With the rising adoption of multi-factor authentication (MFA), attacks against MFA have become increasingly common. They range from the crude to the highly sophisticated. Most MFA bypass techniques fall into one of two categories: attacking the second-factor step directly, by guessing the one-time code or by bombarding the user with approval requests until one is accepted, or using social engineering to trick the targeted user into generating the code or approving a fraudulent access request. Beyond compromising MFA platforms themselves and tricking employees into approving illegitimate requests, attackers also use adversary-in-the-middle (AiTM) proxy attacks, which relay the victim's login to the real site and capture the authenticated session once MFA has completed.
MFA brute-forcing, the most widely used type of MFA attack and a tactic seen in high-profile breaches such as Uber and Reddit, is an attempt to gain unauthorized access to an MFA-protected account by exhausting the second factor rather than defeating it. The attacker first obtains or guesses the user's password, typically with automated software that tries many username and password combinations until one succeeds, and then attacks the additional layer in one of three ways: submitting one-time codes at high volume where the verifier does not limit attempts (a six-digit code has only one million possible values), stealing the code or security token, or, where the second factor is a push notification, sending approval requests over and over until the fatigued user taps "Approve". The push variant is often called MFA fatigue or push bombing.
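To make the difference between an unlimited verifier and a capped one concrete, here is an added example in Python (not code from the original post or from SISA): a toy OTP verifier that locks the user out after a fixed number of wrong codes, a push-prompt gate that refuses to send more than a few prompts per window, and a function giving the probability that guessing succeeds. The class and function names, the limits (5 guesses, 3 prompts per 10 minutes, 15-minute lockout) and the injectable clock are assumptions chosen for illustration.

```python
"""Added example: server-side caps that turn MFA brute-forcing from cheap into infeasible.

Names, limits and the injectable clock are illustrative assumptions, not SISA's code.
"""
import hmac
import time
from collections import defaultdict, deque


def otp_guess_success_probability(digits: int, attempts: int) -> float:
    """Chance of guessing a uniformly random numeric OTP of `digits` digits in `attempts` tries."""
    space = 10 ** digits
    return min(attempts, space) / space


class OtpVerifier:
    """Checks submitted codes; after `max_attempts` failures the user is locked out."""

    def __init__(self, max_attempts=5, lockout_seconds=900, now=time.time):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self._now = now                      # injectable clock so the behaviour is testable
        self._failures = defaultdict(int)
        self._locked_until = {}

    def is_locked(self, user: str) -> bool:
        return self._locked_until.get(user, 0.0) > self._now()

    def verify(self, user: str, expected_code: str, submitted_code: str) -> bool:
        if self.is_locked(user):
            return False                     # refuse even a correct code while locked
        if hmac.compare_digest(expected_code, submitted_code):   # constant-time compare
            self._failures[user] = 0
            return True
        self._failures[user] += 1
        if self._failures[user] >= self.max_attempts:
            self._locked_until[user] = self._now() + self.lockout_seconds
            self._failures[user] = 0
        return False


class PushPromptGate:
    """Allows at most `max_prompts` push notifications per user per `window_seconds`."""

    def __init__(self, max_prompts=3, window_seconds=600, now=time.time):
        self.max_prompts = max_prompts
        self.window_seconds = window_seconds
        self._now = now
        self._sent = defaultdict(deque)

    def allow_prompt(self, user: str) -> bool:
        now = self._now()
        sent = self._sent[user]
        while sent and now - sent[0] > self.window_seconds:
            sent.popleft()                   # drop prompts that fell outside the window
        if len(sent) >= self.max_prompts:
            return False                     # this would be push bombing: do not notify the user
        sent.append(now)
        return True


def simulate_brute_force(verifier, user, secret_code, guesses):
    """Attacker submits `guesses` in order; returns (code found or None, attempts made)."""
    attempts = 0
    for guess in guesses:
        attempts += 1
        if verifier.verify(user, secret_code, guess):
            return guess, attempts
    return None, attempts


if __name__ == "__main__":
    clock = [0.0]
    verifier = OtpVerifier(now=lambda: clock[0])
    found, n = simulate_brute_force(verifier, "alice", "483920",
                                    (f"{i:06d}" for i in range(10_000)))
    print("capped verifier: code found =", found, "after", n, "attempts")
    print("P(success in 5 tries, 6 digits) =", otp_guess_success_probability(6, 5))
```

With no attempt cap the attacker needs at most one million submissions, which is minutes of work against an unthrottled endpoint; with a cap of five the success probability per lockout period is five in a million, and the lockout also blocks the legitimate code until it expires, which is the trade-off the "account lockouts" control accepts.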
While there are several strategies and best practices to safeguard against MFA brute-force attacks, this post looks at how a forensics-driven approach to cybersecurity can help prevent them, by examining a real case investigated by SISA.
Bank customers reported fraudulent deductions and unauthorized e-commerce transactions. Initial investigation revealed that the fraudsters had called customers posing as bank employees and asked for card details, CVV2 and OTPs. Detailed investigation traced the source: a bank call-centre supervisor's personal laptop and social media account had been compromised, and the intruder used the supervisor's credentials, obtaining second-factor approval through the supervisor's own MFA push notifications, to log in to the bank's VPN, Active Directory, email and CRM application. From the CRM he extracted the customer details that made the social-engineering calls convincing.
The root cause was a control failure in MFA: the user approved the MFA push notification multiple times and eventually fell prey to an MFA brute-forcing (push-bombing) attack. Despite the organization's information security training, the user had shared credentials with colleagues, reused the same password for all accounts, and used a personal system, infected with keylogger malware, to log into the network. The compromised social media credentials were the same ones used for the VPN, email and CRM application, so a single compromise unlocked all of them.
SISA's forensics-driven approach uses a 4D framework: deciphering the breaches, deconstructing the loopholes, developing essential controls, and disseminating the learnings to help organizations strengthen their security posture. Learnings from breach investigations are used to develop and fine-tune preventive and detective controls, prioritizing those with the highest probability of preventing or detecting a breach.
Based on the findings from the above case investigation, SISA recommends that organizations deploy the following controls and best practices to guard against MFA attacks.
While MFA adds a layer of security, the practices around it decide whether it holds up against brute-forcing. Strong password policies (no reuse between personal and corporate accounts), account lockouts that also cap the number of OTP attempts and push prompts per user, adaptive authentication that challenges logins from unusual devices, locations or times, and user education on never approving a prompt one did not initiate together significantly reduce the risk of unauthorized access. Equally important, organizations must deploy an EDR solution on remote user systems so that the security team can hunt those systems for malicious activity and malware such as the keylogger found in this case.
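As an added example of the detective side (it is not SISA's tooling; the log format, field names and thresholds are assumptions), the following Python script runs two detections over a few constructed authentication log lines: a user who approves a push only after a burst of denied or timed-out prompts, which is the pattern of the case above, and a (user, IP) pair racking up failed OTP checks faster than a human could type them.

```python
"""Added example: detect MFA push bombing and OTP brute-forcing in authentication logs.

The log format, field names, thresholds and sample lines are constructed for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

LOG_RE = re.compile(
    r"^(?P<ts>\d+) user=(?P<user>\S+) ip=(?P<ip>\S+) event=(?P<event>\S+) result=(?P<result>\S+)$"
)


@dataclass(frozen=True)
class Event:
    ts: int
    user: str
    ip: str
    event: str
    result: str


def parse_log(lines):
    """Parse lines in the assumed 'ts user= ip= event= result=' format; skip anything else."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append(Event(int(m["ts"]), m["user"], m["ip"], m["event"], m["result"]))
    return events


def detect_push_bombing(events, window=600, min_prompts=3):
    """Flag an approval preceded by >= min_prompts push prompts (at least one not approved) in `window` s."""
    alerts = []
    by_user = defaultdict(list)
    for e in events:
        if e.event == "mfa_push":
            by_user[e.user].append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        for i, e in enumerate(evs):
            if e.result != "approved":
                continue
            recent = [x for x in evs[: i + 1] if e.ts - x.ts <= window]
            not_approved = sum(1 for x in recent if x.result in ("denied", "timeout"))
            if len(recent) >= min_prompts and not_approved >= 1:
                alerts.append({"rule": "mfa_push_bombing", "user": user, "ts": e.ts,
                               "prompts_in_window": len(recent),
                               "ips": sorted({x.ip for x in recent})})
    return alerts


def detect_otp_brute_force(events, window=300, max_failures=5):
    """Flag (user, ip) pairs with more than max_failures failed OTP checks inside `window` seconds."""
    alerts = []
    by_key = defaultdict(list)
    for e in events:
        if e.event == "otp_verify" and e.result == "fail":
            by_key[(e.user, e.ip)].append(e.ts)
    for (user, ip), stamps in by_key.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):          # sliding window over failure timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 > max_failures:
                alerts.append({"rule": "otp_brute_force", "user": user, "ip": ip,
                               "failures_in_window": end - start + 1, "ts": stamps[end]})
                break                           # one alert per (user, ip)
    return alerts


# Constructed sample log: a push-bombed supervisor, an OTP-guessing burst, and a clean login.
SAMPLE_LOG = """\
1700000000 user=supervisor01 ip=203.0.113.9 event=password result=success
1700000001 user=supervisor01 ip=203.0.113.9 event=mfa_push result=denied
1700000040 user=supervisor01 ip=203.0.113.9 event=mfa_push result=timeout
1700000095 user=supervisor01 ip=203.0.113.9 event=mfa_push result=denied
1700000130 user=supervisor01 ip=203.0.113.9 event=mfa_push result=approved
1700000131 user=supervisor01 ip=203.0.113.9 event=vpn_login result=success
1700000200 user=agent17 ip=198.51.100.4 event=otp_verify result=fail
1700000201 user=agent17 ip=198.51.100.4 event=otp_verify result=fail
1700000202 user=agent17 ip=198.51.100.4 event=otp_verify result=fail
1700000203 user=agent17 ip=198.51.100.4 event=otp_verify result=fail
1700000204 user=agent17 ip=198.51.100.4 event=otp_verify result=fail
1700000205 user=agent17 ip=198.51.100.4 event=otp_verify result=fail
1700000300 user=agent22 ip=192.0.2.77 event=mfa_push result=approved
1700000301 user=agent22 ip=192.0.2.77 event=vpn_login result=success
""".splitlines()


def run(lines=SAMPLE_LOG):
    """Parse the lines and return all alerts from both rules."""
    events = parse_log(lines)
    return detect_push_bombing(events) + detect_otp_brute_force(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The push-bombing rule deliberately keys on an approval that follows refusals, which is the moment the control actually failed; a burst of denials with no approval is worth a lower-severity notice to the user, and a single approved prompt with no history (agent22 above) produces nothing. Both rules work per user, so a real deployment would feed them from the identity provider's sign-in logs and tune the windows to the organization's push timeout and OTP validity period.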