MFA can significantly reduce the risk of account takeover, but it is not without its challenges. Using MFA is simple; configuring it correctly is not always so, yet it remains a control that can’t be dismissed. From MFA push-notification fatigue to abuse of weak self-enrollment configurations, threat actors of several types are increasingly bypassing this important defense. Recent compromises involving Okta, Twilio, Cloudflare, and Cisco highlight how determined and successful threat actors have become at obtaining valid credentials, including for accounts protected by MFA, with Microsoft accounts a particular target.
With MFA bypass being reported more frequently and threat actors focusing on one of the most widely used platforms, organizations need to be aware of the techniques being observed and how best to protect against them. A recent HelpNetSecurity article, Attackers take over dormant Microsoft accounts and set up MFA, gives a good overview of several MFA bypass techniques observed against Microsoft accounts. See HelpNetSecurity for the full article.
For additional posts on MFA bypass techniques and incidents:
- You Can’t Audit Me: APT29 Continues Targeting Microsoft 365 (Mandiant) – discusses exploitation of the MFA self-enrollment process in Azure Active Directory and other platforms.
- Exploiting stolen session cookies to bypass multi-factor authentication (MFA) (HelpNetSecurity) – covers how threat actors are increasingly using stolen session cookies to bypass MFA.
- Hackers use AiTM attack to monitor Microsoft 365 accounts for BEC scams (BleepingComputer) – highlights the stealthy technique used to avoid MFA token expiration and/or revocation, and notes that the attackers accessed Exchange and SharePoint almost exclusively.
- Roasting 0ktapus: The phishing campaign going after Okta identity credentials (Group-IB) – shares the surprisingly simple tools and techniques used to overcome enterprise identity and access management (IAM) and conduct supply chain attacks.
- Twilio, Cloudflare Attacked in Campaign That Hit Over 130 Organizations (SecurityWeek) – summarizes the aforementioned Group-IB report.