You shall not Bypass! Preparing for MFA Bypass Attacks

Multi-factor Authentication (MFA) Bypass attacks are threat actors’ response to the proliferation of MFA in the ongoing arms race between defenders/Gandalf and attackers/the Balrog. MFA Bypass attacks are going through continuous innovation in 2023, with new techniques emerging and different methods trending up and down. We have currently identified at least eight popular categories of MFA Bypass attacks that we believe organisations should consider in their defence posture, and gaming these out has its advantages. The mysterious “they” say that a smart person learns from their mistakes but a wise person learns from the mistakes of others. This can be applied to MFA Bypass attacks, and a scenario-based approach is one way to achieve it. Plus, we really dig anything we can relate to Lord of the Rings.

Image: Lord of the Rings: The Fellowship of the Ring, the wizard Gandalf defends a pass against a large demon called a Balrog

The Merriam Webster Dictionary defines…

Admit it, we’ve all started a piece of writing this way. And whilst we won’t actually consult George and Charles Merriam or Noah Webster, we will briefly define MFA and MFA Bypass attacks. MFA refers to a security control that demands more than one authentication method to verify a user’s identity when attempting to log in to a system; popular examples include one-time passwords (OTPs), SMS verification codes, and physical tokens. Unsurprisingly, MFA Bypass is malicious activity focused on circumventing the protection MFA offers in order to gain unauthorised access to data, accounts, or systems. Example categories include:

  • MFA Fatigue: inundating a victim with MFA authentication requests until they crack and permit one.
  • MFA Reset: account recovery manipulation to bring the MFA under the attacker’s control.
  • User Social Engineering: tricking the legitimate MFA user to tell the attacker their MFA code (or similarly sensitive information).


MFA Bypass continues its rise

Adoption of good MFA in the workplace is still a little spotty, with Oort noting in their “State of Identity Security 2023” that the average company has 40.26% of accounts with either no MFA or weak MFA. However, that hasn’t stopped threat actors from increasingly investing time and resources into compromising the existing MFA accounts. Taking a quick glance backwards, Okta’s latest and similarly named “The State of Secure Identity” report (no comment on who copied whom) demonstrated a clear increase in MFA Bypass attacks per day in 2022 compared to the same months in 2021 and 2020.


Source: Auth0 (by Okta), 2022 State of Secure Identity Report (2022): https://auth0.com/resources/whitepapers/2022-state-of-secure-identity-report/

Although 2023 is not yet up, we have seen little (public) data or reason to believe MFA Bypass attacks are declining in 2023. Quite the opposite. To draw on one indicator, Proofpoint observed an increase in the spread of phishing kits embedded with MFA Bypass capabilities in Q1 2023, especially when looking at the 'Phishing-as-a-Service platform' EvilProxy.

Source: Proofpoint, 2023 Human Factor report (2023): https://www.proofpoint.com/uk/resources/threat-reports/human-factor



What we find interesting about MFA Bypass

In our research, we identified the eight most notable approaches to MFA Bypass to be as follows:

  • MFA Flooding
  • MFA Fatigue
  • Pass-the-cookie
  • Token Theft methods
  • SIM Swapping
  • MFA Reset
  • Attacker-in-the-Middle Proxy
  • Social Engineering

The most intriguing aspect of MFA Bypass is that MFA mostly represents a technical control to harden our credentials, yet many threat actors are responding with a human approach. Technical categories of MFA Bypass (e.g. Pass-the-Cookie attacks, Token Theft, and Attacker-in-the-Middle Proxy) obviously dominate, but many methods centre on targeting the user with social engineering (e.g. MFA Flooding & Fatigue). If a threat actor convinces a victim to volunteer their OTP, the investment an organisation made in strong processes and technology to mitigate MFA Bypass will fall flat - something the Lapsus$ group could attest to. We had only just got our employees used to adopting MFA; now we need to get them vigilant against MFA Bypass attacks targeting their social side.
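The MFA Fatigue and Flooding categories described above (a victim is inundated with push prompts until they approve one) leave a recognisable trace in identity-provider logs. The following is an added example, not code from the original article or from Venation: it runs two simple detections over a constructed MFA push log (timestamp, user, result), flagging a user who approved a push after a burst of rejected or timed-out ones, and a user who received an unusual volume of pushes in a short window. The log format and thresholds are assumptions to adapt to your own IdP's events.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real IdP): "<ISO timestamp> <user> <push result>"
SAMPLE_LOG = """\
2023-08-01T02:10:05Z alice denied
2023-08-01T02:10:41Z alice timeout
2023-08-01T02:11:20Z alice denied
2023-08-01T02:12:02Z alice denied
2023-08-01T02:12:55Z alice approved
2023-08-01T09:00:00Z bob approved
2023-08-01T09:30:00Z bob denied
2023-08-01T09:45:00Z bob approved
"""

def parse_log(text):
    """Parse the assumed 'timestamp user result' lines into (datetime, user, result)."""
    events = []
    for line in text.splitlines():
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events

def detect_mfa_fatigue(events, window=timedelta(minutes=10), min_rejections=3):
    """MFA Fatigue signal: an approval preceded by >= min_rejections denied/timed-out
    pushes within `window`. Returns {user: number of preceding rejections}."""
    per_user = defaultdict(list)
    for ts, user, result in sorted(events):
        per_user[user].append((ts, result))
    hits = {}
    for user, evs in per_user.items():
        for i, (ts, result) in enumerate(evs):
            if result != "approved":
                continue
            recent = [r for t, r in evs[:i] if ts - t <= window and r in ("denied", "timeout")]
            if len(recent) >= min_rejections:
                hits[user] = len(recent)
    return hits

def detect_mfa_flooding(events, window=timedelta(minutes=10), threshold=5):
    """MFA Flooding signal: >= threshold pushes to one user inside any `window`,
    regardless of outcome. Returns {user: peak pushes seen in one window}."""
    per_user = defaultdict(list)
    for ts, user, _ in sorted(events):
        per_user[user].append(ts)
    hits = {}
    for user, stamps in per_user.items():
        start, peak = 0, 0
        for end, ts in enumerate(stamps):          # sliding window over sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[user] = peak
    return hits
```

Bob's normal day (two approvals, one denial, well spread out) produces no alert, while Alice's four rejections followed by an approval inside three minutes trips both detections; the first should also drive a conversation with the user, since the approval is the moment the bypass succeeds.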




Preparation that considers the human side too

An approach that prepares your organisation for both the technical and social engineering types of MFA Bypass is important to ensure holistic security and threat-informed defence. We favour taking a scenario-based approach to preparing for MFA Bypass because it is flexible enough to cover both. You can use an MFA Bypass attack scenario to run exercises, identify technical gaps, and shape your employee security awareness training programme around the latest popular attack methods.

A good scenario-based approach will get into the granular steps an attacker would likely take when going through the attack sequence for different categories of MFA Bypass to educate on opportunities for proactive intervention. In addition, a good threat scenario should enable you to understand the tactics, techniques, and procedures (TTPs), active threat actors, and targeted functions/systems of MFA Bypass attacks. A great scenario will enable you to import this data to other security tools.

The Venation MFA Bypass Threat Scenario will be published & available to our subscribers of our content platform this August 2023.


Referenced documents

  1. Oort, State of Identity Security 2023 (February 2023): https://oort.io/hubfs/Reports/State-of-Identity-Security-2023.pdf
  2. Auth0 (by Okta), 2022 State of Secure Identity Report (2022): https://auth0.com/resources/whitepapers/2022-state-of-secure-identity-report/
  3. Proofpoint, 2023 Human Factor report (2023): https://www.proofpoint.com/uk/resources/threat-reports/human-factor




In digital security, a lot of time is wasted on understanding the biggest threats to an organisation. Current solutions provide too much information, raising more questions than answers, necessitating excess manual analysis, and leaving responders with little time to act.

Venation empowers heroes at the front line of cyber security in radically improving their productivity. We drive this change by developing products and services that reduce the time spent identifying, prioritising, and taking action on digital threats. We exist to make prioritising security investments as efficient as possible.

www.venation.digital

#threatlandscaping #cyberthreatintelligence #cybersecurity #storytelling #threatintelligence #threatscenarios #riskscenarios #riskmanagement #MFA #MFAbypass #multifactorauthentication
