Nine ways MFA can be breached (and why passwords still matter) 

Of all the access security recommendations you come across, multi-factor authentication (MFA) is arguably the most consistent. And there’s good reason many best practice recommendations and compliance frameworks now place MFA at the top of the list of security configurations needed to help protect against compromise. MFA can be the crucial layer preventing a breach, as passwords alone are often easy work for hackers. However, MFA isn’t infallible – and a weak or breached password is still almost always a key factor when a user is breached. 

How MFA can be compromised 

Organizations need to be aware that MFA isn’t a silver bullet for bad passwords. It can be circumvented, and it often is. We’ll run through nine ways MFA can be breached and why organizations need to remain conscious of what MFA is usually adding protection to in the first place – a password.

1. MFA prompt bombing

One feature of modern authentication apps is they provide a push notification that prompts the user to either accept or deny the login request. While this is convenient for the end user, attackers can use it to their advantage. If they’ve already compromised a password, they can attempt to log in and generate an MFA prompt to the legitimate user’s device. They then hope the user either thinks it’s a legitimate prompt and accepts it or gets tired of the continuous prompts and accepts it to stop their phone notifications. This is known as MFA prompt bombing – you can learn more about how to defend against it here.

Threat Intelligence from Outpost24’s KrakenLabs was shared with us to show how hacking group 0ktapus successfully use prompt bombing. After compromising login credentials through SMS phishing, they continue with the authentication process from a machine they control and immediately request a multi-factor authentication (MFA) code. They then generate an endless string of MFA prompts until the user accepts one out of fatigue or frustration. Attackers might also use social engineering to nudge a victim towards accepting a prompt. In 2022, a hacker posed as an Uber security team member on Slack, gaining access by convincing a contractor to accept a push notification on his phone.

0ktapus have also been known to use phone calls, SMS, and/or Telegram to impersonate IT staff. They instructed users to either navigate to a credential-harvesting website containing the company logo or download a remote administration tool. If MFA was enabled, the adversary would either engage the victim directly by convincing them to share their one-time password or indirectly by leveraging MFA push-notification fatigue.
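On the defensive side, the prompt-bombing pattern described above (a run of unanswered or denied push prompts, sometimes ending in an approval) can be detected from MFA event logs. The following is an added example, not code from the original article or from any vendor; the event format, the 10-minute window and the threshold of five are assumptions to adapt to your identity provider's logs.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed look-back window
THRESHOLD = 5                    # assumed number of unapproved prompts that is abnormal

# Constructed sample push-MFA events (timestamp, user, result); not real log data.
SAMPLE_EVENTS = [
    ("2024-03-14T02:00:05", "alice", "denied"),
    ("2024-03-14T02:00:50", "alice", "timeout"),
    ("2024-03-14T02:01:30", "alice", "denied"),
    ("2024-03-14T02:02:10", "alice", "timeout"),
    ("2024-03-14T02:03:00", "alice", "denied"),
    ("2024-03-14T02:03:40", "alice", "timeout"),
    ("2024-03-14T02:04:15", "alice", "approved"),
    ("2024-03-14T09:00:00", "bob", "denied"),
    ("2024-03-14T09:00:40", "bob", "approved"),
]

def detect_prompt_bombing(events, window=WINDOW, threshold=THRESHOLD):
    """Return alerts as (user, timestamp, kind) tuples.

    "burst": the count of unapproved prompts inside the window reached the threshold.
    "approved_after_burst": an approval arrived while a burst was still in the
    window, which is the case to treat as a likely account takeover.
    """
    recent = defaultdict(deque)   # user -> timestamps of unapproved prompts
    alerts = []
    for ts_text, user, result in sorted(events):
        ts = datetime.fromisoformat(ts_text)
        queue = recent[user]
        while queue and ts - queue[0] > window:
            queue.popleft()       # drop prompts that fell out of the window
        if result == "approved":
            if len(queue) >= threshold:
                alerts.append((user, ts_text, "approved_after_burst"))
            queue.clear()
        else:
            queue.append(ts)
            if len(queue) == threshold:
                alerts.append((user, ts_text, "burst"))
    return alerts

if __name__ == "__main__":
    for alert in detect_prompt_bombing(SAMPLE_EVENTS):
        print(alert)
```

An "approved_after_burst" alert is a reasonable trigger for revoking the user's sessions and resetting the password, since the password is already known to whoever generated the prompts.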

2. Service desk social engineering

Attackers can use social engineering to trick helpdesks into bypassing MFA altogether by pretending they’ve forgotten their password and gaining access via a phone call. If service desk agents don’t enforce verification at this stage, they might unwittingly give a hacker an initial foothold in their organization’s environment.

This exact scenario recently played out in the attack on MGM Resorts. After gaining initial access by fraudulently calling the service desk for a password reset, the attack group (Scattered Spider) were able to use their foothold in the environment to launch a ransomware attack. It underscores the importance of organizations having the means in place to verify the identity of users calling the service desk claiming they need accounts reset or unlocked.

0ktapus have also been known to resort to targeting an organization’s service desk if MFA prompt bombing proves unsuccessful. The threat actor contacts an organization’s service desk claiming to be the victim, stating that their phone is inoperable or misplaced, and requests to enroll a new, attacker-controlled MFA authentication device.

3. Adversary-in-the-middle (AITM) attacks

AITM attacks essentially trick a user into thinking they’re logging into a legitimate network, application, or website, when in fact they’re putting their details into a fraudulent lookalike. This means hackers can intercept passwords and manipulate MFA prompts and other types of security.

For example, a spear phishing email might land in an employee’s inbox impersonating a known source. The link they click on will take them to a fake site where hackers will harvest their credentials for reuse. In theory, MFA would stop this by requiring a second form of authentication. However, attackers will use a tactic called a ‘2FA pass-on’ where as soon as the victim has entered their credentials into the fake site, the attacker enters those same details into the legitimate site. This will trigger an MFA request, which the victim is expecting and will likely accept, giving the attacker full access.

Threat group Storm-1167 are known for crafting phishing pages that mimic Microsoft’s authentication page in order to prompt the victim to add their credentials to the website. Then, another phishing page, this time mimicking the MFA step of the Microsoft login process, is displayed to the victim, who enters the MFA code and grants the attackers access to their account. From there, the hackers have full access to a legitimate email account and can use it as a platform for a multi-stage phishing attack.

4. Session hijacking

Session hijacking is similar to an AITM attack, as it involves an attacker positioning themselves in the middle of a legitimate process and exploiting it. When a user authenticates using their password and MFA, many applications use a cookie or session token to remember the user is authenticated and grant access to protected resources. The cookie or token prevents the user from having to authenticate multiple times. But if an attacker uses a tool such as Evilginx to steal the session token or cookie, they can masquerade as an authenticated user, effectively bypassing the multi-factor authentication configured on the account.

5. SIM swaps

Attackers know MFA often relies on cell phones as the “thing you possess” to complete an authentication process. A SIM swap attack is where cybercriminals trick service providers into switching services to a SIM card they control, effectively hijacking the victim’s cell service and phone number. This allows attackers to receive the MFA prompts to the hijacked service and grant themselves access.

Upon being compromised in early 2022, Microsoft published a report detailing the tactics employed by threat group LAPSUS$. According to the report, LAPSUS$ dedicates extensive social engineering campaigns to gain initial footholds in organizations. One of their favored techniques is targeting users with SIM-swapping attacks, along with MFA prompt bombing, and resetting a target’s credentials through help desk social engineering.

6. Exporting generated tokens

Another tactic attackers can use is compromising the back end system that generates and validates multi-factor authentication. In a bold attack in 2011, attackers were able to steal the “seeds” possessed by RSA for generating SecurID tokens (code-generating key fobs used for multi-factor authentication). Once the seed values were compromised, attackers were able to clone the SecurID tokens and even create their own.

Sometimes, attackers will seek the help of malicious insiders, who are paid to provide session tokens for MFA approval. Threat group LAPSUS$’s Telegram channel has confirmed that they have indeed bought access from a company’s employee in the past – and are actively looking for other insiders to work as providers. Microsoft have also reported that LAPSUS$ were able to obtain passwords and session tokens with the use of RedLine stealer. These credentials and session tokens are then sold on underground forums.

There are entire online marketplaces built around buying and selling user data. Interested to learn how many of your people are currently using a breached or compromised password? Run a quick read-only scan of your Active Directory with our free tool: Specops Password Auditor.

7. Endpoint compromise

One way to avoid MFA completely is to compromise an endpoint with malware. Installing malware on a device lets hackers create shadow sessions following successful logins, steal and use session cookies, or access additional resources. If the system in question allows users to remain logged on after an initial authentication (by generating a cookie or session token), hackers could keep their access for a significant period.
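Both session hijacking (section 4) and the stolen-cookie case above rely on a session token being accepted wherever it is presented and for as long as it exists. The sketch below is an added example, not code from the original article or any product: a server-side session store that binds each token to the client context it was issued to and caps its lifetime. The class and function names, the /24 and /48 network prefixes and the 8-hour lifetime are assumptions.

```python
import hashlib
import hmac
import ipaddress
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)   # per-deployment secret (assumption)
MAX_AGE_SECONDS = 8 * 3600             # assumed absolute session lifetime

def client_fingerprint(ip, user_agent):
    """HMAC over the client's network prefix and User-Agent string."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48   # tolerate address churn inside one network
    network = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    material = f"{network}|{user_agent}".encode()
    return hmac.new(SERVER_KEY, material, hashlib.sha256).hexdigest()

class SessionStore:
    def __init__(self):
        self._sessions = {}   # token -> (user, fingerprint, issued_at)

    def issue(self, user, ip, user_agent, now=None):
        """Call only after password and MFA have both succeeded."""
        token = secrets.token_urlsafe(32)
        issued = time.time() if now is None else now
        self._sessions[token] = (user, client_fingerprint(ip, user_agent), issued)
        return token

    def validate(self, token, ip, user_agent, now=None):
        """Return (user, "ok") or (None, reason); revoke on mismatch or expiry."""
        record = self._sessions.get(token)
        if record is None:
            return None, "unknown_token"
        user, fingerprint, issued = record
        current = time.time() if now is None else now
        if current - issued > MAX_AGE_SECONDS:
            del self._sessions[token]
            return None, "expired"
        presented = client_fingerprint(ip, user_agent)
        if not hmac.compare_digest(fingerprint, presented):
            del self._sessions[token]   # force full re-authentication
            return None, "context_mismatch"
        return user, "ok"
```

A session that was established through a phishing proxy is bound to the proxy's context from the start, so this check complements phishing-resistant authentication rather than replacing it.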

Hackers may also look to exploit recovery settings and back-up procedures that could be less safe than MFA processes. People often forget passwords and regularly need new or modified accesses. For example, a common recovery method is sending an email link to a secondary email address (or an SMS with a link). If this back-up address or phone is compromised, hackers gain full access to their target.

8. Exploiting SSO

Single Sign-on (SSO) is convenient for users as they only need to authenticate once. However, it can be exploited by hackers who use it to log in to a site requiring just a compromised password, then use SSO to gain access to other sites and applications that would normally require MFA. A sophisticated form of this technique was used in the 2020 SolarWinds hack, where hackers exploited SAML (a method for exchanging authentication between multiple parties in SSO). The hackers gained an initial foothold, then got access to the certificates used to sign SAML objects. With these, they were able to impersonate any user they wanted to, with full access to all SSO resources.

9. Finding technical deficiencies

Like all software, MFA technology has bugs and weaknesses that can be exploited. Most MFA solutions have had exploits published which temporarily exposed opportunities for hacking. For example, 0ktapus leveraged CVE-2021-35464 to exploit a ForgeRock OpenAM application server, which front-ends web applications and remote access solutions in many organizations. This highlights the importance of encouraging employees to regularly update and patch their devices. These risks should also inform organizations’ policies on shadow IT and BYOD (bring your own device).

Why passwords still matter

Going fully passwordless is unlikely to be an option for most organizations. And as we’ve outlined, MFA isn’t enough to simply forget about password security. Often, account compromise starts with a weak or breached password. Once an attacker has a password, they can then focus on defeating MFA. Weak passwords dramatically increase the chances of cybercriminals ultimately breaching accounts – and even strong passwords offer no protection if they have already been compromised.

Specops Password Policy not only lets you enforce strong Active Directory policies to eliminate weak passwords, it also continuously scans for passwords that have become compromised, due to breaches, phishing, or password reuse. MFA is then the additional layer of security it’s intended to be, rather than a silver bullet you’re fully reliant on.

Interested in seeing how Specops Password Policy might work for your organization? Have questions on how you could adapt this for your needs? Contact us.

(Last updated on March 14, 2024)

Written by

Marcus White

Marcus is a Specops cybersecurity specialist based in the UK. He’s been in the B2B technology sector for 8+ years and has worked closely with products in email security, data loss prevention, endpoint security, and identity and access management.
