When it comes to access security, one recommendation stands out above the rest: multi-factor authentication (MFA). Because a password on its own is easy work for hackers, MFA provides an essential layer of protection against breaches. However, it's important to remember that MFA isn't foolproof. It can be bypassed, and it often is.
If a password is compromised, there are several options available to hackers looking to circumvent the added protection of MFA. We'll explore four social engineering tactics hackers successfully use to breach MFA and emphasize the importance of having a strong password as part of a layered defense.
1. Adversary-in-the-middle (AITM) attacks
AITM attacks involve deceiving users into believing they're logging into a genuine network, application, or website. But really, they're giving up their information to a fraudulent lookalike. This lets hackers intercept passwords and manipulate security measures, including MFA prompts. For instance, a spear-phishing email may arrive in an employee's inbox, posing as a trusted source. Clicking on the embedded link directs them to a counterfeit website where hackers collect their login credentials.
While MFA should ideally prevent these attacks by requiring an additional authentication factor, hackers can employ a technique known as '2FA pass-on.' Once the victim enters their credentials on the fake site, the attacker promptly enters the same details on the legitimate site. This triggers a legitimate MFA request, which the victim anticipates and readily approves, unwittingly granting the attacker complete access.
This is a common tactic for threat groups such as Storm-1167, who are known for crafting fake Microsoft authentication pages to harvest credentials. They also create a second phishing page that mimics the MFA step of the Microsoft login process, prompting the victim to enter their MFA code and grant the attackers access. From there, they gain access to a legitimate email account and can use it as a platform for a multi-stage phishing attack.
2. MFA prompt bombing
This tactic takes advantage of the push notification feature in modern authentication apps. After compromising a password, attackers attempt to log in, which sends an MFA prompt to the legitimate user's device. They rely on the user either mistaking it for a genuine prompt and accepting it, or becoming frustrated with continuous prompts and accepting one to stop the notifications. This technique, known as MFA prompt bombing, poses a significant threat.
In a notable incident, hackers from the 0ktapus group compromised an Uber contractor's login credentials through SMS phishing, then continued with the authentication process from a machine they controlled and immediately requested an MFA code. They then impersonated an Uber security team member on Slack, convincing the contractor to accept the MFA push notification on their phone.
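The burst-then-approve pattern described in this section is visible in identity-provider push logs. The following detection logic is an added example, not code from the article or from Specops; the log format, the event names (push_sent, push_denied, push_timeout, push_approved) and the sample events are constructed assumptions, and the window and threshold are illustrative tuning values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push events (not from the article): timestamp, user, event, source IP.
# alice gets a burst of prompts from one IP and finally approves; bob is a normal single-prompt login.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z alice push_sent 203.0.113.7
2024-05-01T09:00:40Z alice push_denied 203.0.113.7
2024-05-01T09:01:05Z alice push_sent 203.0.113.7
2024-05-01T09:01:50Z alice push_timeout 203.0.113.7
2024-05-01T09:02:10Z alice push_sent 203.0.113.7
2024-05-01T09:02:55Z alice push_sent 203.0.113.7
2024-05-01T09:03:20Z alice push_approved 203.0.113.7
2024-05-01T09:05:00Z bob push_sent 198.51.100.4
2024-05-01T09:05:12Z bob push_approved 198.51.100.4
"""

def parse_events(text):
    """Parse one whitespace-separated event per line into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, event, ip = line.split()
            events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                           "user": user, "event": event, "ip": ip})
    return events

def detect_prompt_bombing(events, window=timedelta(minutes=10), threshold=3):
    """Alert on users sent >= threshold pushes inside `window`; note if one was approved in that burst."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        sent = [e for e in evs if e["event"] == "push_sent"]
        for start in sent:
            burst = [s for s in sent if start["ts"] <= s["ts"] <= start["ts"] + window]
            if len(burst) >= threshold:
                # An approval inside the burst is the outcome prompt bombing is after:
                # treat it as a likely compromise (revoke sessions, reset the password).
                approved = any(e["event"] == "push_approved" and
                               start["ts"] <= e["ts"] <= start["ts"] + window for e in evs)
                alerts.append({"user": user, "prompts": len(burst), "first": start["ts"],
                               "last": burst[-1]["ts"], "approved_in_window": approved,
                               "source_ips": sorted({s["ip"] for s in burst})})
                break  # one alert per user is enough for triage
    return alerts

ALERTS = detect_prompt_bombing(parse_events(SAMPLE_LOG))
```

Denied and timed-out prompts are kept in the parsed events so an analyst can see the user resisted before approving, which distinguishes this from a single mistaken tap.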
3. Service desk attacks
Attackers deceive helpdesks into bypassing MFA by feigning password forgetfulness and gaining access through phone calls. If service desk agents fail to enforce proper verification procedures, they may unknowingly grant hackers an initial entry point into the organization's environment. A recent example was the MGM Resorts attack, where the Scattered Spider hacker group fraudulently contacted the service desk for a password reset, giving them a foothold to log in and launch a ransomware attack.
Hackers also try to exploit recovery settings and backup procedures by manipulating service desks to circumvent MFA. 0ktapus has been known to resort to targeting an organization's service desk if its MFA prompt bombing proves unsuccessful. They'll contact service desks claiming their phone is inoperable or lost, then request to enroll a new, attacker-controlled MFA device. They can then exploit the organization's recovery or backup process by getting a password reset link sent to the attacker-controlled device.
4. SIM swapping
Cybercriminals understand MFA often relies on cell phones as a means of authentication. They can exploit this with a technique called a 'SIM swap', where hackers deceive service providers into transferring a target's services to a SIM card under their control. They can then effectively take over the target's cell service and phone number, letting them intercept MFA prompts and gain unauthorized access to accounts.
After an incident in 2022, Microsoft published a report detailing the tactics employed by the threat group LAPSUS$. The report explained how LAPSUS$ dedicates extensive social engineering campaigns to gaining initial footholds in target organizations. One of their favored techniques is targeting users with SIM-swapping attacks, along with MFA prompt bombing, and resetting a target's credentials through help desk social engineering.
You can't fully rely on MFA – password security still matters
This wasn't an exhaustive list of ways to bypass MFA. There are several other ways too, including compromising endpoints, exporting generated tokens, exploiting SSO, and finding unpatched technical deficiencies. It's clear that setting up MFA doesn't mean organizations can forget about securing passwords altogether.
Account compromise still often starts with weak or compromised passwords. Once an attacker obtains a valid password, they can then shift their focus towards bypassing the MFA mechanism. Even a strong password can't protect users if it's been compromised through a breach or password reuse. And for most organizations, going fully passwordless won't be a practical option.
With a tool like Specops Password Policy, you can enforce robust Active Directory password policies to eliminate weak passwords and continuously scan for compromised passwords resulting from breaches, password reuse, or being sold after a phishing attack. This ensures that MFA serves as an additional layer of security as intended, rather than being solely relied upon as a silver-bullet solution. If you're interested in exploring how Specops Password Policy can fit with your organization's specific needs, please contact us.