Rising MFA Exploits And Best Practices To Mitigate Them

MFA exploits by Threat Actors on the rise

The rise in exploitation of multi-factor authentication (MFA) protocols by malicious threat actors in the recent past has been a worrisome trend. That much of this activity is orchestrated by nation-state sponsored actors only intensifies the impact, and it is now part of an escalating cyber warfare.

MFA is one of the simplest yet most effective controls that organizations across the board use to neutralize credential stuffing and password-guessing attacks and to add a further layer of security when managing access to critical infrastructure. Threat actors have recently been exploiting misconfigurations in MFA to gain a foothold in the victim's network, a trend SISA has been observing in forensic investigation and incident response. A commonly observed instance is the abuse of default MFA settings followed by exploitation of the PrintNightmare vulnerability (CVE-2021-34527, a critical flaw in the Windows Print Spooler service that lets an attacker run arbitrary code with SYSTEM privileges). By deploying this tactic, threat actors have been able to move laterally and exfiltrate documents containing sensitive data from the victim's cloud and email accounts.

How the exploit works

The attackers use compromised credentials, obtained through a brute-force or password-guessing attack, to enrol a new device in the target organization's MFA tenant. The key lapse that hands them this opportunity is an account that was un-enrolled from MFA after a long period of inactivity but was never disabled in Active Directory. By default, the MFA provider allows a dormant account to re-enrol a new device, so the attackers register their own device against the target account, satisfy the authentication requirements, and gain access to the network. This is typically followed by exploitation of the PrintNightmare vulnerability, through which privileges are escalated to administrator level (PrintNightmare yields code execution as SYSTEM on the affected host). With those privileges the threat actors reconfigure the MFA integration to call localhost rather than the MFA server (in the publicly reported case, by editing the hosts file on the domain controller so that the MFA server's hostname resolved to 127.0.0.1). Because the default policy of the MFA integration is to 'fail open' when the MFA server cannot be reached, this effectively disables MFA for active domain accounts. Having disabled MFA, the attackers authenticate to the victim's virtual private network (VPN) as non-administrator users and make Remote Desktop Protocol (RDP) connections to Windows domain controllers.
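To make the chain concrete, the following Python script (an added example, not code from the SISA post or from any MFA vendor) reproduces the two lapses as offline checks: it parses a hosts file and flags an MFA server hostname pinned to a loopback address, models the fail-open versus fail-closed decision that results, and audits a constructed account list for accounts that are dormant and un-enrolled from MFA yet still enabled in Active Directory. The MFA hostname, the hosts-file contents, the account names and the audit date are all constructed for the example; the script illustrates both the exploit chain above and the "disable inactive accounts uniformly" mitigation recommended later in this post.

```python
"""Added example, not code from the SISA post: the two configuration lapses
in the exploit chain, written as checks that run offline on constructed data.

* An MFA agent that resolves its server hostname through the local hosts
  file and is configured to fail open grants access once that hostname is
  pinned to a loopback address.
* An account that is dormant and un-enrolled from MFA but still enabled in
  Active Directory can be hijacked by enrolling a new device.

Every hostname, account name and file body below is constructed for this
example; the MFA vendor hostname is a placeholder under the reserved
.invalid TLD, not a real service.
"""
from dataclasses import dataclass
from datetime import date, timedelta
import ipaddress

MFA_HOST = "mfa.example-vendor.invalid"  # assumed MFA server name (placeholder)

# Constructed hosts file as shipped: only the stock loopback entries.
CLEAN_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
"""

# Constructed hosts file after tampering: the MFA hostname now resolves to
# loopback, so the agent can never reach the real server.
TAMPERED_HOSTS = CLEAN_HOSTS + "127.0.0.1       mfa.example-vendor.invalid\n"


def parse_hosts(text):
    """Return {hostname: ip} for every non-comment entry in a hosts file."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            mapping[name.lower()] = ip
    return mapping


def find_mfa_redirects(hosts_text, mfa_hosts=(MFA_HOST,)):
    """MFA server hostnames that the hosts file pins to a loopback address."""
    mapping = parse_hosts(hosts_text)
    hits = []
    for host in mfa_hosts:
        ip = mapping.get(host.lower())
        if ip is None:
            continue
        try:
            if ipaddress.ip_address(ip).is_loopback:
                hits.append(host)
        except ValueError:
            continue  # malformed entry; not a loopback redirect
    return hits


def mfa_decision(hosts_text, fail_open):
    """Model the agent's second-factor step after the password was accepted.

    Returns "challenge" when the server is reachable (a push/OTP would be
    sent), otherwise "allow" under a fail-open policy or "deny" under
    fail-closed. Reachability is approximated by the hosts-file check only.
    """
    if MFA_HOST in find_mfa_redirects(hosts_text):
        return "allow" if fail_open else "deny"
    return "challenge"


@dataclass
class Account:
    name: str
    enabled: bool        # not disabled in Active Directory
    last_logon: date     # from lastLogonTimestamp
    mfa_enrolled: bool   # still has a device registered with the MFA provider


AUDIT_DATE = date(2022, 3, 15)  # constructed audit date for the sample below

# Constructed sample: one account in exactly the vulnerable state.
SAMPLE_ACCOUNTS = [
    Account("jdoe", True, date(2022, 3, 10), True),           # active, enrolled
    Account("svc-legacy", True, date(2021, 6, 1), False),     # dormant, un-enrolled, still enabled
    Account("contractor7", False, date(2021, 1, 20), False),  # dormant but disabled in AD
    Account("mgr-old", True, date(2021, 11, 2), True),        # dormant but still enrolled
]


def dormant_reenrolment_risk(accounts, today=AUDIT_DATE, max_idle_days=90):
    """Names of accounts enabled in AD, idle past the threshold and holding no
    MFA device: the state that let the attacker enrol a device of their own."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(a.name for a in accounts
                  if a.enabled and not a.mfa_enrolled and a.last_logon < cutoff)


if __name__ == "__main__":
    print("MFA hosts redirected to loopback:", find_mfa_redirects(TAMPERED_HOSTS))
    for policy in (True, False):
        print(f"fail_open={policy}:", mfa_decision(TAMPERED_HOSTS, policy))
    print("Enabled, dormant, un-enrolled:", dormant_reenrolment_risk(SAMPLE_ACCOUNTS))
```

On a real domain controller the hosts file lives at C:\Windows\System32\drivers\etc\hosts, and the account data would come from an Active Directory export (the lastLogonTimestamp attribute) joined with the MFA provider's user list; the checks only need to be rerun with those inputs in place of the constructed ones.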

SISA-recommended mitigations and best practices

Organizations, especially critical infrastructure providers and government entities, need to ensure that MFA is properly configured to thwart targeted attacks. As one of the top four global PCI forensic investigators (PFIs), SISA has observed a high prevalence of misconfigured MFA in breach investigations and forensic audits performed over the past one to two years. Some of the widely observed lapses include:

  • No firewall rule in the network to block RDP communication between web servers and jump servers
  • Non-usage of out-of-band MFA (VPN access granted with only a certificate and a password)
  • Use of shared user accounts, weak account lockout policies and faulty password management

As cyber criminals find new ways to exploit MFA, organizations need to step up their defenses and keep a closer watch on new and emerging adversary tactics. SISA recommends adopting the following security practices to mitigate the increasing threat of MFA exploitation by private groups and state-sponsored actors alike:

  • Ensure proper configuration of MFA: the second factor should be delivered out-of-band, and MFA should be required for access to all applications and system components.
  • Enforce MFA for all users, without exception, and configure it to fail closed when the MFA server cannot be reached and to block self-service re-enrollment of devices for dormant accounts.
  • Implement strong session time-out and account lock-out controls.
  • Disable inactive accounts uniformly across Active Directory, the MFA provider and every other identity store, so that an account un-enrolled from MFA cannot remain enabled elsewhere.
  • Patch and update software frequently, prioritizing known exploited vulnerabilities (PrintNightmare among them) first.
  • Deploy continuous monitoring of logs and extend it to non-critical environments too.
  • Ensure use of strong, unique passwords that are not reused across multiple accounts.


To learn more about emerging trends, threat exploits, intruder tactics and SISA’s top learnings from breach investigations, register for a Forensics Learning Session.