
A Rise In MFA Bypass Attacks Leads to Massive Breaches

Updated: Sep 5

The last couple of years have seen an explosion of interest in Identity Security because of increasing digitalization, rapid cloud adoption, a surge in remote/hybrid work, and stricter personal data regulations (like GDPR and CCPA). The rapidly growing acceptance of zero-trust security, software as a service (SaaS), IoT, cloud services, and container technologies also means that identities (human as well as non-human) have become the new “perimeter” for businesses and enterprises. The new perimeter has led to increasing attacks on identities and the identity infrastructure (e.g. IdP, IAM/IGA, PAM), which in turn drives the interest in Identity Security.

 

Multi-factor Authentication (MFA) has become the most popular solution to the problem of securing the identity perimeter. MFA adds one or more layers of security beyond just credentials, significantly reducing the risk of unauthorized access and defending against identity-based attacks. The implementation of MFA also discourages less sophisticated attackers from targeting an organization and makes it much harder for bots and automated tools to compromise identities at scale. Advanced Risk-Based MFA systems (like Conditional Access in Microsoft Entra ID) can adjust the authentication workflow based on risk factors associated with the access (usually computed using ML/AI techniques over thousands of identity/access attributes), enhancing security without compromising the end-user experience.

 

Being the most popular secure authentication technology also means MFA has become the next frontier in the fight against attackers. As part of the rise in identity attacks, we also see that attacks on the MFA processes and infrastructure are increasing rapidly and becoming more sophisticated. MFA attack tools are becoming readily accessible on the dark web, making it easier for even less skilled attackers to launch more sophisticated attacks.

In the last few years we have seen a broad spectrum of MFA attacks:

  • MFA Implementation Flaws: Being a (relatively) new and popular security control means that some organizations (even those at the cutting edge of technology) are implementing MFA in a hurry, often poorly configured and sometimes incomplete, leaving security gaps that allow attackers to sneak in. Examples of this are:

    • During the MGM Resorts breach, the hackers gained access by finding an employee on LinkedIn, calling the Helpdesk to say this employee account was locked, and taking advantage of the fact that the account recovery process didn’t require the account to authenticate with MFA

    • In the case of multiple customers of two US-based cloud providers, flaws in the implementation of MFA, or the policies, enabled the adversaries to gain access without MFA

  • MFA Bombing or MFA Fatigue attacks: In these scenarios, the attackers abuse a feature or weakness of a multi-factor authentication (MFA) system in a way that inundates the target’s device(s) with alerts to approve a password change or login. Some people confronted with such a deluge may eventually click “Allow” to the incessant password reset prompts — just so they can use their device again.

    • A recent ‘MFA Bombing’ attack targeted Apple users. The attackers in this campaign had an ace up their sleeves: if a user denied all of the password reset prompts, they called the user on his iPhone and said they were from Apple Support (the number displayed was 1-800-275-2273, Apple’s real customer support line).

  • Brute force MFA attacks: These attacks are executed against weaker MFA methods like SMS/text-based codes. If the account itself doesn’t automatically lock after a set number of incorrect attempts, the attacker can simply launch a new MFA guessing session and keep trying.

  • MFA Bypass Phishing Kits: Threat actors are widely adopting emerging adversary-in-the-middle (AitM) phishing kits sold to target Microsoft 365 and Gmail email accounts with threat campaigns that can bypass MFA protections:

    • A threat actor known as W3LL developed a phishing kit that can bypass multi-factor authentication and that, along with other tools, compromised more than 8,000 Microsoft 365 corporate accounts.

    • The "Tycoon 2FA" phishing-as-a-service (PhaaS) platform has been active since at least last August and has been massively used in numerous phishing campaigns

    • EvilProxy uses reverse proxy and cookie-injection methods to give threat actors a way around 2FA

    • Emotet botnet is just one of the many malware families that target cookies and other credentials stored by browsers, such as stored logins. While user account names and passwords are the most obvious targets of credential-stealing activities, attackers are increasingly turning to stealing the “cookies” associated with credentials to clone active or recent web sessions—bypassing MFA in the process.

  • MFA Bypass Services: An even easier way to bypass MFA is to use a service that does the work for you. Services like this are available even to adversaries with no technical skills:

    • OTP.Agency was an online platform that provided social engineering help to obtain one-time passcodes from customers of various banks and services in the U.K. The OTP (temporary One Time Passwords) were part of multi-factor authentication protections and criminals subscribing to the illegal service could use them to access a victim's bank account and empty it. The basic package enabled bypassing multi-factor authentication for bank accounts at HSBC, Monzo, and Lloyds, while the top-tier unlocked access to Visa and Mastercard verification sites.

  • Using Social Engineering: Hackers have always exploited human behaviors using “social engineering” to trick people into giving out information they shouldn’t or doing things they shouldn’t. For example:

    • The MGM Resorts breach: as explained above, this breach was initiated by using public user information available on LinkedIn to trick the Helpdesk into recovering the account.

    • The SEC’s X (aka Twitter) account was hacked using SIM swapping, and the fact that the SEC’s Twitter accounts were not protected with MFA enabled the hackers to hijack the account. The social engineering part was the SIM swap itself, which involves gaining control of a cellular phone number by convincing a mobile carrier to transfer the number to a SIM card controlled by the attacker. Once the attacker controls the victim’s phone number, they can use that phone number to reset the password of accounts belonging to the victim. Having gained control of the number associated with the agency’s account, the swappers simply reset the SEC’s password on X, giving them access to the agency’s account.

    • Attempted Voice Phishing Attack Using Deep Fake AI tools: LastPass Labs warned in April 2024 about an attempted voice phishing attack on an employee that made use of an audio deepfake of company CEO Karim Toubba. The AI tools that enable these attacks are becoming readily available, so we can expect to see more sophisticated social engineering campaigns in the future.

Defending Against Sophisticated MFA-Bypass Attacks

Defending against sophisticated MFA-bypass attacks requires a multi-layered approach that goes beyond basic Identity Threat Detection methods (ITDR). It involves continuously monitoring for suspicious activity, and detecting anomalies in access attempts, as well as ensuring that MFA implementations and configurations are robust.
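One concrete check for the brute-force item above is whether failed MFA code attempts are counted per account rather than per login session. The following is an added example, not code from AuthMind or from any product named here; the limiter classes, policy values, account name and codes are all constructed for illustration.

```python
import hmac

MAX_FAILURES = 5        # assumed policy value
LOCKOUT_SECONDS = 900   # assumed policy value

class SessionScopedLimiter:
    """Weak: failures are counted per login session, so a new session resets the count."""
    def __init__(self):
        self.failures = {}
    def allowed(self, account, session, now):
        return self.failures.get(session, 0) < MAX_FAILURES
    def failed(self, account, session, now):
        self.failures[session] = self.failures.get(session, 0) + 1

class AccountScopedLimiter:
    """Hardened: failures are counted per account across sessions, then the account locks."""
    def __init__(self):
        self.failures, self.locked_until = {}, {}
    def allowed(self, account, session, now):
        return now >= self.locked_until.get(account, 0)
    def failed(self, account, session, now):
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            self.failures[account] = 0

def verify_otp(limiter, account, session, submitted, expected, now):
    if not limiter.allowed(account, session, now):
        return "locked"                      # refuse before comparing the code
    if hmac.compare_digest(submitted, expected):
        return "ok"
    limiter.failed(account, session, now)
    return "rejected"

def wrong_codes_evaluated(limiter, sessions=4, tries_per_session=10):
    """Replay constructed wrong codes over several sessions; count how many were checked."""
    count = 0
    for s in range(sessions):
        for _ in range(tries_per_session):
            result = verify_otp(limiter, "user@example.test", f"sess-{s}",
                                "000000", "493817", now=1000)
            count += result == "rejected"
    return count

if __name__ == "__main__":
    print("session-scoped:", wrong_codes_evaluated(SessionScopedLimiter()))
    print("account-scoped:", wrong_codes_evaluated(AccountScopedLimiter()))
```

With the session-scoped counter every new session buys another five evaluated guesses; with the account-scoped counter the total stays at five until the lockout expires.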

 

The AuthMind Identity Security Platform is the only solution that combines ISPM and ITDR to ensure your MFA defenses are properly implemented, effective, and aren’t bypassed by either internal users or external adversaries. AuthMind’s ISPM capabilities detect weaknesses and coverage gaps in MFA implementations. AuthMind’s ITDR monitors all identity access activities across the hybrid enterprise, providing detailed observability and analysis of identity behaviors. Combined with AuthMind’s AI access graph, users can detect any MFA bypass attempts and enable a response to prevent a breach.

Examples of the issues AuthMind can discover include:

    • Credentials Hygiene with MFA: AuthMind discovers weak and/or compromised credentials used with MFA to access assets.

    • Bypassing MFA with Direct Local Accounts: AuthMind detects the existence of local accounts, and any direct access attempts that use these accounts to bypass MFA.

    • Assets without MFA: AuthMind discovers applications and services that are managed by an IDP, but do not require MFA from identities that are accessing them.

    • Identities without MFA: AuthMind discovers identities that are managed by an IDP, but not authenticating with MFA when accessing applications or services.

    • Shadow Assets: AuthMind detects access to unmanaged shadow assets that do not require MFA.

    • MFA policy gaps or misconfigurations: Policy gaps and misconfigurations are often a result of human error, but can also happen due to various changes in dynamic environments - new assets that are added, new users, etc. AuthMind also detects policy drifts where MFA was enforced in the past, but is no longer enforced due to some unrelated change (for example in the MGM breach this happened after the account was restored).

    • MFA Fatigue: AuthMind detects suspicious activity involving too many MFA requests and alerts on the potentially malicious access attempts.
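To make the MFA fatigue signal concrete, here is an added example of a sliding-window detector over push-prompt logs. It is not AuthMind's implementation; the log format, user names, window and threshold are assumptions, and the sample log is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window
THRESHOLD = 5                   # assumed prompt count that makes a burst

# Constructed sample push-prompt log (not real data): timestamp, user, outcome.
SAMPLE_LOG = """\
2024-05-01T02:11:00Z bob denied
2024-05-01T02:11:40Z bob denied
2024-05-01T02:12:30Z bob timeout
2024-05-01T02:13:10Z bob denied
2024-05-01T02:14:00Z bob denied
2024-05-01T02:14:45Z bob approved
2024-05-01T11:00:00Z carol denied
2024-05-01T11:01:00Z carol denied
2024-05-01T11:02:00Z carol timeout
2024-05-01T11:03:00Z carol denied
2024-05-01T11:04:00Z carol denied
2024-05-01T08:00:00Z dave denied
2024-05-01T12:00:00Z dave approved
"""

def parse(log):
    events = []
    for line in log.strip().splitlines():
        ts, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, outcome))
    return sorted(events)   # process in time order regardless of log order

def detect_fatigue(events, window=WINDOW, threshold=THRESHOLD):
    recent = defaultdict(deque)   # user -> (timestamp, outcome) still inside the window
    alerts = {}                   # user -> most severe finding
    for ts, user, outcome in events:
        q = recent[user]
        q.append((ts, outcome))
        while ts - q[0][0] > window:
            q.popleft()
        if len(q) < threshold:
            continue
        rejected = sum(o != "approved" for _, o in q)
        # An approval that ends a run of denied or ignored prompts is the case to
        # escalate: the user may have given in, so the new session needs review.
        if outcome == "approved" and rejected >= threshold - 1:
            alerts[user] = "approved-after-burst"
        else:
            alerts.setdefault(user, "prompt-burst")
    return alerts

print(detect_fatigue(parse(SAMPLE_LOG)))
```

The two findings call for different responses: a bare prompt burst suggests the password is already compromised, while an approval after a burst suggests the session itself should be revoked.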

To quickly enable MFA protection, AuthMind offers MFA playbooks that can automatically trigger a workflow (via API) in any orchestration/automation tool: IDP, IAM, or a SOAR. The playbooks apply the appropriate remediation according to the issues discovered.

 

This makes AuthMind Identity Security Platform a crucial defense in staying ahead of attackers who are increasingly skilled at exploiting vulnerabilities in MFA systems.

 

For more information on AuthMind’s platform, schedule a demo today.

 
