stands out.
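An added example (not the article's or any vendor's code) of the correlation check described above: assertions accepted by a service provider are matched against the identity provider's own issuance log, and their validity window is compared with the identity provider's configured token lifetime. The log shapes, issuer URL, assertion IDs, users and the one-hour lifetime policy are all constructed for illustration.

```python
"""Golden SAML detection by correlation. Added example with constructed data:
every assertion a service provider accepts should match an issuance event at
the identity provider, and its validity window should not exceed IdP policy."""
from datetime import datetime, timedelta

# Assumed identity-provider facts (hypothetical values).
IDP_ISSUER = "https://sts.example.com/adfs/services/trust"
IDP_MAX_LIFETIME = timedelta(hours=1)

# Constructed IdP issuance log: one record per assertion the IdP really signed.
IDP_ISSUED = [
    {"assertion_id": "_a1", "user": "alice@example.com", "mfa": True},
    {"assertion_id": "_a2", "user": "bob@example.com", "mfa": True},
]

# Constructed service-provider log: assertions presented to the application.
SP_CONSUMED = [
    {"assertion_id": "_a1", "user": "alice@example.com", "issuer": IDP_ISSUER,
     "not_before": "2024-03-01T09:00:00", "not_on_or_after": "2024-03-01T10:00:00"},
    {"assertion_id": "_a2", "user": "bob@example.com", "issuer": IDP_ISSUER,
     "not_before": "2024-03-01T09:05:00", "not_on_or_after": "2024-03-01T10:05:00"},
    # Forged offline with the stolen signing key: valid signature, never seen
    # by the IdP, privileged subject, one-year validity.
    {"assertion_id": "_x9", "user": "admin@example.com", "issuer": IDP_ISSUER,
     "not_before": "2024-03-01T09:10:00", "not_on_or_after": "2025-03-01T09:10:00"},
]


def detect_golden_saml(consumed, issued, issuer=IDP_ISSUER, max_lifetime=IDP_MAX_LIFETIME):
    """Return (assertion_id, user, reasons) for each suspicious consumed assertion."""
    issued_by_id = {r["assertion_id"]: r for r in issued}
    alerts = []
    for a in consumed:
        reasons = []
        if a["issuer"] != issuer:
            reasons.append("unexpected_issuer")
        rec = issued_by_id.get(a["assertion_id"])
        if rec is None:
            reasons.append("no_idp_issuance")      # the hallmark of Golden SAML
        elif rec["user"] != a["user"]:
            reasons.append("subject_mismatch")     # ID reused but subject rewritten
        elif not rec["mfa"]:
            reasons.append("issued_without_mfa")
        window = (datetime.fromisoformat(a["not_on_or_after"])
                  - datetime.fromisoformat(a["not_before"]))
        if window > max_lifetime:
            reasons.append("lifetime_exceeds_policy")
        if reasons:
            alerts.append((a["assertion_id"], a["user"], reasons))
    return alerts


if __name__ == "__main__":
    for alert in detect_golden_saml(SP_CONSUMED, IDP_ISSUED):
        print(alert)
```

Two caveats follow from the threat model. The identity provider host is the thing that was compromised, so its log is only trustworthy if it is forwarded off-host in near real time; an attacker with admin on the server can otherwise delete or fabricate issuance records. And the check assumes the service provider's sign-in logs expose the assertion identifier and validity window; where they do not, fall back to matching on user, timestamp and source address, which is noisier but still catches a token that was never issued.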
5. Session Reuse
Attackers compromise a system or browser that already holds an authenticated session, eliminating the need to authenticate at all. Many MFA deployments let a device stay trusted for a long period (30 days is a common default) before the user, application or system must reauthenticate, giving the attacker ample time to establish persistent access.
The "pass-the-cookie" attack is one such example, and here is how it works. Once a user authenticates, the server sets a session cookie in the browser so the user does not have to authenticate on every request. The cookie is usually valid for just that session or a short period, but depending on the implementation an attacker who steals it (via malware, a malicious browser extension or an adversary-in-the-middle phishing proxy) can replay it to reach your services without reauthenticating and without ever seeing an MFA prompt, because the prompt was answered when the cookie was issued.
Even worse, after the first authentication some desktop applications obtain a long-lived refresh token (not to be confused with the short-lived access token) that lets the user keep using the application for months before reauthentication is required. To limit exposure to pass-the-cookie, reduce the lifetime of those cookies and tokens with an absolute expiry and an idle timeout (without forcing users to reauthenticate multiple times per day), bind sessions to the client where feasible, and make sure that sign-out, password reset and risk events revoke the session server-side rather than only deleting the cookie in the browser.
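Added example, not from the article: a minimal server-side session store that implements the advice above. Each session has an absolute lifetime and an idle timeout, so a stolen cookie is replayable only for a bounded window; it is also bound to a coarse client fingerprint and can be revoked server-side on a password reset. The lifetimes, the fingerprint inputs (User-Agent plus the /24 of the source address) and the injected clock are assumptions chosen for illustration, not a standard.

```python
"""Bounding pass-the-cookie: server-side sessions with an absolute lifetime, an
idle timeout, client binding and explicit revocation. Added example; the
lifetimes and fingerprint inputs are assumptions, not a standard."""
import hashlib
import hmac
import secrets
import time

ABSOLUTE_LIFETIME = 24 * 3600   # re-authenticate at least once a day
IDLE_TIMEOUT = 2 * 3600         # a replayed cookie dies after 2h of inactivity


def client_fingerprint(user_agent, ip):
    """Coarse client binding: User-Agent plus the /24 of the source address.
    A /24 tolerates NAT and DHCP churn but not a replay from another network."""
    prefix = ".".join(ip.split(".")[:3])
    return hashlib.sha256(f"{user_agent}|{prefix}".encode()).hexdigest()


class SessionStore:
    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so expiry can be exercised in tests
        self.sessions = {}          # session id -> record

    def create(self, user, fingerprint):
        sid = secrets.token_urlsafe(32)   # 256-bit random id, never derived from user data
        now = self.clock()
        self.sessions[sid] = {"user": user, "fp": fingerprint, "created": now, "last_seen": now}
        return sid

    def validate(self, sid, fingerprint):
        """Return (user, status). Any status other than 'ok' means the cookie is dead."""
        s = self.sessions.get(sid)
        if s is None:
            return None, "unknown"
        now = self.clock()
        if now - s["created"] > ABSOLUTE_LIFETIME:
            self.sessions.pop(sid)
            return None, "absolute_expired"
        if now - s["last_seen"] > IDLE_TIMEOUT:
            self.sessions.pop(sid)
            return None, "idle_expired"
        if not hmac.compare_digest(s["fp"], fingerprint):
            self.sessions.pop(sid)          # treat as theft: kill the session, do not just deny
            return None, "client_mismatch"
        s["last_seen"] = now                # sliding window inside the absolute cap
        return s["user"], "ok"

    def revoke_user(self, user):
        """Server-side revocation on password reset or a risk event. Deleting the
        browser's cookie alone would leave a stolen copy valid."""
        dead = [sid for sid, s in self.sessions.items() if s["user"] == user]
        for sid in dead:
            self.sessions.pop(sid)
        return len(dead)


def demo():
    """Walk sessions through legitimate use, replay from another client, expiry and revocation."""
    now = [1_700_000_000.0]                       # fake clock, advanced by hand
    store = SessionStore(clock=lambda: now[0])
    fp = client_fingerprint("Mozilla/5.0", "192.0.2.10")
    sid = store.create("alice@example.com", fp)
    results = [store.validate(sid, fp)[1]]                                   # ok
    now[0] += 3600
    results.append(store.validate(sid, fp)[1])                               # ok, idle window slides
    stolen_from_elsewhere = client_fingerprint("curl/8.0", "198.51.100.7")
    results.append(store.validate(sid, stolen_from_elsewhere)[1])            # client_mismatch
    sid2 = store.create("alice@example.com", fp)
    now[0] += ABSOLUTE_LIFETIME + 1
    results.append(store.validate(sid2, fp)[1])                              # absolute_expired
    sid3 = store.create("alice@example.com", fp)
    now[0] += IDLE_TIMEOUT + 1
    results.append(store.validate(sid3, fp)[1])                              # idle_expired
    sid4 = store.create("alice@example.com", fp)
    store.revoke_user("alice@example.com")                                   # e.g. password reset
    results.append(store.validate(sid4, fp)[1])                              # unknown
    return results


if __name__ == "__main__":
    print(demo())
```

The client-binding check is deliberately coarse: binding to the full source address breaks mobile users whose address changes mid-session, while a /24 plus User-Agent still defeats the common case of a cookie exfiltrated to attacker infrastructure. A long-lived refresh token for a desktop application would be handled the same way, with the absolute lifetime set in days rather than hours and revocation keyed to the user.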