Can your MFA implementations stymie MFA bypass attacks?

Shay Nahari, Head of Red-Team services at CyberArk, says that they’ve been increasingly asked by customers to probe their multi-factor authentication (MFA) defenses, which lead them to pinpoint four main attack vectors used by threat actors to circumvent MFA controls, by exploiting: architectural and design flaws, insecure channels, side channel attacks and insufficient attack surface coverage.

Why MFA is a good choice

The cybersecurity industry has been extolling the virtues of MFA use for years.

According to Microsoft, using any kind of MFA “significantly increases the costs for attackers, which is why the rate of compromise of accounts using any type of MFA is less than 0.1% of the general population.”

Attackers are always on the lookout for ways to bypass MFA protections, whether through vulnerabilities, legacy authentication protocols that do not fully support MFA, rogue apps, and so on.

Even though the COVID-19 pandemic resulted in a spike in remote working and a consequent call for a wider MFA implementation, CoreView found that, for example, most enterprise Microsoft 365 administrators do not have MFA activated.

Possible MFA bypass attacks

While MFA controls may stop some run-of-the-mill attacks like attempted account hijacking through brute-forcing, it is sometimes not a big enough obstacle for determined attackers set on compromising a specific enterprise target (see: the Duo MFA bypass pulled off by the SolarWinds attackers).

Other possible real-world attacks against MFA controls performed by CyberArk’s red teamers include:

• Post-MFA authentication attacks targeting easily decrypted browser cookies stored in the targeted user’s browser
• Targeting critical assets through secondary channels (e.g., even if RDP access is MFA-protected, other inbound interfaces on the server (enabled by default) are exempt from second factor (e.g., SMB, RPC)
• Exploitation of insecure token onboarding processes
• Manipulation of architectural and design flaws (e.g., MFA being applied for infrastructure-based access but not for individual user identities)

So, yes, multi-factor authentication is a must for organizations looking to implement a zero-trust strategy, but it has to be “done” correctly.

“MFA needs to be considered in the context of multi-layered Identity Security controls, including strong privileged access controls like session isolation and credential management. And just like any aspect of security, design matters. Implementation matters. And most important, operational security matters. You are only as secure as your weakest link,” he concluded.