A Threat Actor’s Playbook: Common Techniques and How to Bypass MFA
Blog Post
By: Kevin O’Connor, Director of Threat Research
A Threat Actor’s Playbook: Common Techniques and How to Bypass MFA is part of Adlumin’s Threat Bulletin Series.
Any business that runs a network or email system faces a serious and growing problem: cybercriminals bypassing multifactor authentication (MFA). The threat is not novel, overly complex, highly engineered, or used exclusively by Advanced Persistent Threats (APTs). It is a persistent and increasingly easy-to-adopt tactic and exploitation chain that attackers are using successfully, to potentially devastating effect.
The attack chain is simple. A cybercriminal obtains a user’s credentials, uses them to access the user’s email account, and then sets up automatic inbox rules to hide nefarious emails and any replies from the legitimate user. Then, they use that basic access to further compromise systems and networks, or to directly affect payments through business email compromise.
At the heart of defense against these attacks is ensuring that only legitimate and verified users can log onto and use these systems. The first step to this is the obvious username and password – but weak passwords and password reuse add to the ever-growing list of compromised services leaking user account details.
Administrators often set up MFA or two-factor authentication to harden systems against attacks and help prevent unauthorized access.
Unfortunately, MFA is probably overly valued in today’s security landscape, and the security it grants accounts is perhaps given too much weight as an effective security control. This is not to say that multifactor isn’t a useful control; it is a critical security fundamental for any business system or network. However, Adlumin’s Threat Research Team has found that it often gives administrators and security professionals a false sense of security in their authorization controls. MFA is important in securing systems by strengthening authentication but is just one part of the security stack and often on the frontlines of defense for a system. Still, in our experience, security professionals rely too much on MFA protections.
Adlumin’s Threat Research and MDR team has seen MFA security controls increasingly being circumvented or bypassed by attackers in the never-ending cat-and-mouse game of security as evidenced by an increasing number of our incident response investigations being underpinned by compromised MFA-protected accounts.
MFA will not always protect users and businesses from attackers gaining access to potentially critical business systems. First, let’s clarify what we mean by Multifactor Authentication, sometimes known as 2FA or 2 Factor Authentication. MFA is when you authenticate – “login” – against a system like a website or service by proving your identity using traditional means of providing something you know, like a username and password, but adding a second source to verify the user.
Here are a few ways MFA is implemented:
One of the earliest, though now increasingly dated, ways of implementing that second factor is the SecurID-style hardware token, such as the RSA token found on many IT and even regular business users’ keychains next to their car and house keys, or attached to a lanyard around their neck. These physical hardware tokens generate a computable, predictable, and reproducible but secure number of six or so digits every so often, typically rotating every 10 to 30 seconds. While mathematically predictable, predicting the next code in the sequence requires knowing a secret, which is usually a very large prime number.
The token or fob (as in key fob, owing to their similar appearance) has that secret built into its components and uses it to generate the codes. The other end of the authentication system you are using has the secret keys for the tokens registered with it, so that it can generate the same predictable codes. When logging in, you provide the six-digit number, and the authentication system compares it to what it expects. If you have supplied the correct username and password and the correct code from your hardware token, the code matches what the system expects and it grants you access.
This is a simplified view of how these tokens and their codes work; several of the layers and processes involved have been condensed. Some systems use time-based synchronization to ensure that the correct code is generated and checked at the correct time, others use different cryptography and methods of generating and predicting the code, and some use more complex asymmetric cryptographic schemes.
The most common way we’ve seen MFA implemented today is through authenticator apps. These are apps on your phone that are tied to whatever service and account you are trying to access and that display rotating codes used for MFA authentication. For some services, the MFA functionality is built directly into the service’s own phone app.
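To make the shared-secret mechanism concrete, here is an added example (not code from the original post or from Adlumin) implementing the open TOTP standard, RFC 6238, that authenticator apps use: the token side and the server side derive the same six-digit code from a shared secret and the current 30-second time step, and the server accepts one step of clock drift. The secret generated in `__main__` is fresh and random; the proprietary hardware tokens described above use their own algorithm, which this does not reproduce.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

STEP_SECONDS = 30  # code rotates every 30 s; the post describes 10-30 s rotations
DIGITS = 6         # six-digit code, as on a key fob or in an authenticator app


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step.
    Token and server run this same function on the same secret, so they agree."""
    at = int(time.time()) if at is None else at
    return hotp(secret, at // STEP_SECONDS)


def verify(secret: bytes, submitted: str, at: Optional[int] = None, drift: int = 1) -> bool:
    """Server-side check: accept the current step and +/- `drift` neighbouring steps to
    tolerate clock skew. Constant-time compare so timing does not leak matching digits.
    Note what this does NOT check: which site the user typed the code into, which is
    why a code relayed through a man-in-the-middle proxy still verifies."""
    at = int(time.time()) if at is None else at
    step = at // STEP_SECONDS
    return any(hmac.compare_digest(hotp(secret, step + d), submitted)
               for d in range(-drift, drift + 1))


def provision() -> tuple:
    """Enrollment: a fresh random secret. The base32 form is what an authenticator app
    imports from a QR code; the raw bytes are what the server stores for the user."""
    raw = secrets.token_bytes(20)
    return raw, base64.b32encode(raw).decode()


if __name__ == "__main__":
    server_secret, app_import = provision()  # shared once at enrollment
    code = totp(server_secret)               # what the "token" displays right now
    print("authenticator import:", app_import)
    print("current code:", code, "accepted:", verify(server_secret, code))
```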
The issue that the Adlumin Threat Research Team has identified is that organizations have likely become too reliant on the security offered by MFA. Originally, MFA strengthened authentication: it could prevent breaches where passwords were compromised and known to attackers, and it helped mitigate brute-force attempts in which an attacker tries hundreds or thousands of passwords against an account to gain access.
The early effectiveness of MFA has lulled security practitioners into a trap of over-relying on the control to prevent unauthorized access. This has become a problem, as Adlumin has observed first-hand attackers employing a number of techniques meant to bypass MFA.
The most common and effective method we see is a phishing email sent to a target user that leads to a man-in-the-middle (MiTM) attack. The unwitting user is directed to a site that looks just like the service they are trying to authenticate to. Unbeknownst to them, they are actually in a secure connection with the attacker, who captures and relays any provided credentials to the legitimate site; the trick is convincing because users see and interact with the page exactly as they expect. Through this, attackers can read the password entered by the targeted user, intercept second factors such as MFA codes, and, most importantly, capture the resulting authentication tokens or cookies, which they replay to gain access to a session the legitimate user authorized. Essentially, the attacker hijacks, or at least co-opts, the user’s granted authorization and access.
Many open-source techniques and frameworks, such as Evilginx, have been developed to support such attacks. They automate the credential capture through phishing messages, the deployment of the infrastructure needed to support the attack, and the capture of user credentials and sessions. These tools enable even the lowest-skilled attackers to bypass MFA-based security and have lowered the barrier to entry for an attacker to become a serious threat to a targeted organization. In a break-out session at this year’s Black Hat conference, Adlumin’s Threat Research Team demonstrated an Evilginx-based MFA bypass whose potency was enhanced by chaining it with Large Language Model (LLM) usage such as ChatGPT and with LinkedIn scraping: an automated framework that generates and delivers targeted spear-phishing emails and then harvests user access tokens and credentials, allowing for easy, scalable and, importantly, targeted attacks.
The Evilginx-style MiTM attack, underpinned by phishing and leading to user credential compromise, is the most common technique the team has seen used to bypass MFA protections across industries and business sizes.
In fact, Adlumin’s Threat Research Team has observed cases where users in targeted organizations bypassed protections in Microsoft 365 online email services meant to stop them from clicking suspicious links that may lead to these types of attacks. Many businesses use this feature, part of Microsoft’s Defender for Office 365 product, which identifies phishing links, blocks or warns on their use, and requires users to manually acknowledge that they are trying to browse to a site labeled as potentially malicious. Despite this, Adlumin’s Threat Research Team has observed specific logs in these attacks, the OnClick logs, which show that users regularly bypass these critical warnings.
The team then observes that shortly after these likely malicious sessions, the users’ accounts are accessed remotely by attackers, most likely by reusing the session authorization tokens captured through the MiTM attack tied to the clicked link, with either Evilginx itself or Evilginx-like infrastructure supporting it. In these attacks, the user is typically presented with a site that looks like the legitimate login portal for the service they intended to access, such as a Microsoft 365 login page.
An attentive user may even notice that the connection to the supposedly legitimate but actually malicious site is secure, indicated by the now-ubiquitous green or gray lock icon that signals an encrypted SSL/TLS connection. This gives users a false sense of security, as they may believe it means their access is secure. In reality, only the user’s connection to the malicious site is secure, and that is where the user’s direct access ends. The malicious server then proxies, standing in the middle of, a second secure connection to the legitimate endpoint, allowing it to snoop on data the user believes is being sent securely to the end service. With that, the attacker holds credentials ready to be replayed, allowing them to reuse the same authorization granted to the legitimate user.
Luckily, Adlumin’s Threat Research Team has prevented multiple potential compromises using this method of MFA bypass, which we believe is the most commonly used technique with the lowest barrier to entry for attackers, owing to the volume of published information and open-source tooling around it. In these cases, users often bypass the security warning attached to a phishing link, and their credentials are then predictably compromised. However, when the attacker goes on to access the system with the same credentials, or while they are proxying the login, they are usually doing so from different systems or from locations that differ from the legitimate user’s. That difference triggers Adlumin’s User and Entity Behavior Analytics (UEBA), leading to alerts and potential blocking through Security Orchestration, Automation and Response (SOAR) actions, which can issue commands such as an automatic reset of the user’s credentials or a lock on the account, preventing any malicious access.
Security administrators need to be aware of the common use of these techniques, which have proven effective in the attack chain. They need to monitor for OnClick events and ensure they are using advanced detection and alerting systems such as UEBA to detect when these attacks are occurring. Additionally, SOAR capabilities remain critical in preventing such attacks and are arguably becoming more important in the modern cyber battle space, where attack and compromise have become a question of when, not if.
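As an added example (not Adlumin’s detection logic and not Microsoft’s log schema), the following correlates the two signals described above: a user clicking through a suspicious-link warning, followed within a short window by a successful sign-in from an IP address that user had not used before. The record fields, users, lookalike URL and IP addresses are constructed for illustration; in a real deployment they would be mapped from the tenant’s Safe Links click logs and sign-in logs.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# clicked_through is True when the user dismissed the "potentially malicious" warning.
UrlClick = namedtuple("UrlClick", "ts user ip url clicked_through")
SignIn = namedtuple("SignIn", "ts user ip succeeded")


def correlate(clicks, signins, window=timedelta(hours=6)):
    """Alert on successful sign-ins that follow a warning click-through by the same user
    within `window` and come from an IP the user had not used before the click: the
    shape of a session token replayed from attacker-controlled infrastructure."""
    by_user = defaultdict(list)
    for s in sorted(signins, key=lambda s: s.ts):
        by_user[s.user].append(s)
    alerts = []
    for c in clicks:
        if not c.clicked_through:
            continue
        # Baseline: IPs this user signed in from before the click, plus the clicking IP.
        baseline = {s.ip for s in by_user[c.user] if s.ts < c.ts and s.succeeded} | {c.ip}
        for s in by_user[c.user]:
            if c.ts <= s.ts <= c.ts + window and s.succeeded and s.ip not in baseline:
                alerts.append({"user": c.user, "click_url": c.url, "click_ip": c.ip,
                               "signin_ip": s.ip,
                               "minutes_after_click": int((s.ts - c.ts).total_seconds() // 60)})
    return alerts


# Constructed sample events: hypothetical users, a placeholder lookalike URL and
# documentation-range IP addresses.
T = datetime(2024, 5, 6, 9, 0)
CLICKS = [
    UrlClick(T, "alice@example.com", "203.0.113.10", "https://lookalike.invalid/login", True),
    UrlClick(T, "bob@example.com", "203.0.113.20", "https://lookalike.invalid/login", True),
    UrlClick(T, "carol@example.com", "203.0.113.30", "https://docs.example.com/", False),
]
SIGNINS = [
    SignIn(T - timedelta(hours=1), "alice@example.com", "203.0.113.10", True),
    SignIn(T + timedelta(minutes=7), "alice@example.com", "198.51.100.77", True),   # new IP after click
    SignIn(T + timedelta(minutes=9), "alice@example.com", "198.51.100.88", False),  # failed: ignored
    SignIn(T + timedelta(minutes=5), "bob@example.com", "203.0.113.20", True),      # same IP: benign
    SignIn(T + timedelta(minutes=5), "carol@example.com", "198.51.100.99", True),   # no click-through
]

if __name__ == "__main__":
    for alert in correlate(CLICKS, SIGNINS):
        print(alert)
```

Only alice’s sign-in is flagged: bob returned from the IP he clicked from, and carol never overrode a warning, so a SOAR credential reset would target the one account whose session was plausibly replayed.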
Learn more about how Adlumin’s Managed Detection and Response Services and Extended Detection and Response can empower your team to illuminate threats, eliminate cyber risk, and command authority. Contact us today, schedule a demo, or sign up for a free trial.