Bypass techniques for multi-factor authentication

Altszn.com by Altszn.com
January 24, 2023
in Dark Web
The shortcoming of traditional user ID and password (single factor) logins is that passwords can be easily compromised. Threat actors can use automated password cracking tools to guess various combinations of usernames and passwords until they find the right sequence.

Multi-factor authentication (MFA), often referred to as two-factor authentication (2FA), is an electronic authentication method which protects user data from being accessed by an unauthorised third party. If one factor is compromised or broken, the attacker still has at least one more barrier to breach before successfully breaking into the target.

A user is only granted access to a website or application after successfully presenting two or more of the following factors to an authentication mechanism:

  • Something the user has: a physical object in the possession of the user, such as a USB security token, swipe card, a key or smartphone.
  • Something the user knows: information known to the user, such as a username, password, PIN or answer to a security question (‘mother’s maiden name’ or ‘name of first pet’ are common).
  • Something the user is: a physical characteristic of the user, such as a fingerprint, iris, voice, typing speed, pattern in key press intervals or other biometric.
  • Somewhere the user is: connection to a specific computing network or using a GPS signal to identify the location.

Older, weaker forms of MFA include one-time passwords (OTPs) sent via SMS, or push prompts sent to a mobile device application. When someone is logging in with a valid password, they must also enter the OTP into a field on the sign-in screen, or push a button displayed on the screen of their phone. Both of these methods can be easily exploited if not paired with further mitigations.

The strongest forms of MFA are based on a framework called Fast IDentity Online 2 (FIDO2), which was developed by a consortium of companies to balance security and simplicity of use. FIDO2 forms of MFA are relatively new and have yet to be widely adopted by consumers and large organisations.

Some enterprises provide single sign-on (SSO) access to corporate portals via employee personal devices. This allows access to services and applications such as email accounts, training portals and numerous administrative tools that contain personally identifiable information (PII) on wage slips, expense claims and travel requests.

Users accessing corporate portals from personal devices are often required to use a second factor for authentication. During enrolment to such platforms, the user will usually have the choice of three MFA options:

  • SMS: a six-digit OTP is sent to the user’s chosen mobile device via text message.
  • Email: an email token is sent to the user’s chosen email address.
  • Authentication app: a code is obtained from an app downloaded from the appropriate app store. Such apps include Google Authenticator, Open OTP, Authy and Microsoft Authenticator.

Upon authenticating with their chosen MFA method, the user may have the option to tick a box to ‘remember me on this device for X number of days’, usually between 14 and 90, with the current Microsoft 365 default setting being 90 days. This provides convenience, allowing the user to skip MFA during subsequent logins. When they successfully authenticate and select this option, two ‘tokens’ are stored in their browser for secure, persistent access to corporate services:

  • Access token: effectively a session cookie which expires after a short period of time, sometimes as quickly as 30 seconds, but often up to one hour.
  • Refresh token: this is used during subsequent logins to obtain a new access token if the initial authentication via username and password is still valid. The refresh token is initially valid for anything between 24 hours and 14 days, but if the corporate portal is continually accessed during this period it can last between 14 and 90 days. This period will likely be defined by the enterprise risk appetite.

If the account password is reset, a new device is used to access the account or the user clears existing cookies from their browser, then both tokens will immediately expire and the user will be required to reauthenticate with MFA at the next login.
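The following is an added illustration, not code from the original article: a minimal server-side model of the access/refresh token lifecycle just described, implementing the sliding refresh window and the three invalidation conditions (password reset, new device, cap reached). The lifetimes, the device binding and the password-version counter are assumptions chosen to match the ranges quoted above, not any vendor's actual defaults.

```python
# Added illustration of the token lifecycle described above (assumptions: the
# lifetimes below, a device identifier bound at issue time, and a per-account
# password_version counter bumped on every password reset).
from dataclasses import dataclass
import secrets

ACCESS_TTL = 3600              # access token: one hour (article's upper range)
REFRESH_IDLE_TTL = 24 * 3600   # refresh token: 24h if unused (article's lower range)
REFRESH_MAX_TTL = 90 * 86400   # hard cap: 90 days (the Microsoft 365 default quoted)

@dataclass
class Account:
    password_version: int = 0  # incremented on every password reset

@dataclass
class RefreshToken:
    value: str
    account: Account
    device_id: str
    password_version: int      # snapshot taken when the token was issued
    issued_at: float
    last_used: float

class TokenService:
    def __init__(self):
        self.refresh_tokens = {}

    def issue_after_mfa(self, account, device_id, now):
        """Called once username, password and MFA succeeded with 'remember me' ticked."""
        rt = RefreshToken(secrets.token_urlsafe(32), account, device_id,
                          account.password_version, now, now)
        self.refresh_tokens[rt.value] = rt
        return (secrets.token_urlsafe(32), now + ACCESS_TTL), rt.value

    def refresh(self, refresh_value, device_id, now):
        """Return a new (access token, expiry), or None when MFA is required again."""
        rt = self.refresh_tokens.get(refresh_value)
        if rt is None:                                   # cookies cleared / unknown
            return None
        revoked = (
            rt.device_id != device_id                                # new device
            or rt.password_version != rt.account.password_version    # password reset
            or now - rt.last_used > REFRESH_IDLE_TTL                 # idle too long
            or now - rt.issued_at > REFRESH_MAX_TTL                  # absolute cap
        )
        if revoked:
            del self.refresh_tokens[refresh_value]
            return None
        rt.last_used = now   # sliding window: continued use extends validity
        return secrets.token_urlsafe(32), now + ACCESS_TTL
```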

Methods of compromise

Browser pivoting is an attack that can be carried out with legitimate security tools such as Cobalt Strike and Metasploit, though most modern browsers have sufficient mitigation mechanisms in place, such as running individual tabs and sessions in separate processes. The attack hijacks authenticated web sessions through a proxy that is injected into the browser process. An attacker browsing through this proxy inherits cookies, authenticated HTTP sessions and client SSL/TLS certificates, and can use these to bypass weak MFA mechanisms.

Stolen cookies and stealer malware are also used by criminals to compromise networks. Session cookies allow a website to recognise a user so that page changes and item or data selections are remembered from page to page; the most common example of this functionality is the shopping cart of any ecommerce site. Credentials offering access to corporate portals have been seen for sale on popular dark web marketplaces such as Genesis and Russian Market, and listings can include session cookies as well as usernames and passwords.

IT teams can configure browsers and apps to shorten the allowable timeframe that cookies, access tokens and refresh tokens remain valid; however, this requires users to re-authenticate more often. IT teams need to strike a balance between security and convenience.

Session cookies can be stolen by deploying info-stealer malware such as Erbium, Redline or Raccoon Stealer into victim browsers. Modern info-stealers are usually components of botnets, and the targets and behaviour of an attack are sometimes configured remotely from a command and control (C2) server.

Next, we have social engineering, which can come in two forms, sometimes used together:

  • Voice phishing (vishing): calling the user, pretending to be from a support organisation that they know and trust. The user is convinced to accept an MFA request under a deceptive premise, such as resetting a password following a breach.
  • MFA fatigue (aka MFA bombing): an attacker in possession of a username and password sends a high volume of push requests to the user’s mobile device. The user accepts, either accidentally or simply to silence the repeated push notifications they are receiving.

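A defensive counterpart to the MFA fatigue pattern above, added here as an example and not part of the original article: a detector that flags accounts receiving a burst of push prompts within a short window, and notes whether a prompt was approved at the tail of the burst (the outcome the attacker is after). The log format, threshold and window are constructed assumptions, not any identity provider's real schema.

```python
# Added example: detect MFA-fatigue style bursts of push prompts from sign-in
# logs. The log lines, field layout, threshold and window are constructed
# assumptions for illustration only.
from collections import defaultdict, deque
from datetime import datetime

# constructed sample log: timestamp, user, event, result
SAMPLE_LOG = """\
2023-01-24T08:00:01Z alice@example.com push_sent pending
2023-01-24T08:00:09Z alice@example.com push_sent denied
2023-01-24T08:00:15Z alice@example.com push_sent denied
2023-01-24T08:00:21Z alice@example.com push_sent denied
2023-01-24T08:00:30Z alice@example.com push_sent denied
2023-01-24T08:00:44Z alice@example.com push_sent approved
2023-01-24T08:05:00Z bob@example.com push_sent approved
2023-01-24T09:10:00Z bob@example.com push_sent approved
"""

THRESHOLD = 5   # prompts inside the window that count as a burst
WINDOW_S = 120  # sliding window length in seconds

def parse(line):
    ts, user, event, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, result

def detect_mfa_fatigue(log_text, threshold=THRESHOLD, window_s=WINDOW_S):
    """Return {user: (max_burst_size, approved_during_burst)} for every user
    who received at least `threshold` push prompts within `window_s` seconds."""
    recent = defaultdict(deque)   # per-user prompt timestamps inside the window
    alerts = {}
    for line in log_text.splitlines():
        ts, user, event, result = parse(line)
        if event != "push_sent":
            continue
        q = recent[user]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # drop expired entries
            q.popleft()
        if len(q) >= threshold:
            # an approval inside a burst is the highest-risk signal: the user
            # may have accepted simply to silence the repeated notifications
            size, approved = alerts.get(user, (0, False))
            alerts[user] = (max(size, len(q)), approved or result == "approved")
    return alerts
```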
Security practitioners also need to be aware of legacy authentication hijacking. In instances where enterprises have recently mandated MFA, it has been possible for threat actors to gain unauthorised access to dormant accounts via legacy authentication methods. After accessing via stolen or guessed credentials, the attackers are able to self-enrol on MFA and take control of these accounts.

Finally, it is relatively easy for an attacker to intercept an OTP sent via unencrypted communications such as SMS. The attacker can then use this OTP to authenticate to a service, in many cases before the legitimate user is even aware that an MFA request has been sent.

Recent attacks

Lapsus$ Group (also tracked as DEV-0537, UNC3661 or SLIPPY SPIDER) have been active since December 2021, initially targeting South American companies. They branched out in February and March 2022 to demand ransoms from higher profile companies such as Vodafone, Nvidia, Okta, Samsung, Electronic Arts (EA) and Microsoft. Attacks on Uber and Rockstar Games in September 2022 were also attributed to the group in media reporting.

Lapsus$ are assessed by several threat intelligence vendors to be a low-level, financially motivated threat group. They do not employ ransomware to achieve their aims, instead relying on social engineering tactics and threatening to leak data.

In the specific case of EA, it was reported that initial access was gained following the purchase of a stolen session cookie from the Genesis marketplace, giving the attacker access to EA’s Slack instance. This allowed them to spoof the existing login of an EA employee and deceive a member of EA’s IT support team into providing network access.

Large scale phishing campaigns are also a common attack vector deployed by criminals. On 12 July 2022, the Microsoft Threat Intelligence Center (MSTIC) reported details of a phishing campaign which had targeted more than 10,000 organisations since September 2021. In most cases, attackers lured victims to a phishing site masquerading as Outlook Online, allowing them to intercept the victim password and session cookie.

After a compromised account signed into the phishing site for the first time, the attacker used the stolen session cookie to authenticate to the genuine Outlook portal. In multiple cases, the cookies had an MFA claim, which means that even if the organisation had an MFA policy in place, the attacker used the session cookie to gain access on behalf of the compromised account.

In the days following the cookie theft, the threat actors accessed employee email accounts and looked for messages to use in business email compromise scams, which tricked targets into wiring large sums of money to accounts they believed belonged to co-workers or business partners.

APT29 take over dormant Microsoft accounts to set up MFA

On 18 August 2022, Mandiant published a report sharing details of a new tactic by APT29 (aka Cozy Bear, aka Nobelium) and other threat actors that involves taking advantage of the self-enrolment process for MFA in Azure Active Directory and other platforms. APT29 have previously been implicated in the attack on the US Democratic Party ahead of the 2016 presidential election, and the far-reaching SUNBURST campaign of 2020 that saw updates of SolarWinds software Trojanised with remote access tools.

In this instance, APT29 conducted a password guessing attack against a list of mailboxes they had obtained through unknown means. The threat actor successfully guessed the password to an account that had been set up, but never used. Because the account was dormant, Azure AD prompted APT29 to enrol in MFA. Once enrolled, APT29 was able to use the account to access the organisation’s VPN infrastructure that was using Azure AD for authentication and MFA.

Cisco Systems breach

On 10 August 2022, Cisco Systems confirmed they had been breached, with initial access achieved with the compromise of an employee’s personal Google account. While a compromised personal account is generally not an issue, in this case, the employee was signed into Chrome and used the password syncing feature to store his Cisco credentials.

Read More: news.google.com