When it comes to access security, one recommendation stands above the rest: multi-factor authentication (MFA). With a password alone being easy work for attackers, MFA provides an important layer of protection against breaches. However, it is important to remember that MFA is not infallible. It can be bypassed, and it routinely is.
If a password is compromised, attackers have several options for getting past the additional protection MFA provides. Let's examine four social engineering tactics that attackers have successfully used to breach MFA, and why a strong password still matters as part of a layered defense.
1. Adversary-in-the-middle (AiTM) attacks
AiTM attacks trick users into believing they are logging into a real network, application, or website when they are in fact handing their information to a look-alike controlled by the attacker, typically a proxy that relays traffic to the real site. This lets attackers intercept passwords and manipulate security measures, including MFA prompts, in real time. For example, a spear-phishing email arrives in an employee's inbox posing as a trusted source; clicking the embedded link directs them to a fake website where the attackers collect their login credentials.
MFA should in principle block these attacks by requiring an additional factor, but attackers use a technique sometimes called '2FA pass-on', a real-time relay. Once the victim enters their credentials on the fake site, the attacker immediately submits the same details to the legitimate site. This triggers a genuine MFA request, which the victim is expecting and promptly approves (or a one-time code that the victim types into the fake page and the attacker relays), inadvertently giving the attacker full access. The relay works because a one-time code is bound only to a short time window, not to the site the user is looking at. Phishing-resistant methods such as FIDO2/WebAuthn bind the authentication to the origin of the site and cannot be relayed this way.
This is a common tactic of threat groups such as Storm-1167, known for creating fake Microsoft authentication pages to harvest credentials. The group also built a second phishing page mimicking the MFA step of Microsoft's login flow, prompting the victim to enter their MFA code and thereby giving the attackers access. From there, they take over a legitimate email account and use it as a platform for a multi-stage phishing attack.
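The following is an added illustration (not code from the original article, Storm-1167, or any vendor) of why the relay described above succeeds against one-time codes and fails against origin-bound authentication. The TOTP implementation follows RFC 6238 with the usual one-step tolerance; the WebAuthn part is a deliberate simplification in which the authenticator's signature is modelled as an HMAC over the client data (real authenticators use an asymmetric key) and the origins, secret and timestamps are constructed values.

```python
"""Relayed one-time code vs. relayed WebAuthn assertion under an AiTM proxy.
Standard library only; the WebAuthn 'signature' is an HMAC stand-in for the
real asymmetric signature (assumption made for brevity)."""
import hashlib
import hmac
import json
import secrets
import struct

REAL_ORIGIN = "https://login.example.com"        # assumed legitimate site
PHISH_ORIGIN = "https://login.example-com.net"   # assumed look-alike AiTM proxy


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def server_accepts_totp(secret: bytes, code: str, unix_time: int) -> bool:
    """Typical server check: the current 30 s step plus one step either side."""
    return any(hmac.compare_digest(code, totp(secret, unix_time + d)) for d in (-30, 0, 30))


def totp_relay(delay_seconds: int) -> bool:
    """Victim types the code into the phishing page at time T; the proxy submits
    the same code to the real site at T + delay_seconds. Nothing in the code
    says which site the victim was looking at, so a prompt relay is accepted."""
    secret = b"12345678901234567890"   # constructed shared secret (RFC 6238 test vector)
    victim_time = 1_700_000_000        # fixed so the outcome is reproducible
    code_typed_on_phish_page = totp(secret, victim_time)
    return server_accepts_totp(secret, code_typed_on_phish_page, victim_time + delay_seconds)


def webauthn_assertion(cred_key: bytes, challenge: str, page_origin: str):
    """What the browser and authenticator produce. The browser, not the user,
    writes the origin of the page that requested the assertion into the client
    data, so it reflects the site actually loaded, phishing proxy included."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    sig = hmac.new(cred_key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return client_data, sig


def rp_verify(cred_key: bytes, expected_challenge: str, client_data: bytes, sig: bytes) -> bool:
    """Relying-party checks: challenge matches, origin is ours, signature verifies."""
    data = json.loads(client_data)
    if data.get("type") != "webauthn.get" or data.get("challenge") != expected_challenge:
        return False
    if data.get("origin") != REAL_ORIGIN:     # the check an AiTM proxy cannot satisfy
        return False
    expected = hmac.new(cred_key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected)


def webauthn_relay(page_origin: str) -> bool:
    """The proxy forwards the real site's challenge to the victim's browser and
    relays the resulting assertion back. Returns whether the real site accepts it."""
    cred_key = secrets.token_bytes(32)
    challenge = secrets.token_urlsafe(32)     # issued by the real site, relayed unchanged
    client_data, sig = webauthn_assertion(cred_key, challenge, page_origin)
    return rp_verify(cred_key, challenge, client_data, sig)


if __name__ == "__main__":
    print("TOTP relayed within 5 s accepted:", totp_relay(5))
    print("TOTP relayed after 20 s accepted:", totp_relay(20))
    print("TOTP relayed after 2 min accepted:", totp_relay(120))
    print("WebAuthn from real origin accepted:", webauthn_relay(REAL_ORIGIN))
    print("WebAuthn relayed from phishing origin accepted:", webauthn_relay(PHISH_ORIGIN))
```

Two points to take from it: the TOTP code is accepted even when relayed into the next 30-second step because of the server's tolerance window, so speed is not the attacker's constraint; and the WebAuthn assertion is rejected not because the attacker lacks anything, but because the browser stamps the phishing origin into the signed data and the relying party refuses it.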
2. MFA prompt bombing
This tactic abuses the push-notification feature of modern authenticator apps. After compromising a password, attackers repeatedly attempt to log in, each attempt sending an MFA push prompt to the legitimate user's device. They count on the user either mistaking one for a genuine prompt and accepting it, or becoming so frustrated with the stream of prompts that they accept one just to make the notifications stop. This technique, known as MFA prompt bombing or MFA fatigue, poses a significant threat. Number matching (the user must type a number displayed on the login screen into the app) and rate-limiting push attempts per account blunt it considerably.
In a notorious incident, the attackers behind the 2022 Uber breach compromised an Uber contractor's login credentials via SMS phishing, continued the authentication from a machine they controlled, and triggered MFA push requests to the contractor. They then contacted the contractor directly, posing as a member of the Uber security team, and convinced them to accept the MFA push notification on their phone.
3. Service desk attacks
Attackers trick helpdesks into bypassing MFA by phoning in, claiming to have forgotten their password, and asking for a reset. If service desk agents fail to follow proper identity verification procedures, they may unknowingly hand attackers an initial entry point into the organization's environment. A recent example is the attack on MGM Resorts, where the Scattered Spider hacker group fraudulently contacted the service desk for a password reset, gaining a foothold to log in and launch a ransomware attack.
Attackers also exploit recovery settings and backup methods by manipulating service desks into bypassing MFA. The group behind the Uber breach has been known to fall back on targeting an organization's service desk when MFA prompt bombing proves unsuccessful. They contact the service desk claiming their phone is unavailable or lost, then ask to enroll a new, attacker-controlled MFA device. They may also abuse the organization's recovery or backup process by obtaining the password reset link sent to the compromised device. Verification that relies only on information an attacker can look up (employee ID, manager's name, date of birth) offers no real barrier; a password reset or MFA re-enrollment should require something the caller cannot obtain from a data breach or social media, such as a call-back to a number already on file or manager approval.
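Both the prompt bombing section and the service desk section describe sequences that leave a distinctive trail in identity-provider logs: a burst of push prompts to one user ending in an approval, and a helpdesk-initiated password reset followed shortly by a new MFA method on the same account. The following is an added example of detection logic for both patterns (not code from the original article or any product). The event schema, field names, user names, timestamps and thresholds are all constructed for the illustration; map them to your own sign-in and audit log fields.

```python
"""Detection of MFA prompt bombing and reset-then-re-enroll sequences over
constructed identity log events (schema and data are assumptions)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, loosely shaped like IdP sign-in / audit records.
EVENTS = [
    {"ts": "2024-03-01T09:00:05Z", "user": "jdoe", "type": "mfa_push", "result": "denied"},
    {"ts": "2024-03-01T09:00:40Z", "user": "jdoe", "type": "mfa_push", "result": "denied"},
    {"ts": "2024-03-01T09:01:15Z", "user": "jdoe", "type": "mfa_push", "result": "denied"},
    {"ts": "2024-03-01T09:02:00Z", "user": "jdoe", "type": "mfa_push", "result": "denied"},
    {"ts": "2024-03-01T09:03:10Z", "user": "jdoe", "type": "mfa_push", "result": "denied"},
    {"ts": "2024-03-01T09:04:30Z", "user": "jdoe", "type": "mfa_push", "result": "denied"},
    {"ts": "2024-03-01T09:05:50Z", "user": "jdoe", "type": "mfa_push", "result": "approved"},
    {"ts": "2024-03-01T10:00:00Z", "user": "asmith", "type": "mfa_push", "result": "approved"},
    {"ts": "2024-03-01T10:30:00Z", "user": "asmith", "type": "mfa_push", "result": "approved"},
    {"ts": "2024-03-02T14:02:00Z", "user": "bwong", "type": "helpdesk_password_reset", "actor": "helpdesk-agent-12"},
    {"ts": "2024-03-02T14:20:00Z", "user": "bwong", "type": "mfa_method_added", "method": "authenticator_app"},
    {"ts": "2024-03-02T16:00:00Z", "user": "clee", "type": "mfa_method_added", "method": "fido2_key"},
]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_prompt_bombing(events, window_s: int = 600, threshold: int = 5):
    """Flag users who received >= threshold push prompts within any window_s span.
    Reports the size of the burst and whether it ended the way the attacker wants:
    an approval that came after at least one denial."""
    pushes = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort lexically
        if e["type"] == "mfa_push":
            pushes[e["user"]].append((parse_ts(e["ts"]), e["result"]))
    findings = []
    for user, items in pushes.items():
        flagged, start = set(), 0
        for end in range(len(items)):                  # sliding window over prompts
            while items[end][0] - items[start][0] > timedelta(seconds=window_s):
                start += 1
            if end - start + 1 >= threshold:
                flagged.update(range(start, end + 1))
        if flagged:
            burst = [items[i] for i in sorted(flagged)]
            approved_after_denial = any(
                r == "approved" and any(rr == "denied" for _, rr in burst[:i])
                for i, (_, r) in enumerate(burst))
            findings.append({"user": user, "prompts": len(burst),
                             "denied": sum(1 for _, r in burst if r == "denied"),
                             "approved_after_denials": approved_after_denial,
                             "first": burst[0][0].isoformat(), "last": burst[-1][0].isoformat()})
    return findings


def detect_reset_then_enroll(events, max_gap_s: int = 24 * 3600):
    """Helpdesk-initiated password reset followed by a new MFA method on the same
    account within max_gap_s: the sequence a service-desk MFA bypass produces."""
    findings = []
    for r in (e for e in events if e["type"] == "helpdesk_password_reset"):
        t0 = parse_ts(r["ts"])
        for e in events:
            if e["type"] == "mfa_method_added" and e["user"] == r["user"]:
                gap = (parse_ts(e["ts"]) - t0).total_seconds()
                if 0 <= gap <= max_gap_s:
                    findings.append({"user": r["user"], "reset_by": r["actor"],
                                     "method": e["method"], "minutes_after_reset": round(gap / 60)})
    return findings


if __name__ == "__main__":
    for f in detect_prompt_bombing(EVENTS) + detect_reset_then_enroll(EVENTS):
        print(f)
```

On this data only jdoe is flagged for prompt bombing (seven prompts in under six minutes, six denials, then an approval), and only bwong for the reset-then-enroll sequence (a new authenticator 18 minutes after a helpdesk reset); asmith's two approvals and clee's key enrollment without a preceding reset are left alone. The second rule is worth tuning to your helpdesk's real workflow: a short gap is normal when the desk itself re-enrolls a user, so the actor field and whether the enrollment came from a new device or location are what separate routine from suspicious.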
4. SIM swapping
Cybercriminals know that MFA often relies on mobile phones, through SMS codes or voice calls, as an authentication factor. They exploit this with a technique called SIM swapping, in which they trick the mobile carrier into transferring the target's service to a SIM card under their control. The attacker then receives the target's calls and text messages, including SMS one-time codes, allowing them to satisfy MFA prompts and gain unauthorized access to accounts. SMS and voice should be treated as the weakest MFA factors and replaced with authenticator apps or hardware keys wherever possible.
After an incident in 2022, Microsoft published a report detailing the tactics used by the threat group LAPSUS$. The report describes how LAPSUS$ ran extensive social engineering campaigns to gain initial footholds in target organizations. Among its favored techniques were SIM-swapping attacks against users, MFA prompt bombing, and resetting targets' credentials through help desk social engineering.
You can't completely rely on MFA – password security is still important
This is not an exhaustive list of ways to get around MFA. There are several others, including compromising endpoints, stealing session tokens after authentication has completed, abusing SSO, and exploiting unpatched technical flaws. Clearly, enabling MFA doesn't mean organizations can stop caring about password security.
Account compromise often starts with a weak or compromised password. Once an attacker holds a valid password, they can turn their attention to bypassing the MFA mechanism. Even a strong password cannot protect a user if it has been exposed through a breach or reused across sites. And for most organizations, going fully passwordless isn't yet a practical option.
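As an added illustration of what a compromised-password check looks like in practice (not code from the original article or from any vendor's product), the following Python applies a minimum-length rule and then checks the password's SHA-1 hash against a breach corpus using the k-anonymity range pattern, in which only the first five hex characters of the hash leave the client and the full hash is matched locally. The breach corpus here is a constructed set of a few well-known bad passwords, and the `range_lookup` function is an offline stand-in for a real range endpoint or a locally synced hash list; both are assumptions for the example.

```python
"""Password policy check: length plus breach-corpus lookup via hash-prefix (k-anonymity).
The corpus and the range lookup are constructed stand-ins for a real breach service."""
import hashlib

# Constructed breach corpus: SHA-1 of passwords that appear in leaked credential dumps.
# Note "Summer2023!!!!" satisfies length and complexity rules yet is still breached.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ["password", "Password1", "Summer2023!!!!", "letmein", "qwerty123"]
}


def range_lookup(prefix5: str) -> dict:
    """Stand-in for a k-anonymity 'range' endpoint: given a 5-hex-char prefix,
    return every 35-char suffix in the corpus sharing that prefix with a count.
    A real service would receive only the prefix, never the password or full hash."""
    assert len(prefix5) == 5
    return {h[5:]: 1 for h in BREACHED_SHA1 if h.startswith(prefix5)}


def is_breached(password: str) -> bool:
    """Hash locally, send only the prefix, compare the suffix on the client side."""
    sha1 = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = sha1[:5], sha1[5:]
    return suffix in range_lookup(prefix)


def check_policy(password: str, min_length: int = 12) -> list:
    """Return the list of policy violations; an empty list means the password passes.
    Length and breach status are checked independently so the user sees every reason."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if is_breached(password):
        problems.append("appears in breach corpus")
    return problems


if __name__ == "__main__":
    for candidate in ["qwerty123", "Summer2023!!!!", "correct-horse-battery-staple-7"]:
        print(f"{candidate!r}: {check_policy(candidate) or 'OK'}")
```

The point of the ordering is that "Summer2023!!!!" sails through the length rule and would satisfy most complexity rules, and is still rejected because it is in the corpus; that is the gap a breach-list check closes that a conventional policy alone does not. In production the same `is_breached` call runs at password change time and periodically against stored hashes, since a password that was clean yesterday can appear in a dump tomorrow.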
With a tool like Specops Password Policy, you can enforce strong password policies in Active Directory to eliminate weak passwords and continuously scan for passwords that have been compromised through breaches, reuse, or sale after a phishing attack. This keeps MFA in its intended role as an additional layer of security rather than the sole line of defense. If you are interested in exploring how Specops Password Policy can fit the specific needs of your organization, please contact us.