Not all multi-factor authentication (MFA) offers the same level of protection against different types of cyber-attacks. So, we’ve created this blog to show you how easy it is to bypass multifactor authentication.
MFA requires users to provide two or more forms of identity verification before gaining access to a system or account. It is an additional layer of security which goes beyond a username and password, which are easily exploited by attackers, as people tend to reuse or have weak passwords.
Despite the benefits of MFA, adoption varies significantly. While over half of businesses worldwide implement some form of MFA, only 4% utilise phishing-resistant MFA, which provides a stronger defence against sophisticated attacks.
What is multifactor authentication?
MFA can take the form of something a user knows (password), something they have (hardware token or phone) or something they are (biometrics or facial recognition). This additional layer of verification can significantly decrease the likelihood of malicious actors gaining unauthorised access to your systems or accounts, even in cases where credentials are compromised.
Sounds secure, right? Watch our ‘How to Bypass Multifactor Authentication’ video to see how hackers can easily bypass MFA protocols and, more importantly, learn how to protect yourself from this type of attack. This attack is based around the Microsoft login page.
What is a Man-in-the-Middle attack?
A Man-in-the-Middle (MitM) attack is a type of cyber-attack where a hacker secretly intercepts and relays messages between two parties who think they are communicating directly with each other.
What is an Adversary-in-the-Middle attack?
An Adversary-in-the-Middle attack (AitM) is like a MitM attack. The key difference here is that the hacker actively inserts themselves into the communication channel, often posing as one of the legitimate parties.
The goal of both these attacks is to gain unauthorised access to sensitive information by infiltrating a communication flow. Once successfully orchestrated, the attack can steal login credentials, inject malicious code into transmitted data, and gain insight into confidential conversations.
According to Verizon’s 2023 Data Breach Investigations Report, 74% of breaches had a human element, meaning humans were either wholly or partly the reason for the breach. With this in mind, we need to make sure we are providing our people with the tools they need to protect themselves and their organisation from potentially devastating attacks.
Common techniques used in MitM attacks:
- ARP Spoofing: The Address Resolution Protocol (ARP) cache of a target network is manipulated, redirecting traffic intended for one device to the attacker’s own machine.
- DNS Spoofing: By tampering with Domain Name System (DNS) responses, the attacker redirects legitimate domain names to malicious IP addresses, leading users to fake websites.
- Wi-Fi Eavesdropping: Wi-Fi networks are exploited to intercept and capture data transmitted between devices and the network, allowing the attacker to eavesdrop on sensitive information.
- SSL Stripping: Hackers downgrade secure HTTPS connections to unencrypted HTTP connections, intercepting and manipulating data exchanged between the user and the server.
- Session Hijacking: A user’s session cookie or token is stolen, allowing attackers to impersonate the user and gain unauthorised access to their accounts or sessions.
Common techniques used in AitM attacks:
- Social Engineering: Manipulation tactics are used to trick users or administrators into granting the attacker access to sensitive systems or information.
- Credential Phishing: Fake login pages or emails are created to deceive users into sharing their usernames, passwords, or other authentication credentials.
- Malware Injection: Malicious code is injected into legitimate websites or software to capture sensitive data or control the victim’s device remotely.
- Compromised Devices: Vulnerabilities in routers, switches, or other network devices are exploited to intercept and manipulate data passing through them.
- DNS Hijacking: Adversaries infiltrate DNS servers or tamper with DNS configurations to reroute users to malicious websites or servers under their control.
Advice from CloudGuard SOC
Always verify the address bar before entering credentials on any login page. For Microsoft, ensure it’s login.microsoftonline.com. Adversary-in-the-middle attacks are gaining traction, so staying ahead of them is important.
This is one of the advantages of having a 24/7 managed SOC. Our external team detected and responded to the threat quickly, mitigating potential damage. If you manage your SIEM internally, and this type of attack occurs outside of business hours or without our level of expertise, the repercussions can be far more severe, even if it is picked up only an hour later.
Atif Chaudry, SOC Analyst, CloudGuard
How to bypass multifactor authentication – our scenarios
We have captured a real-time demonstration showcasing the vulnerability of multi-factor authentication to phishing attacks.
We’ve created a scenario involving three characters: Alice, Mallory, and Bob. Alice, our unsuspecting victim, uses strong security measures, including a 128-character password and push-based MFA. Despite these precautions, her account remains susceptible to exploitation.
Mallory, the cybercriminal, orchestrates a phishing attack by setting up a deceptive domain that mimics Alice’s company’s Microsoft login page. When Alice clicks the phishing link, Mallory’s server captures her credentials and authenticated session cookie.
Armed with this information, Mallory bypasses the MFA prompts and gains unauthorised access to Alice’s account. By injecting the captured session cookie into his browser, Mallory successfully impersonates Alice and accesses sensitive information in Microsoft Azure.
It’s not all bad though. We then demonstrate how this attack could have been prevented using a phishing-resistant method, such as a WebAuthn (FIDO2) security key. This MFA method is specifically designed to prevent such attacks.
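To show why the FIDO2 key stops Mallory’s proxy where the push prompt did not, here is an added example (not code from the CloudGuard video) that simulates the checks a WebAuthn relying party performs on a sign-in assertion. The browser bakes the origin it is really on into the signed data, so an assertion produced on a look-alike domain fails at the real login page. The credential key, the phishing origin and the use of HMAC in place of the credential’s public-key signature are assumptions for the simulation.

```python
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Legitimate relying party named on the page; the key is a constructed
# stand-in for the FIDO2 credential's key pair (assumption).
RP_ORIGIN = "https://login.microsoftonline.com"
RP_ID = "login.microsoftonline.com"
CREDENTIAL_KEY = b"constructed-credential-key"


def browser_assert(origin: str, challenge: str) -> dict:
    """Simulate the browser + authenticator producing a WebAuthn assertion.

    The browser fills in the origin it is actually displaying and derives the
    rpId from that origin; the authenticator then signs rpIdHash together with
    the hash of clientDataJSON. HMAC-SHA256 stands in for the real signature.
    """
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        separators=(",", ":"),
    ).encode()
    rp_id = urlparse(origin).hostname or ""
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"  # rpIdHash || flags
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()
    return {"client_data": client_data, "auth_data": auth_data, "signature": sig}


def rp_verify(assertion: dict, expected_challenge: str) -> bool:
    """Relying-party checks: challenge, origin, rpIdHash, then the signature."""
    client = json.loads(assertion["client_data"])
    if client.get("type") != "webauthn.get":
        return False
    if client.get("challenge") != expected_challenge:
        return False  # replayed or proxied challenge mismatch
    if client.get("origin") != RP_ORIGIN:
        return False  # origin binding: a phishing domain in front of us fails here
    if assertion["auth_data"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False  # rpIdHash bound to the phishing host, not ours
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


if __name__ == "__main__":
    ok = browser_assert(RP_ORIGIN, "challenge-1")
    proxied = browser_assert("https://phishing-proxy.example", "challenge-1")
    print(rp_verify(ok, "challenge-1"), rp_verify(proxied, "challenge-1"))
```

A session cookie carries no such origin binding, which is why Mallory could replay Alice’s cookie but cannot replay a FIDO2 assertion captured through the proxy.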
Final thoughts on ‘how to bypass MFA’
Multi-factor authentication is an important defence against various cyber threats, yet not all MFA methods offer equal protection. While it adds an extra layer of security to your accounts beyond passwords, it’s important to also acknowledge its limitations.
Man-in-the-Middle and Adversary-in-the-Middle attacks use specific tactics to exploit vulnerabilities within MFA. These attacks aim to intercept communication, steal credentials, and manipulate data.
Our real-time scenario showcases how even security measures like MFA can be bypassed by phishing attacks. The best defence is implementing phishing-resistant MFA methods, such as FIDO2, to reduce the risk of a successful attack.
We hope you’ve found ‘How to Bypass Multifactor Authentication’ insightful. If you want to learn more about protecting yourself or your organisation from these types of threats, reach out to the CloudGuard team.
5 FIDO-supported authentication providers
- Microsoft Entra
- Okta Workforce Identity
- Yubico YubiKey
- Google Cloud
- Thales SafeNet Trusted Access