Q3 Cyber Threat Report: The Ransomware Ecosystem is Increasingly Distributed
Ransomware attacks remained high in Q3 2024, with groups targeting sectors like Construction and Healthcare, often exploiting weak VPN credentials.
It’s not surprising that more and more organizations each year choose to implement multi-factor authentication (MFA). It protects against a large number of threats (like data breaches and password-based attacks) and it’s relatively affordable to implement organization-wide. However, threat actors have adapted their attack strategies to circumvent controls (like MFA) that are meant to protect an organization.
The cyber team at Kroll found that in 90% of their business email compromise investigations, MFA had been in place at the time of the attack. Corvus has also begun to see an increase in MFA bypass techniques used in attacks against our policyholders.
This highlights an important truth to security — there is no silver bullet to reduce all risk. Attackers are constantly revisiting their playbooks and adapting to changing defense techniques. It’s on us to keep up.
MFA bypass is a method that attackers use to circumvent multiple authentication methods to access an account. While attack methods vary, they all have the same goal: gain unauthorized access to a target account. At a high level, there are two key tactics used by attackers to get around the second authentication layer provided by MFA (SMS, email, app based) on top of the standard username and password.
The first tactic relies on social engineering, which aims to trick an unsuspecting user into granting them access. The second tactic is a bit more comprehensive, which involves a more “technical” bypass to circumvent weak links within the operational MFA flow.
Session cookies are stored in your browser and save information as you use the web. They act as a ‘badge’ that a user's browser presents to a web server to prove their identity. This allows users to stay signed in to an application, instead of constantly having to re-login. While they do simplify the user experience, they have an obvious flaw. If somebody were to extract the session cookie (aka badge), they could authenticate as the user in a separate web browser session on another system.
Through infostealer malware or a proxy server mirroring a real website (which sits between the victim and website), attackers can steal a user’s session cookie. With the session cookie in hand, the threat actor can now access the account from a device or browser they control, and take over the user's session.
Cybercriminals appear to have endless creativity when it comes to creating new social engineering tactics to access credentials and circumvent MFA. This can range from fake websites crafted to save your login credentials (normally linked through phishing emails) to “vishing” (voice phishing) attempts to IT helpdesks where threat actors will pose as a user within their target organization.
The threat actor will provide basic information about the user (typically information that can be found on public sources like LinkedIn) and pretend to be locked out of their account. The unsuspecting helpdesk operator believes this is a legitimate user needing to reset their credentials or MFA method, and compl, ies with the request. If all goes according to plan, the threat actor now has access to the account, and all it took was tricking the helpdesk operator.
If attackers possess stolen credentials but are blocked by a request for an authentication code they may turn to a tried-and-true bypass method: MFA fatigue (or prompt bombing). This calls for harassing users with repeated authentication requests. Attackers rely on the onslaught of push notifications to be overwhelming enough that the end user will eventually confirm the request, believing it to be a glitch.
SIM swapping is when an attacker convinces a mobile carrier to transfer a victim’s phone number to a SIM card they control. This allows them to intercept calls and messages, including those used for MFA. The attacker gathers personal information about a victim, contacts their mobile carrier pretending to have lost their phone, and requests to transfer the victim’s number to a new SIM card.
Despite these new attack techniques, MFA is still an important and effective security control. But like all security measures, there are weaknesses being exploited by attackers. Additional measures to decrease the chances of MFA Bypass:
The best offensive is often a good defense, especially when it comes to cybersecurity!
They are a passwordless way to log in, typically using a fingerprint, face scan, or screen lock PIN — and they’re phishing-resistant!
A team effort can go a long way to make sure the helpdesk doesn't get overwhelmed, and ensures everyone is doing their part to help prevent attacks
Ensure that users can only access what they need to perform necessary tasks for their job.
Additional Resources: