Rising MFA Exploits And Best Practices To Mitigate Them

What is Multi-Factor Authentication (MFA)?

MFA stands for Multi-Factor Authentication, a multi-step authentication method that requires the user to provide two or more verification factors to gain access to a system or application such as an application, online account, or a VPN.

MFA requires one or more additional verification factors, in addition to username and password, which decreases the likelihood of a successful cyber attack

How does MFA work?

MFA works by requiring additional verification information (factors). A second form of authentication helps to prevent unauthorized account access if a system password has been compromised. There are 3 types of factors that can be used for MFA, such as:

• Something you know: This could be a password, PIN, or security question.
• Something you have: This could be a physical token, such as a Yubikey, or a mobile app that generates one-time passwords (OTPs).
• Something you are: This could be biometric data, such as a fingerprint or facial scan

For example, along with the password, users might be asked to enter a code sent to their email, answer a secret question, or scan a fingerprint.

Most common MFA factors that users incorporate is one-time passwords (OTP). OTPs are typically 4-8 digit codes that you often receive via email, SMS or authentication app. With OTPs a new code is generated periodically or each time an authentication request is submitted and gets expires within the set duration or input

Rise in exploitation of multi-factor authentication (MFA)

The rise in exploitation of multi-factor authentication (MFA) protocols by malicious threat actors in the recent past has been a worrisome trend. That, much of this activity is being orchestrated by nation-state sponsored actors is only intensifying the impact, leading to escalating cyber warfare.

MFA is one of the simple, yet effective techniques used by organizations across the board to neutralize credential stuffing attacks and add a certain degree of security while managing access to critical infrastructure. Threat actors have, in the recent past been exploiting misconfiguration in MFA, to get a foothold into the victim’s network – a trend SISA has been observing in forensic investigation and incident response. A commonly observed instance has been the exploitation of default MFA protocols followed by the PrintNightmare vulnerability exploit – a critical MS Windows vulnerability to run arbitrary code with system privileges. By deploying this tactic, threat actors have been able to perform lateral movement and exfiltrate documents with sensitive data from the victim’s cloud and email accounts.

How the exploit works?

1. The attackers are using compromised credentials, obtained via a brute force attack to enrol a new device in the target organization’s MFA account.
2. A key lapse that’s offering ready ammunition to attackers is the un-enrolment of the account from MFA after a long period of inactivity, but the same not being disabled in Active Directory.
3. Typically, MFA’s default setting allows for the re-enrolment of new devices for dormant accounts, and the attackers are exploiting this feature to enrol a new device for the target account, complete the authentication requirements, and gain access to the network.
4. This is usually accompanied by the PrintNigthtmare vulnerability exploit through which privileges are escalated to admin level.
5. The threat actors are able to change the configuration of MFA to call localhost rather than the server, which disables MFA for active domain accounts, as the default policy on Windows is to ‘Fail open’ if the MFA server cannot be reached.
6. After effectively disabling MFA, the attackers are able to successfully authenticate to the victim’s virtual private network (VPN) as non-administrator users and make Remote Desktop Protocol (RDP) connections to Windows domain controllers.

SISA-recommended mitigations and best practices

Organizations, especially critical infrastructure providers and government entities need to ensure proper configuration of MFA to thwart targeted attacks. As one of the top 4 global PCI forensic investigators (PFIs), SISA has been observing a high prevalence of misconfigured MFA in breach investigations and forensic audits performed over the past 1-2 years. Some of the widely observed lapses include:

• No rule configuration in the network to block RDP communication between web and Jump servers
• Non-usage of out-of-band MFA (Enabling VPN access through certificate and passwords)
• Use of shared user accounts, weak account lockout policy and faulty password management

As cyber criminals are finding new ways to exploit MFA, organizations need to step up defenses and keep a closer watch on new and emerging adversary tactics. SISA recommends adopting the following security practices to mitigate the increasing threat of MFA exploitation – by private groups and state-sponsored actors alike:

• Ensure proper configuration of MFA. The MFA should ensure that it is an out-of-band authentication and that it is applicable for accessing all applications and system components.
• Enforce MFA for all users, without exception, and ensure it is properly configured to protect against “fail open” and re-enrollment scenarios.
• Implement strong account time-out and lock-out features.
• Disable inactive accounts uniformly in active directory, MFA, etc.
• Implement frequent patching and software updates and prioritize known exploited vulnerabilities first.
• Deploy continuous monitoring of logs and extend it to non-critical environment too.
• Ensure use of strong, unique passwords and their non-reuse across multiple accounts.

To learn more about emerging trends, threat exploits, intruder tactics and SISA’s top learnings from breach investigations, register for a Forensics Learning Session.